Netgate Discussion Forum
    Access to LAN for OpenVPN 'road warriors' when pfSense is not the LAN gateway

    robm

      I am configuring OpenVPN on pfSense to allow remote users 'dial-in' type VPN access (this is to replace legacy PPTP connections).

      This is all working as expected, except that access to LAN devices is only possible if the LAN device either has the pfSense LAN IP set as its default gateway, or has a route added for the 'tun'/OpenVPN IP range(s).

      For legacy reasons the pfSense won't be the default gateway for most LAN devices (at least not initially).

      To work around this I have created an Outbound NAT rule on the LAN interface with a Source of my 'tun'/OpenVPN range and a NAT address of the LAN address.

      This appears to work (at least under minimal testing).

      Any reason that this should be not used, or an alternate solution?

      phil.davis

        That's what I would do, and it should work fine.
        The other way is to put a static route on the other router on the LAN to tell it to send packets for the Road Warrior subnet to the pfSense box. But then if the other router is also a stateful firewall you might still run into problems, because that other router will only be seeing the return traffic.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

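The two posts above describe three situations: a LAN host with no route back to the tunnel (replies go to the legacy default gateway, which as a stateful firewall has never seen the forward packet and drops them), a LAN host with a static route for the tunnel range pointing at pfSense, and the Outbound NAT rule that rewrites the VPN client's source to the pfSense LAN address so the reply is on-link. The following simulation is an added example, not code from the thread or from pfSense; every address, the host names and the functions are constructed for illustration. It implements longest-prefix routing on the LAN host and a minimal stateful gateway to show why each case succeeds or fails.

```python
import ipaddress
from dataclasses import dataclass, field

# All addresses below are constructed for this example (assumptions, not from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
TUN_NET = ipaddress.ip_network("10.8.0.0/24")        # OpenVPN 'tun' client range
ANY = ipaddress.ip_network("0.0.0.0/0")
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.1.2")  # pfSense LAN interface (not the default gateway)
LEGACY_GW_IP = ipaddress.ip_address("192.168.1.1")    # router the LAN hosts actually use as default gateway
LAN_HOST_IP = ipaddress.ip_address("192.168.1.50")
VPN_CLIENT_IP = ipaddress.ip_address("10.8.0.6")


@dataclass
class Host:
    """A LAN host with a minimal routing table: list of (network, next_hop); next_hop None = on-link."""
    name: str
    routes: list

    def next_hop(self, dst):
        # Longest-prefix match, as a real kernel does; ANY always matches so the list is never empty.
        candidates = [(net, gw) for net, gw in self.routes if dst in net]
        net, gw = max(candidates, key=lambda r: r[0].prefixlen)
        return dst if gw is None else gw


@dataclass
class StatefulRouter:
    """The legacy default gateway: forwards a packet only if it saw the flow's first packet."""
    states: set = field(default_factory=set)

    def forward(self, src, dst, is_first_packet):
        flow = frozenset({src, dst})
        if is_first_packet:
            self.states.add(flow)
            return True
        return flow in self.states


def apply_outbound_nat(src, dst, nat_enabled):
    """Model of the Outbound NAT rule from the thread: traffic from the tun range leaving the
    LAN interface gets its source rewritten to the pfSense LAN address."""
    if nat_enabled and src in TUN_NET and dst in LAN_NET:
        return PFSENSE_LAN_IP
    return src


def vpn_client_reaches_lan_host(nat_enabled, static_route_on_host):
    """Simulate one VPN client -> LAN host request and its reply.
    Returns (reply_next_hop, reply_delivered)."""
    routes = [(LAN_NET, None), (ANY, LEGACY_GW_IP)]
    if static_route_on_host:
        routes.append((TUN_NET, PFSENSE_LAN_IP))
    host = Host("lan-host", routes)
    legacy_gw = StatefulRouter()

    # Forward direction: pfSense is the OpenVPN endpoint and has its own LAN interface, so it
    # delivers the packet straight onto the LAN segment; the legacy gateway never sees it.
    seen_src = apply_outbound_nat(VPN_CLIENT_IP, LAN_HOST_IP, nat_enabled)

    # Reply: the host answers whatever source address it saw.
    nh = host.next_hop(seen_src)
    if nh == PFSENSE_LAN_IP:
        # Static route, or NAT made the source on-link: pfSense gets the reply and tunnels it back.
        delivered = True
    elif nh == LEGACY_GW_IP:
        # The legacy router only holds the reply half of the flow; a stateful firewall drops it.
        delivered = legacy_gw.forward(LAN_HOST_IP, seen_src, is_first_packet=False)
    else:
        delivered = False
    return nh, delivered


if __name__ == "__main__":
    for nat, route in ((False, False), (False, True), (True, False)):
        nh, ok = vpn_client_reaches_lan_host(nat, route)
        print(f"nat={nat!s:5} static_route={route!s:5} reply via {nh} delivered={ok}")
```

The trade-off of the NAT approach is visible in the model: with NAT every VPN user arrives at the LAN host with the same source, the pfSense LAN address, so any per-user logging or source-based access control on the LAN host itself no longer distinguishes remote users; that control then has to live in the pfSense OpenVPN firewall rules instead.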
        robm

          Thanks phil,
          Adding routes to the other firewall(s) did prove overly complex (and not overly successful), as you stated, seemingly due to the stateful inspection.

          marian78

            Hi, can you please post some screenshots for dummies (i.e. me) ;) ?

            Thx.

            EDIT:
            In Outbound NAT rules I created this rule, but I still can't access PCs that don't have their default gateway set to the OpenVPN server pfSense box:

            @robm:

            I am configuring OpenVPN on pfSense to allow remote users 'dial-in' type VPN access (this is to replace legacy PPTP connections).

            This is all working as expected, except that access to LAN devices is only possible if the LAN device either has the pfSense LAN IP set as its default gateway, or has a route added for the 'tun'/OpenVPN IP range(s).

            For legacy reasons the pfSense won't be the default gateway for most LAN devices (at least not initially).

            To work around this I have created an Outbound NAT rule on the LAN interface with a Source of my 'tun'/OpenVPN range and a NAT address of the LAN address.

            This appears to work (at least under minimal testing).

            Any reason that this should be not used, or an alternate solution?

            [Screenshot attachment: Snímka.PNG]

            pfsense runing in virtual, on HP N54L microserver, 2G RAM, 60G disk, WAN, LAN, DMZ, Wifi, OpenVPN server + client, suricata, pfblocker
