Netgate Discussion Forum

    Connection from OpenVPN Client LAN to OpenVPN server

      jiunnyik

      pfSense is running as OpenVPN client and gateway at home.

      Is there any way to configure pfSense so that its LAN client can access the OpenVPN server directly?

      The OpenVPN server is running on CentOS at a data center.

      Thank you.

        viragomann

        In the client configuration, at IPv4 or IPv6 Remote Network, enter the networks on the server side you want to reach.
        So if the tunnel is up, pfSense will add routes to these networks.

          jiunnyik

          It doesn't work

          My CentOS OpenVPN server has 10.11.12.1

          My pfSense OpenVPN client has 10.11.12.6 and LAN 192.168.18.0/24

          I tried to put 10.11.12.0/24 into IPv4 Remote Network, but my LAN client is unable to reach / ping 10.11.12.1

            viragomann

            I'll try to replicate.

            Your OpenVPN tunnel is 10.11.12.0/24.
            The server has 10.11.12.1.
            And you just want to reach the server? For that there's no need to add routes if the OpenVPN client (pfSense) is the default gateway. It's in the same subnet.
            Try a ping from pfSense to the server.

              jiunnyik

              pfSense can ping the server and vice versa

                viragomann

                So if the pfSense box (OpenVPN client) is the default gateway for the host behind it, the ping should also work from there.

                If not, make a packet capture at pfSense (Diagnostics menu) on the OpenVPN interface and filter for ICMP to see what's going on there.

                  jiunnyik

                  
                  05:45:21.769837 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 1, length 64
                  05:45:22.769083 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 2, length 64
                  05:45:23.768987 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 3, length 64
                  05:45:24.769018 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 4, length 64
                  05:45:25.769057 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 5, length 64
                  05:45:26.769092 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 6, length 64
                  05:45:27.768991 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 7, length 64
                  05:45:28.769023 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 8, length 64
                  05:45:29.769057 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 9, length 64
                  05:45:30.769092 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 10, length 64
                  05:45:31.768995 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 11, length 64
                  05:45:32.769028 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 12, length 64
                  05:45:33.769065 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 13, length 64
                  05:45:34.768978 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 14, length 64
                  05:45:35.768999 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 15, length 64
                  05:45:36.769031 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 16, length 64
                  05:45:37.769065 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 17, length 64
                  05:45:38.769096 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 18, length 64
                  05:45:39.769002 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 19, length 64
                  05:45:40.769035 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 20, length 64
                  05:45:41.769068 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 21, length 64
                  
                  

                  This is the test result

                    viragomann

                    Only ICMP requests are seen, no responses.
                    The common way to fix this is to add a route for the client's LAN to the server. I think you know, but don't want this.

                    If you want to solve it from the client side, you have to add an outbound NAT rule to the client's OpenVPN interface, translating the source address to the client's address. This is not recommended, because this way, you just see requests at the server side coming from the client address instead of the real LAN host's address.

                    To do so, go to Firewall > NAT > Outbound. If your outbound NAT does automatic rule generation, select Hybrid or Manual and hit Save first.
                    Then add a new rule by +:
                    Interface: OpenVPN
                    Protocol: any
                    Source: the client's LAN network or any
                    Destination: any
                    Translation: Interface address

                    If you have more than one VPN client or also a server running, you have to assign an interface to the VPN client first and use this in the NAT rule above, if you haven't already!

                    1 Reply Last reply Reply Quote 0
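The reading of the capture given in the post above (echo requests from a LAN address, no replies) can be automated. The following is an added example, not part of the original thread: a heuristic that pairs ICMP echo requests with replies in tcpdump text output and flags unanswered requests whose source lies outside the tunnel network. The function names and the second sample are assumptions made for illustration.

```python
import ipaddress
import re

# First two lines of the capture posted in the thread.
SAMPLE_NO_ROUTE = """\
05:45:21.769837 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 1, length 64
05:45:22.769083 IP 192.168.18.4 > 10.11.12.1: ICMP echo request, id 2377, seq 2, length 64
"""
# Constructed sample: the same ping once the source is translated to the
# client's tunnel address (10.11.12.6) and the server can answer.
SAMPLE_NATTED = """\
05:50:01.100000 IP 10.11.12.6 > 10.11.12.1: ICMP echo request, id 2377, seq 1, length 64
05:50:01.130000 IP 10.11.12.1 > 10.11.12.6: ICMP echo reply, id 2377, seq 1, length 64
"""

LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+),"
)

def unanswered(capture):
    """Return (src, dst, id, seq) for each echo request with no matching reply."""
    pending = {}
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip non-ICMP or malformed lines
        ident = (m["id"], m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"]) + ident] = True
        else:
            # A reply travels from the request's destination back to its source.
            pending.pop((m["dst"], m["src"]) + ident, None)
    return list(pending)

def diagnose(capture, tunnel_net):
    """Classify a capture taken on the OpenVPN interface (heuristic)."""
    net = ipaddress.ip_network(tunnel_net)
    lost = unanswered(capture)
    if not lost:
        return "ok"
    if any(ipaddress.ip_address(src) not in net for src, *_ in lost):
        # Requests leave with a LAN source the far end cannot route back to.
        return "no-return-route"
    return "unanswered"
```

The same pattern also appears when a firewall on the server drops the traffic, so `no-return-route` is a hint to check the server's routing table, not proof.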
                      jiunnyik

                      It works. Thanks

                      What are the settings for the VPN client interface when I am running both server and client on the same pfSense?

                      Thanks.

                        viragomann

                        As mentioned, you have to assign an interface in Interfaces > (assign) to each OpenVPN instance.
                        At "Available network ports" select ovpnc1 for the client and click +, open the new interface, check Enabled, give it an appropriate name and save it.
                        Do the same for the OpenVPN server using the ovpns1 network port.

                        In outbound NAT, use the new interfaces instead of OpenVPN.
                        For the server, you might not need an outbound NAT rule.

                          jiunnyik

                          This works perfectly, just as I want.

                          Thank you viragomann

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.