Netgate Discussion Forum

    Routing OpenVPN to LAN with only LAN port and no WAN port?

    General pfSense Questions
    8 Posts 2 Posters 3.2k Views
    DutchSamurai:

      Hello,

      Wasn't sure which of the subforums this would fit in best so went with the general forum ;)

      I'm running pfSense in a VM for testing and I want to run a VPN on it that will allow me to access various devices on my LAN. Because I'm running pfSense in a VM on a box that is not between my router and devices, and I need to have everything on the same subnet, I'm having some problems with routing traffic to the LAN.

      Configuration

      Router/gateway: 192.168.1.1
      VM host: 192.168.1.5
      pfSense VM: 192.168.1.10
      Other devices: 192.168.1.20 - 30

      I've got pfSense set up with only one LAN port with the above IP and no WAN port. With this configuration I can ping the pfSense VM from my LAN and pfSense can access the internet.

      I've configured OpenVPN on the pfSense VM and I can successfully connect from my phone, ping and access the pfSense VM, but I cannot ping any other devices on my LAN.

      Running Wireshark I can see ping requests etc. coming from my phone through the VPN tunnel (device IP 10.0.8.6) directed to the IP of the LAN devices, but I don't see any replies.

      I suppose this makes sense because my LAN devices have the router, 192.168.1.1, as their gateway and not the pfSense VM.

      Is it possible to solve this? Should all OpenVPN traffic entering the LAN be made to look like it's originating from the pfSense VM rather than the OpenVPN tunnel, so that devices reply to the pfSense VM, which in turn will route it back to the VPN tunnel?

      If I configure a WAN interface on 192.168.1.xxx and the LAN on 192.168.10.xxx and set my host to connect through that on the loopback adapter (so it's on the 192.168.10.xxx subnet), I am able to ping LAN devices through the VPN tunnel, so I know OpenVPN and the firewall rules are OK but that the routing is failing.

      At least that is what I think is happening :P

      Derelict (Netgate):

        The destination device on LAN needs a route to the OpenVPN tunnel network with a destination of the pfSense node's LAN address for it to work like that.

        Is it possible to solve this? Should all OpenVPN traffic entering the lan be made to look like its originating from the pfsense VM rather than the OpenVPN tunnel so that devices reply to the pfsense VM which in turn will route it back to the VPN tunnel?

        ding ding ding

        If you do not need to identify the source address of the OpenVPN clients on the destination hosts, you can just outbound NAT on LAN for the tunnel network sources. Just create a hybrid outbound NAT rule on LAN using the tunnel network as the source network and LAN address as the NAT address.

        If you do need to identify the source addresses you will have to get more creative using multiple VIPs, Multiple outbound NAT rules, or perhaps 1:1 NAT.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        DutchSamurai:

          Thanks. I think I get what you are saying but…

          The destination device on LAN needs a route to the OpenVPN tunnel network with a destination of the pfSense node's LAN address for it to work like that.

          This means that on e.g. a Windows host I'd add: route add 10.0.8.0 mask 255.255.255.0 192.168.1.5. Can't test it right now, but that makes sense. But this wouldn't be necessary if I got NAT working?

          If you do not need to identify the source address of the OpenVPN clients on the destination hosts, you can just outbound NAT on LAN for the tunnel network sources. Just create a hybrid outbound NAT rule on LAN using the tunnel network as the source network and LAN address as the NAT address.

          I don't think so? An example of what I want to do is this: run a VNC server on the host, connect with my phone to the pfSense VM's OpenVPN, and then connect to the host using VNC, or access some web services running on my host from my phone going through the VPN.

          PS: one thing I forgot to mention is that while I can ping and access the pfSense box, I cannot browse the internet through the VPN. I understand why I can't access the LAN, but shouldn't browsing work since pfSense is doing all the routing (OpenVPN -> router -> back to pfSense -> OpenVPN)? Though in the trace it looked like all the requests were coming from the VPN rather than pfSense, so maybe this is a NAT issue as well.

          I'll try adding routes on my host and configuring NAT in pfSense.

          Derelict (Netgate):

            Yes. That is the kind of route you would need. If it's only the one host it's not so bad.

            If you NAT, the traffic from the host back to the VPN client will be same-subnet so the route is not necessary.

            If you are just trying to do this for access into your own network then you know who is connecting and NAT from the LAN interface address would be fine.

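The two fixes Derelict describes (a static route on each LAN host, or outbound NAT on LAN from the tunnel network to the LAN address) both change where a LAN host sends its reply. The following is an added example, not code from the thread or from pfSense: a small Python model of that return path using the poster's addresses (tunnel 10.0.8.0/24, client 10.0.8.6, router 192.168.1.1, pfSense LAN 192.168.1.10). The router's upstream hop 203.0.113.1 and the hypothetical LAN host 192.168.1.20's routing table are constructed, and the pf rule quoted in the comment is an approximation of what the GUI rule generates, not copied from pfSense.

```python
"""Model of the return-path problem in this thread: a LAN host replying to an
OpenVPN client when the pfSense VM is on the LAN but is not the host's default
gateway. Constructed example, not code from the thread or from pfSense.
Addresses are the poster's; the router's upstream hop (203.0.113.1) is made up."""
import ipaddress

TUNNEL_NET = ipaddress.ip_network("10.0.8.0/24")     # OpenVPN tunnel network
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ROUTER = ipaddress.ip_address("192.168.1.1")         # LAN hosts' default gateway
PFSENSE_LAN = ipaddress.ip_address("192.168.1.10")   # pfSense VM, LAN side
VPN_CLIENT = ipaddress.ip_address("10.0.8.6")        # the phone on the tunnel
UPSTREAM = ipaddress.ip_address("203.0.113.1")       # router's ISP hop (constructed)


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs.
    A gateway of None means on-link: the next hop is the destination itself."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    net, gw = best
    return dst if gw is None else gw


def lan_host_routes(static_route=False):
    """Routing table of a LAN device such as 192.168.1.20 (constructed)."""
    routes = [(LAN_NET, None), (DEFAULT, ROUTER)]
    if static_route:
        # Derelict's first option, e.g. on Windows:
        #   route add 10.0.8.0 mask 255.255.255.0 192.168.1.10
        routes.append((TUNNEL_NET, PFSENSE_LAN))
    return routes


# The home router knows the LAN and a default route; nothing about 10.0.8.0/24.
ROUTER_ROUTES = [(LAN_NET, None), (DEFAULT, UPSTREAM)]


def reply_path(static_route=False, outbound_nat=False):
    """Hops a LAN host's reply takes on its way back to the VPN client.

    outbound_nat models Derelict's second option: pfSense rewrites the tunnel
    source to its LAN address, so the LAN host sees 192.168.1.10, not 10.0.8.6.
    Approximately the pf rule:  nat on LAN from 10.0.8.0/24 to any -> 192.168.1.10
    """
    reply_dst = PFSENSE_LAN if outbound_nat else VPN_CLIENT
    hop = next_hop(lan_host_routes(static_route), reply_dst)
    path = [str(hop)]
    if hop == PFSENSE_LAN:
        return path                     # pfSense owns the tunnel: reply gets home
    # Reply went to the router, which forwards the tunnel address upstream
    # (or drops it): this is the "no replies" the poster saw in Wireshark.
    path.append(str(next_hop(ROUTER_ROUTES, reply_dst)))
    return path


def reply_delivered(static_route=False, outbound_nat=False):
    """True when the reply's last modelled hop is the pfSense LAN address."""
    return reply_path(static_route, outbound_nat)[-1] == str(PFSENSE_LAN)


if __name__ == "__main__":
    for label, kw in [("no fix", {}), ("host route", {"static_route": True}),
                      ("outbound NAT", {"outbound_nat": True})]:
        print(f"{label:13s} reply path: {' -> '.join(reply_path(**kw))}"
              f"  delivered={reply_delivered(**kw)}")
```

The model makes the trade-off explicit: with the static route the LAN host still sees the real client address 10.0.8.6, while with outbound NAT every VPN client appears as 192.168.1.10 on the destination hosts, which is the loss of source identity Derelict mentions and why the route is unnecessary in that case (the reply is same-subnet).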
              DutchSamurai:

              I'm having some problems getting it to work.

              Setting a static route on a Linux or Windows VM doesn't work. Setting the route on my host works but when doing a traceroute it goes: 192.168.1.5 -> 192.168.1.1 -> timeouts.

              The default gateway on pfSense is 192.168.1.1, so it looks like pfSense is routing it back to the router. I can't get this to work with a route or firewall rule.

              I'm also not entirely sure what to do under the NAT settings. I find the language used a little bit unclear.

              Firewall -> NAT -> OUTBOUND ->  Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below) -> Save.

              Interface: LAN
              Source 10.0.8.0/24
              source port: *
              destination: 192.168.1.0/24
              destination port: *
              NAT address: 192168.0/24
              NAT port: *
              Static: NO

              I tried different settings but no luck with any of them. Any hints?

              Derelict (Netgate):

                NAT address: 192168.0/24

                Try NAT address LAN address

                DutchSamurai:

                  I don't have that option. Under Source I can only select Any, Firewall (self) or Network. Under Destination there is only Any or Network.

                  I've attached a screenshot.

                  [attachment: pfsense.png]

                  DutchSamurai:

                    I don't know why, but after clicking around some more the hybrid outbound NAT automatically created the correct rules. Now there is a "source 10.0.8.0/24, destination LAN address" entry and I'm able to access my LAN :)

                    Going to set up a fresh VM tonight on my HTPC if I have time.

                    Thanks.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.