Netgate Discussion Forum

    Routing traffic through OpenVPN tunnel

    OpenVPN
    11 Posts 3 Posters 2.5k Views

    viragomann

      What you're missing here is an outbound NAT rule (SNAT, the last one of the iptables rules).

      You have to set this in Firewall > NAT > Outbound.
      The rule generation mode has to be set to automatic or hybrid and saved. Then add a new rule with interface=OpenVPN, destination=192.168.3.0/24, translation=interface address.

    yodaphone

    Thanks.

    Do I still have to specify any port forward rules?

    I want to forward www.foo.com:8088 to 192.168.3.100:8088

    viragomann

          Yes, the port forwarding is DNAT.
          You need a rule for any port or any port range you want to forward to the other site.

          However, you don't need additional outbound NAT rules for other port forwardings.

    yodaphone

    Sorry, I'm really new to this, so please let me know if this is OK.

    I've attached screenshots. With this, accessing www.foo.com:8088 doesn't work.

    1. Set up Outbound (NAT) in OpenVPN
    2. Set up a port forward for 8088 to go to the 192.168.3.50 IP
    3. Set up a firewall rule

    [screenshots attached: tunnel1.PNG, tunnel2.PNG, tunnel3.PNG, tunnel4.PNG]

    viragomann

    In the port forwarding rule the destination is any. I've never set up a rule with this. Try WAN address instead.

    yodaphone

    Tried, but no luck. Thanks anyway.

    Derelict (LAYER 8, Netgate)

                  You need an OpenVPN assigned interface at the 192.168.3 side.

                  Then you need to make sure the rules passing traffic into that firewall do not match on the OpenVPN tab but instead match on the assigned interface tab.

                  That will give you the reply-to functionality that will prevent reply traffic from being sent out the default gateway at that end, instead routing it back through the OpenVPN tunnel.

                  https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)
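Added example, not part of the thread and not pfSense or Tomato code: a short Python trace of the packet path that viragomann's outbound NAT rule and Derelict's reply-to suggestion each repair. It models the port forward (pf rdr, iptables DNAT) on the home pfSense WAN, the optional outbound NAT on the tunnel interface, and the far-site router's longest-prefix route lookup for the reply. Every address, interface name (wan, ovpns1, tun, isp_wan), port and route in it is a constructed assumption; only the target 192.168.3.50 and port 8088 come from the thread.

```python
"""Added example (not from the thread): trace a port-forwarded TCP SYN from an
Internet client through pfSense and an OpenVPN site-to-site tunnel to a host
at the double-NATed far site, and see where the far router sends the reply.
Every address, interface name, port and route below is a constructed assumption."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


PFSENSE_WAN = "203.0.113.10"   # public WAN address of the home pfSense (assumed)
PFSENSE_TUN = "10.8.0.1"       # OpenVPN server's tunnel address (assumed)
TARGET = "192.168.3.50"        # forward target named in the thread
CLIENT = "198.51.100.7"        # some Internet client (assumed)
FWD_PORT = 8088

# Routing tables as (prefix, interface); 0.0.0.0/0 is the default route.
PFSENSE_ROUTES = [("0.0.0.0/0", "wan"), ("10.8.0.0/24", "ovpns1"), ("192.168.3.0/24", "ovpns1")]
REMOTE_ROUTES = [("0.0.0.0/0", "isp_wan"), ("10.8.0.0/24", "tun"), ("192.168.3.0/24", "lan")]


def route(table, dst):
    """Longest-prefix match, like a kernel FIB lookup."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def forward_and_reply(fix):
    """fix is "none", "outbound_nat" (the SNAT rule on the OpenVPN interface that
    viragomann describes) or "reply_to" (Derelict's assigned-interface rule at the
    far side, a pf feature; Tomato/iptables would need policy routing to mimic it).
    Returns whether the client receives the SYN-ACK and which far-side interface
    the reply left on."""
    syn = Packet(CLIENT, PFSENSE_WAN, 51000, FWD_PORT)

    # 1. Port forward (pf rdr, iptables DNAT) on the WAN: rewrite the destination.
    syn = replace(syn, dst=TARGET)
    out_if = route(PFSENSE_ROUTES, syn.dst)             # -> ovpns1

    # 2. Outbound NAT on the tunnel interface: rewrite the source to the tunnel
    #    address so the far side sees a peer it already routes via the tunnel.
    nat_state = None
    if fix == "outbound_nat" and out_if == "ovpns1":
        nat_state = (syn.src, syn.sport)
        syn = replace(syn, src=PFSENSE_TUN)

    # 3. The far router hands the SYN to the LAN host, which answers by swapping
    #    addresses and ports. The router then has to route that reply.
    reply = Packet(syn.dst, syn.src, syn.dport, syn.sport)
    if fix == "reply_to":
        reply_if = "tun"          # reply-to pins the answer to the ingress interface
    else:
        reply_if = route(REMOTE_ROUTES, reply.dst)
    if reply_if != "tun":
        # Asymmetric routing: the reply leaves on the ISP link (and through the
        # ISP's NAT), pfSense never sees the SYN-ACK and the client's connect hangs.
        return {"delivered": False, "reply_exit": reply_if}

    # 4. Back on pfSense the state table undoes both translations.
    reply = replace(reply, src=PFSENSE_WAN)
    if nat_state:
        reply = replace(reply, dst=nat_state[0], dport=nat_state[1])
    delivered = (reply.src, reply.dst, reply.dport) == (PFSENSE_WAN, CLIENT, 51000)
    return {"delivered": delivered, "reply_exit": reply_if}


if __name__ == "__main__":
    for fix in ("none", "outbound_nat", "reply_to"):
        print(f"{fix:13s} -> {forward_and_reply(fix)}")
```

Without either fix, the far router's longest-prefix match sends the reply addressed to the Internet client out its ISP link, so the SYN-ACK never traverses the tunnel and pfSense's state for the forwarded connection never sees it. Outbound NAT makes the reply's destination a tunnel address the far router already routes through the tunnel, which is why it also works with a non-pfSense peer such as Tomato; reply-to reaches the same result by pinning the reply to the interface it arrived on, but needs pf (pfSense) at that end.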

    yodaphone

    For a n00b like me, this is a bit complicated; sorry about that.

    I have a Tomato Shibby running on the 192.168.3.0 side.

    Can you please help me and explain what you mean by "You need an OpenVPN assigned interface at the 192.168.3 side"?

    I will, however, go through your link. I guess you are assuming that I have another pfSense on the other end too?

    PS: I earlier had this entire setup working with two Tomato Shibbys on either end, connected over tinc. All I had to do was add some iptables rules for tinc and it worked great. These are the iptables rules I had:

    # Tomato's wanin / WANPREROUTING chains: accept the forwarded port, DNAT it on
    # the WAN to the LAN host, then SNAT toward the tinc tunnel so the host's
    # replies route back through tinc instead of its default gateway.
    iptables -A wanin -d 192.168.3.50/32 -p tcp -m tcp --dport 8088 -j ACCEPT
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 8088 -j DNAT --to-destination 192.168.3.50:8088
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8088 -o tinc -j SNAT --to 192.168.11.1

    PS2: The 192.168.3.0 network is behind a double NAT. The ISP provides only a NATed IP and not a public one, so I set up an OpenVPN site-to-site tunnel with the server running on the pfSense with the public IP at home and the OpenVPN client connecting to it.

    Derelict (LAYER 8, Netgate)

                      Pointed you to a recipe in that other post for exactly what you want to do. Not really interested in what worked in iptables since that is pretty much irrelevant in pfSense.

                      If tomato worked for you why not just run that?

    yodaphone

    I could go back to Tomato but wanted to have a more secure setup on one end.

    Thank you for your help anyway. I was looking for a more step-by-step idea.

    I mentioned iptables just as a reference.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.