Netgate Discussion Forum
    Client > pfsense WAN <nat>> Opt1 > OpenVPN client

pkanuri

Need help with WAN to OpenVPN client NAT configuration.

I have pfSense 5.6.7.8 as my internet gateway. I have WAN, LAN and OPT1 interfaces. OPT1 is for OpenVPN. When I forward a port in NAT pointing to a device sitting on the LAN network, pfSense works fine, and external clients can access resources on that device.

The problem is, when I want to forward a port to an OpenVPN client, it's not connecting.

Please help with a working config.

viragomann

The OpenVPN client probably sends responses to its default gateway instead of sending them back over the VPN.
        What is the OpenVPN client?

pkanuri @viragomann

@viragomann - Hey, it's a Linux box with CentOS. Do I need to check anything else?

viragomann

You have to make sure that it sends responses back over the VPN. A router OS should be able to handle that correctly, but a default desktop/server OS won't. If you can't handle that on the client and "redirect gateway" is no option, you may do a workaround with masquerading on pfSense:

            Firewall > NAT > Outbound. If it is working in automatic mode switch to hybrid and hit save.
            Add a new rule:
            Interface: OPT1
            Source: any
            Destination: <clients IP>
            Translation: interface address

However, consider that this rule translates the source IPs in packets forwarded to the client to the OpenVPN server's IP, so it takes away the capability to determine the original source on the client.

pkanuri @viragomann

@viragomann Thanks for your quick reply.

Added a static route on the client and it started routing return traffic from the client to the tunnel.

Is this the ideal way to do it rather than adding an outbound rule on pfSense?

viragomann

No, the way you should go with it is to let OpenVPN handle the route. It's not recommended to set a static route to remote addresses across a VPN.

Depending on the OpenVPN server mode, you can tick "Redirect IPvx Gateway" in the server settings to push the default route to the client, or add "redirect-gateway def1" to the client's config.

pkanuri @viragomann

@viragomann Hey, sorry for the delayed response.

The challenge is I don't want all the traffic to go via VPN. Only for 2 source IPs do I need the VPN client to respond with return traffic via tun0. All other traffic should come and go via eth0.

Based on your suggestion, would adding "Redirect IPvx Gateway" or "redirect-gateway def1" send and receive all traffic via tun0?

viragomann

                    "Redirect gateway" sets the default route to the OpenVPN server.

If you want to strictly route specific IPs over the VPN and not be able to access them if the VPN is down, it is okay to go with static routes.

Otherwise you may add those IPs in CIDR notation (1.1.1.1/32) to the "local network/s" in the server settings to push the routes to the clients. If it is an access server with multiple client connections and you want to push the route to only one client, you have to set up a client-specific override for that. However, that only works in SSL auth mode with certs.

Another option is to add a route line to the client's config file.
E.g.

route x.x.x.x 255.255.255.255

                    Ensure that you have a firewall rule in place on the server side to permit the traffic and that there is an outbound NAT rule on WAN interface matching it.
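As an added example (not from the thread or from pfSense/OpenVPN), this POSIX shell script generates the client-side "route" lines described above from CIDR entries, since the OpenVPN route directive takes a dotted netmask rather than a prefix length; the two addresses at the bottom are constructed placeholders for the two source IPs in question.

```shell
#!/bin/sh
# Added example: turn CIDR entries into OpenVPN client "route" directives.
# The sample addresses below are constructed placeholders.

# Convert a prefix length (0-32) to a dotted-decimal netmask.
prefix_to_mask() {
  p=$1 mask='' i=0
  while [ "$i" -lt 4 ]; do
    if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
    elif [ "$p" -gt 0 ]; then o=$((256 - (1 << (8 - p)))); p=0
    else o=0; fi
    mask="${mask}${mask:+.}${o}"
    i=$((i + 1))
  done
  printf '%s' "$mask"
}

# Emit one "route <network> <netmask>" line for a CIDR entry. A bare
# address is treated as a host route (/32). Returns 1 on a bad prefix.
cidr_to_route() {
  addr=${1%%/*}
  case $1 in */*) pfx=${1##*/} ;; *) pfx=32 ;; esac
  case $pfx in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  printf 'route %s %s' "$addr" "$(prefix_to_mask "$pfx")"
}

# Emit the config fragment for a space-separated list of entries,
# skipping any entry that fails to parse.
route_directives() {
  for entry in $*; do
    cidr_to_route "$entry" && printf '\n'
  done
}

# Constructed placeholders for the two remote source IPs (documentation
# ranges), one as a host route and one as a whole subnet.
route_directives "203.0.113.10/32 198.51.100.0/24"
```

Append the emitted lines to the client .ovpn/.conf; only traffic to those destinations is then routed via tun0, while everything else keeps using eth0.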

pkanuri @viragomann

@viragomann Thank you, will try those options.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.