Netgate Discussion Forum
    TUN OpenVPN Remote Access SSL/TLS in Double NAT scenario

    OpenVPN
    abajac

      Hi guys,

      I'm scratching my head on this one, and would greatly appreciate any assistance.

      I'm currently trying to set up an OpenVPN Remote Access Server (SSL/TLS, no user auth). I'm in a double NAT scenario, as I share the internet with the neighbours.

      Actiontec Router:

      WAN: Public IP
      LAN: 192.168.1.0/24

      pfSense Router:

      WAN: 192.168.1.68 (DMZ)
      LAN: 10.171.71.0/24

      OpenVPN Tunnel Network:

      10.171.72.0/24

      Now, I've been able to successfully set up the OpenVPN server, use the client export wizard to download an auto-configured package, and connect the client to the server; get a success message and everything.

      For testing, I can ping my gateway (10.171.71.1) from my OpenVPN client (10.171.72.2). However, I can't ping anything else on my LAN subnet; I get a request timed out.

      When trying to ping my OpenVPN client from my LAN subnet (say, 10.171.71.15 > 10.171.71.2) I get a "Destination Host Unreachable" error.

      This implies to me that although my packets may be reaching the LAN machine, the LAN machine cannot send packets back because it doesn't know how to get there.

      Windows firewalls have been disabled for testing purposes also, so they should be responding to pings.

      Is this correct? If so, how do I add a route so that my LAN machines know how to get to my VPN subnet? Is the double NAT responsible?

      Kind Regards.

      EDIT: I have made some progress. By adding a static route to the LAN machine itself (in this case, Windows), I am able to point it to the VPN subnet via the appropriate gateway. Is there any way to push this route to my LAN computers without needing to do it manually on each one?

      EDIT2: I think I've figured out the issue. The subnet mask on my LAN machines is incorrect. Setting it correctly seems to result in traffic being routed correctly.

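The symptom pattern in the post above (gateway pingable from the tunnel, other LAN hosts not; "Destination Host Unreachable" from the LAN side) is what a LAN host with an over-wide subnet mask produces: it believes the tunnel network 10.171.72.0/24 is directly attached, ARPs for the VPN client on the wire instead of sending the reply to pfSense, and the ARP never gets an answer. The script below is an added example, not code from the thread or from pfSense; it models a host's two-entry routing decision (connected subnet, then default gateway) with the thread's addresses as constructed values, and reports which next hop a host would pick for a reply to the VPN client under a correct and an incorrect mask.

```python
import ipaddress

# Constructed values mirroring the thread's topology; not taken from a real config dump.
LAN_NET = ipaddress.IPv4Network("10.171.71.0/24")
TUNNEL_NET = ipaddress.IPv4Network("10.171.72.0/24")
GATEWAY = "10.171.71.1"      # pfSense LAN address, which is also the OpenVPN server side
VPN_CLIENT = "10.171.72.2"   # the client's tunnel address from the post


def configured_subnet(host_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """The subnet a host believes it is directly attached to, according to its own mask."""
    return ipaddress.IPv4Network(f"{host_ip}/{netmask}", strict=False)


def next_hop(host_ip: str, netmask: str, gateway: str, dest_ip: str) -> str:
    """Where a host with this IP/mask/default gateway sends a packet for dest_ip.

    Plain longest-match over two routes: the connected subnet and the default route.
    Returns "on-link" when the host will ARP for dest_ip on the LAN instead of using the gateway.
    """
    if ipaddress.IPv4Address(dest_ip) in configured_subnet(host_ip, netmask):
        return "on-link"
    return gateway


def diagnose(host_ip: str, netmask: str, gateway: str = GATEWAY, dest_ip: str = VPN_CLIENT) -> dict:
    """Explain whether a LAN host's replies to a VPN client will actually reach the tunnel."""
    subnet = configured_subnet(host_ip, netmask)
    hop = next_hop(host_ip, netmask, gateway, dest_ip)
    # Replies only reach the tunnel when they are handed to pfSense; an on-link ARP for a
    # tunnel address goes unanswered, so the reply is never sent.
    reply_reaches_vpn = hop == gateway
    return {
        "host": host_ip,
        "believed_subnet": str(subnet),
        "mask_matches_lan": subnet == LAN_NET,
        "tunnel_looks_on_link": TUNNEL_NET.subnet_of(subnet),
        "next_hop_for_vpn_client": hop,
        "reply_reaches_vpn": reply_reaches_vpn,
        "symptom": None if reply_reaches_vpn else
                   "ARP for the VPN client never answers: 'Destination Host Unreachable' "
                   "from the LAN host, 'request timed out' from the VPN client",
    }


if __name__ == "__main__":
    # Correct /24 mask, then the over-wide /16 that matches the thread's symptoms.
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(diagnose("10.171.71.15", mask))
```

The gateway itself is on-link under either mask, which is why pinging 10.171.71.1 from the tunnel works even when nothing else on the LAN answers; the mask only changes the decision for addresses outside the real LAN.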
      mannyjacobs73

        Did you need to do anything 'peculiar' in the steps / wizard, considering your double-NAT setup?

        I'm having some trouble even connecting to my pfSense behind one NAT. I won't hijack your post with my issue. I'm just curious to know anyway.

        As far as your issue goes, I was going to say there is a checkbox that says 'allow access to other machines on the LAN', as I thought it might be that; it seems you have sorted your problem, though.

        abajac

          Hi manny,

          No, I didn't need to do anything peculiar for the double NAT. No custom routes or NAT settings required. Literally, the issue was the subnet mask, which took quite a while to figure out, but was an easy fix.

          Thanks!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.