TUN OpenVPN Remote Access SSL/TLS in Double NAT scenario

  • Hi guys,

    I'm scratching my head on this one, and would greatly appreciate any assistance.

    I'm currently trying to set up a OpenVPN Remote Access Server (SSL/TLS, no user auth). I'm in a double NAT scenario, as I share the internet with the neighbours.

    Actiontec Router:

    WAN              LAN
    Public IP

    pfSense Router:

    WAN                                  LAN

    OpenVPN Tunnel Network:

    Now, I've been able to successfully set up the OpenVPN server, use the client export wizard to download an auto-configured package, and connect the client to the server; get a success message and everything.

    For testing, I can ping my gateway ( from my OpenVPN client ( However, I can't ping anything else on my LAN subnet; I get a request timed out.

    When trying to ping my OpenVPN client from my LAN subnet (say, > I get a "Destination Host Unreachable" error.

    This implies to me that although my packets may be reaching the LAN machine, the LAN machine cannot send packets back because it doesn't know how to get there.

    Windows Firewalls have been disabled for testing purposes also, so they should be responding to pings.

    Is this correct? If so, how do I add a route so that my LAN machines know how to get to my VPN subnet? Is the double-nat responsible?

    Kind Regards.

    EDIT: I have made some progress. By adding a static route to the LAN machine itself (in this case, Windows), I am able to point it to the VPN subnet via the appropriate gateway. Is there any way to push this route to my LAN computers without needing to do it manually on each one?

    EDIT2: I think I've figured out the issue. The subnet mask on my LAN machines is incorrect. Setting it correctly seems to result in traffic being routed correctly.

  • Did you need to do anything 'peculiar' in the steps / wizard, considering your double-NAT setup?

    I'm having some trouble even connecting to my pfsense behind one NAT.  I won't hijack your post with my issue.  I'm just curious to know anyway.

    As far as your issue goes, I was going to say there is a check-box that says 'allow access to other machines on the LAN', as I thought it may be that - seems you have sorted your problem though.

  • Hi manny,

    No, I didn't need to do anything peculiar for the double-nat. No custom routes or NAT settings required. Literally, the issue was the subnet mask, which took quite a while to figure out, but was an easy-fix.


Log in to reply