OpenVPN Server and Client at the same time



  • Dear pfSense community colleagues,

    I'm fascinated by the possibilities of pfSense :)

    My two OpenVPN Servers (TCP and UDP) were running fine until I installed the OpenVPN Client.
    Unfortunately I've come to a point where I don't know how to fix it.
    Maybe you have already a working solution and could help me out ?

    Status & Issue

    1. WORKS: The OpenVPN Client works perfectly and is speedy.
    2. From outside it's possible to connect to the OpenVPN Servers and when connected also internet access works.
    • ISSUE: But there is no access anymore to the LAN.
    • I tried a workaround, i.e. added a FW Rule in the OpenVPN tab in front of the above described FW Rule in 1)
    • This new FW Rule shall allow OpenVPN Server clients (I used FW Aliases) = Source to access the LAN net=Destination.
    • Some LAN devices could then be accessed but many others not. Without the whole OpenVPN Client settings it worked seamlessly, i.e. all LAN devices could be accessed when connected to one of the OpenVPN Servers.

    I have no Gateways created for the OpenVPN Servers, I've read this could make it run. But how :) ?
    I can make screenshots if needed :)

    Thanks a lot in advance !



  • Do the same as under the heading "Time to set up our OpenVPN gateway interface" in your linked tutorial also for each OpenVPN server. The server ports will be called like ovpns1, ovpns2… At point 4 you have also to check Enable.

    After that you have to define your firewall rules on the appropriate tab for each OpenVPN instance.



  • Hi viragoman,

    Thanks a lot for your answer.

    1. Yesterday I created the interfaces for the two OpenVPN Servers,
       as I had seen your answer in a similar thread.
    • there was no IP address for the OpenVPN Servers like for the WAN or VPN Client Gateways
    • should I have rebooted or restarted the service ?
       And from this point on I was a bit lost…
    2. I created an Outbound FW NAT for the two OpenVPN Gateways
    • source = network (CIDR)
    • NAT address = WAN (ISP)
    3. Under FW Rules and the respective OpenVPN Server tab
    • interface = WAN
    • protocol = any
    • source = network (CIDR) of the OpenVPN Server
    • destination = LAN net
    • Gateway = default
    4. Under FW Rules and the respective OpenVPN Server tab (after 3)
    • interface = WAN
    • protocol = any
    • source = any
    • destination = any
    • Gateway = WAN (ISP)

    And it did not work, no internet, no LAN access.
    Should I have rebooted ?
    I know I messed something up, the rules did not seem logical to me.
    (I'm still confused by the FW Rule in the OpenVPN tab where I had to enter the VPN Client Gateway.)

    Many thanks in advance !



  • Yes, rebooting could solve some issues.

    It'll be clearer if you post screenshots of your settings instead of describing the rules.

    @chulio:

    I know I messed something up, the rules did not seem logical to me.
    (I'm still confused by the FW Rule in the OpenVPN tab where I had to enter the VPN Client Gateway.)

    I absolutely agree.

    2) In the outbound NAT rule for the VPN client the interface should be the VPN client interface and the translation address should be "interface address".

    3 + 4) The firewall rules for allowing access from VPN clients connected to your server have to be added to the VPN server's interface, not to WAN.



  • Hi viragomann,

    Thanks a lot for your help.

    I gave my best and this is the current configuration (see screenshots).
    The situation is still the same as I did not really change something, except that rebooting "created" IP addresses to the two OpenVPN Servers
    a) OpenVPN Client works
    b) OpenVPN Servers: internet access works, no LAN access

    Now I guess my firewall settings are wrong…

    Many thanks in advance !

    I added the following screenshots:

    1. Dashboard Interfaces
    2. System Routing
    3. Interfaces
    4. NAT Outbound
    5. NAT Outbound VPN Client
    6. FW Rules OpenVPN TCP Server (3 images)
    7. FW Rule VPN Client
    8. FW Rule "OpenVPN"
    9. OpenVPN Server Settings (2 images)
    10. VPN Client (2 images)

  • Why do you hide your internal RFC 1918 networks? Nobody can access these from outside even if he knows your IPs. These networks are not routed in the internet.

    @chulio:

    • Some LAN devices could then be accessed but many others not. Without the whole OpenVPN Client settings it worked seamlessly,

    Seems that tunnel subnets or remote client networks are overlapping with LAN. You have 4 internal interfaces, presumably with 4 subnets. Are the unreachable hosts in a certain subnet or spread over different subnets?
    To get this straight it's necessary to know your interface setup (Status > Interfaces) and the VPN tunnel subnets without hiding IPs and mask; just WAN could be obscured, the only one where it makes sense for you.

    Another point, not the issue here: You should delete the allow rule on VPN client interface, if this connection is just for upstreaming, as I understand it.



  • Hi viragomann,

    Yes, sorry, please find the screenshot of Status -> Interfaces attached.
    It seems the 10.16.XX.XX subnet is created automatically.
    Optional, just curious: Could I use these IPs somehow or are they just for NAT?

    I need just access to some hosts in the LAN net when connecting to the OpenVPN Servers.
    The other subnets should not be reachable, intentionally.

    A question to "Another point, not the issue here:" Are you referring to the rule in 7) FW Rule VPN Client ?

    Many thanks in advance !

  • @chulio:

    It seems the 10.16.XX.XX subnet is created automatically.
    Optional, just curious: Could I use these IPs somehow or are they just for NAT?

    This is the VPN client's IP, you get this from the VPN server.
    You can only use it by its variable (client's interface address), because it's dynamic.

    @chulio:

    I need just access to some hosts in the LAN net when connecting to the OpenVPN Servers.
    The other subnets should not be reachable, intentionally.

    I can't see any cause for the issue here.
    Can you rule out that the LAN subnet overlaps with the VPN server clients' LAN?

    Do you also want to access the internet over the VPN from your clients? If you don't want this, uncheck "redirect gateway" in the Server settings and enter your LAN subnet in the "Local Networks" box instead.
    However, preventing access to other subnets has to be done later by firewall rules.

    @chulio:

    A question to "Another point, not the issue here:" Are you referring to the rule in 7) FW Rule VPN Client ?

    Yes, this rule allows access from the OpenVPN server side your client is connected to. I don't think that is what you want.



  • Thanks a lot for your answer.
    Now I understand what dynamic means in terms of address "settings".

    VPN Servers, I'm not sure if I understood your question. Maybe this answers (Status Interfaces):

    • The VPN Servers' network address range is different to the LAN address range.
    • The VPN Servers' IPv4 tunnel networks set are also correctly mapped in System->Routing.
    • Yes, I want to redirect via the OpenVPN Servers all corresponding VPN clients to the internet, as well as get access to the LAN network.

    It's good to know that in fact I don't want anybody from ExpressVPN to access my network :)
    Should (can) I remove the rule completely or should I change from source=any to destination=any to something more useful ?

    I'm also confused, that the OpenVPN Servers don't work correctly anymore after having installed the ExpressVPN Client. The FW Rule for the OpenVPN tab seems to be key in order that the ExpressVPN Client works, i.e. where I set to Gateway=ExpressVPN. This rule seems to mess up the OpenVPN Servers ?
    Therefore I'm looking for a better solution to make the OpenVPN Servers work again as they did before :(

    Many thanks in advance !



  • Hi,

    above you mentioned that you can access some hosts over VPN but not all. This could be an indication that your server side LAN overlaps the client side LAN. So you should check if this is the case here.

    If you don't want to grant access from the ExpressVPN subnet you do not need any firewall rule at this tab.
    Also you should delete all rules on the OpenVPN tab, since you now have the rules on the appropriate interface.

    Basically in pfSense firewall rules have to be added to that interface where the traffic comes in. So for instance if you want your LAN users to go out to ExpressVPN you have to add rule allowing this to the LAN interface only.

    Please post the interface settings of your OpenVPN servers from the interfaces menu. Maybe there is something wrong.
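A small checker for the overlap question raised in this thread (added here as an illustration; it is not part of the thread and not a pfSense tool). It takes the server-side LAN, the two OpenVPN tunnel networks and the remote client's own LAN as CIDRs, reports which pairs overlap, and shows why an overlap can make only some LAN hosts unreachable: addresses that also fall inside the client's local subnet are resolved by the directly connected route rather than the pushed VPN route. All addresses and names below are constructed placeholders, since the thread's real addresses are hidden.

```python
import ipaddress
from itertools import combinations

# Constructed sample values (hypothetical, not taken from the thread).
# The remote client LAN deliberately collides with the server-side LAN.
NETWORKS = {
    "LAN": "192.168.1.0/24",
    "OpenVPN TCP tunnel": "10.0.8.0/24",
    "OpenVPN UDP tunnel": "10.0.9.0/24",
    "Remote client LAN": "192.168.1.0/25",
}


def find_overlaps(networks):
    """Return the (name_a, name_b) pairs whose subnets overlap.

    Any overlap between the server LAN, a tunnel network and the network
    the VPN client sits in is a routing problem, not a firewall problem.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in networks.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]


def is_shadowed(host, server_lan, client_local_lan):
    """True if 'host' on the server LAN is hidden from the VPN client.

    The client's own subnet is a directly connected route; it wins over
    (or ties with) the route the OpenVPN server pushes for the same
    prefix, so hosts inside the collision are looked for locally and
    never enter the tunnel. Hosts outside the collision still work,
    which matches the 'some hosts reachable, others not' symptom.
    """
    addr = ipaddress.ip_address(host)
    server = ipaddress.ip_network(server_lan, strict=False)
    local = ipaddress.ip_network(client_local_lan, strict=False)
    return addr in server and addr in local


def shadowed_hosts(server_lan, client_local_lan):
    """List every server-LAN host address the client cannot reach."""
    server = ipaddress.ip_network(server_lan, strict=False)
    local = ipaddress.ip_network(client_local_lan, strict=False)
    return [str(h) for h in server.hosts() if h in local]


if __name__ == "__main__":
    for a, b in find_overlaps(NETWORKS):
        print(f"overlap: {a} ({NETWORKS[a]}) <-> {b} ({NETWORKS[b]})")
    hidden = shadowed_hosts(NETWORKS["LAN"], NETWORKS["Remote client LAN"])
    print(f"{len(hidden)} LAN hosts are shadowed by the client's own subnet")
```

Run it with the real CIDRs from Status > Interfaces and the client's home or hotel network; an empty overlap list rules out the routing explanation and points back at firewall rules or the pushed default route.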



  • Hi viragomann,

    At the moment I cannot access hosts over the VPN Servers. I tried once adding a rule and it did not work correctly.

    I turned off all FW Rules in the OpenVPN tab. Now I cannot connect to the OpenVPN Servers from the internet.

    • Please find attached the OpenVPN TCP Server (OpenVPN UDP Server is identical) from the interface menu.
    • As well I attached the FW Rules for WAN, whereas the two OpenVPN rules at the lower end were created automatically from the OpenVPN Wizard. Maybe they're not needed anymore as we use OpenVPN Server Gateways now ?

    Many thanks in advance !

  • And here also the FW Rules for LAN, attached.
    Without the third rule I get no internet access from the LAN.

  • @chulio:

    Without the third rule I get no internet access from the LAN.

    If you want to direct traffic from LAN over ExpressVPN you have to change the gateway here to ExpressVPNUDP_VPN4.

    This matter gave me another input. You will get the default route pushed from the VPN provider. This has to be prevented in your case.
    To do so go to the VPN client settings and check "Don't pull routes". This should solve the issue with the VPN servers.



  • Hi viragomann,

    I'm using individual hosts in the "VPN Client UDP" alias,
    i.e. specific IP addresses on the GOST net,
    to go over ExpressVPN to the internet. (see attachment)
    All other subnets are not allowed to use ExpressVPN, which I redirected to WAN ISP (see previous post with FW Rule LAN attachment).

    On the other hand I need to access the LAN over the OpenVPN Servers when I'm not at home,
    i.e. the LAN hosts shall not have access to the ExpressVPN Gateway.

    I added the Don't pull routes to the OpenVPN Client (ExpressVPN) and now I can connect again to the OpenVPN Servers ! I can access again a few hosts on LAN ! Unfortunately not all and it's extremely slow (compared to what I was used to).
    We're getting closer :) Thanks a lot !

    I'm wondering what it could be which blocks a few hosts but others not and being at the same time very slow.

    Many thanks in advance !




  • Is it possible that pfBlockerNG is slowing down something ?



  • No, pfBlockerNG just sets filter rules, which is basically the job of pfSense.

    Why do you use TCP for the VPN connection? UDP will be considerably faster.

    Are the hosts you can't reach over VPN all in the LAN subnet? I have already asked this, but got no answer.



  • Hi,

    Ah ok thanks.

    I use TCP 443 because it's typically not blocked, and UDP for streaming (faster as you said :) ).

    Yes, exactly: all hosts I need to reach via the OpenVPN Servers are in the LAN subnet; all other subnets such as GOST, VOIP or GAME are intentionally not of interest to be reached from the internet via the OpenVPN Servers.

    As mentioned I can reach only a few hosts on LAN and pretty slow. Some other hosts on the LAN are not reachable at all, which confuses me. Something in my FW Rules or NAT is strange and may cause this strange behaviour. The CPU is an overkill, shouldn't be an issue (i5 quad core).

    As you recommended I turned off the

    • FW Rule in ExpressVPNClient tab as well as
    • all FW Rules in the OpenVPN tab

    I attached my current screenshots, I think I missed something you recommended me to set (in the NAT or Rules part?)…

    Many thanks in advance.

  • How about the FW traffic shaper which I set up prior to setting up all the VPN Servers and Client.
    Is it possible that this causes some "blocking" ?

    Many thanks in advance!



  • Hi viragomann,

    Thanks to your help everything is working now !
    The screenshots I posted actually work.

    1. I found an issue with some LAN hosts … which had nothing to do with pfSense, I had changed something in their firewalls... shame on me !
    2. And it seems that mobile providers started closing some ports.

    Many thanks for your help  :) :) :)

    Now I have a last question :)
    I read about DNS leaks while using VPN providers, I'm not doing anything illegal, but I was wondering if this can be set to work correctly.
    Do these occur with pfSense or could we avoid or minimize DNS leaks when attributing specific DNS servers to the VPN client ?
    (And if yes, how can we do this in pfSense without altering the DNS servers used for the WAN ISP?)

    Many thanks in advance !



  • Fine that it's working.

    To avoid DNS leaks set your VPN clients to use an external DNS. So the request will be directed over the VPN and gets your ExpressVPN address.



  • Hi viragomann,

    Thanks for your reply.

    It works, there are no DNS leaks anymore :) !

