[Solved] Server Log IP Address Points to pfSense OpenVPN {Azure}



  • Hi all,

    Just looking for a little bit of guidance/help. Struggling with this.

    1 Network Interface
                                            Public IP:1194 UDP
                                            Static: 172.20.0.2
                                            {Azure Deployment}
    (Person Wanting to Connect) Internet -> pfSense + OpenVPN ->  Box A  (172.20.1.8 )
                                                              ->  Box B  (172.20.2.9 )

    Clients get ip in : 172.18.0.0/24

    Everything is working perfectly as far as VPN connectivity. A client connects, and is assigned a static ip. Box A & box B are now accessible.

    However, all server logs on Box A & B (and when I do a who on the box) show my pfSense/OpenVPN IP (172.20.0.2) instead of the client static IP.

    Where should I be looking/reading up on this? I had some trouble finding similar threads.

    Thanks!

    One edit:
    I thought IP forwarding might have been the issue after checking the Azure NIC (IP forwarding was off); however, I tested and updated the Azure NIC to enable IP forwarding and checked on the pfSense box (IP forwarding enabled):

    sysctl net.inet.ip.forwarding
    net.inet.ip.forwarding: 1



  • <= bump =>

    Hopefully it's something obvious.

    My second attempt was with pfSense 2.3.2 (2 NICs, 1 assigned WAN, 1 assigned 'LAN').

    I have OpenVPN listening on the LAN adapter. I have created a NAT rule to allow VPN connections to the LAN (WAN, UDP, , , WAN ADDRESS, 1194, LAN adapter IP, 1194)… however, who shows the WAN adapter.

    I have set up other servers running OpenVPN (off an Ubuntu box) and the server logs are as I would expect (client IP shows).

    ====================================================================================================

    Well if anyone stumbles upon this, here is what I did to fix this:

    * Automatic NAT to manual NAT
    * Removed WAN NAT entries for my tunnel network (left LAN... still need to validate traffic is going through my LAN interface)
    * On Azure, create an inbound rule on the NSG allowing my tunnel
    * On Azure, create a route table, tunnel next hop = pfSense (associate it to the subnet)
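To show why the switch from automatic to manual outbound NAT restores the client IP in Box A's logs, here is an added example that is not from this thread or from pfSense itself: a small first-match model of outbound NAT evaluation using the addresses above (172.18.0.0/24 tunnel, 172.20.0.2 pfSense, 172.20.1.8 Box A). The rule tables are constructed to mirror the two configurations described, not exported from a real pfSense box, and `audit_tunnel_nat` is a hypothetical helper that flags any rule that would still masquerade the tunnel network.

```python
import ipaddress

# Addresses from the thread.
PFSENSE_IP = "172.20.0.2"   # pfSense/OpenVPN host (what the logs wrongly showed)
BOX_A = "172.20.1.8"
TUNNEL_NET = "172.18.0.0/24"  # OpenVPN tunnel network handed to clients

def first_match(rules, src, dst):
    """pfSense evaluates outbound NAT top to bottom; the first matching rule wins.
    Returns the matching rule dict, or None when no translation applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (s in ipaddress.ip_network(rule["source"])
                and d in ipaddress.ip_network(rule.get("destination", "0.0.0.0/0"))):
            return rule
    return None

def observed_source(rules, client_ip, server_ip):
    """Source address the server (and its logs / `who`) will see for a client."""
    rule = first_match(rules, client_ip, server_ip)
    if rule is None or rule.get("no_nat"):
        return client_ip            # not translated: client IP is preserved
    return rule["translate_to"]     # masqueraded behind the firewall address

def audit_tunnel_nat(rules, tunnel_net=TUNNEL_NET):
    """Return every rule that would hide tunnel clients behind another address.
    An empty list means server-side logs keep per-client attribution."""
    tunnel = ipaddress.ip_network(tunnel_net)
    return [r for r in rules
            if not r.get("no_nat")
            and ipaddress.ip_network(r["source"]).overlaps(tunnel)]

# Constructed model of automatic outbound NAT: pfSense generates a masquerade
# rule for every local network, the OpenVPN tunnel network included.
AUTO_RULES = [
    {"source": "172.20.0.0/24", "translate_to": PFSENSE_IP},
    {"source": TUNNEL_NET,      "translate_to": PFSENSE_IP},
]

# Constructed model of manual outbound NAT with the tunnel entries removed,
# as the fix in the thread describes. Azure then needs a route for
# 172.18.0.0/24 with next hop = pfSense so Box A's replies can get back.
MANUAL_RULES = [
    {"source": "172.20.0.0/24", "translate_to": PFSENSE_IP},
]

if __name__ == "__main__":
    client = "172.18.0.5"  # constructed VPN client address
    print("automatic NAT, Box A sees:", observed_source(AUTO_RULES, client, BOX_A))
    print("manual NAT,    Box A sees:", observed_source(MANUAL_RULES, client, BOX_A))
    print("rules still masquerading the tunnel:", audit_tunnel_nat(MANUAL_RULES))
```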