pfSense as a Standalone OpenVPN Endpoint?

  • Can pfSense be configured to sit on a LAN (behind a gateway, through which the OpenVPN incoming traffic is NATed) and just be an OpenVPN endpoint to allow traffic to the same LAN?

  • Yes, that works. I currently have such a setup running.

  • Any chance you could give me a rough idea of how to set that up? Or what to google for in order to find out how it's done?

  • There is nothing special with this setup.
    Just set up an OpenVPN server: https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
    You may also use the wizard for that.

    The only challenge here is to route the response traffic back to the VPN client. Since pfSense wouldn't be the default gateway in the LAN here, the LAN devices will direct their responses to VPN clients to the gateway instead of to pfSense, and the packets get misrouted.
    To get this working you can either add a route to each LAN device you want to access from the VPN, or you do SNAT at pfSense to translate the source address of any packet from a VPN client to the pfSense LAN address. But this way, any access seems to come from pfSense, which won't be ideal, since you cannot differentiate VPN users.

  • Rebel Alliance Global Moderator

    You can get rid of routing issues by placing your VPN box that is behind the gateway on a transit VLAN vs. on the LAN your users are on. So this removes the asymmetrical routing problem but leaves you with a hairpin configuration.

    But this is a hack sort of solution, to be honest. Your VPN endpoint really belongs at the edge, not internal to your network. If the device is internal you either end up with asymmetrical routing or have to do host routing, and you end up with hairpins. Placing the VPN at the edge of the network removes all of these issues.

    While you could for sure leverage pfSense as just an OpenVPN appliance sort of thing, putting one leg of it outside is the better solution if you cannot just use it as your edge/border firewall/router and OpenVPN device. To do this you do need more than 1 public IP.

  • Or you can just NAT packets from the VPN to the local subnet; that way you will not have a problem with asymmetrical routing, but, depending on the number of VPN users and the services they will access in your LAN, you can have anywhere from almost zero problems (for web services, for example) to totally non-working (services which really don't like to be NATed, like SMB or NFS).
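To make the asymmetric-routing problem and the two fixes discussed in this thread (a static route on each LAN host vs. SNAT on pfSense) concrete, here is an added example that is not from the thread or from pfSense itself: a small longest-prefix-match model of a LAN host's routing decision when it replies to a VPN client. All addresses (the 192.168.1.0/24 LAN, the 10.8.0.0/24 tunnel network, the gateway at .1 and pfSense at .5) are constructed for illustration; in a real deployment the SNAT side is configured as an outbound NAT rule in the pfSense GUI.

```python
# Added example, not pfSense code: model a LAN host's reply path to an OpenVPN
# client with (a) no fix, (b) a host route via pfSense, (c) SNAT on pfSense.
# All addresses below are constructed for illustration.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
TUNNEL = ip_network("10.8.0.0/24")         # OpenVPN tunnel network (assumed)
DEFAULT = ip_network("0.0.0.0/0")
GATEWAY = ip_address("192.168.1.1")        # LAN default gateway (not pfSense)
PFSENSE_LAN = ip_address("192.168.1.5")    # pfSense LAN-side address
VPN_CLIENT = ip_address("10.8.0.6")        # a connected VPN client
DIRECT = "direct"                          # marker for a directly connected network

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; gateway None = connected."""
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1] if best[1] is not None else DIRECT

# Routing table of an ordinary LAN host: connected LAN plus default route to the gateway.
HOST_ROUTES = [(LAN, None), (DEFAULT, GATEWAY)]

def scenario_no_fix():
    """Request arrives with the client's tunnel address; the reply goes to the gateway,
    which never saw the request -> asymmetric routing."""
    return next_hop(HOST_ROUTES, VPN_CLIENT)

def scenario_host_route():
    """Fix 1: each LAN host gets a static route for the tunnel network via pfSense."""
    routes = HOST_ROUTES + [(TUNNEL, PFSENSE_LAN)]
    return next_hop(routes, VPN_CLIENT)

def scenario_snat():
    """Fix 2: pfSense rewrites the source to its own LAN address, so the host answers
    on the connected LAN. Returns (next hop, source the host sees)."""
    translated_src = PFSENSE_LAN          # identical for every VPN client
    return next_hop(HOST_ROUTES, translated_src), translated_src

def is_asymmetric(hop):
    """True when the reply leaves through the gateway instead of back via pfSense."""
    return hop == GATEWAY

if __name__ == "__main__":
    print("no fix     :", scenario_no_fix(), "asymmetric" if is_asymmetric(scenario_no_fix()) else "ok")
    print("host route :", scenario_host_route())
    print("SNAT       :", scenario_snat(), "(client identity lost)")
```

Note that in the SNAT case the host sees the same source for every VPN user, which is the loss of per-user visibility mentioned above.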