Configuring as OpenVPN server only on single interface



  • New to pfSense and OpenVPN, so hopefully this isn't too basic…

    I am attempting to set up this configuration of OpenVPN "road warrior" remote access mode for pfSense on SG-1000:

    Internet -->  Existing router/Wireless AP --> client stations: Including PC, Mac, iPhone, iPad, and SG-1000

    My desire is to use pfSense/SG-1000 only as an OpenVPN server for incoming sessions to access both the local LAN and go back out to the Internet.

    What I think I should do/have started:

    1. Not using the WAN interface.  Set it to 172.16.0.1 (because it would not accept 0.0.0.0)
    2. Set the WAN gateway IP to the address of the existing router on the LAN
    3. Set the LAN interface to a static IP on the existing LAN subnet as a client station
    4. Ran the OpenVPN setup wizard and configured OpenVPN to use UDP on port 1194
    5. Configured existing router to port forward UDP/1194 to this LAN IP

    Is this correct?

    How do I verify that inbound connections can make it through to the OpenVPN server?  I haven't worked with a UDP service so I am not familiar with what tools are available.

    In this configuration, since I have an existing router (for now), can I turn off the firewall function completely in pfSense or do I need to leave it enabled and verify the rules and configuration?  Seems like all the routing is being done external to pfSense, but I'm not sure about this.  (In the long run, I will replace the existing router with pfSense, but not always as reconfiguring an entire network to replace existing router is a bigger transition.)
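    One way to answer the "how do I verify inbound UDP reaches the server" question is to watch the SG-1000's LAN interface with tcpdump (shipped with pfSense) while a client on the Internet, such as a phone on cellular, attempts to connect. The script below is an added example, not from the original thread or from pfSense; it assumes UDP/1194 from the post, and `lan0` is only a placeholder for the real LAN interface name (check Interfaces > Assignments). It distinguishes three outcomes: no inbound datagrams (the upstream port forward is not delivering), inbound datagrams but no replies from port 1194 (pfSense firewall rules on LAN or the OpenVPN server itself are the next thing to check), or inbound and replies (the path works at the packet level).

```shell
#!/bin/sh
# Added example for checking whether forwarded UDP/1194 reaches OpenVPN on the
# SG-1000. Run it on the pfSense shell (SSH or console option 8) while a
# remote client tries to connect. IFACE="lan0" is a placeholder, not a real
# SG-1000 interface name; override it with the interface shown in pfSense.
IFACE="${IFACE:-lan0}"
PORT="${PORT:-1194}"

# Capture a short window of UDP traffic on the VPN port. -n: no DNS lookups,
# -l: line-buffered, -c N: stop after N packets so the script terminates.
capture_vpn_udp() {
    tcpdump -nli "$IFACE" -c "${1:-20}" udp port "$PORT" 2>/dev/null
}

# Read tcpdump one-line output on stdin and print a single summary line:
#   inbound=<n> replies=<n> verdict=<text>
# Example tcpdump line (constructed):
#   12:00:00.000001 IP 203.0.113.5.51000 > 192.168.1.50.1194: UDP, length 54
# A datagram whose destination port is PORT counts as inbound; one whose source
# port is PORT counts as a reply from the OpenVPN server.
summarize_capture() {
    awk -v port="$PORT" '
        /UDP/ {
            # locate the ">" token; the fields around it are src and dst
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
            sub(/:$/, "", dst)
            n = split(src, s, "."); sport = s[n]
            n = split(dst, d, "."); dport = d[n]
            if (dport == port) inbound++
            if (sport == port) replies++
        }
        END {
            if (inbound + 0 == 0)
                v = "no_inbound_check_port_forward"
            else if (replies + 0 == 0)
                v = "inbound_but_no_reply_check_firewall_rules_or_openvpn_log"
            else
                v = "ok"
            printf "inbound=%d replies=%d verdict=%s\n", inbound + 0, replies + 0, v
        }'
}

# Stand-alone usage: sh check_vpn_udp.sh run
# Captures up to 20 packets on the VPN port and summarizes them.
if [ "${1:-}" = "run" ]; then
    capture_vpn_udp 20 | summarize_capture
fi
```

If the verdict is `inbound_but_no_reply`, the datagrams are arriving at the SG-1000 but nothing is answering them: confirm the pfSense LAN firewall rule that passes UDP/1194 to the LAN address (the wizard adds it for WAN, not LAN, so with this single-interface layout it has to exist on LAN) and look at Status > System Logs > OpenVPN for handshake errors. Note that OpenVPN with tls-auth silently drops datagrams that fail the HMAC check, so a plain `nc -u` probe will not elicit a reply; use a real client connection attempt as the traffic source.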



  • Why not turn your existing router/wifi into an AP and use the SG-1000 as your primary router? It would make your configuration much easier.



  • I do plan to eventually make the SG-1000 my primary router for myself, but currently I have a lot of special configuration on the router that I don't want to replicate, and I don't want the "production" network to go down if I screw up the SG-1000 configs.

    Also, I want to have the option to use SG-1000 as an "OpenVPN appliance" that I can just "drop-in" to client networks by having it completely pre-configured.  The LAN port would get an address by DHCP, so the only configuration I would have to do is define a DHCP address reservation on the foreign/main router and add one port forward to it and then the SG-1000 would just be a "plug and play" device to add a short-term inbound VPN to the network.  A "keep in the toolkit" and deploy so I could minimize time onsite and do the more advanced network administration (of the other stuff, not the SG-1000) via a secure remote access VPN.  (Theoretically, I might even be able to FedEx it to a client and talk them through the minimal installation without a physical trip.)

