OpenVPN rules other than any/any wizard rule?



  • Hi!

    I have an OpenVPN server on pfsense, and also connected to a client on a commercial VPN service.
    I had problems port forwarding from my openvpn client to LAN, due to the OpenVPN wizard any/any rule. Same problem as here: https://forum.pfsense.org/index.php?topic=57970.0

    Now, when I deactivated the OpenVPN any/any rule, I could port forward to LAN, so that's great. However, now when connecting to my pfSense OpenVPN server, of course, I cannot reach the internet or connect to my internal LAN.

    According to jimp in the bottom of the thread mentioned above: "You can have rules on the OpenVPN tab just make sure they don't match the traffic that would be coming over the assigned interface. Meaning, specify a proper source on the rules for other VPN instances and not just use 'any' or at least make sure that they don't match the same exact traffic as the rules on the assigned interface."

    This is where I am a little lost... I have tried different things, but I'm stuck, it's not working... so I was thinking I could ask someone here. What I am trying to do is two things:

    • Reach my internal LAN. Doesn't have to be all hosts, but four or five that I need to be able to connect to from the OpenVPN server. Including pfSense itself.
    • Make the OpenVPN server route internet traffic through WAN again.

    Sorry for the newbie question, firewall rules are not my strong side... Could anyone, in an easily understandable way, guide me in the right direction for which rules I must set under the OpenVPN rule tab instead of the any/any rule?

    Thanks a lot in advance :)

    Regards Tommy



  • If you are running a vpn client for upstream traffic only on pfSense you shouldn't have an any-to-any rule on vpn interface anyway!

    To separate the access permissions of the client and server interfaces you should assign a separate interface to each, as Jimp suggested in his post above. Interfaces > assign.
    At "available network ports" select the OpenVPN server, e.g. ovpns1, and hit add at the right. Then select the VPN client, e.g. ovpnc1, and hit add. Open both newly assigned interfaces, enable and save them. No further settings needed.

    Now you have one separate interface for the client and one for the server. In Firewall > Rules you'll find both, and you can define your needed firewall rules there. If your client is just intended for upstream traffic, you will not need any rule here.
    On the OpenVPN server's tab you may add the appropriate rules for your needs. And on the OpenVPN tab all rules should be deleted.

    If you don't intend to route all traffic over the VPN client, you should check "Don't pull routes" in the client settings to avoid getting the default route pushed from the server. Now the WAN gateway is your default gateway again and all traffic is routed over it unless you set a special route in the related firewall rule (policy routing).
    To route traffic over the VPN client, edit the firewall rule which allows the upstream traffic, go down and expand the advanced options, go to gateway and select the VPN client's gateway.

    To enable internet access for a VPN client connected to your server you need to add an outbound NAT rule on the WAN interface for the VPN tunnel subnet, aside from an appropriate firewall rule. However, if your Outbound NAT is set to do automatic rule generation, this rule should be added by pfSense itself when assigning an interface to the VPN server. Check this in Firewall > NAT > Outbound.
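The ruleset below is an added example, not something posted in this thread and not pfSense's generated configuration; it expresses the fix described above in pf.conf syntax so the logic is visible in one place. All interface names, subnets and gateway addresses are assumptions: `ovpns1` is the assigned OpenVPN server interface (tunnel net 10.8.0.0/24), `ovpnc1` the assigned interface of the client to the commercial VPN provider (provider gateway 10.9.0.1), `em0`/`em1` are WAN/LAN with WAN gateway 203.0.113.1, and `openvpn` is the group interface behind pfSense's "OpenVPN" rules tab, which matches every `ovpns*` and `ovpnc*` instance at once.

```pf
# Added example, not from the thread. Names and addresses are assumptions (see lead-in).
#   ovpns1  = assigned OpenVPN server interface, tunnel net 10.8.0.0/24
#   ovpnc1  = assigned OpenVPN client interface (commercial provider), gateway 10.9.0.1
#   openvpn = pfSense group interface covering every ovpns*/ovpnc* instance
#   em0/em1 = WAN/LAN, WAN gateway 203.0.113.1, LAN net 192.168.1.0/24

# --- NAT (pfSense's pf syntax keeps translation rules ahead of filter rules) ---

# Outbound NAT on WAN for the server's tunnel net. Automatic outbound NAT mode
# generates the equivalent once ovpns1 is an assigned interface.
nat on em0 inet from 10.8.0.0/24 to any -> (em0)

# Port forward arriving through the provider tunnel to a LAN host
# (constructed example: TCP 51413 to 192.168.1.10).
rdr on ovpnc1 inet proto tcp from any to (ovpnc1) port 51413 -> 192.168.1.10

# --- Filter rules ---

# 1. The wizard's any/any rule lives on the "openvpn" GROUP, so it matches
#    traffic entering on ovpns1 AND ovpnc1 and swallows the forwarded port before
#    any ovpnc1-specific rule is evaluated. Remove it (shown commented out):
# pass in quick on openvpn inet from any to any

# 2. Server side (ovpns1): connected clients may reach the firewall itself and a
#    handful of LAN hosts; everything else is sent out via the WAN gateway.
table <vpn_allowed_lan> { 192.168.1.10, 192.168.1.20, 192.168.1.30 }
pass in quick on ovpns1 inet from 10.8.0.0/24 to (self)
pass in quick on ovpns1 inet from 10.8.0.0/24 to <vpn_allowed_lan>
pass in quick on ovpns1 route-to (em0 203.0.113.1) inet from 10.8.0.0/24 to !192.168.1.0/24

# 3. Client side (ovpnc1): for upstream-only use nothing is passed in except the
#    forwarded port. reply-to keeps the replies inside the provider tunnel.
pass in quick on ovpnc1 reply-to (ovpnc1 10.9.0.1) inet proto tcp from any to 192.168.1.10 port 51413

# 4. With "Don't pull routes" set, WAN stays the default gateway; only the LAN
#    hosts that should use the commercial VPN are policy-routed into it.
pass in quick on em1 route-to (ovpnc1 10.9.0.1) inet from 192.168.1.10 to any
```

The point the example makes is in rule 1 versus rules 2 and 3: a rule on the `openvpn` group is evaluated for packets from both tunnels, so an `any`-to-`any` there hides the per-instance rules, whereas rules bound to `ovpns1` and `ovpnc1` only ever see their own tunnel's traffic. In the pfSense GUI the same result is reached by putting the rules on the assigned interfaces' tabs and leaving the OpenVPN tab empty; the rules in the example are written by hand here only to show what the GUI would generate.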



  • Thank you for a good explanation viragomann! I will give it a go :)



  • SUCCESS! I did as you said, added the OpenVPN server as a separate interface. Then I copied the any/any OpenVPN rule to the new interface, and deactivated it on the OpenVPN interface. Both internet and LAN hosts are now reachable through my VPN server, and the VPN provider's port forwarding to me works. :)

