Netgate Discussion Forum
OpenVPN Server to OpenVPN Client on same box

DJBenson

I am using both server and client versions of OpenVPN on my pfSense install; the OpenVPN server allows me to access my network whilst away from home, and the OpenVPN client(s) allow me to access geo-restricted sites from inside my network using firewall rules and aliases with the domain names of the sites I need to route and over which OpenVPN client to route them.

What I want to be able to do is access the same OpenVPN client rules when I'm coming externally into my network using the OpenVPN client on my iPhone to the server on pfSense, but I seem to have a routing issue, so any sites that are on my alias list result in a blank screen (removing the site and re-testing allows me to connect, so something is amiss with routing the inbound OpenVPN traffic back out of the OpenVPN client associated to the site I wish to access).

Something like this:

iPhone -> INTERNET -> pfSense -> LAN -> OpenVPN Client -> INTERNET -> Target Site

My OpenVPN server is on the 10.0.3.0/24 network
My LAN is on the 192.168.1.0/24 network

OpenVPN Server -> LAN works fine (and back out over WAN), as does LAN -> OpenVPN clients, just not the bit in the middle.

viragomann

Assuming you have already added an interface to the OpenVPN server, copy the relevant firewall rules from LAN to the OpenVPN interface.
Also check if pfSense has added an outbound NAT rule for 10.0.3.0/24 to the OpenVPN client interface you want to go out, when you're using automatic outbound NAT rule generation. If not, add it manually.

DJBenson

Hi

When I set up the OpenVPN server, I configured 10.0.3.0/24 as the IPv4 tunnel address. In all the firewall screens, I have an interface called "OpenVPN" but I've not explicitly created an interface (from the interfaces menu) for the server.

There is a default rule on the OpenVPN interface which is to pass everything, which was created by the OpenVPN wizard. I manually created an outbound NAT rule as per the following:

Interface  Source       Source Port  Destination  Destination Port  NAT Address      NAT Port  Static Port
OpenVPN    10.0.3.0/24  tcp/udp/*    *            tcp/udp/*         OpenVPN address  *

But it doesn't work.

EDIT:

DJBenson

It looks like the rules above are working but it's taking an unacceptable amount of time to hit the target website when compared to LAN->OpenVPN->NET (and is timing out more often than not). If I browse the same site from my laptop (which is going LAN->OpenVPN->NET->Target Site) the site appears almost immediately. Sites not on my alias load instantly over the OpenVPN server connection, as do LAN connections.

Something is wrong with that hop from OpenVPN server to client :(

EDIT: Sussed it out. The NAT rule needed to allow from "any" not just the OpenVPN network (10.0.3.0/24) - changing that has made the whole thing work as I expected it to.

viragomann

So add an interface for the OpenVPN server first. On the interface assignment tab select the OpenVPN server (ovpnsX) from the dropdown next to "Available network ports" and hit Add. Then open the interface settings and enable and save it; no other settings needed.

@DJBenson:

Interface  Source       Source Port  Destination  Destination Port  NAT Address      NAT Port  Static Port
OpenVPN    10.0.3.0/24  tcp/udp/*    *            tcp/udp/*         OpenVPN address  *

You have to add this rule to the client interfaces (OVPNNL, OVPNUS). These are outbound NAT rules; they have to be assigned to the outbound interface. Under Translation address, select Interface address.
This rule translates the source address of an outgoing packet to the interface address, i.e. that of the VPN client.
You have to add such a rule to each VPN client interface you want to go out.

DJBenson

OK so I've followed that:

Created an interface from the OpenVPN interface (OPT5) - enabled it and changed nothing else
Removed the NAT rules from the OpenVPN server interface (OPENVPN)
Added the NAT rules to the OpenVPN client interfaces (OVPNNL, OVPNUS), from 10.0.3.0/24 to the interface address

The page sits loading for a while and then times out.

viragomann

Of course you may change the name of the interface.

You also have to add an appropriate firewall rule to the new VPN server's interface. Maybe you just want an allow anything to any rule.
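An added illustration, not from any of the posts above: the pf rules that the steps worked out in this thread (an assigned server interface with its own pass rules, outbound NAT on each client interface translating to the interface address) correspond to on pfSense's underlying packet filter. The interface names ovpns1/ovpnc1/ovpnc2, the gateway macros and the GeoSites alias are assumed placeholders.

```pf
# Constructed pf.conf fragment mirroring the thread's working configuration.
# Assumed names: ovpns1 = OpenVPN server (tunnel 10.0.3.0/24), ovpnc1 = OVPNNL,
# ovpnc2 = OVPNUS. Gateway addresses are placeholders; pfSense fills in the
# peer address each client tunnel negotiates.
ovpnc1_gw = "10.8.0.1"      # placeholder
ovpnc2_gw = "10.9.0.1"      # placeholder
lan_net   = "192.168.1.0/24"
ovpns_net = "10.0.3.0/24"

# Alias of geo-restricted sites (constructed sample addresses).
table <GeoSites> { 203.0.113.10, 198.51.100.0/24 }

# 1. Outbound NAT lives on the egress (client) interfaces and rewrites the
#    source to that interface's address. Both local source networks are listed
#    explicitly, the tighter form of the "any" source the thread ended up with.
nat on ovpnc1 inet from { $lan_net, $ovpns_net } to any -> (ovpnc1)
nat on ovpnc2 inet from { $lan_net, $ovpns_net } to any -> (ovpnc2)

# 2. On the assigned server interface, alias destinations are policy-routed
#    out a client tunnel; everything else follows the default route (WAN).
#    pfSense attaches route-to to the pass rule that carries a gateway, so
#    this rule must exist on the assigned server interface (the last reply).
pass in quick on ovpns1 inet from $ovpns_net to <GeoSites> \
    route-to (ovpnc1 $ovpnc1_gw) keep state
pass in quick on ovpns1 inet from $ovpns_net to any keep state
```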

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.