OpenVPN Server to OpenVPN Client on same box

  • I am using both server and client versions of OpenVPN on my pfSense install; the OpenVPN server allows me to access my network whilst away from home, and the OpenVPN client(s) allow me to access geo-restricted sites from inside my network using firewall rules and aliases with the domain names of the sites I need to route and over which OpenVPN client to route them.

    What I want to be able to do is access the same OpenVPN client rules when I'm coming externally into my network using the OpenVPN client on my iPhone to the server on pfSense, but I seem to have a routing issue, so any sites that are on my alias list result in a blank screen (removing the site and re-testing allows me to connect, so something is amiss with routing the inbound OpenVPN traffic back out of the OpenVPN client associated to the site I wish to access).

    Something like this:

    iPhone -> INTERNET -> pfSense -> LAN -> OpenVPN Client -> INTERNET -> Target Site

    My OpenVPN server is on the network
    My LAN is on the network

    OpenVPN Server -> LAN works fine (and back out over WAN), as does LAN -> OpenVPN clients, just not the bit in the middle.

  • Assuming you have already added an interface to the OpenVPN server, copy the relevant firewall rules from LAN to the OpenVPN interface.
    Also check if pfSense has added an outbound NAT rule for to the OpenVPN client interface you want to go out, when you're using automatic outbound NAT rule generation. If not, add it manually.

  • Hi

    When I set up the OpenVPN server, I configured as the IPv4 tunnel address. In all the firewall screens, I have an interface called "OpenVPN" but I've not explicitly created an interface (from the interfaces menu) for the server.

    There is a default rule on the OpenVPN interface which is to pass everything, which was created by the OpenVPN wizard. I manually created an outbound NAT rule as per the following:

    Interface Source         Source Port Destination Destination Port NAT Address         NAT Port Static Port Description Actions
    OpenVPN tcp/udp/*         *                 tcp/udp/*         OpenVPN address *

    But it doesn't work.


  • It looks like the rules above are working but it's taking an unacceptable amount of time to hit the target website when compared to LAN->OpenVPN->NET (and is timing out more often than not). If I browse the same site from my laptop (which is going LAN->OpenVPN->NET->Target Site) the site appears almost immediately. Sites not on my alias load instantly over the OpenVPN server connection, as do LAN connections.

    Something is wrong with that hop from OpenVPN server to client :(

    EDIT: Sussed it out. The NAT rule needed to allow from "any" not just the OpenVPN network ( - changing that has made the whole thing work as I expected it to.

  • So add an interface for the OpenVPN server first. On the interface assignment tab select the OpenVPN server (ovpnsX) from the dropdown next to "Available network ports" and hit Add. Then open the interface settings and enable and save it; no other settings needed.


    Interface Source         Source Port Destination Destination Port NAT Address         NAT Port Static Port Description Actions
    OpenVPN tcp/udp/*         *                 tcp/udp/*         OpenVPN address *

    You have to add this rule to the client interfaces (OVPNNL, OVPNUS). These are outbound NAT rules; they have to be assigned to the outbound interface. At Translation address select interface address.
    This rule translates the source address of an outgoing packet to the interface address, that of the VPN client.
    You have to add such a rule to each VPN client interface you want to go out.

  • OK so I've followed that:

    Created an interface from the OpenVPN interface (OPT5) - enabled it and changed nothing else
    Removed the NAT rules from the OpenVPN server interface (OPENVPN)
    Added the NAT rules to the OpenVPN client interfaces (OVPNNL, OVPNUS), from to the interface address

    The page sits loading for a while and then times out.

  • Of course you may change the name of the interface.

    You also have to add an appropriate firewall rule to the new VPN server's interface. Maybe you just want an allow anything to any rule.

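As an added illustration (not from the original thread and not pfSense's own generated ruleset), here is what the procedure the replies describe (assign the OpenVPN server as an interface, put outbound NAT with source "any" on each OpenVPN client interface, and give the server interface the same policy-routing firewall rules as LAN) looks like written as pf rules of the kind pfSense emits into /tmp/rules.debug. The interface names ovpns1/ovpnc1/ovpnc2, the tunnel next-hop addresses, the server tunnel subnet and the alias contents are all assumptions; in the GUI the hostname aliases are resolved by pfSense itself, so the table entries below are constructed placeholders.

```pf
# Added example: pf equivalents of the pfSense GUI settings discussed above.
# Interface names, addresses and table contents are assumptions, not values from the thread.

# Assumed interface mapping (Interfaces > Assignments):
#   ovpns1 = OpenVPN server, assigned as an OPTx interface
#   ovpnc1 = OpenVPN client "OVPNNL"
#   ovpnc2 = OpenVPN client "OVPNUS"
# Assumed remote tunnel endpoints used as route-to next hops (placeholders):
#   10.8.1.1 on ovpnc1, 10.8.2.1 on ovpnc2
# Assumed OpenVPN server tunnel network (placeholder): 10.8.0.0/24

# Aliases of geo-restricted sites. The GUI alias holds hostnames that pfSense
# resolves into tables; these addresses are constructed placeholders.
table <geo_nl> { 192.0.2.10, 192.0.2.11 }
table <geo_us> { 198.51.100.20 }

# --- Outbound NAT (Firewall > NAT > Outbound) ---
# Narrower form the thread reported as NOT working: source limited to the
# server tunnel network.
#   nat on ovpnc1 inet from 10.8.0.0/24 to any -> (ovpnc1)
#
# Form the thread reported as working: source "any", so LAN hosts and road-warrior
# clients arriving over ovpns1 are both translated to the client interface address.
# These rules belong on the outbound (client) interfaces, not on the server interface.
nat on ovpnc1 inet from any to any -> (ovpnc1) port 1024:65535
nat on ovpnc2 inet from any to any -> (ovpnc2) port 1024:65535

# --- Firewall rules on the assigned OpenVPN server interface ---
# Same policy-routing rules the LAN tab already carries: traffic for each alias is
# forced out of the matching OpenVPN client interface instead of the default route.
pass in quick on ovpns1 route-to (ovpnc1 10.8.1.1) inet proto { tcp udp } from any to <geo_nl> keep state
pass in quick on ovpns1 route-to (ovpnc2 10.8.2.1) inet proto { tcp udp } from any to <geo_us> keep state

# Everything else from road-warrior clients: the plain allow-any rule the last reply suggests.
pass in quick on ovpns1 inet from any to any keep state
```

The two things a practitioner would check on the live box are `pfctl -sn` (the nat rules must list ovpnc1/ovpnc2 as the `on` interface with `from any`) and `pfctl -sr | grep ovpns1` (the route-to rules must appear before the catch-all pass on ovpns1, since `quick` makes ordering decisive).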