    Running OpenVPN on LAN interface.
    viragomann:

      That won't be a pfSense issue.

      When you access your LAN devices from a VPN client, the devices will send responses to their default gateway, but pfSense isn't the default GW any more.

      Now you either have to add a static route for VPN tunnel subnet to all your devices you want to access over VPN pointing to pfSense or you do NAT at pfSense for this traffic.

      JamesVA:

        @viragomann:

        That won't be a pfSense issue.

        When you access your LAN devices from a VPN client, the devices will send responses to their default gateway, but pfSense isn't the default GW any more.

        Now you either have to add a static route for VPN tunnel subnet to all your devices you want to access over VPN pointing to pfSense or you do NAT at pfSense for this traffic.

        viragomann, thanks for your reply! I ran the following on the device I'm trying to remote into (192.168.100.121):

        route ADD 192.168.101.0 MASK 255.255.255.0 192.168.100.5

        The routing table on that device now looks like:

        IPv4 Route Table

        Active Routes:
        Network Destination        Netmask          Gateway      Interface  Metric
                  0.0.0.0          0.0.0.0    192.168.100.1  192.168.100.121    25
                127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
                127.0.0.1  255.255.255.255        On-link        127.0.0.1    331
          127.255.255.255  255.255.255.255        On-link        127.0.0.1    331
            192.168.100.0    255.255.255.0        On-link  192.168.100.121    281
          192.168.100.121  255.255.255.255        On-link  192.168.100.121    281
          192.168.100.255  255.255.255.255        On-link  192.168.100.121    281
            192.168.101.0    255.255.255.0    192.168.100.5  192.168.100.121    26
            192.168.157.0    255.255.255.0        On-link    192.168.157.1    291
            192.168.157.1  255.255.255.255        On-link    192.168.157.1    291
          192.168.157.255  255.255.255.255        On-link    192.168.157.1    291
            192.168.237.0    255.255.255.0        On-link    192.168.237.1    291
            192.168.237.1  255.255.255.255        On-link    192.168.237.1    291
          192.168.237.255  255.255.255.255        On-link    192.168.237.1    291
                224.0.0.0        240.0.0.0        On-link        127.0.0.1    331
                224.0.0.0        240.0.0.0        On-link    192.168.237.1    291
                224.0.0.0        240.0.0.0        On-link    192.168.157.1    291
                224.0.0.0        240.0.0.0        On-link  192.168.100.121    281
          255.255.255.255  255.255.255.255        On-link        127.0.0.1    331
          255.255.255.255  255.255.255.255        On-link    192.168.237.1    291
          255.255.255.255  255.255.255.255        On-link    192.168.157.1    291
          255.255.255.255  255.255.255.255        On-link  192.168.100.121    281

        However, I still can't ping or RDP into that device from an OpenVPN client. Is there anything else I'm missing?

        Thanks!

        viragomann:

          If it worked before, when pfSense was the default gateway, it should also work now with this route set on the destination device.

          However, remember that this route is not persistent.

          Maybe there are other reasons for the issue now, like the Windows firewall?

          JamesVA:

            OK, I think it's working now with that particular client. Disabled the Windows firewall - started working. Re-enabled the firewall - continues to work. Shrug.

            viragomann - how would I go about solving this via NAT? The issue with adding a persistent route is that on some devices I don't have access to the OS to add a static route (for example a NAS).

            Thanks!

            viragomann:

              You have to add an outbound NAT rule. Firewall > NAT > Outbound.

              If outbound NAT is set to automatic rule generation, select hybrid first and hit the save button below.

              Then add a new rule:
              Interface: LAN
              Source: Network 192.168.101.0/24 (the VPN tunnel network)
              Dest.: any
              Translation: Interface address
              You may enter a description, then save it and apply changes.

              This rule translates the source addresses of VPN traffic to the LAN address, so responses are sent back to pfSense without the need for a special route.

              JamesVA:
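The two fixes discussed above (the static route on the LAN device and the outbound NAT rule on pfSense) solve the same return-path problem. This added example, which is not from the thread and not pfSense code, models that problem with a longest-prefix-match lookup over the routing table JamesVA posted: the addresses are the thread's own, the VPN client address 192.168.101.6 and the function names are constructed.

```python
import ipaddress

# Routing table of the Windows LAN host 192.168.100.121 from the thread,
# reduced to the entries that decide where a reply goes:
# (destination, netmask, gateway or "On-link").
PFSENSE_LAN = "192.168.100.5"   # pfSense LAN address, also the OpenVPN server
ISP_ROUTER = "192.168.100.1"    # the host's default gateway (not pfSense)

ROUTES_BEFORE = [
    ("0.0.0.0", "0.0.0.0", ISP_ROUTER),
    ("192.168.100.0", "255.255.255.0", "On-link"),
]
# After `route ADD 192.168.101.0 MASK 255.255.255.0 192.168.100.5`
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.101.0", "255.255.255.0", PFSENSE_LAN)]


def next_hop(routes, dst):
    """Longest-prefix-match lookup, the way the host's IP stack picks a route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, mask, gw in routes:
        n = ipaddress.ip_network(f"{net}/{mask}")
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else None


def reply_reaches_pfsense(routes, client_src, outbound_nat=False):
    """Does the LAN host's reply to a packet from the VPN client get back to pfSense?

    With the outbound NAT rule on pfSense the host sees PFSENSE_LAN as the
    source, so the reply is on-link and delivered straight to pfSense.
    Without NAT the host needs a route for the tunnel subnet via pfSense;
    otherwise the reply goes to the default gateway and never reaches the client.
    """
    seen_src = PFSENSE_LAN if outbound_nat else client_src
    gw = next_hop(routes, seen_src)
    return gw == PFSENSE_LAN or (gw == "On-link" and seen_src == PFSENSE_LAN)


if __name__ == "__main__":
    client = "192.168.101.6"  # constructed VPN client tunnel address
    for label, routes in (("before route ADD", ROUTES_BEFORE),
                          ("after route ADD", ROUTES_AFTER)):
        for nat in (False, True):
            print(f"{label:16} outbound NAT={nat!s:5} -> reply reaches pfSense: "
                  f"{reply_reaches_pfsense(routes, client, nat)}")
```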

                OK, I added the rules as you suggested (screenshots attached), but I still can't ping anything that I didn't add a static route on. Is there anything additional I need to do?

                Thanks!

                Attachments: pfsense_firewall_nat_outbound.jpg, pfsense_firewall_nat_outbound_rule_details.jpg

                viragomann:

                  Above you've written that firewalling is disabled.
                  If you've set the option "Disable Firewall" in System > Advanced > Firewall & NAT, NAT is disabled as well, and no firewall or NAT rule will work.

                  Attachment: DisableFirewall.png

                  JamesVA:

                    You're right. I even got a warning when I was adding a NAT rule saying that filtering is disabled. Doh! I initially disabled the firewall because I couldn't get into 192.168.100.5:1194/udp from outside at all.

                    I've re-enabled it and added a LAN:any > LAN address:1194 tcp/udp rule. Seems like I can ping other clients now, thanks!

                    I also use pfSense for DHCP and DNS. DNS works for LAN clients, but for some reason OpenVPN clients can't query 192.168.100.5:53. I've tried adding a couple of rules I thought I was missing on the LAN and VPN interfaces, but they didn't work.

                    Is there a rule I need to add to fix this?

                    Thanks!

                    viragomann:

                      With the any-to-any rule on the OpenVPN interface shown above, access to the DNS should work.
                      DNS access needs at least port 53 TCP/UDP.

                      Remember that you will have to request host names with their FQDN (host.domain) from remote.

                      JamesVA:

                        Yup, I've been using FQDNs in nslookup tests (see attached screenshots). Could it be something in my DNS forwarder settings? Should I be listening on ALL interfaces in it, or just pick LAN?

                        Thanks!

                        Attachments: pfsense_dns_forwarder.jpg, nslookup_from_LAN_client.jpg, nslookup_from_oVPN_cleint.jpg

                        viragomann:

                          You may also select multiple interfaces by holding the CTRL key, but the OpenVPN interface has to be selected, even though the client is accessing the LAN IP.

                          JamesVA:

                            Yup - I think that fixed it. I switched from "All" to multi-select. All seems to be working now!

                            Huge thanks for your help, truly appreciated!
