Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Running OpenVPN on LAN interface.

    Scheduled Pinned Locked Moved OpenVPN
    13 Posts 2 Posters 2.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      JamesVA
      last edited by

      @viragomann:

      That won't be a pfSense issue.

      When you access your LAN devices from a VPN client, the devices will send responses to their default gateway, but pfSense isn't the default GW any more.

      Now you either have to add a static route for VPN tunnel subnet to all your devices you want to access over VPN pointing to pfSense or you do NAT at pfSense for this traffic.

      viragomann thanks for your reply!  I ran the following on the device i'm trying to remote into (192.168.100.121):

      route ADD 192.168.101.0 MASK 255.255.255.0 192.168.100.5

      The routing table on that devices now looks like:

      IPv4 Route Table

      Active Routes:
      Network Destination        Netmask          Gateway      Interface  Metric
                0.0.0.0          0.0.0.0    192.168.100.1  192.168.100.121    25
              127.0.0.0        255.0.0.0        On-link        127.0.0.1    331
              127.0.0.1  255.255.255.255        On-link        127.0.0.1    331
        127.255.255.255  255.255.255.255        On-link        127.0.0.1    331
          192.168.100.0    255.255.255.0        On-link  192.168.100.121    281
        192.168.100.121  255.255.255.255        On-link  192.168.100.121    281
        192.168.100.255  255.255.255.255        On-link  192.168.100.121    281
          192.168.101.0    255.255.255.0    192.168.100.5  192.168.100.121    26
          192.168.157.0    255.255.255.0        On-link    192.168.157.1    291
          192.168.157.1  255.255.255.255        On-link    192.168.157.1    291
        192.168.157.255  255.255.255.255        On-link    192.168.157.1    291
          192.168.237.0    255.255.255.0        On-link    192.168.237.1    291
          192.168.237.1  255.255.255.255        On-link    192.168.237.1    291
        192.168.237.255  255.255.255.255        On-link    192.168.237.1    291
              224.0.0.0        240.0.0.0        On-link        127.0.0.1    331
              224.0.0.0        240.0.0.0        On-link    192.168.237.1    291
              224.0.0.0        240.0.0.0        On-link    192.168.157.1    291
              224.0.0.0        240.0.0.0        On-link  192.168.100.121    281
        255.255.255.255  255.255.255.255        On-link        127.0.0.1    331
        255.255.255.255  255.255.255.255        On-link    192.168.237.1    291
        255.255.255.255  255.255.255.255        On-link    192.168.157.1    291
        255.255.255.255  255.255.255.255        On-link  192.168.100.121    281

      However I still can't ping or RDP into that devices from an openVPN client.  Is there anything else I'm missing?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • V
        viragomann
        last edited by

        If it has worked before as pfSense was the default gateway it should also work now with this route set on the destination device.

        However, remember that his route is not persistent.

        Maybe there are other reasons for that issue now like Windows firewall?

        1 Reply Last reply Reply Quote 0
        • J
          JamesVA
          last edited by

          OK, i think it's working now with that particular client.  Disabled windows firewall - started working.  Re-enabled wf - continues to work.  shrug.

          viragomann - how would I go about solving this via  NAT?  The issue with adding a persistent route is that on some devices i don't have access to the OS to add a static route. (for example NAS).

          Thanks!

          1 Reply Last reply Reply Quote 0
          • V
            viragomann
            last edited by

            You have to add an outbound NAT rule. Firewall > NAT > Outbound.

            If the outbound NAT is set to do automatic rule generation, select hyprid at first and hit the save button below.

            Then add a new rule:
            inteface: LAN
            Source: Network 192.168.101.0/24 (the VPN tunnel network)
            Dest.: any
            Translation: Interface address
            You may enter a description, then save it and apply changes.

            This rule translates source addresses from VPN traffic to the LAN address, so responses are sent back to pfSense without the need of a special route.

            1 Reply Last reply Reply Quote 0
            • J
              JamesVA
              last edited by

              OK, I added the rules as you suggested (screenshots attached), but still can't ping anything that I didn't add a static route on…. Is there anything additional i need to do?

              Thanks!

              pfsense_firewall_nat_outbound.jpg
              pfsense_firewall_nat_outbound.jpg_thumb
              pfsense_firewall_nat_outbound_rule_details.jpg
              pfsense_firewall_nat_outbound_rule_details.jpg_thumb

              1 Reply Last reply Reply Quote 0
              • V
                viragomann
                last edited by

                Above you've written, firewalling is disabled.
                If you've set the option "Disable Firewall" in System > Advanced > Firewall & NAT, there is also NAT disabled and not any firewall or NAT rule would work.

                DisableFirewall.png
                DisableFirewall.png_thumb

                1 Reply Last reply Reply Quote 0
                • J
                  JamesVA
                  last edited by

                  You're right.  I even got a warning when i was adding a NAT rule saying that filtering is disabled. doh!  I initially disabled fw because i couldn't get into 192.168.100.5:1194/udp from outside at all.

                  I've re-enabled it and added a LAN:any > LAN address:1194tcp/udp.  Seems like I can ping other clients now, thanks!

                  I also use pfsense for DHCP and DNS.  DNS works for LAN clients, but for some reason openVPN clients can't query 192.168.100.5:53.  I've tried adding a couple of rules I thought that I was missing on LAN and VPN interfaces, but they didn't work.

                  Is there a rule I need to add to fix this?

                  Thanks!

                  1 Reply Last reply Reply Quote 0
                  • V
                    viragomann
                    last edited by

                    With the any to any rule on OpenVPN interface shown above the access to the DNS should work.
                    The DNS access need at least access to port 53 with TCP/UDP.

                    Remember that you will have to request host names with their FQDN (host.domain) from remote.

                    1 Reply Last reply Reply Quote 0
                    • J
                      JamesVA
                      last edited by

                      Yup, i've been using FQDNs within nslookup tests (see attached screenshots).  Could it be something within my DNS forwarder settings?  Should i be listening on ALL interfaces within it, or just pick LAN?

                      Thanks!

                      pfsense_dns_forwarder.jpg
                      pfsense_dns_forwarder.jpg_thumb
                      nslookup_from_LAN_client.jpg
                      nslookup_from_LAN_client.jpg_thumb
                      nslookup_from_oVPN_cleint.jpg
                      nslookup_from_oVPN_cleint.jpg_thumb

                      1 Reply Last reply Reply Quote 0
                      • V
                        viragomann
                        last edited by

                        You may also select multiple interfaces by holding the CTRL key, but the OpenVPN interface has to be selected, though the client is accessing the LAN IP.

                        1 Reply Last reply Reply Quote 0
                        • J
                          JamesVA
                          last edited by

                          Yup - i think that fixed it.  I switched from "All" to multi selected.  All seems to be working now!

                          Huge thanks for your help, truly appreciated!

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.