Multiple OpenVPN Clients and Server Together

  • I have tried searching, but I can't seem to find my specific answer.  I found this thread -, but I must not be replicating all the steps just right.

    In a nutshell, I can't seem to get NAT and firewall rules configured properly to use two OpenVPN clients and host one OpenVPN server on the same box.

    On my home pfSense instance, I have configured three client VPNs.  One is a site-to-site with my work and two are for IPVanish.

    The two IPVanish VPN connections are set up as a failover gateway.

    All of my traffic routes either directly onto the WAN (in rare instances such as Netflix, which blocks proxies and VPNs), connects to my office site-to-site, or exits through the IPVanish failover gateway.  Everything works perfectly at home.

    I am not sure if it is relevant, but my house is not the only client that connects into the work VPN server.  I have many sites (family, friends, and mobile devices) which are all connected through the office setup.  It is a hub-and-spoke configuration to share assets across the various VPN subnets.  All of the networks and devices use the primary work gateway for DNS to avoid transparent DNS proxies, etc., as well as to obscure traffic through aggregation.  It is much easier to route everyone through one gateway than to try and set up DNSCrypt or other tools on every single router.  Also, one of my objectives is to be able to connect any number of mobile devices into my work VPN, which will then route all outbound, WAN-side traffic through IPVanish.  This allows me many more concurrent connections via aggregation than you are otherwise permitted, and it also allows me to maintain a single VPN connection while traveling or abroad which will still allow me to access internal assets while protecting all of my traffic.

    My problem is when I try to replicate my home setup on my work pfSense setup.  The critical difference is that home is exclusively OpenVPN clients and work is the server.

    EDIT: I changed the OpenVPN server Tunnel network to so that it isn't part of the range.

    Everything works at work when it's just a server, but when I try to add the IPVanish client connections, I break the site-to-site connections.

    Any tips on how to manually configure NAT, whether I need static routes, etc. would be much appreciated.  I'm a little over my head on making the in-and-out complexity all work for this setup.

  • Reads like a complex setup, which requires skills to run.

    Some suggestions:

    • Check your routing tables (Diagnostics / Routes) on each box; it will tell you where your traffic wants to go

    • Install the mtr package to watch routes in real time

    • Replicate your environment on a virtual server with software defined networking support, so you can validate the permutations
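A small model of the "check your routing tables" advice above, added here as an example and not part of either post in the thread. It simulates kernel-style longest-prefix matching on a constructed routing table for a hub box that runs both an OpenVPN server and a provider client: when the client pulls the provider's `redirect-gateway def1` push, two /1 routes land in the table and beat the /0 default, so any spoke subnet the hub has no specific route for silently leaves through the provider tunnel instead of the site-to-site. It also flags overlapping tunnel networks, which is the problem the EDIT about the server Tunnel network alludes to. All prefixes, gateway labels and interface names (`ovpns1`, `ovpnc1`, `IPVANISH_GW`, the 10.8/10.20/192.168 ranges) are assumptions for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed routing table for the hub ("work") box in the thread.
# Every prefix, gateway and interface label is an assumption for illustration.
ROUTES = [
    ("0.0.0.0/0",       "WAN_GW"),       # real default route
    ("0.0.0.0/1",       "IPVANISH_GW"),  # two halves pushed by the provider (redirect-gateway def1)
    ("128.0.0.0/1",     "IPVANISH_GW"),
    ("10.8.0.0/24",     "ovpns1"),       # OpenVPN server tunnel network
    ("10.20.0.0/24",    "ovpnc1"),       # IPVanish client tunnel network
    ("192.168.10.0/24", "ovpns1"),       # home LAN behind the site-to-site client
    ("192.168.20.0/24", "ovpns1"),       # a family site
]

# Constructed list of spoke subnets the hub is supposed to reach over ovpns1.
# 192.168.30.0/24 deliberately has no route entry above.
SPOKES = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching prefix wins,
    which is how the kernel picks a route.  Returns the gateway label."""
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def misrouted_spokes(spokes=SPOKES, routes=ROUTES, want="ovpns1"):
    """Spoke subnets whose first host would leave through something other
    than the OpenVPN server interface, i.e. the site-to-site is broken for them."""
    bad = []
    for s in spokes:
        first = ipaddress.ip_network(s)[1]
        gw = lookup(str(first), routes)
        if gw != want:
            bad.append((s, gw))
    return bad


def overlapping(nets):
    """Every pair of networks that overlap; tunnel networks and LANs must not."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    return [(str(a), str(b)) for a, b in combinations(parsed, 2) if a.overlaps(b)]


if __name__ == "__main__":
    print(lookup("8.8.8.8"))        # IPVANISH_GW: the pushed /1 beats the /0 default
    print(lookup("192.168.10.5"))   # ovpns1: the spoke /24 beats the pushed /1
    print(misrouted_spokes())       # [('192.168.30.0/24', 'IPVANISH_GW')]
    print(overlapping(["10.8.0.0/24", "10.8.0.0/16", "192.168.10.0/24"]))
```

Run against the real table from Diagnostics / Routes, the same check tells you which spoke subnets lack a route via the server interface. On the hub, the usual fix is to stop the provider client from installing its pushed routes at all (OpenVPN's `route-nopull`, exposed in the pfSense client settings as "Don't pull routes") and to send WAN-bound traffic to the provider with policy-routing firewall rules instead, so the site-to-site routes in the system table are never shadowed.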

  • Thank you for the advice.  I will attempt those suggestions.  I edited my original post to make things clearer and more descriptive for anyone else who may be able to render advice.
