Cleanly separate WiFi and LAN using OpenVPN

  • Hello

    I want to separate LAN and WiFi subnets.
    Here is what I have:

    LAN interface 
      Subnet (with DHCP)
    WIFI interface
      Subnet (with DHCP)

      Private_IPv4,, Private IPv4 ranges


    At this point everything seems to work, WiFi clients can use internet but have no access to LAN hosts.

    Now I want to use OpenVPN to enable WiFi clients be able to access LAN hosts.  And with the current rule, of cause, I can't connect to my OpenVPN server.

    What would be good way to accomplish this?


  • LAYER 8 Global Moderator

    Put a rule above your ! private IPv4 alias that allows access to your vpn port on pfsense wifi net interface IP.

    Rules are evaluated top down, inbound into that interface from that network, first rule to trigger wins, no other rules are evaluated.

  • Thanks for quick reply !

    I must be missing something, this did not work so far

  • LAYER 8 Global Moderator

    that rule is set for TCP.. 1194 on openvpn is the default UDP port - so not going to work no, don't even see any hits to it the 0/0

  • Stupid me  :(

    Corrected, but still no love

  • LAYER 8 Global Moderator

    what rules do you have above that rule?  Is openvpn listening on that interface, what are you pointing your client to - name or IP, etc.

    I see hits to that rule.. So seems maybe you have pfsense not listening on interface your hitting, or you using some name that is not resolving correctly to the correct IP, etc.

    If you hit your openvpn are you allowing access to your lan, etc.

  • Here is what I know (maybe not all what you are asking)
    My OpenVPN server is on port 1194

    it's using DDNS not IP

    When I use rules like !LAN net ( it seems working fine, restricting access to LAN and allows to connect to OpenVPN server

    However, when I enable rules like this, I can connect from other WiFi's and connect to OpenVPN, but from my WiFi i have not internet access and no OpenVPN connect.

  • LAYER 8 Global Moderator

    What interface is that openvpn running on?

    In your client config what are you pointing them too in your export of the config?

    If you want your wifi clients to use the vpn, then it should be listening on your wifi interface of pfsense, and NOT your wan..

Log in to reply