Pfsense on LAN as OpenVPN RAS only, how to access the rest of the LAN

  • hi

    i set up pfsense in KVM on a existing LAN to act as a VPN appliance with private and public IP assigned. pfsense is not the router or dhcp server for this existing network.
    it has two vNICs static LAN and static WAN
    i can ping all other local hosts on the subnet from static LAN on pfsense

    i set up OPENVPN server and can connect with the exported config. however i can only ping static LAN ip of the pfsense and not anything in the existing LAN. it's set in the local LAN field in openvpn config.

    if anyone could shed some light on how to get it to work i'd really appreciate it.

  • If you try to access your LAN devices they will send responses to the default gateway, since they have no route to the VPN tunnel subnet. And responses never reach the vpn client.
    Run an access server in tun mode within the LAN doesn't work without additional settings.

    Some ways to resolve:

    • Take pfSense out from LAN and put it in a transit network between it and your router. This also may be VLAN on the same LAN cable. On the router set a route for the tunnel network pointing to pfSense.

    • Add a route for the tunnel network pointing to pfSense's LAN address to each LAN device you want to access over vpn.

    • With NAT: Add an outbound NAT rule to pfSense translating source addresses in packets coming from vpn and destined to a LAN device to its LAN address. So the devices will send responses back to pfSense. But you're not able to determine on a LAN device, which vpn client the access comes from. That's an easy solution and good for home use.

    • Run the vpn access server in tap mode. So the VPN clients get an IP out of the LAN network. (Not recommended)

  • thanks viragomann! i went with your 2nd suggestion of adding routes to each device I needed to access. routing is performed by proxmox host and i don't trust myself yet with attempting suggestion #1 since this is a production environment although it seems like the best way to go about it. thanks again.

Log in to reply