Using pfSense's OpenVPN in tun mode with public subnet



  • Hi folks,
    I am trying to make OpenVPN with pfSense work using tun mode (layer 3).

    VPN IP (WAN) is - 1.1.1.1
    I have a /29 public subnet to be used with clients - 2.2.2.0/29

    Right now, when I connect the client I get 2.2.2.2 IP and default gateway, 2.2.2.1, is pushed to the client.

    OK so far so good, however I see traceroutes go to my default gateway and get lost there.

    Just in case, I tried to do NAT and all my clients get 1.1.1.1 IP which is not what I want.

    I'd like all my clients to have public IP from that dedicated 2.2.2.0/29 subnet. I was able to make this using tap but I want to avoid layer 2 and make this work with tun.

    As you can tell from my post, my knowledge here is lacking and I am not sure what to search for/do here.
    I suspect I'll need to make some sort of routing on pfSense - traffic from 2.2.2.0/29 subnet (vpn clients) to go through 1.1.1.1 (WAN's) gateway, correct? How would I go about this?

    Thanks!


  • Rebel Alliance Developer Netgate

    There are automatic NAT rules that get put in place to mask VPN client networks on the way out.

    You can override that:

    • Navigate to Firewall > NAT, Outbound tab
    • Switch to Hybrid Outbound NAT mode and save
    • Click Add to top (upward pointing arrow)
    • Check "Do Not NAT"
    • Interface=WAN, protocol=any
    • Set the source to your public subnet (e.g. 2.2.2.0/29)
    • Destination=Any
    • Description="Do not NAT OpenVPN public clients"
    • Save, Apply Changes
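
    The "Add to top" step matters because pf applies the first matching translation rule, so the "Do Not NAT" exemption has to sit above the automatic catch-all rule. The script below is an added example (not from the post above, nor pfSense/Netgate code) that checks this ordering in the output of `pfctl -s nat`. The interface name `em0`, the `10.0.0.0/8` tunnel network and the rule listings themselves are constructed assumptions for illustration; on a real box you would feed it `pfctl -s nat` output.

```shell
#!/bin/sh
# Added example: verify that a "no nat" exemption for the public VPN subnet
# exists and precedes any "nat on <WAN>" translation rule.

# Constructed sample of what `pfctl -s nat` could print after the hybrid
# rule is saved at the top (em0 = assumed WAN interface, 1.1.1.1 = WAN IP).
GOOD_RULES='no nat on em0 inet from 2.2.2.0/29 to any
nat on em0 inet from 10.0.0.0/8 to any port = isakmp -> 1.1.1.1 static-port
nat on em0 inet from 10.0.0.0/8 to any -> 1.1.1.1 port 1024:65535'

# Constructed sample where the exemption was added at the bottom instead;
# the catch-all rule wins first, so clients still leave as 1.1.1.1.
SHADOWED_RULES='nat on em0 inet from 2.2.2.0/29 to any -> 1.1.1.1 port 1024:65535
no nat on em0 inet from 2.2.2.0/29 to any'

# Constructed sample with no exemption at all (default automatic NAT).
MISSING_RULES='nat on em0 inet from 2.2.2.0/29 to any -> 1.1.1.1 port 1024:65535'

# check_no_nat IFACE SUBNET RULES
#   exit 0 : "no nat on IFACE ... from SUBNET" found before any nat rule on IFACE
#   exit 1 : no such exemption present
#   exit 2 : exemption present but shadowed by an earlier "nat on IFACE" rule
check_no_nat() {
    printf '%s\n' "$3" | awk -v iface="$1" -v subnet="$2" '
        # pf prints exemptions as: no nat on <iface> inet from <src> to <dst>
        $1 == "no" && $2 == "nat" && $4 == iface && index($0, "from " subnet " ") {
            status = natseen ? 2 : 0
            exit
        }
        # translation rules print as: nat on <iface> inet from <src> to <dst> -> ...
        $1 == "nat" && $3 == iface { natseen = 1 }
        END {
            if (status == "") status = 1
            exit status
        }
    '
}

# explain_rc IFACE SUBNET RULES: human-readable wrapper around check_no_nat.
explain_rc() {
    check_no_nat "$1" "$2" "$3"
    case $? in
        0) echo "ok: $2 leaves $1 without translation" ;;
        1) echo "missing: no 'Do Not NAT' rule for $2 on $1" ;;
        2) echo "shadowed: move the 'Do Not NAT' rule for $2 above the nat rules" ;;
    esac
}

# Usage: on a pfSense shell, replace the constructed listing with live output:
#   explain_rc em0 2.2.2.0/29 "$(pfctl -s nat)"
explain_rc em0 2.2.2.0/29 "$GOOD_RULES"
explain_rc em0 2.2.2.0/29 "$SHADOWED_RULES"
explain_rc em0 2.2.2.0/29 "$MISSING_RULES"
```

    A return of 0 only confirms the NAT exemption; traffic from 2.2.2.0/29 still has to be routed back to the WAN address by the upstream router for replies to arrive, which is a separate check.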