Using pfSense's OpenVPN in tun mode with public subnet

  • Hi folks,
I am trying to make OpenVPN with pfSense work using tun mode (layer 3).

    VPN IP (WAN) is -
    I have /29 public subnet to be used with clients -

    Right now, when I connect the client I get IP and default gateway,, is pushed to the client.

    OK so far so good, however I see traceroutes go to my default gateway and get lost there.

    Just in case, I tried to do NAT and all my clients get IP which is not what I want.

    I'd like all my clients to have public IP from that dedicated subnet. I was able to make this using tap but I want to avoid layer 2 and make this work with tun.

    As you can tell from my post, my knowledge here is lacking and I am not sure what to search for/do here.
    I suspect I'll need to make some sort of routing on pfSense - traffic from subnet (vpn clients) to go through (WAN's) gateway, correct? How would I go about this?


  • Rebel Alliance Developer Netgate

    There are automatic NAT rules that get put in place to mask VPN client networks on the way out.

    You can override that:

    • Navigate to Firewall > NAT, Outbound tab
    • Switch to Hybrid Outbound NAT mode and save
    • Click Add to top (upward pointing arrow)
    • Check "Do Not NAT"
    • Interface=WAN, protocol=any
    • Set the source to your public subnet (e.g.
    • Destination=Any
    • Description="Do not NAT OpenVPN public clients"
    • Save, Apply Changes
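The reason the "Do Not NAT" rule has to go at the top is that pf evaluates NAT rules first-match: if an automatic outbound NAT rule for the tunnel network matches before it, the public client address is still masked. The following is an added example (not from this thread or from pfSense itself) that simulates that first-match evaluation over pf-style rule text; the interface name `em0`, the WAN address `198.51.100.2` and the client subnet `203.0.113.0/29` are constructed placeholders.

```python
import ipaddress
import re

# Constructed placeholders; substitute your own WAN address and public /29.
WAN_IP = "198.51.100.2"
PUBLIC_VPN_SUBNET = "203.0.113.0/29"

# Ordering the answer recommends: the "no nat" rule sits above the
# (otherwise automatic) NAT rule that masks the tunnel network.
RULES_CORRECT = [
    f"no nat on em0 inet from {PUBLIC_VPN_SUBNET} to any",
    f"nat on em0 inet from {PUBLIC_VPN_SUBNET} to any -> {WAN_IP}",
]
# Same two rules with the "no nat" rule added at the bottom instead.
RULES_WRONG_ORDER = list(reversed(RULES_CORRECT))

# Minimal parser for the pf nat / no nat rule shape used above.
RULE_RE = re.compile(
    r"^(?P<no>no )?nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: -> (?P<target>\S+))?$"
)

def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised rule: {text}")
    rule = m.groupdict()
    for key in ("src", "dst"):
        rule[key] = None if rule[key] == "any" else ipaddress.ip_network(rule[key])
    return rule

def _matches(net, addr):
    # "any" was parsed as None and matches every address.
    return net is None or addr in net

def egress_source(rules, src, dst, iface="em0"):
    """Source address seen on the wire after pf's first-match NAT pass."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in map(parse_rule, rules):
        if rule["iface"] != iface:
            continue
        if _matches(rule["src"], src_ip) and _matches(rule["dst"], dst_ip):
            # A "no nat" match ends evaluation with the address unchanged.
            return src if rule["no"] else rule["target"]
    return src  # nothing matched: packet leaves unchanged
```

On the firewall itself, `pfctl -sn` lists the loaded NAT rules in evaluation order, so you can confirm the `no nat` line for your subnet precedes the automatic rule.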
