Netgate Discussion Forum

    Using pfSense's OpenVPN in tun mode with public subnet

Routing and Multi WAN
Entheogen

      Hi folks,
I am trying to make OpenVPN with pfSense work using tun mode (layer 3).

VPN IP (WAN) is 1.1.1.1.
I have a /29 public subnet to be used with clients: 2.2.2.0/29.

Right now, when I connect the client I get the 2.2.2.2 IP, and the default gateway, 2.2.2.1, is pushed to the client.

OK, so far so good; however, I see traceroutes go to my default gateway and get lost there.

Just in case, I tried to do NAT, and all my clients get the 1.1.1.1 IP, which is not what I want.

I'd like all my clients to have a public IP from that dedicated 2.2.2.0/29 subnet. I was able to make this work using tap, but I want to avoid layer 2 and make this work with tun.

As you can tell from my post, my knowledge here is lacking, and I am not sure what to search for/do here.
I suspect I'll need to set up some sort of routing on pfSense: traffic from the 2.2.2.0/29 subnet (VPN clients) should go through 1.1.1.1's (WAN's) gateway, correct? How would I go about this?

      Thanks!

jimp (Netgate developer)

        There are automatic NAT rules that get put in place to mask VPN client networks on the way out.

        You can override that:

        • Navigate to Firewall > NAT, Outbound tab
        • Switch to Hybrid Outbound NAT mode and save
        • Click Add to top (upward pointing arrow)
        • Check "Do Not NAT"
        • Interface=WAN, protocol=any
        • Set the source to your public subnet (e.g. 2.2.2.0/29)
        • Destination=Any
        • Description="Do not NAT OpenVPN public clients"
        • Save, Apply Changes

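As an added example (mine, not part of jimp's reply and not pfSense code), the shell check below verifies from the pfSense console that the "Do Not NAT" rule actually takes precedence over the automatic outbound NAT rule. The reason the rule has to be added at the top is that pf evaluates translation (nat) rules first-match, unlike filter rules, so a `no nat` line only takes effect if it appears before the `nat on WAN ... from 2.2.2.0/29` rule pfSense generates for VPN client networks. The two rulesets embedded here are constructed to approximate `pfctl -sn` output; the WAN interface name (`vtnet0`) and the OpenVPN tunnel network (`10.0.8.0/24`) are assumptions, while 1.1.1.1 and 2.2.2.0/29 are the addresses from the thread.

```shell
#!/bin/sh
# Added example (not from the forum post): verify that a "Do Not NAT" rule for
# the public OpenVPN subnet is the first translation rule pf will match for
# that source on the WAN interface. pf evaluates nat rules first-match, so a
# "no nat" line only works if it precedes the automatic "nat on WAN" rule
# that pfSense generates for VPN client networks.
#
# The two rulesets below are CONSTRUCTED to resemble `pfctl -sn` output; the
# WAN interface name (vtnet0) and the tunnel network are assumptions.

# Automatic outbound NAT only: the /29 is still masked behind 1.1.1.1.
BEFORE_RULES='nat on vtnet0 inet from 10.0.8.0/24 to any -> 1.1.1.1 port 1024:65535
nat on vtnet0 inet from 2.2.2.0/29 to any -> 1.1.1.1 port 1024:65535'

# Hybrid mode with the manual "Do Not NAT" rule added at the top.
AFTER_RULES='no nat on vtnet0 inet from 2.2.2.0/29 to any
nat on vtnet0 inet from 10.0.8.0/24 to any -> 1.1.1.1 port 1024:65535
nat on vtnet0 inet from 2.2.2.0/29 to any -> 1.1.1.1 port 1024:65535'

# nonat_check SUBNET WAN_IF [RULESET]
# Prints the first nat/no-nat rule on WAN_IF whose source is exactly SUBNET.
# Returns 0 when that rule is "no nat" (override effective), 1 when a "nat"
# rule would rewrite the source first, 2 when no rule names the subnet.
# Without a third argument it reads the live ruleset via `pfctl -sn`.
nonat_check() {
    subnet=$1
    wanif=$2
    rules=${3:-$(pfctl -sn 2>/dev/null)}
    # Field layout: "no nat on IF inet from SRC ..." vs "nat on IF inet from SRC ..."
    first=$(printf '%s\n' "$rules" | awk -v s="$subnet" -v i="$wanif" '
        $1 == "no" && $2 == "nat" && $4 == i && $7 == s { print; exit }
        $1 == "nat"               && $3 == i && $6 == s { print; exit }')
    case $first in
        "")        printf 'no translation rule for %s on %s\n' "$subnet" "$wanif"; return 2 ;;
        "no nat"*) printf 'OK  %s\n' "$first"; return 0 ;;
        *)         printf 'BAD %s\n' "$first"; return 1 ;;
    esac
}

# Demonstration on the constructed rulesets. On a real pfSense box run
# `nonat_check 2.2.2.0/29 <wan_if>` with no third argument instead.
nonat_check 2.2.2.0/29 vtnet0 "$BEFORE_RULES" || echo "  -> automatic NAT still masks the subnet (rc=$?)"
nonat_check 2.2.2.0/29 vtnet0 "$AFTER_RULES" && echo "  -> no-nat rule wins"
```

Two caveats for anyone applying the GUI steps above. First, the interface name in `pfctl -sn` is the real FreeBSD name (vtnet0, em0, igb0, ...), not "WAN"; pass the name from Interfaces > Assignments. Second, this only stops pfSense from rewriting the source address; for return traffic to come back, the upstream provider must already be routing 2.2.2.0/29 toward 1.1.1.1, which is an assumption about the setup in the thread rather than something the check can confirm.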
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.