[SOLVED] VPN routing

  • Hi all!

    I'm gonna post this here and not in OpenVPN as it feels more like a routing issue.

    So here is the thing.
    We have a Cisco firewall, and behind this firewall is my pfSense with OpenVPN.

    It has 1 NIC and it's connected to the Cisco.
    I configured my OpenVPN and basically everything works just fine.

    But VPN clients are seen on the network as the WAN NIC IP of my pfSense.
    So the web server sees a connection from the pfSense WAN, but I would like to actually see the real client IP. I disabled outbound NAT, but when I do this the client can't browse at all.
    BUT it CAN ping the server and the server CAN ping the client. HTTP doesn't work, for example.

    Any ideas?


  • I presume it is an OpenVPN access server.

    If the devices you want to access from a VPN client are in the pfSense WAN network, the only way to solve this is to add a static route for the VPN tunnel network on each individual device, pointing to pfSense.

    A better solution would be to connect the pfSense WAN interface to a separate network interface of the Cisco, with a separate network segment.
    Then you would only have to add a static route for the VPN tunnel network on the Cisco firewall pointing to pfSense, and on pfSense you would add static route(s) for your internal network(s) pointing to the Cisco.

  • Is there any VPN provider for online gaming? Because I want to play some high games on my Android mobile phone.

  • Yeah, OpenVPN classic access (road warrior setup) server.
    WAN is plugged into the Cisco firewall network.
    On the core switches and the Cisco firewall there are routes to my VPN subnet pointing to the pfSense WAN IP (which is an IP from the network attached to the Cisco).
    On pfSense I have not configured any static routes, I just added the subnets to the OpenVPN server config.
    Funny thing is, if I disable outbound NAT, ping and tracert work but HTTP doesn't, and with outbound NAT everything works but the server on the VLAN on the core switch sees traffic from the pfSense WAN instead of the actual client.

  • @maverick_slo said in VPN routing:

    Funny thing is, if I disable outbound NAT, ping and tracert work but HTTP doesn't

    As I mentioned above, that's the problem when the VPN endpoint is in the same network segment as the destination device, but the VPN endpoint is not the default gateway.

    TCP, which HTTP is based on, is a stateful protocol; ICMP (ping) is stateless.
    When you try to access a device from a VPN client, the request packets go from pfSense directly to the device, while the response packets are sent to the default gateway (the Cisco FW, presumably), where they should be directed to pfSense. However, your default gateway has no state for them, since it didn't get the request packet, and will drop them.
    For a stateless protocol that doesn't matter.

    When using outbound NAT, the request packets have the source IP of pfSense, so the responses are directed back to pfSense directly.

    So, as already suggested, put pfSense in a separate network segment and set up correct routing. This can also be done with a VLAN.
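
The asymmetric-routing failure described in this reply, and the two ways out of it discussed in the thread (outbound NAT, or moving pfSense to its own segment with a route on the ASA), modelled in a few lines of Python. This is an added example, not code from the original post, pfSense or Cisco; every address, routing table and node name in it is an assumption, and the ASA is modelled the way the reply describes it (TCP needs matching state, ICMP is passed without it). The `asa_acl` argument also reproduces the situation from the thread's closure, where the Cisco side had the route but not a permit for the tunnel network:

```python
"""Model of the asymmetric-routing failure described in this thread:
a VPN gateway on the same segment as the destination, but not its default
gateway, so TCP replies hit a stateful firewall that never saw the SYN.
Constructed example, not pfSense or Cisco code; all addresses are assumed."""
import ipaddress

CLIENT = "10.8.0.2"           # OpenVPN road-warrior client (tunnel net 10.8.0.0/24)
PFSENSE_WAN = "192.168.1.2"   # pfSense WAN when it shares the server segment
PFSENSE_SEG2 = "192.168.2.2"  # pfSense WAN once it gets its own segment
ASA_LAN = "192.168.1.1"       # ASA inside interface, the server's default gateway
SERVER = "192.168.1.10"       # web server the VPN client wants to reach

ADDR = {"client": {CLIENT}, "pfsense": {PFSENSE_WAN, PFSENSE_SEG2},
        "asa": {ASA_LAN}, "server": {SERVER}}
STATEFUL = {"pfsense", "asa"}  # only forward TCP they have state for

# Routing tables: node -> [(prefix, next hop)], None = directly connected.
FLAT = {        # the thread's original setup: pfSense WAN on the server segment
    "client":  [("0.0.0.0/0", "pfsense")],
    "pfsense": [("10.8.0.0/24", None), ("192.168.1.0/24", None)],
    "asa":     [("192.168.1.0/24", None), ("10.8.0.0/24", "pfsense")],
    "server":  [("192.168.1.0/24", None), ("0.0.0.0/0", "asa")],
}
SEGMENTED = {   # the suggested fix: pfSense on 192.168.2.0/24, ASA routes between
    "client":  [("0.0.0.0/0", "pfsense")],
    "pfsense": [("10.8.0.0/24", None), ("192.168.2.0/24", None), ("0.0.0.0/0", "asa")],
    "asa":     [("192.168.1.0/24", None), ("192.168.2.0/24", None),
                ("10.8.0.0/24", "pfsense")],
    "server":  [("192.168.1.0/24", None), ("0.0.0.0/0", "asa")],
}


def owner(ip):
    """Node that holds a directly connected address."""
    return next(node for node, addrs in ADDR.items() if ip in addrs)


def next_hop(tables, node, dst):
    """Longest-prefix match in one node's routing table."""
    best, best_len = None, -1
    for prefix, hop in tables[node]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = hop, net.prefixlen
    if best_len < 0:
        raise RuntimeError(f"{node}: no route to {dst}")
    return owner(dst) if best is None else best


def path(tables, src_node, dst):
    """Sequence of nodes a packet from src_node to dst traverses."""
    hops = [src_node]
    while dst not in ADDR[hops[-1]]:
        hops.append(next_hop(tables, hops[-1], dst))
    return hops


def permitted(acl, src, dst):
    """ACL as [(src_prefix, dst_prefix)]; None permits everything."""
    if acl is None:
        return True
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)


def connect(tables, proto, nat_ip=None, asa_acl=None):
    """One request/reply exchange from the VPN client to the server.
    Returns (source address the server sees, reply delivered?, dropping device)."""
    state = {n: set() for n in STATEFUL}
    src = nat_ip or CLIENT   # outbound NAT rewrites the source on pfSense
    for node in path(tables, "client", SERVER):
        if node == "asa" and not permitted(asa_acl, src, SERVER):
            return src, False, "asa (acl)"
        if node in STATEFUL:
            state[node].add((src, SERVER))   # firewall on the request path learns the flow
    back = path(tables, "server", src) + (["client"] if nat_ip else [])
    for node in back[1:]:
        # ICMP is passed statelessly (as the thread describes); TCP needs state
        if node in STATEFUL and proto == "tcp" and (src, SERVER) not in state[node]:
            return src, False, node
    return src, True, None


if __name__ == "__main__":
    print("flat, no NAT, tcp :", connect(FLAT, "tcp"))
    print("flat, no NAT, icmp:", connect(FLAT, "icmp"))
    print("flat, NAT, tcp    :", connect(FLAT, "tcp", nat_ip=PFSENSE_WAN))
    print("segmented, tcp    :", connect(SEGMENTED, "tcp"))
    print("segmented, ACL missing tunnel net:",
          connect(SEGMENTED, "tcp", asa_acl=[("192.168.2.0/24", "192.168.1.0/24")]))
```

In the flat layout the request path is client, pfSense, server, while the TCP reply goes server, ASA, pfSense, client; the ASA never saw the SYN and drops it, exactly the "ping works, HTTP doesn't" symptom. Outbound NAT hides the problem by making the server reply to pfSense's own address, which is why the web server then logs the pfSense WAN IP. In the segmented layout both directions pass through the ASA, so it has state for the flow and the server sees the real client address; the ACL case shows that the route alone is not enough if the firewall does not also permit the tunnel network. One caveat when mapping this to a real ASA: ICMP is only stateless there as long as ICMP inspection is not enabled in its policy.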

  • Hmm.
    pfSense IS on a separate network on the ASA.
    Routing works; actually everything works except the little thing I mentioned.

    On the server on a different VLAN, all requests are coming from the pfSense WAN.
    So how do I make them come from the OpenVPN client instead?

  • Turn off the outbound NAT on pfSense.

    Consider that for routing VPN responses back you need a static route for the VPN tunnel network on your ASA?

  • Well, if I turn off outbound NAT, things stop working.

    I have a route on the ASA to route my tunnel network to the pfSense WAN IP.

  • If that's the case, the route won't work.

    Try a traceroute from the device you tried to access.

  • Tracert is OK.
    Tried both ways, both ways OK.

  • If the routes are OK there is no need for the outbound NAT.

    Sorry, no more ideas as long as I don't get more info, like the tunnel network, a network map, detailed routes, and a packet capture of an access attempt from a VPN client.

  • Thanks, will check tomorrow with our FW guys, as I don't see errors in my config...

  • Closure:
    I had it configured correctly.
    So: correct FW rules and outbound NAT (SNAT) disabled.
    The problem was on the Cisco router, where the network guys forgot to allow my traffic (even when they say they did, well, double-check) :)

  • I have the same problem, thanks.
