Own OpenVPN server behind Pfsense firewall - need to create static route to it.



  • Hi All, we already have our own OpenVPN server (192.168.1.101) in our LAN (192.168.1.0/24). We don't want to use Pfsense Openvpn server for now because we already have many Openvpn users issued with keys from our existing Openvpn server.

    For routed Openvpn to work, we need to create a static route for 10.8.0.0/24 (the Routed VPN network) to go to our own Openvpn server 192.168.1.101 (our LAN). This is from openvpn.net: "Including multiple machines on the server side when using a routed VPN (dev tun) .... Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)."

    We were able to do this in our current GTA firewall, but now we want to use Pfsense. But Pfsense's Static Routes setting does not allow a user-defined gateway, i.e., 192.168.1.101. It appears that pfSense creates a gateway 192.168.1.1 on the LAN interface by default. We do not want to change this LAN gateway from 192.168.1.1 to 192.168.1.101. We want to create a gateway with ip 192.168.1.101 but not tied to any interface. That is, we want to add a persistent static route in pfSense, something like this in /etc/rc.conf:
    static_routes="routedopenvpnnet"
    routedopenvpnnet="-net 10.8.0.0/24 192.168.1.101"
    But unfortunately, pfSense's Freebsd does not use /etc/rc.conf.

    In our current GTA firewall, we were able to route all 10.8.0.0/24 traffic to a user-defined gateway (not tied to any interface on the firewall) which is our Openvpn server 192.168.1.101.

    Update: We changed the LAN Gateway IP from 192.168.1.1 to 192.168.1.101 (the IP of our Openvpn server), and then created a static route for 10.8.0.0/24 to go to the LAN Gateway. But it is still not working. Our Openvpn clients can only go to the Openvpn server but not any other devices in the LAN network. The whole purpose of creating the static route is to make the entire LAN accessible to the Openvpn client. We also checked that IP forwarding is enabled on the Openvpn server. And the Openvpn server was tested working when we were using our GTA firewall.

    UPDATE: Okay, it is working now after we added a firewall rule to allow 10.8.0.0/24 source to enter any.

    But the issue remains: we still need to configure the LAN Gateway to the Openvpn server IP address 192.168.1.101, instead of the default 192.168.1.1 (which is the IP of the firewall). In one of our offices, we actually have two Routed Openvpn servers. Can we add persistent static routes in the pfsense Freebsd server? Since /etc/rc.conf is not available, can we do this:
    route add -net 10.8.0.0/24 192.168.1.101
    route add -net 10.10.0.0/24 192.168.1.102
    Since we cannot add these in /etc/rc.conf, can we include this in some startup script?

    Thank you.



  • You can add gateways in the GUI: System > Routing > Gateways
    Then go to the Static routes tab and enter the static route for 10.8.0.0/24 and 192.168.1.101 at gateway to be used.

    Don't set a gateway in the LAN interfaces settings!

    However, with a static route, routed VPN communication won't work properly if the VPN server is within the LAN. You will get asymmetric routing issues with that.
    If the VPN server's IP is not the default gateway, you do better when you set up a separate network between the default gateway and the VPN server, maybe a VLAN.



  • Thank you Viragomann for the reply. But when I go to System/Routing/Static Routes to add a static route, I get an Edit Route Entry which requires me to select a Gateway. I had to create a Gateway with the IP of our Openvpn server. See screenshot:
    Static Route in pfSense
    (our LAN network is actually 192.168.25.0/24)

    Right now, after creating a UbuntuRoutedOpenvpn gateway with the IP address of our Openvpn server and adding the static route, it seems to work. That is, our Openvpn clients are now able to access all the devices in the LAN and not just the Openvpn server. Before we created this gateway and static route, our Openvpn clients could only access the Openvpn server.

    In GTA firewalls (company now defunct - and that's why we are considering pfSense), it is easy to add a route like this: 10.8.0.0/24 gateway 192.168.1.101 - without having to select an Interface for the gateway. This is similar to route add -net 10.8.0.0/24 192.168.1.101 in Freebsd. And we could add as many static routes as we want. In pfSense, the static routes require a gateway tied to an interface in the pfSense firewall. So the number of static routes possible in pfSense is limited to the number of NICs in the firewall (plus the loopback interface). pfSense is not as good as GTA in this aspect.



  • Yeah, first create a gateway with the VPN server's IP, then add a static route using this gateway.

    When adding a gateway you only have to select the interface which faces that gateway.
    You also can add as many static routes as you need, but each needs a gateway. That's normal behaviour.



  • @viragomann
    Thank you once again viragomann

    In Unix and Windows, you can add as many static routes as you want to the same interface. You are not limited to the number of interfaces in the system. You specify the gateway, but there can be many gateways pointing to the same interface.
    For example, in Freebsd, you can run these commands:

    route add -net 10.8.0.0/24 192.168.5.101
    route add -net 10.10.0.0/24 192.168.5.102
    route add -net 10.12.0.0/24 192.168.5.103
    route add -net 10.14.0.0/24 192.168.5.104

    You don't even need to specify the interface as Freebsd will know it from the IP address (here 192.168.1.0/x is the LAN interface). netstat -rn will show the newly added routes
    Destination     Gateway          Flags   Netif  Expire
    default         192.168.5.1      UGS     em0
    10.8.0.0/24     192.168.5.101    UGS     em0
    10.10.0.0/24    192.168.5.102    UGS     em0
    10.12.0.0/24    192.168.5.103    UGS     em0
    10.14.0.0/24    192.168.5.104    UGS     em0

    See screenshots here:
    Freebsd Add Static Route



  • The number of gateways is only limited by the network range assigned to the particular interface. There are no other limits.
    Of course you can add multiple gateways on one interface.



  • @viragomann

    Thank you!
    Oops my bad. I am able to add multiple gateways to the same interface now. Guess I must have made some silly mistake earlier when I tried the same thing and got an error.

    I don't understand what you meant by "You will get asymmetric routing issues with that.". But it seems to be working now.

    Thank you once again.
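The asymmetric-routing warning in viragomann's first reply, and the question about it in the last post, can be seen concretely by tracing one flow in both directions through the routing tables involved. The following Python model is an added example written for this page, not code from the thread or from pfSense. It reuses only the addresses the thread mentions (LAN 192.168.1.0/24 as in the first post, pfSense at 192.168.1.1, OpenVPN server at 192.168.1.101, client subnet 10.8.0.0/24); the LAN host 192.168.1.50, the client 10.8.0.6, the WAN 203.0.113.0/24 and the transit VLAN 192.168.10.0/24 are constructed for illustration. With the server on the LAN, client-to-LAN packets go client -> OpenVPN server -> host and never touch pfSense, while the replies go host -> pfSense (default gateway) -> OpenVPN server -> client, leaving pfSense through the same LAN interface they arrived on. pfSense therefore sees only half of each connection, which is what a stateful filter cannot track without a permissive rule (or pfSense's "Bypass firewall rules for traffic on the same interface" option under System > Advanced > Firewall & NAT). Moving the server onto its own pfSense interface, as suggested, makes both directions pass through pfSense.

```python
"""Longest-prefix-match routing model for the thread's setup: a pfSense LAN
gateway with a static route for 10.8.0.0/24 pointing at an OpenVPN server
that sits on the same LAN segment.

Constructed topology (the /24s and 192.168.1.1 / 192.168.1.101 / 10.8.0.0/24
come from the thread; every other address is an assumption for this example):
  pfsense    lan 192.168.1.1, wan 203.0.113.2, vlan10 192.168.10.1
  vpnserver  em0 192.168.1.101 (or 192.168.10.101 on the VLAN), tun0 10.8.0.1
  lanhost    eth0 192.168.1.50
  vpnclient  tun0 10.8.0.6, with 192.168.1.0/24 pushed via 10.8.0.1
"""
import ipaddress


class Node:
    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ipaddress.ip_address(ip): iface for iface, ip in addrs.items()}
        # routes: (prefix, next hop or None when directly connected, egress iface)
        self.routes = [(ipaddress.ip_network(p), nh and ipaddress.ip_address(nh), i)
                       for p, nh, i in routes]

    def lookup(self, dst):
        """Longest-prefix match, like the kernel FIB shown by 'netstat -rn'."""
        cands = [r for r in self.routes if dst in r[0]]
        return max(cands, key=lambda r: r[0].prefixlen) if cands else None


def build_topology(vpn_on_separate_vlan=False):
    """Return {ip: Node}.  With vpn_on_separate_vlan=True the OpenVPN server is
    moved onto its own pfSense interface (the transit VLAN viragomann suggests)."""
    if vpn_on_separate_vlan:
        srv_ip, srv_gw, srv_net, fw_if = "192.168.10.101", "192.168.10.1", "192.168.10.0/24", "vlan10"
    else:
        srv_ip, srv_gw, srv_net, fw_if = "192.168.1.101", "192.168.1.1", "192.168.1.0/24", "lan"
    nodes = [
        Node("pfsense", {"lan": "192.168.1.1", "vlan10": "192.168.10.1", "wan": "203.0.113.2"},
             [("192.168.1.0/24", None, "lan"),
              ("192.168.10.0/24", None, "vlan10"),
              ("203.0.113.0/24", None, "wan"),
              ("10.8.0.0/24", srv_ip, fw_if),           # the static route from the thread
              ("0.0.0.0/0", "203.0.113.1", "wan")]),
        Node("vpnserver", {"em0": srv_ip, "tun0": "10.8.0.1"},
             [(srv_net, None, "em0"),
              ("10.8.0.0/24", None, "tun0"),
              ("0.0.0.0/0", srv_gw, "em0")]),           # IP forwarding assumed enabled
        Node("lanhost", {"eth0": "192.168.1.50"},
             [("192.168.1.0/24", None, "eth0"),
              ("0.0.0.0/0", "192.168.1.1", "eth0")]),
        Node("vpnclient", {"tun0": "10.8.0.6"},
             [("10.8.0.0/24", None, "tun0"),
              ("192.168.1.0/24", "10.8.0.1", "tun0")]),  # route pushed by the server
    ]
    return {ip: n for n in nodes for ip in n.addrs}


def trace(topo, src_ip, dst_ip, max_hops=8):
    """Forward one packet hop by hop.  Returns [(node, ingress_iface, egress_iface)];
    the last entry is the destination itself, with egress None."""
    dst = ipaddress.ip_address(dst_ip)
    node, ingress, hops = topo[ipaddress.ip_address(src_ip)], None, []
    for _ in range(max_hops):
        if dst in node.addrs:
            hops.append((node.name, ingress, None))
            return hops
        route = node.lookup(dst)
        if route is None:
            raise RuntimeError(f"{node.name}: no route to {dst}")
        _, next_hop, egress = route
        hops.append((node.name, ingress, egress))
        gw = next_hop or dst                       # directly connected: deliver to dst itself
        if gw not in topo:
            raise RuntimeError(f"{node.name}: next hop {gw} is outside the model")
        node, ingress = topo[gw], topo[gw].addrs[gw]
    raise RuntimeError("hop limit exceeded")


def forwarders(topo, src_ip, dst_ip):
    """Transit nodes only (source and destination excluded), in order."""
    return [name for name, _, _ in trace(topo, src_ip, dst_ip)[1:-1]]


def path_is_symmetric(topo, a, b):
    """A stateful firewall can only track a flow it sees in both directions."""
    return forwarders(topo, a, b) == list(reversed(forwarders(topo, b, a)))


def hairpin_nodes(topo, src_ip, dst_ip):
    """Nodes that send the packet back out the interface it arrived on."""
    return [name for name, ing, eg in trace(topo, src_ip, dst_ip)
            if ing is not None and ing == eg]


if __name__ == "__main__":
    client, host = "10.8.0.6", "192.168.1.50"
    for label, vlan in (("server on the LAN", False), ("server on its own VLAN", True)):
        topo = build_topology(vlan)
        print(f"== {label} ==")
        print(" client->host :", forwarders(topo, client, host))
        print(" host->client :", forwarders(topo, host, client))
        print(" symmetric    :", path_is_symmetric(topo, client, host))
        print(" hairpin on   :", hairpin_nodes(topo, host, client))
```

Running it prints the two layouts side by side: with the server on the LAN the client-to-host path is ["vpnserver"] while the reply path is ["pfsense", "vpnserver"] with a hairpin on pfsense, so the paths are asymmetric; on the separate VLAN both directions cross pfsense and the flow is symmetric. The model ignores ICMP redirects, which a real pfSense LAN interface would also send in the hairpin case.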