Own OpenVPN server behind pfSense firewall - need to create static route to it.

  • Hi All, we already have our own OpenVPN server ( ) in our LAN ( ). We don't want to use the pfSense OpenVPN server for now because we already have many OpenVPN users issued with keys from our existing OpenVPN server.

    For routed OpenVPN to work, we need to create a static route for (the routed VPN network) to go to our own OpenVPN server (our LAN). This is from openvpn.net: "Including multiple machines on the server side when using a routed VPN (dev tun) .... Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet ( ) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)."

    We were able to do this in our current GTA firewall, but now we want to use pfSense. But pfSense's Static Routes setting does not allow a user-defined gateway, i.e., it appears that pfSense creates a gateway on the LAN interface by default. We do not want to change this LAN gateway from ( ) to ( ). We want to create a gateway with IP ( ) but not tied to any interface. That is, we want to add a persistent static route in pfSense, something like this in /etc/rc.conf:
    routedopenvpnnet="-net" .
    But unfortunately, pfSense's FreeBSD does not use /etc/rc.conf.

    In our current GTA firewall, we were able to route all traffic to a user-defined gateway (not tied to any interface on the firewall), which is our OpenVPN server.

    Update: We changed the LAN Gateway IP from ( ) to ( ) (the IP of our OpenVPN server), and then created a static route for ( ) to go to the LAN Gateway. But it is still not working. Our OpenVPN clients can only reach the OpenVPN server but not any other devices in the LAN network. The whole purpose of creating the static route is to make the entire LAN accessible to the OpenVPN clients. We also checked that IP forwarding is enabled on the OpenVPN server. And the OpenVPN server was tested working when we were using our GTA firewall.

    UPDATE: Okay, it is working now after we added a firewall rule to allow source ( ) to any.

    But the issue remains: we still need to configure the LAN Gateway to be the OpenVPN server IP address, instead of the default (which is the IP of the firewall). In one of our offices, we actually have two routed OpenVPN servers. Can we add persistent static routes in the pfSense FreeBSD server? Since /etc/rc.conf is not available, can we do this:
    route add -net
    route add -net
    Since we cannot add these in /etc/rc.conf, can we include this in some startup script?

    Thank you.

  • You can add gateways in the GUI: System > Routing > Gateways
    Then go to the Static Routes tab and enter the static route for ( ) and ( ) with the gateway to be used.

    Don't set a gateway in the LAN interface settings!

    However, with a static route, routed VPN communication won't work properly if the VPN server is within the LAN. You will get asymmetric routing issues with that.
    If the VPN server's IP is not the default gateway, you do better to set up a separate network between the default gateway and the VPN server, maybe a VLAN.

  • Thank you Viragomann for the reply. But when I go to System/Routing/Static Routes to add a static route, I get an Edit Route Entry which requires me to select a Gateway. I had to create a Gateway with the IP of our OpenVPN server. See screenshot:
    Static Route in pfSense
    (our LAN network is actually ( ))

    Right now, after creating a UbuntuRoutedOpenvpn gateway with the IP address of our OpenVPN server and adding the static route, it seems to work. That is, our OpenVPN clients are now able to access all the devices in the LAN and not just the OpenVPN server. Before we created this gateway and static route, our OpenVPN clients could only access the OpenVPN server.

    In GTA firewalls (company now defunct - and that's why we are considering pfSense), it is easy to add a route like this: ( ) gateway ( ) - without having to select an interface for the gateway. This is similar to route add -net ( ) ( ) in FreeBSD. And we could add as many static routes as we want. In pfSense, the static routes require a gateway tied to an interface in the pfSense firewall. So the number of static routes possible in pfSense is limited to the number of NICs in the firewall (plus the loopback interface). pfSense is not as good as GTA in this aspect.

  • Yeah, first create a gateway with the VPN server's IP, then add a static route using this gateway.

    When adding a gateway you only have to select the interface which is facing that gateway.
    You can also add as many static routes as you need, but each needs a gateway. That's normal behaviour.

  • @viragomann
    Thank you once again viragomann

    In Unix and Windows, you can add as many static routes as you want to the same interface. You are not limited to the number of interfaces in the system. You specify the gateway, but there can be many gateways pointing to the same interface.
    For example, in FreeBSD, you can run these commands:

    route add -net
    route add -net
    route add -net
    route add -net

    You don't even need to specify the interface, as FreeBSD will know it from the IP address (here ( ) is the LAN interface). netstat -rn will show the newly added routes:
    Destination   Gateway   Flags   Netif   Expire
    default                 UGS     em0
                            UGS     em0
                            UGS     em0
                            UGS     em0
                            UGS     em0

    See screenshots here:
    FreeBSD Add Static Route

  • The number of gateways is only limited by the network range assigned to the particular interface. There are no other limits.
    Of course you can add multiple gateways on one interface.

  • @viragomann

    Thank you!
    Oops my bad. I am able to add multiple gateways to the same interface now. Guess I must have made some silly mistake earlier when I tried the same thing and got an error.

    I don't understand what you meant by "You will get asymmetric routing issues with that.". But it seems to be working now.

    Thank you once again.
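
The "asymmetric routing issues" mentioned earlier in the thread are easy to see once the two paths are traced hop by hop. The model below is an added example written for this page, not code from the thread, from pfSense or from FreeBSD. Every address, interface name and subnet in it is constructed for illustration (LAN 192.168.1.0/24 with pfSense at 192.168.1.1, OpenVPN server at 192.168.1.10 or on a 192.168.2.0/30 transit VLAN, a LAN host at 192.168.1.50, OpenVPN client subnet 10.8.0.0/24 with the server's tun address 10.8.0.1 and a client at 10.8.0.6). It also shows the on-link lookup that lets FreeBSD infer the interface for `route add -net` and why pfSense needs the gateway to sit inside one of its connected subnets.

```python
"""Trace both directions of a VPN-client <-> LAN-host flow through the
topology discussed in the thread and report which stateful firewall sees
only one direction.  Added example; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    interfaces: dict                            # ifname -> "addr/prefix"
    routes: dict = field(default_factory=dict)  # IPv4Network -> gateway
    stateful_firewall: bool = False

    def addresses(self):
        return {ipaddress.ip_interface(c).ip for c in self.interfaces.values()}

    def interface_for(self, ip):
        """On-link lookup: the interface whose connected subnet contains ip.
        FreeBSD does this for 'route add -net NET GW' (no interface given);
        pfSense makes you pick the interface when you create the gateway."""
        ip = ipaddress.ip_address(ip)
        for ifname, cidr in self.interfaces.items():
            if ip in ipaddress.ip_interface(cidr).network:
                return ifname
        return None

    def add_route(self, prefix, gateway):
        """Any number of routes may share one interface, but the gateway must
        lie inside a connected subnet (the 'limited by the network range'
        point from the thread)."""
        gw = ipaddress.ip_address(gateway)
        if self.interface_for(gw) is None:
            raise ValueError(f"{self.name}: gateway {gw} is not on a connected subnet")
        self.routes[ipaddress.ip_network(prefix)] = gw

    def next_hop(self, dst):
        """Longest-prefix match: connected subnet first, then static routes."""
        dst = ipaddress.ip_address(dst)
        if self.interface_for(dst):
            return dst                          # deliver directly
        best = None
        for net, gw in self.routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None


def trace(nodes, src, dst):
    """Forward one packet from node `src` to address `dst`; return the node names crossed."""
    dst = ipaddress.ip_address(dst)
    by_addr = {a: n for n in nodes.values() for a in n.addresses()}
    node, path = nodes[src], [src]
    while dst not in node.addresses():
        hop = node.next_hop(dst)
        if hop is None or hop not in by_addr:
            raise RuntimeError(f"{node.name}: no route to {dst}")
        node = by_addr[hop]
        path.append(node.name)
        if len(path) > 10:
            raise RuntimeError("routing loop")
    return path


def build(vpn_server_on_lan):
    """Constructed topology. True = the thread's setup (OpenVPN server is a LAN
    host); False = a transit network between pfSense and the server."""
    pf = Node("pfsense", {"em0": "192.168.1.1/24", "em1": "203.0.113.2/30"},
              stateful_firewall=True)
    pf.add_route("0.0.0.0/0", "203.0.113.1")
    host = Node("lanhost", {"em0": "192.168.1.50/24"})
    host.add_route("0.0.0.0/0", "192.168.1.1")
    client = Node("vpnclient", {"tun0": "10.8.0.6/24"})
    client.add_route("0.0.0.0/0", "10.8.0.1")   # as if pushed by the server
    if vpn_server_on_lan:
        ovpn = Node("ovpn", {"em0": "192.168.1.10/24", "tun0": "10.8.0.1/24"})
        ovpn.add_route("0.0.0.0/0", "192.168.1.1")
        pf.add_route("10.8.0.0/24", "192.168.1.10")  # static route via LAN-side gateway
    else:
        pf.interfaces["em2"] = "192.168.2.1/30"
        ovpn = Node("ovpn", {"em2": "192.168.2.2/30", "tun0": "10.8.0.1/24"})
        ovpn.add_route("0.0.0.0/0", "192.168.2.1")
        pf.add_route("10.8.0.0/24", "192.168.2.2")   # static route via transit interface
    return {n.name: n for n in (pf, host, client, ovpn)}


def analyse(nodes, a, b):
    """Trace a->b and the reply b->a; list stateful firewalls that see only one
    direction (each node here has a single address, used as its endpoint)."""
    ip_a = next(iter(nodes[a].addresses()))
    ip_b = next(iter(nodes[b].addresses()))
    forward, reverse = trace(nodes, a, ip_b), trace(nodes, b, ip_a)
    fws = {n.name for n in nodes.values() if n.stateful_firewall}
    return {"forward": forward, "reverse": reverse,
            "one_way_firewalls": sorted((fws & set(forward)) ^ (fws & set(reverse)))}


if __name__ == "__main__":
    for on_lan in (True, False):
        print("server on LAN" if on_lan else "server on transit net",
              analyse(build(on_lan), "vpnclient", "lanhost"))
```

With the server on the LAN, the client-to-host packet goes OpenVPN server -> LAN host directly and never touches pfSense, while the host's reply goes to its default gateway (pfSense), which routes it straight back out the LAN interface to the OpenVPN server. pfSense therefore sees only the reply half of every connection, with no state entry to match it, which is why a plain static route was not enough and a rule had to be added. Note that such a rule passes the whole VPN subnet through the firewall without pfSense ever seeing the initial packets; pfSense's "Bypass firewall rules for traffic on the same interface" option (System > Advanced > Firewall & NAT) exists for this hairpin case, and the transit-network variant (`build(False)`) avoids the problem outright by carrying both directions through pfSense, so the normal stateful rules apply.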