Routing over OpenVPN to public Internet



  • Hello all, we are using pfSense as the gateway firewall for our company and are now solving an issue with OpenVPN. Can somebody help me please?

    We are using the standard road warrior architecture:
    Client (Homeworker, public IP *) ==> pfSense (vpnserver; gateway public IP 200.200.200.200) ==> pfsense openvpn interface (tap, virtual subnet 10.1.0.0/24) ==> company LAN (10.0.0.0/24)

    This works fine, but for some reason there is an issue with routing OpenVPN clients to the public internet:

    Client (Homeworker, public IP *) ==> pfSense (vpnserver; public IP 200.200.200.200) ==> pfsense openvpn interface (tap, virtual subnet 10.1.0.0/24) ==> * Public IP (for example google.com)

    To set up this function we allow outgoing communication from the OpenVPN subnet (10.1.0.0/24) to the internet and push a route to the clients (push "route 210.210.210.210 255.255.255.255";). Is it necessary to set up something else? Because if a client tries to ping some public server over the VPN, it gets no response.

    We tried dumping the communication (WAN interface); when pinging a public server from the LAN, the packets look like this:
    17:38:22.900321 IP 200.200.200.200 > 210.210.210.210: ICMP echo request, id 424, seq 6698, length 40         REQUEST
    17:38:22.901278 IP 210.210.210.210 > 200.200.200.200: ICMP echo reply, id 424, seq 6698, length 40          RESPONSE

    but when trying it over the VPN, only the request is sent, without a response:
    17:39:52.720342 IP 10.1.0.10 > 210.210.210.210: ICMP echo request, id 768, seq 55808, length 40         REQUEST

    Could the issue be in the source address (not translated / masqueraded)? How can I fix it, please?

    Thanks

    Note: the public addresses 200.200.200.200 and 210.210.210.210 are just examples.



  • @http://forum.pfsense.org/index.php/topic:

    Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP. You can change this behavior by enabling Advanced Outbound NAT (AON) but this is usually unnecessary and adds unneeded complexity.
    For OpenVPN, if you want the OpenVPN subnet NATed to WAN, you will have to use AON.
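    The diagnosis in the first post can be automated: a packet leaving the WAN interface with a private (RFC 1918) source address has not been translated, and the reply will be sent to an address the internet cannot route back. The script below is an added example, not code from this thread or from pfSense; it parses ICMP echo lines in the format tcpdump prints, pairs requests with replies by id/seq, and flags unanswered requests whose source was never NATed. The capture lines are constructed to mirror the ones quoted above.

```python
import ipaddress
import re

# Constructed tcpdump lines modelled on the ones quoted in the thread; not a real capture.
WAN_CAPTURE = """\
17:38:22.900321 IP 200.200.200.200 > 210.210.210.210: ICMP echo request, id 424, seq 6698, length 40
17:38:22.901278 IP 210.210.210.210 > 200.200.200.200: ICMP echo reply, id 424, seq 6698, length 40
17:39:52.720342 IP 10.1.0.10 > 210.210.210.210: ICMP echo request, id 768, seq 55808, length 40
"""

# Matches the ICMP echo lines tcpdump prints with its default (non -n numeric) IPv4 formatting.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Return a list of dicts, one per ICMP echo line; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            packets.append(d)
    return packets


def leaked_private_sources(packets):
    """Source addresses seen on WAN that are private, i.e. left the box without NAT."""
    return sorted({p["src"] for p in packets if ipaddress.ip_address(p["src"]).is_private})


def unanswered_requests(packets):
    """Echo requests with no matching reply (same id/seq, src and dst swapped)."""
    pending = {}
    for p in packets:
        key = (p["id"], p["seq"])
        if p["kind"] == "request":
            pending[key] = p
        else:
            req = pending.get(key)
            if req and req["src"] == p["dst"] and req["dst"] == p["src"]:
                del pending[key]
    return list(pending.values())


def diagnose(text):
    """Human-readable findings for a WAN-side capture."""
    packets = parse_capture(text)
    findings = []
    for p in unanswered_requests(packets):
        if ipaddress.ip_address(p["src"]).is_private:
            findings.append(
                f"{p['src']} -> {p['dst']}: request left WAN with a private source "
                f"(no outbound NAT for that subnet); the reply cannot be routed back"
            )
        else:
            findings.append(
                f"{p['src']} -> {p['dst']}: request was NATed but got no reply "
                f"(check upstream filtering or the remote host)"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(WAN_CAPTURE):
        print(finding)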



  • Works!!!

    Thanks for help.

