Routing over OpenVPN to public Internet
Hello all, we using pfSense as gateway firewall for our company and now solving issue wit OpenVPN, can somebody help me please?
We using standard road warrior architecture
Client (Homeworker, public IP *) ==> pfSense (vpnserver; gateway public IP 18.104.22.168) ==> pfsense openvpn interface (tap, virtual subnet 10.1.0.0/24) ==> company LAN (10.0.0.0/24)
this working fine, but from some reason are issue with routing OpenVPN clients to public internet
Client (Homeworker, public IP *) ==> pfSense (vpnserver; public IP 22.214.171.124) ==> pfsense openvpn interface (tap, virtual subnet 10.1.0.0/24) ==> * Public IP (for example google.com)
for setup this function we allow outgoing communication from openvpn subnet (10.1.0.0/24) to internet and pushing route to clients (push "route 126.96.36.199 255.255.255.255";). Are necessary setup something other? Because if client try ping some public server over VPN then not get response.
We try dump communication (wan interface) and if pinging to public server from LAN then packet look this:
17:38:22.900321 IP 188.8.131.52 > 184.108.40.206: ICMP echo request, id 424, seq 6698, length 40 REQUEST
17:38:22.901278 IP 220.127.116.11 > 18.104.22.168: ICMP echo reply, id 424, seq 6698, length 40 RESPONSE
but if try it over VPN then are send just request withour response:
17:39:52.720342 IP 10.1.0.10 > 22.214.171.124: ICMP echo request, id 768, seq 55808, length 40 REQUEST
Can be issue in source address (not translated, masquaraded)?? How fix it please?
Note: Public adresses 126.96.36.199 and 188.8.131.52 are just examples.
GruensFroeschli last edited by
Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP. You can change this behavior by enabling Advanced Outbound NAT (AON) but this is usually unnecessary and adds unneeded complexity.
For OpenVPN if you want the OpenVPN subnet NAT'ed to WAN, you will have to use AON.
Thanks for help.