Routing over OpenVPN to public Internet

  • Hello all, we are using pfSense as the gateway firewall for our company and are now solving an issue with OpenVPN. Can somebody help me, please?

    We are using a standard road warrior architecture:
    Client (Homeworker, public IP *) ==> pfSense (vpnserver; gateway public IP ==> pfsense openvpn interface (tap, virtual subnet ==> company LAN (

    This is working fine, but for some reason there is an issue with routing OpenVPN clients to the public Internet:

    Client (Homeworker, public IP *) ==> pfSense (vpnserver; public IP ==> pfsense openvpn interface (tap, virtual subnet ==> * Public IP (for example

    To set up this function, we allow outgoing communication from the OpenVPN subnet ( to the Internet and push a route to clients (push "route";). Is it necessary to set up something else? Because if a client tries to ping a public server over the VPN, it does not get a response.

    We tried dumping the communication (WAN interface), and when pinging a public server from the LAN the packets look like this:
    17:38:22.900321 IP > ICMP echo request, id 424, seq 6698, length 40         REQUEST
    17:38:22.901278 IP > ICMP echo reply, id 424, seq 6698, length 40          RESPONSE

    But if we try it over the VPN, just the request is sent, without a response:
    17:39:52.720342 IP > ICMP echo request, id 768, seq 55808, length 40         REQUEST

    Can the issue be in the source address (not translated, masqueraded)? How can we fix it, please?


    Note: Public addresses and are just examples.

  • @

    Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP. You can change this behavior by enabling Advanced Outbound NAT (AON) but this is usually unnecessary and adds unneeded complexity.
    For OpenVPN if you want the OpenVPN subnet NAT'ed to WAN, you will have to use AON.

  • Works!!!

    Thanks for help.
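
The check described in the thread (an echo request leaving WAN with an untranslated source and no reply), as an added example that is not part of the original posts: it parses tcpdump ICMP lines captured on the WAN interface and reports unanswered requests, marking those whose source was never NATed. All addresses, the 10.8.0.0/24 VPN subnet and the function name `audit_wan_capture` are constructed for illustration; the thread's own addresses were not preserved.

```python
import ipaddress
import re

# Constructed sample capture on WAN (documentation addresses, not from the thread).
WAN_IP = "203.0.113.10"
SAMPLE = """\
17:38:22.900321 IP 203.0.113.10 > 198.51.100.7: ICMP echo request, id 424, seq 6698, length 40
17:38:22.901278 IP 198.51.100.7 > 203.0.113.10: ICMP echo reply, id 424, seq 6698, length 40
17:39:52.720342 IP 10.8.0.6 > 198.51.100.7: ICMP echo request, id 768, seq 55808, length 40
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE = re.compile(r"(\S+) IP ([\d.]+) > ([\d.]+): "
                  r"ICMP echo (request|reply), id (\d+), seq (\d+)")


def audit_wan_capture(text, wan_ip):
    """Return (timestamp, src, dst, reason) for each unanswered echo request."""
    pending = {}  # (src, dst, id, seq) -> timestamp of the request
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, kind, icmp_id, seq = m.groups()
        if kind == "request":
            pending[(src, dst, icmp_id, seq)] = ts
        else:
            # A reply swaps source and destination relative to its request.
            pending.pop((dst, src, icmp_id, seq), None)

    findings = []
    for (src, dst, _id, _seq), ts in pending.items():
        addr = ipaddress.ip_address(src)
        if src != wan_ip and any(addr in net for net in RFC1918):
            reason = "private source left WAN untranslated (no outbound NAT rule matched)"
        elif src != wan_ip:
            reason = "source is not the WAN address"
        else:
            reason = "translated, but no reply captured"
        findings.append((ts, src, dst, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_wan_capture(SAMPLE, WAN_IP):
        print(*finding, sep="  ")
```

Running the same capture again after adding the outbound NAT rule for the VPN subnet should return an empty list.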
