Netgate Discussion Forum

    Routing over OpenVPN to public Internet

      tt

      Hello all, we are using pfSense as the gateway firewall for our company and are now trying to solve an issue with OpenVPN. Can somebody help me, please?

      We are using a standard road warrior architecture:
      Client (Homeworker, public IP *) ==> pfSense (vpnserver; gateway public IP 200.200.200.200) ==> pfsense openvpn interface (tap, virtual subnet 10.1.0.0/24) ==> company LAN (10.0.0.0/24)

      This works fine, but for some reason there is an issue with routing OpenVPN clients to the public Internet:

      Client (Homeworker, public IP *) ==> pfSense (vpnserver; public IP 200.200.200.200) ==> pfsense openvpn interface (tap, virtual subnet 10.1.0.0/24) ==> * Public IP (for example google.com)

      To set up this function, we allow outgoing communication from the OpenVPN subnet (10.1.0.0/24) to the Internet and push a route to the clients (push "route 210.210.210.210 255.255.255.255";). Is it necessary to set up anything else? Because if a client tries to ping a public server over the VPN, it gets no response.

      We tried dumping the communication (WAN interface), and when pinging a public server from the LAN, the packets look like this:
      17:38:22.900321 IP 200.200.200.200 > 210.210.210.210: ICMP echo request, id 424, seq 6698, length 40         REQUEST
      17:38:22.901278 IP 210.210.210.210 > 200.200.200.200: ICMP echo reply, id 424, seq 6698, length 40          RESPONSE

      but when we try it over the VPN, just the request is sent, without a response:
      17:39:52.720342 IP 10.1.0.10 > 210.210.210.210: ICMP echo request, id 768, seq 55808, length 40         REQUEST

      Could the issue be in the source address (not translated, masqueraded)? How do we fix it, please?

      Thanks

      Note: Public addresses 200.200.200.200 and 210.210.210.210 are just examples.

        GruensFroeschli

        @http://forum.pfsense.org/index.php/topic:

        Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP. You can change this behavior by enabling Advanced Outbound NAT (AON) but this is usually unnecessary and adds unneeded complexity.
        For OpenVPN if you want the OpenVPN subnet NAT'ed to WAN, you will have to use AON.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
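Added example, not part of the original posts and not pfSense code: a small Python check that reads `tcpdump` ICMP lines captured on the WAN interface and reports echo requests that left with a private (un-NATed) source address or never received a reply. The sample input is constructed from the capture lines quoted in the question; the function and variable names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the WAN-side tcpdump lines quoted in the question
# (200.200.200.200 and 210.210.210.210 are the poster's example addresses).
SAMPLE_CAPTURE = """\
17:38:22.900321 IP 200.200.200.200 > 210.210.210.210: ICMP echo request, id 424, seq 6698, length 40
17:38:22.901278 IP 210.210.210.210 > 200.200.200.200: ICMP echo reply, id 424, seq 6698, length 40
17:39:52.720342 IP 10.1.0.10 > 210.210.210.210: ICMP echo request, id 768, seq 55808, length 40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def audit_wan_capture(text):
    """Return (un_natted, unanswered) lists of echo requests seen on WAN."""
    requests, replied = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ICMP echo line; ignore it
        key = (m["id"], m["seq"])
        if m["kind"] == "request":
            requests.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "key": key})
        else:
            # A reply matches a request with swapped addresses and the same id/seq.
            replied.add((m["dst"], m["src"], key))
    # A private or otherwise non-routable source on WAN means outbound NAT did not apply.
    un_natted = [r for r in requests if ipaddress.ip_address(r["src"]).is_private]
    unanswered = [r for r in requests if (r["src"], r["dst"], r["key"]) not in replied]
    return un_natted, unanswered

if __name__ == "__main__":
    leaked, lost = audit_wan_capture(SAMPLE_CAPTURE)
    for r in leaked:
        print(f"{r['ts']} un-NATed source {r['src']} -> {r['dst']}")
    for r in lost:
        print(f"{r['ts']} no reply for {r['src']} -> {r['dst']} id/seq {r['key']}")
```

After an outbound NAT rule for the OpenVPN subnet is in place, a fresh WAN capture should produce empty results from both lists.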

          tt

          Works!!!

          Thanks for the help.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.