[Solved] Gateway over OpenVPN



  • I have an OpenVPN server on pfSense. I have a main client that connects and goes out the public IP of the pfSense box. It works fine. I have a second client that needs to route all of its VPN traffic to a third client (to use the third client's public IP). I have been trying to setup a gateway with the third client's VPN IP and use policy routing to route traffic from the second client to the new gateway. The new gateway doesn't appear in the advanced section of the firewall rule. Am I doing something wrong or am I going about this the wrong way or do I just need to setup another pfSense box?



  • Have you assigned an interface for openvpn?



  • Yes. It is disabled and if I enable it then the OpenVPN server dies.



  • I'm in doubt that this would work properly with only one OpenVPN instance.
    You may add an additional server instance for one of the affected clients and then assign interfaces to both. After that you can route between these interfaces.



  • If I add another server instance (not another install if I'm understanding correctly), why wouldn't I run into the same issue? The routing table will still have The current server's public IP/interface as the default route.



  • pfSense is only able to route between interfaces. So each of the concerned vpn clients has to be connected to a different interface.



  • It is "normal" for openvpn to die when assigning an interface. Please restart the service and it will work.
    As far as routing is concerned, openvpn handles it internally, when you enable the peer to peer communication option.
    Then it is quite possible to e.g. rdp from one client to another via openvpn.
    The thing is you are trying to access the Internet using the ip of another client.
    This means quite a few things.
    First the "client" supplying internet should be able to do nat of the traffic arriving on vpn to its public ip.
    And you also need a second vpn interface on pf so as to policy route the default gw traffic of the client.
    I would opt for an openvpn server running at the "client" that needs to give internet acccess. Linux of course, or another pf in a dedicated role.
    And then a client connection from pf, to this openvpn server.

    I have already tested this and works well.



  • So the third client who has the other public IP needed is a pfSense box. It is on a network that I cannot open ports on so it has to connect out. I can setup another openvpn server on the current pfsense openvpn server but then I don't understand why I wouldn't have the same issue. I am trying to make a default gateway out of client rather than the regular default gateway. Adding another openvpn server / interface would make the gateway show up? I can go make a rule on the wan interface already with the wan gateway. Why/how would setting up another openvpn server allow me ignore the regular routing table?



  • @mecjay12 said in Gateway over OpenVPN:

    Why/how would setting up another openvpn server allow me ignore the regular routing table?

    That can be achieved by policy routing. However, therefore you need a gateway for the client. A gateway requires an interface to be assigned to the appropriate OpenVPN instance.



  • Right. I have a gateway on an interface assigned to my openvpn server. The VPN doesn't work if the interface is enabled. When I go to make a firewall rule to do policy routing the gateway doesn't show up.



  • Of course, it isn't shown in the droptown if it is disabled.

    @mecjay12 said in Gateway over OpenVPN:

    The VPN doesn't work if the interface is enabled

    Obviously you did something wrong.
    Assigned an IP address to it?

    Check the OpenVPN log for relevant entries.



  • You must not assign an ip address on the openvpn interface. Keep it at none.
    It will be assigned by openvpn server (or client) automatically.
    Then you will have the needed gateway,