openvpn packets getting returned over WAN gateway and not VPN gateway

  • I would like to forward the following ports ( 80,443,32400 )over a VPN tunnel to my VPS. I can't open ports on my WAN as my ISP is a 4G provider. I currently have a similar solution setup using an Ubuntu server with openvpn it workes but requires the client on each PC :/ .

    Here is my setup:

    VPS with pfsense 2.4.4 installed (OpenVPN server)
    VPS IP : 321.321.321.321

    pfsense 2.4.4 installed (OpenVPN client)
    Home IP:

    Step #1: I have OpenVPN setup and connected to my home pfsense 2.4.4 I can ping to my home pfsense LAN network just fine form the pfsense server installed on the VPS.

    Step #2: Added vpn as an Interface and enabled then saved.

    Step #3: Went to System/Routing/Gateways and added a monitor IP to VPN_VPNV4

    Step #4: Went to Firewall/NAT/Outbound set it to hybrid NAT
    Created a new mapping for to the VPN Interface that I created in (Step 2).

    Step #5: Created a rule under LAN interface

    Action: Pass
    Interface: LAN
    Protocol: Any
    Destination: any
    -Advanced Options-
    Gateway: VPN_VPNV4

    Step #6: Check that the client was getting the VPS pfsense External IP - It is getting IP 321.321.321.321 from a google search.

    Step #7: Logged into the VPS pfsese box and created a NAT rule for port 32400 to IP

    Step #8: canyouseeme.0rg test for port 32400 on Ip 321.321.321.321 and the test fails.

    Step #9: Packet capture on Home pfsense box under WAN.... Below I can see that the packets are being returned over my WAN home ISP and not the VPN gateway.

    08:47:26.323119 IP > tcp 0
    08:47:29.327666 IP > tcp 0

    Step #10: Smash head on desk. Make a thread post.


    Step #2 0_1540130248025_12345.JPG

    Step #3 0_1540130303090_123123.JPG

    Step #4 0_1540130155387_123.JPG

    Step #5 0_1540130199141_1234.JPG

  • Did you figure this out? I suspect I am struggling with the same issue.

  • I did actually just yesterday I will be making a guide shortly.

  • Rebel Alliance Developer Netgate

    You need to make sure the firewall rules to match incoming OpenVPN traffic only exist on the assigned OpenVPN interface tab and that traffic is not matched by any rules on the OpenVPN tab.

    Then reply-to will handle sending the return traffic back the correct path.

  • This might help you out..

    OPT3 (aka assigned vpn interface)
    Outbound NAT
    0_1540908275068_Screen Shot 2018-10-30 at 9.03.54 AM.png

  • I'll be honest. I don't understand those screenshots due to the stuff you're doing that is unique to your needs rather than what is purely necessary for setting up an OpenVPN Client to route all traffic through. Thanks for sharing the screenshots though!

  • @scottlindner

    Do you want all of your (lan) traffic over the VPN?

  • If it were simple, I would want that for only one VLAN (and only one remote domain even) but I'm finding routing in pfSense to be so scattered across things that I want to keep it stupid simple until I get my head around all of the pieces and parts.

    Ultimately, I'm only doing this so I can watch blackout NHL.TV on my Rokus. But for now, the true idiot's guide is what I'm after.

  • @scottlindner

    Okay so you want to pick and choose what devices go over vpn on a certain subnet ?

  • That would be truly ideal, but if it isn't simple I might shy away from it.

  • @scottlindner
    It's simple so basically the screenshots I provide is what you want. Just ignore the ports that I open.

    Tell me what network and ips on that network you want to go over vpn. I'll cook up a screenshot or 2 for you based off what you want to happen .

  • Here are the internal LAN IPs I want routed over the OpenVPN Client:,,

    I really appreciate this!

  • @scottlindner
    Do you have another network other than the 192.168.13.x/24?
    If you do have a second network does that network need to go over the WAN or VPN?

  • @sesipod yes. I have the untagged LAN carrying tagged traffic (trunk) and four tagged VLANs all going out over the gateway group which includes my WAN interface and a broadband interface as failover.

  • @scottlindner
    oh geez ...
    Well you can basically follow the screen caps above but ignore the Rules I have for OPT3 network. I am at work right now so I do not have my pfsense page up. Try the below and let me know ( if ) it works out for you. I basically made everything on the 13.x stay on the WAN unless you made a rule for the individual IP on that network.

    • OpenVpn RULES tab

    You should have noting in there.

    • Interfaces

    You should have the vpn interface assigned mine is called OPT3 above. You just add it and then press save making sure that it's enabled.

    ** I do not think that you have to set the vpn interface as the default gateway. However in my screen shots above I did and everything is working. You might want to test this. I do know if you do that you will have to update your rules for each network that is intended for WAN to have the advanced option gateway set as WAN

    • outbound nat page

    Switch to (hybrid) or (manual)

    For the 192.168.13.x/24 network copy the existing WAN interface mapping. In the new mapping setup change the Interface to your VPN Gateway interface. Put the new mapping above the WAN mapping for this .13.x network.

    • Rules Tab

    13.x network Tab:

    Starting out we will setup the 3 ips that you want over the VPN these rules should be placed above all others. ( rules 1-3 ) the last rule ( rule 4 ) is stating anything else will take WAN gateway.

    Rule #1
    Protocol: IPV4 ALL
    Port: ANY
    Destination ANY
    (advanced) - Gateway - VPN Gateway

    Rule #2
    Protocol: IPV4 ALL
    Port: ANY
    Destination ANY
    (advanced) - Gateway - VPN Gateway

    Rule #3
    Protocol: IPV4 ALL
    Port: ANY
    Destination ANY
    (advanced) - Gateway - VPN Gateway

    Rule #4
    Protocol: IPV4 ALL
    Source: (networkname) net
    Port: ANY
    Destination ANY
    (advanced) - Gateway - WAN Gateway.

  • I swear I'm doing everything you have specified here but the moment I switch on the OpenVPN Client all WAN access dies for the LAN and all VLANs.

  • LAYER 8 Netgate

    Check Don't Pull Routes in the VPN client.