AWS pfSense Instance Masks OpenVPN Source IP of Remote Client



  • Hi,

    I have a pfSense AWS Marketplace instance with OpenVPN configured to securely access AWS instances on the same subnet from a remote client. Everything works perfectly from a connectivity point-of-view, except for one thing: the source-IP on the packets that reach my internal AWS instances is the AWS subnet IP assigned to the pfSense instance.

    Preserving the original IP is a strong requirement for me. I've attached the OpenVPN configuration that I think is relevant for this.

    https://drive.google.com/file/d/1vH-3z6gSKZ2JScKNvgoCL-Gx_4_mDg70/view?usp=sharing

    Thanks,
    Erez



  • @erez-buchnik Can you please explain what "original" ip means to you?



  • @netblues thanks for responding,

    By 'original IP' I mean the IP that was assigned by the OpenVPN DHCP server when the VPN connection was established.

    When the packet left the remote client, its source IP was e.g. 128.128.128.5 (out of the address range that I've assigned to the OpenVPN), and the destination IP was e.g. 172.31.33.33 (assigned to my instance by the AWS subnet DHCP server). A packet capture on the OPT1 interface (which I assigned over my OpenVPN interface) showed the same packets with the same source / destination IPs, after decryption. Only when I sniffed the internal target VM, I saw that the source IP was replaced with the pfSense IP.

    I expected that by default, the packet would go through basic L3 forwarding (i.e. MAC swap, TTL decrease), and that the original source IP assigned by the OpenVPN server would be retained.

    10x,
    Erez



  • Pf is doing nat . Put a rule and exclude nat and you will see the original ip assigned by openvpn to the client


  • LAYER 8 Netgate

    And you will also have to specifically route the tunnel network to the pfSense interface in the VPC routing table. And pass it in security groups, disable source/dest check, and all that.


Log in to reply