Access to LAN net behind pfsense from OpenVPN net

  • I have the latest pfSense, installed on custom hardware. It has a LAN net and a WAN to the provider's router. I set up an OpenVPN client on pfSense to a remote server with subnet topology. pfSense is in the OVPN net. I want to connect from other OpenVPN clients ( and so) to some LAN clients.

    Now I can't:

    Pinging (pfSense LAN address) from (OVPN address) is successful:

    PING ( from 56 data bytes
    64 bytes from icmp_seq=0 ttl=64 time=0.070 ms
    64 bytes from icmp_seq=1 ttl=64 time=0.022 ms
    64 bytes from icmp_seq=2 ttl=64 time=0.019 ms

    Pinging (LAN client behind pfSense) from fails:

    PING ( from 56 data bytes
    --- ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss

    My settings are:

    • routes:

      Destination   Gateway   Flags   Use         Mtu     Netif
      default                 UGS     1855672     1500    em0
                              UGS     5678        1497    ovpnc1
                    link#9    UH      17561       1497    ovpnc1
                    link#9    UHS     234         16384   lo0
                    link#1    U       906808      1500    em0
                    link#1    UHS     0           16384   lo0
                    link#3    UHS     0           16384   lo0
                    link#3    U       0           1500    em2
                    link#6    UH      225741262   16384   lo0
                    link#3    U       521033894   1500    em2
                    link#3    UHS     18          16384   lo0
    • firewall rules in LAN tab:
    • firewall rules in OVPN tab:

    On the VPN server, in the ccd file, I added the line:

    push "route"

    But I receive this in the OpenVPN log on pfSense:

    Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])

  • The setup you describe is not clear to me.
    Maybe you can draw your network picture and share all OpenVPN settings.


  • Looks like you're double NAT'd. The first thing you'll want to do is have your ISP put their router in bridge mode so pfSense gets a public IP.

    Second, your push route command is not necessary if you've configured things correctly in the GUI. Not to mention, I doubt you're trying to push a route with a different gateway, plus the syntax is incorrect anyway; you can remove that push route. If you need something client specific, use the "Client Specific Overrides" tab on VPN -> OpenVPN -

    Post your server1.conf (/var/etc/openvpn).

  • Yep, the LAN net is double NAT'd; I'm now working with the ISP on switching the router to bridge mode.
    My net is:

    On the VPS I have an OpenVPN server + Zabbix ( On pfSense I have the Zabbix agent + proxy ( pfSense self-monitoring works fine (without proxy). I want to monitor some devices in the LAN. Now I've been stuck in settings: pinging LAN devices from the OVPN interface does not work, but pinging the pfSense LAN address works fine.


    dev ovpnc1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto udp4
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote <ip> 31194
    ca /var/etc/openvpn/
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    resolv-retry infinite
    link-mtu 1601
    remote-cert-tls server

    My goal is to set up Zabbix monitoring from the VPS (IP of devices on the LAN network (IP through a proxy installed on the pfSense router (IP Now Zabbix says "Timeout while connecting to ""." In the Diagnostics tab of the pfSense router, in the ping section, I can successfully ping pfSense itself: from, but from fails: packets are lost somewhere.
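    As an added illustration (not code from this thread or from pfSense/OpenVPN), here is a small Python model of the path a ping between the VPN and the LAN has to take in both directions: each hop does a longest-prefix lookup in its own table, and the OpenVPN server hop only forwards into the tunnel towards a subnet behind a client if that subnet is also declared as an iroute in the client's ccd file. The addresses, host names and tables are constructed placeholders, since the real ones were removed from the post.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway-or-None, netif) tuples."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, gw, netif in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return None if best is None else (best[1], best[2])

def trace(hosts, start, dst):
    """Forward one packet hop by hop; returns (delivered, path). A host with a
    'server_tun' key is an OpenVPN server and forwards into that tunnel towards a
    subnet behind a client only if the subnet is also an iroute (ccd file)."""
    path, cur, dst_ip = [start], start, ipaddress.ip_address(dst)
    for _ in range(8):                                # hop limit against loops
        h = hosts[cur]
        if dst in h["addrs"]:
            return True, path
        r = lookup(h["routes"], dst)
        if r is None:
            return False, path + [f"{cur}: no route to {dst}"]
        gw, netif = r
        if gw and netif == h.get("server_tun") and not any(
                dst_ip in ipaddress.ip_network(p) for p in h.get("iroute", [])):
            return False, path + [f"{cur}: kernel route via {netif} but no iroute for {dst}"]
        hop = gw or dst                                 # no gateway: directly connected
        nxt = next((n for n, v in hosts.items() if hop in v["addrs"]), None)
        if nxt is None:
            return False, path + [f"{cur}: next hop {hop} is not a modelled host"]
        path.append(nxt)
        cur = nxt
    return False, path + ["routing loop"]

def ping_ok(hosts, a, a_addr, b, b_addr):
    """A ping only works if the echo request AND the echo reply both route."""
    return trace(hosts, a, b_addr)[0] and trace(hosts, b, a_addr)[0]

# Constructed placeholder addressing (the post's real addresses were removed):
# VPN 10.8.0.0/24 (server .1, pfSense client .2), LAN 192.168.1.0/24 behind pfSense.
HOSTS = {
    "vps": {"addrs": {"10.8.0.1"}, "server_tun": "tun0", "iroute": ["192.168.1.0/24"],
            "routes": [("10.8.0.0/24", None, "tun0"), ("192.168.1.0/24", "10.8.0.2", "tun0")]},
    "pfsense": {"addrs": {"10.8.0.2", "192.168.1.1"},
                "routes": [("10.8.0.0/24", None, "ovpnc1"), ("192.168.1.0/24", None, "em2")]},
    "lanhost": {"addrs": {"192.168.1.50"}, "routes": [("0.0.0.0/0", "192.168.1.1", "eth0")]},
}
```

    Dropping the iroute from the "vps" entry makes trace() stop at the server even though its kernel route is present, which is the split between route (kernel) and iroute (ccd) that a site-to-site client setup needs; ping_ok() also fails whenever only one direction resolves.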

