TAP, can't access OpenVPN Server external IP address
I have a very simple bridge situation:
OpenVPN server: pfSense
External IP (for example): 22.214.171.124
OpenVPN server port: 1111
OpenVPN client: pfSense
I have good connectivity between any clients behind both servers in both directions.
But I can't access 126.96.36.199 from the OpenVPN client side.
There is nothing wrong with OpenVPN config itself.
Let's say I have a completely independent server 188.8.131.52. If I do port forwarding (with NAT) from 184.108.40.206:1111 to 220.127.116.11:1111 and change the OpenVPN server address to 18.104.22.168 (so now I'm connecting to 22.214.171.124 via 126.96.36.199), I suddenly have a connection to the 188.8.131.52 services, while losing the ability to connect to 184.108.40.206.
So the problem is exactly with the OpenVPN client in TAP mode, which filters direct connections to the OpenVPN server IP address.
Packet sniffing shows data goes through the connection at the client side, but nothing arrives at the server side. It seems like the problem lies on the client side.
What am I missing there?
P.S. The client config is here, but I don't see anything suspicious:
dev ovpnc3
verb 1
dev-type tap
dev-node /dev/tap3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.253
engine cryptodev
tls-client
client
lport 0
management /var/etc/openvpn/client3.sock unix
# (fictional ip)
remote 220.127.116.11 1111
ca /var/etc/openvpn/client3.ca
cert /var/etc/openvpn/client3.cert
key /var/etc/openvpn/client3.key
tls-crypt /var/etc/openvpn/client3.tls-crypt
ncp-ciphers AES-128-GCM
comp-lzo no
resolv-retry infinite
fast-io
mssfix 1400
fragment 1400
sndbuf 393216
rcvbuf 393216
mlock
fast-io
P.S. To clarify things:
When I use a port forwarding proxy, there's nothing wrong with 18.104.22.168.
Just confirmed the very same behavior with freshly installed OPNSense, which suggests the reason to be quite deep inside.
UPD2: Okay, I found the workaround, but it's obviously very messy:
I've created a port forwarding proxy at the client side. So now the pfSense OpenVPN client connects to a local proxy (which is actually behind this pfSense firewall), and the proxy forwards traffic to the actual server IP address.
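As an added illustration of that workaround (not the poster's code or pfSense's): a minimal user-space UDP relay of the kind the client-side port forwarding proxy performs, forwarding each client's datagrams to the real server and routing the server's replies back to the right client. The loopback listen and upstream addresses, and the echo endpoint standing in for the OpenVPN server, are constructed for the self-test.

```python
import select
import socket
import threading

class UdpRelay:
    """Forward UDP datagrams to upstream_addr and pass replies back to each client."""
    def __init__(self, listen_addr, upstream_addr):
        self.listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.listen.bind(listen_addr)
        self.upstream_addr = upstream_addr
        self.clients = {}   # client addr -> socket facing the server
        self.peers = {}     # socket facing the server -> client addr
        self.forwarded = self.returned = 0

    def serve(self):
        while True:
            ready, _, _ = select.select([self.listen, *self.peers], [], [])
            for sock in ready:
                try:
                    data, addr = sock.recvfrom(65535)
                except OSError:          # e.g. ICMP port unreachable from the server
                    continue
                if sock is self.listen:  # client -> server direction
                    up = self.clients.get(addr)
                    if up is None:       # first datagram from this client: new mapping
                        up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                        up.connect(self.upstream_addr)
                        self.clients[addr], self.peers[up] = up, addr
                    self.forwarded += 1
                    up.send(data)
                else:                    # server -> client direction
                    self.returned += 1
                    self.listen.sendto(data, self.peers[sock])

def relay_roundtrip(payload, timeout=2.0):
    """Push payload through a relay to a constructed local echo endpoint (stand-in
    for the OpenVPN server); return (reply, forwarded_count, returned_count)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(timeout)
    relay = UdpRelay(("127.0.0.1", 0), server.getsockname())
    threading.Thread(target=relay.serve, daemon=True).start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(timeout)
    client.sendto(payload, relay.listen.getsockname())
    data, addr = server.recvfrom(65535)  # the server sees the relay, not the client
    server.sendto(data, addr)            # echo back through the relay
    return client.recv(65535), relay.forwarded, relay.returned
```

The server only ever sees the proxy's address as the peer, which is exactly the property the workaround relies on: the OpenVPN client no longer talks to the server IP directly.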