TAP, can't access OpenVPN Server external IP address

  • Hi!
    I have a very simple bridge situation:
    OpenVPN Server, pfSense,
    External IP (for example):
    OpenVPN server port: 1111

    OpenVPN Client, pfSense,

    I have good connectivity between any clients behind both servers in both directions.

    But I can't access from OpenVPN Client side.
    There is nothing wrong with OpenVPN config itself.

    Let's say I have completely independent server If I'm doing port forwarding (with NAT) from to, and changing OpenVPN server address to (So now I'm connecting to via, I'm suddenly having a connection to services! While losing the ability to connect to

    So the problem is exactly with the OpenVPN client in TAP mode, which filters direct connections to the OpenVPN server IP address.
    Packet sniffing shows data goes through the connection at the client side, but nothing arrives at the server side. It seems like the problem lies on the client side.

    What am I missing there?

    P.S. The client config is here, but I don't see anything suspicious:

    dev ovpnc3
    verb 1
    dev-type tap
    dev-node /dev/tap3
    writepid /var/run/openvpn_client3.pid
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto udp4
    cipher AES-128-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    engine cryptodev
    lport 0
    management /var/etc/openvpn/client3.sock unix
    remote 1111 (fictional ip)
    ca /var/etc/openvpn/client3.ca 
    cert /var/etc/openvpn/client3.cert 
    key /var/etc/openvpn/client3.key 
    tls-crypt /var/etc/openvpn/client3.tls-crypt 
    ncp-ciphers AES-128-GCM
    comp-lzo no
    resolv-retry infinite
    mssfix 1400
    fragment 1400
    sndbuf 393216
    rcvbuf 393216

    P.S. To clarify things:


    When I use port forwarding proxy, there's nothing wrong with


    Just confirmed the very same behavior with freshly installed OPNsense, which suggests the reason to be quite deep inside.

    UPD2: Okay, I found the workaround, but it's obviously very messy:
    I've created a port forwarding proxy at the client side. So now, the pfSense OpenVPN client connects to a local proxy (which is actually behind this pfSense firewall), and the proxy forwards traffic to the actual server IP address.
