Netgate Discussion Forum
    pfsense Openvpn behind existing network

      blepas

      Hi, can anyone help me please? I want to install a pfSense OpenVPN server into an existing network without touching it.
      Existing network is very basic, Internet router + routed firewall (2 nic) + LAN
      I want to put the pfsense into the LAN and give access to remote users. Is it possible?

      Thanks.

        viragomann

        Yes, however if you do not run the VPN server on the default gateway you have some extra work to get the routing working:

        If you don't care about the original source address to be able to determine the VPN user on the destination device, you may set an outbound NAT rule on pfSense, which translates source addresses in packets from VPN clients to LAN devices to the pfSense LAN address.

        If you want to see the original source addresses on the destination devices, you have to set a static route on each device you want to reach, directing packets destined to the VPN tunnel network to pfSense.
        Otherwise the packets are sent to the default gateway and you get no communication.

          blepas

          Oh! Perfect, I need the 1st point... you mean I have to define an outbound NAT choosing:

          Edit Advanced Outbound NAT Entry:

          • LAN interface?
          • Protocol Any
          • source: Any ?
          • dest: lan network ?

          Translation:
          address: Interface Address

          thanks!!

            Gertjan

            Outbound ?
            No way.

            Your pfSense setup with the VPN server doesn't need any special setup.

            The upstream router** needs a simple NAT rule: WAN side: port 1193, address any; LAN side: port 1193, address ... the WAN IP of your pfSense. Protocol: UDP.
            The most basic NAT rule on the planet ;)

            ** You got it: the work needs to be done on the router in front of pfSense.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

              viragomann

              @blepas
              Exactly, if your pfSense only does the OpenVPN connections; otherwise you may restrict the source to the OpenVPN tunnel network.

              Don't forget to set the Outbound NAT into the manual mode.

                viragomann

                However, the modification on the upstream router (NAT / forwarding) as @Gertjan suggested is also needed, of course.

                  Gertjan @viragomann

                  I guess I'm not using something the right way then ?

                  This is what I have :
                  @viragomann said in pfsense Openvpn behind existing network:

                  Don't forget to set the Outbound NAT into the manual mode.

                  Never ever visited that page before .... mine is on "auto".
                  I do have an OpenVPN server so I can remote login.
                  I do have an ISP router in front of my pfSense, so I had to NAT 1193/UDP through it.

                  I miss something ?

                    viragomann @Gertjan

                    @Gertjan said in pfsense Openvpn behind existing network:

                    I miss something ?

                    If the OpenVPN server (pfSense) is the default gateway on the devices you want to reach from VPN clients, nothing.
                    But as I understood the TO, his ISP router should stay the default gateway in his LAN.

                      blepas

                      Solved:

                      Edit Advanced Outbound NAT Entry:

                      LAN interface
                      Protocol Any
                      source: Any
                      dest: lan network

                      Translation:
                      address: Interface Address

                      Works perfect!
                      Thanks!
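
Added example, not part of any post in this thread: a small Python model of the return path when the OpenVPN server is not the LAN's default gateway, comparing the static-route and outbound-NAT options discussed above and showing which source address the LAN server ends up logging. All addresses and names are constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing for illustration; none of these values come from the thread.
LAN = ip.ip_network("192.168.1.0/24")
TUNNEL = ip.ip_network("10.8.0.0/24")        # OpenVPN tunnel network
ANY = ip.ip_network("0.0.0.0/0")
FIREWALL = ip.ip_address("192.168.1.1")      # existing default gateway of the LAN
PFSENSE = ip.ip_address("192.168.1.250")     # pfSense LAN address (OpenVPN server)
VPN_CLIENT = ip.ip_address("10.8.0.2")
OTHER = ip.ip_address("172.16.5.10")         # hypothetical non-VPN source routed by pfSense

DEFAULT_ROUTES = [(LAN, None), (ANY, FIREWALL)]           # gateway None = on-link
WITH_STATIC_ROUTE = DEFAULT_ROUTES + [(TUNNEL, PFSENSE)]  # route added on the LAN device


def next_hop(routes, dst):
    """Longest-prefix match: return the first hop a host uses to reach dst."""
    net, gw = max(((n, g) for n, g in routes if dst in n),
                  key=lambda r: r[0].prefixlen)
    return dst if gw is None else gw


def round_trip(src, server_routes, nat_source=None):
    """Model one request from src to a LAN server.

    nat_source is the 'source' field of the outbound NAT rule on pfSense's LAN
    interface (None = no rule). Returns (address the server logs, reply_ok).
    """
    seen = PFSENSE if nat_source is not None and src in nat_source else src
    # The reply only gets back into the tunnel if its first hop is pfSense.
    return seen, next_hop(server_routes, seen) == PFSENSE


def report():
    return {
        "no NAT, no route": round_trip(VPN_CLIENT, DEFAULT_ROUTES),
        "static route": round_trip(VPN_CLIENT, WITH_STATIC_ROUTE),
        "NAT source any": round_trip(VPN_CLIENT, DEFAULT_ROUTES, ANY),
        "NAT source tunnel": round_trip(VPN_CLIENT, DEFAULT_ROUTES, TUNNEL),
        "other, NAT source any": round_trip(OTHER, DEFAULT_ROUTES, ANY),
        "other, NAT source tunnel": round_trip(OTHER, DEFAULT_ROUTES, TUNNEL),
    }


if __name__ == "__main__":
    for name, (seen, ok) in report().items():
        print(f"{name:26} server sees {seen!s:15} reply reaches pfSense: {ok}")
```

With the NAT rule every VPN user appears as the pfSense LAN address on the destination, so per-user attribution has to come from the OpenVPN and pfSense logs instead.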

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.