Using aliases for network/ip tunneling over OpenVPN



  • Hi there,

    I've configured OpenVPN to let me access part of our LAN (some /24) but also some external IPs (/32) that are only accessible from the WAN IP of the pfSense (what I call tunneling over OpenVPN).
    To make it work, I thought about adding specific routes (/32) and a specific NAT Outbound rule for those external IPs.

    Would it be possible somehow to do this (i.e. tunneling some, and not all, external IPs over the VPN) using aliases?
    That way, I wouldn't have to edit:

    1. The list of IPv4 Local Network/s in the OpenVPN client override (for each user)
    2. The NAT Outbound

    for every external IP?



  • You can do that, but you cannot use aliases in the OpenVPN settings.
    In the "IPv4 Local Network/s" box you have to enter networks in CIDR notation only, e.g. "10.85.22.0/24,1.1.1.1/32,2.2.2.2/32".

    In firewall rules you may use aliases containing all IPs or networks a user (group) is permitted to access over the VPN. Then you can set the source in the outbound NAT rule to your whole VPN tunnel network.



  • @viragomann
    This is basically what I'm doing:
    in "IPv4 Local Network/s" I'm adding the x.x.x.x/32
    and as NAT outbound rule:
    Interface: WAN
    Source: any ("This Firewall" doesn't work)
    Destination: Network (the same x.x.x.x/32)

    => It works, but that means that for every new IP I have to edit:
    every user config file (yeah, I can't change that in the server config, not every user has the same access rights)
    but also
    add a new NAT Outbound rule (there as well, aliases aren't possible).

    But I honestly didn't get how permissions per group/user would work in this case. Can you explain?



  • Above you mentioned adding a CSO for each user. With that you can control the virtual IP addresses the user gets.
    So if you have two user groups which should get different permissions, you can assign group 1 the tunnel network 10.10.22.0/26 and group 2 10.10.22.64/26. Then you may use those subnets as source networks in your firewall rules to control the access of each user group.

    You can also set "IPv4 Local Network/s" in the CSO.

    These settings are pushed to the clients, so there is no need to edit the client config files.

    In the outbound NAT rule, if you want to restrict it, you can use aliases by selecting Network and entering the alias into the network box.
    However, as mentioned, if you restrict access in the firewall rule already, there is no need to do that in the outbound NAT additionally.
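
    What the two replies above describe (per-client tunnel addresses in group-specific subnets, plus "IPv4 Local Network/s" pushed from the CSO), written out as an added example that is not part of this thread and was not generated by anyone's pfSense box. A pfSense client-specific override ends up as an OpenVPN client-config-dir (ccd) file named after the client's certificate common name, so the example is written in that syntax. Everything in it is assumed for illustration: a server tunnel network of 10.10.22.0/24 with subnet topology, the LAN 10.85.22.0/24, the external hosts 1.1.1.1 and 2.2.2.2, and the client names alice (group 1) and bob (group 2).

```conf
# Added example, not from the thread. Assumed server-side settings:
#   server 10.10.22.0 255.255.255.0
#   topology subnet
#   client-config-dir ccd
#   ifconfig-pool 10.10.22.128 10.10.22.254   # keep the dynamic pool out of
#                                             # the ranges assigned below
# One ccd file per client, named after the certificate common name.
# Each client needs its own distinct address; the /26 grouping exists only
# so that firewall rules can match "group 1" or "group 2" by source network.

# ---- ccd/alice : group 1, address inside 10.10.22.0/26 ----
# The pushed netmask stays the server's /24 so the server address
# (10.10.22.1) is always on-link for the client.
ifconfig-push 10.10.22.2 255.255.255.0
# This is what "IPv4 Local Network/s" in the CSO becomes: one route per entry.
push "route 10.85.22.0 255.255.255.0"      # part of the LAN
push "route 1.1.1.1 255.255.255.255"       # external /32, reached via the WAN IP
push "route 2.2.2.2 255.255.255.255"       # external /32, reached via the WAN IP

# ---- ccd/bob : group 2, address inside 10.10.22.64/26 ----
ifconfig-push 10.10.22.66 255.255.255.0
push "route 10.85.22.0 255.255.255.0"      # LAN only; no external hosts pushed
```

    With the addresses laid out like this, the access control lives in two places that never need per-user editing: a firewall rule on the OpenVPN interface with source 10.10.22.0/26 and destination set to an alias of the hosts group 1 may reach (and a similar rule for 10.10.22.64/26), and a single outbound NAT rule on WAN with source 10.10.22.0/24. A client in group 2 that adds the route to 1.1.1.1 by hand still gets dropped by the firewall rule, which is why the restriction belongs there rather than in NAT.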

