OpenVPN, port forwarding

  • Hello, I have the following problem.
    I connected a VPN to my mail server to get a static IP address.

    Recently I have had a lot of traffic coming from Russia, China, etc.
    So I decided it might be good to have a firewall running in front of the mail server.

    So I connected the pfSense firewall to the VPN.
    I managed to set the pfSense firewall as the gateway of my mail server.
    I also managed to forward the ports coming in on the VPN at the pfSense firewall and send them to the mail server.

    I am able to get mails and I am also able to connect to the mail server via Thunderbird.

    The only problem I have is that I am not able to send mails with the mail server.
    They unfortunately get stuck.

    I hope someone can help me and that my bad English is understandable.


  • So you're running an OpenVPN client on pfSense which connects to a VPN provider, and the provider forwards mails to you?

    And now you want to direct mails from your server out to the VPN?
    Do you want to send out any traffic over the VPN, or only mails?

  • Hello, thanks for the answer.
    Yeah, the VPN was normally connected to the mail server to get a static IP address.
    The VPN also got the reverse DNS to my domain. Everything worked nicely.
    Except the guests from Russia and China.

    Now I connected the firewall to the VPN.
    So my static IP address is sitting at my firewall, and I forward the mails coming from the VPN through the firewall to the server.
    This is already working.

    My problem is that mails coming from the server don't go through the firewall back to the VPN.

    Maybe I need some special route or an option so that the whole traffic exiting the server goes to the VPN.

    I am a little helpless here.

  • And I only want the mails to be sent out over the VPN, if this is possible.

  • You have to assign an interface to the OpenVPN client instance: Interfaces > Assign.
    At "available network ports" select the VPN client instance (e.g. ovpnc1) and hit Add. Open the new interface and enable it, set a friendly name if you want, and save the settings.

    Then add a firewall pass rule to the top of the interface facing the mail server. Enter the server's IP at source, leave destination at any. If you really want to direct only mails over the VPN, you may restrict the destination port(s) to the used ones (25). Go down and expand the advanced options, go to gateway and select the OpenVPN gateway.

    At last you have to set the outbound NAT for that: Firewall > NAT > Outbound.
    If it's working in automatic mode (default), switch to hybrid and hit save.
    Then add a rule, select the OpenVPN client's interface (the one you assigned first), at source enter your mail server's IP, destination is any, and the translation address is "interface address", which are the default values.

    Now it should work as you want.
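    For readers who prefer to see the three GUI steps above as firewall rules, here is a hand-written pf fragment that approximates what the assigned interface, the policy-routing pass rule and the hybrid outbound NAT rule amount to. This is an added illustration, not part of the original thread and not the rule set pfSense actually generates (pfSense adds tracker IDs, reply-to options and labels of its own). The interface names, the mail server address 192.168.1.10, the VPN gateway 10.8.0.1 and the port-forward destination are all assumed placeholders.

    ```pf
    # Assumed macros (placeholders, not values from the thread)
    lan_if     = "em1"                 # interface facing the mail server
    vpn_if     = "ovpnc1"              # assigned OpenVPN client interface
    vpn_gw     = "10.8.0.1"            # OpenVPN gateway selected in the rule
    mailserver = "192.168.1.10"        # mail server behind pfSense

    # Step 3: outbound NAT on the VPN interface (hybrid mode rule).
    # Without this, packets leave with the LAN source address and the
    # VPN provider drops or misroutes them.
    nat on $vpn_if inet from $mailserver to any -> ($vpn_if)

    # Step 1/2 (inbound side): the existing port forward from the VPN
    # interface to the mail server, with a pass rule so replies go back
    # out the VPN rather than the WAN default route.
    rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 25 -> $mailserver port 25
    pass in quick on $vpn_if reply-to ($vpn_if $vpn_gw) inet proto tcp \
        from any to $mailserver port 25 keep state

    # Step 2: policy-routing pass rule at the TOP of the LAN rules.
    # "quick" is what makes rule order matter: the first match wins,
    # so this must sit above any generic LAN-to-any rule that would
    # otherwise send SMTP out the default (WAN) gateway.
    pass in quick on $lan_if inet proto tcp \
        from $mailserver to any port 25 \
        route-to ($vpn_if $vpn_gw) keep state

    # Everything else from the LAN still follows the default route.
    pass in quick on $lan_if inet from $lan_if:network to any keep state
    ```

    The `route-to` on the LAN rule is the pf equivalent of choosing the OpenVPN gateway under the rule's advanced options, and `reply-to` on the VPN-side rule is why inbound mail keeps working once replies are forced back over the same interface they arrived on. Restricting the LAN rule to port 25 is what keeps only mail on the VPN; dropping the port match would send all of the server's traffic that way.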

  • Thank you so so much for your help.
    It worked quite nice.

    I am very glad that you took the time to write the answer that detailed.


  • Glad to read that it works now as desired.

  • Hey, yeah, I got one last question.

    The traffic coming through the VPN and getting forwarded isn't showing up at the firewall.

    The firewall only shows the WAN and the VPN (exit) interface I created, but the incoming traffic of the VPN is nowhere to be seen.

  • What do you mean?

    There is no exit and entry interface. Traffic can flow in both directions on any interface, as long as firewall rules allow it.
    The interface you have assigned to the OpenVPN client is the interface on which traffic comes in from the VPN provider and goes out as well.
    The "OpenVPN" tab in the firewall rules is an interface group including all OpenVPN instances you're running. If you have only one, the group includes only that one, but it is still a group.

  • Sorry, my mistake. I solved it by myself. I forgot to enable the option to see traffic that passed the firewall; I only saw traffic that got blocked.

