PfSense connecting to existing OpenVPN Server

  • Hi All,

    I'm currently migrating to pfSense from DD-Wrt (VPN) and I am trying to achieve the following

    pfSense Home     ---------->     OpenVPN Server   -----------   Client PC's
    192.168.1.X                      10.9.8.X                       10.9.8.X

    I have configured the VPN Client in pfSense to connect to the OpenVPN server; from pfSense I can ping hosts on the VPN and from the OpenVPN server I can ping pfSense, however I cannot route from OpenVPN back to pfSense - this all worked with DD-Wrt.

    I have modified the openvpn server.conf file as below

    push "route"

    I think either I'm missing something in pfSense, or I have misunderstood the way of setting the pfSense box up?

    Many Thanks,

  • Routing subnets over OpenVPN is somewhat non-trivial since both the client and server routing tables need to be manipulated to be aware of the subnets on either side of the tunnel. IPsec is easier to get working for a LAN->LAN tunnel, or bridging may work for your application as well.

    You really need to read the OpenVPN HOWTO, particularly the section entitled 'Expanding the scope of the VPN to include additional machines on either the client or server subnet', to make this work. Your 'push' command is definitely backwards, it should advertise the subnet. The route command is necessary as it is, but you also need an iroute attached to a client CN. I'm wondering from the lack of detail if you're also using as your internal OpenVPN subnet, which will never work.
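The route/iroute pairing described above, as an added example that is not from the thread or from pfSense: it writes the server-side fragments OpenVPN needs for a subnet behind a client and checks that every client-side `route` has a matching `iroute`. The client CN, the 10.8.0.0/24 tunnel subnet and the directory paths are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the server-side pieces OpenVPN needs so that
# replies from the server-side LAN can find the subnet behind a connecting client.
# Assumed values (placeholders, not from the thread): client certificate CN
# "pfsense-home", pfSense LAN 192.168.1.0/24, server-side LAN 10.9.8.0/24,
# and a tunnel subnet 10.8.0.0/24 that overlaps neither LAN.
set -eu

WORK=${WORK:-$(mktemp -d)}
CLIENT_CN="pfsense-home"
HOME_LAN="192.168.1.0 255.255.255.0"
SERVER_LAN="10.9.8.0 255.255.255.0"
TUNNEL="10.8.0.0 255.255.255.0"

write_server_conf() {
    mkdir -p "$WORK/ccd"
    cat > "$WORK/server.conf" <<EOF
server $TUNNEL
# kernel route: the server OS sends $HOME_LAN into the tun interface
route $HOME_LAN
# per-client files, looked up by the certificate CN of the connecting client
client-config-dir $WORK/ccd
# advertise the server-side LAN to the pfSense client (the "push" in the question)
push "route $SERVER_LAN"
EOF
    # internal route: tells the OpenVPN daemon WHICH client owns $HOME_LAN;
    # without it the daemon drops packets for that subnet even though the
    # kernel route exists, which matches the one-way symptom in the question
    printf 'iroute %s\n' "$HOME_LAN" > "$WORK/ccd/$CLIENT_CN"
}

# Every client-side "route" in server.conf needs a matching "iroute" in some
# ccd file; prints "ok" or the list of subnets that lack one.
check_routes() {
    conf="$1"; ccd="$2"
    missing=$(grep -E '^route ' "$conf" | while read -r _kw net mask; do
        grep -qs "^iroute $net $mask" "$ccd"/* || echo "$net $mask"
    done)
    if [ -n "$missing" ]; then
        echo "missing iroute for: $missing"
        return 1
    fi
    echo ok
}

write_server_conf
check_routes "$WORK/server.conf" "$WORK/ccd"
```

On the pfSense side the pushed route is enough for outbound traffic, but packets arriving from 10.9.8.x still have to be permitted by firewall rules on pfSense's OpenVPN interface before they reach 192.168.1.x.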

  • Hi,

    Thanks for the reply - things are certainly different in regards to achieving this using pfSense.

    I think I have now set this up the correct way, just using the OpenVPN Client settings in the pfSense GUI.

    From a remote host connected to the VPN server, I can now ping the pfSense box and a device on the internal network.