OpenVPN Client - Port Forward Guidance



  • Problem:

    I have spent several days now trying to tinker with pfsense settings to allow Mullvad VPN to port forward. If I leave "Don't pull routes" unchecked, then my normal "LAN" traffic cannot access WAN. If I uncheck "Don't pull routes" then both LAN and VPN clients can access the internet through their gateways, but ports are not forwarded to VPN clients anymore.


    Question: How can I add the necessary routes to enable port forwarding without pulling routes from Mullvad VPN?


    Network Topology

    • LAN clients use default WAN (192.168.10.0/24)
    • VPN clients have separate subnet, and should use VPN gateway only (192.168.65.0/24)
    • VPN traffic is tagged, floating rule blocks this traffic at WAN

    Explanation of Data Below

    • The config below shows the following:
    • Both LAN and VPN clients are able to access the internet on the correct gateway
    • The port forward function does not work for VPN clients
    • The only way I can get ports to successfully forward is by pulling all routes, and redirecting all traffic to VPN gateway (which I don't want to do)
    • The config below shows status with "dont pull routes" enabled, meaning that port forward does not work
    • Copied below are settings for OpenVPN, NAT port forward, NAT outbound, Firewall rules, logs, and wireshark dumps

    VPN Settings

    See pictures here


    NAT Settings

    See pictures here


    Firewall Rules

    See pictures here


    OpenVPN Log

    See pictures here


    Routes

    See pictures here


    Wireshark Dump

    See pictures here


    Thank you for your time and assistance. Appreciate all your support on this one. I am going crazy.
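The post above asks how to keep the WAN default route while still getting a tunnel that port forwards can use. The fragment below is an added example (not from the original post, and not Mullvad's or pfSense's own configuration) showing the raw OpenVPN client directives that sit behind pfSense's "Don't pull routes" checkbox and its "Custom options" box. It assumes the VPN client subnet is 192.168.65.0/24 as stated above, that the tunnel is assigned as a pfSense interface with its own gateway, and that the rules on the 192.168.65.0/24 interface policy-route that subnet to the VPN gateway; the 203.0.113.0/24 destination is a placeholder.

```openvpn
# Added example: OpenVPN client directives behind pfSense's "Don't pull routes"
# and "Custom options". Assumptions (not from the thread): VPN clients live in
# 192.168.65.0/24, the tunnel is an assigned pfSense interface with a gateway,
# and that subnet is policy-routed to the VPN gateway by firewall rules.
# Use Option A or Option B, not both.

# --- Option A: discard every pushed route, then add back only what you need ---
# This is what "Don't pull routes" sets. The server's pushed "route" and
# "redirect-gateway" options are ignored, so the WAN default route for the
# 192.168.10.0/24 LAN is never replaced.
route-nopull

# Re-add specific destinations through the tunnel if something needs them.
# "vpn_gateway" is OpenVPN's keyword for the far end of the tunnel.
# 203.0.113.0/24 is a placeholder destination (documentation range); replace
# it with a real network or delete the line.
route 203.0.113.0 255.255.255.0 vpn_gateway

# --- Option B: keep pushed routes and DNS, refuse only the default-route push ---
# Leave "Don't pull routes" unchecked in pfSense and filter the one option that
# would steal the LAN's default route. Needs OpenVPN 2.4 or newer.
# pull-filter ignore "redirect-gateway"
```

With either option the tunnel interface and its gateway still come up, so policy routing for 192.168.65.0/24 keeps sending that subnet out the VPN, and the tagged-traffic floating block on WAN described above still acts as the leak guard if the policy route is ever missing. Two things worth checking on the port-forward side: the forward and its associated pass rule should be on the assigned OpenVPN interface tab rather than the generic "OpenVPN" group tab, because pfSense only adds reply-to (which sends the host's replies back out the tunnel instead of WAN) on rules bound to an interface that has a gateway; and Firewall > NAT > Outbound needs a rule for 192.168.65.0/24 leaving via that interface, which is the point raised in the reply below.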



  • I port forwarded with Mullvad for a year. They work fairly well. I will tell you I did have to restart the tunnel on occasion for traffic to flow again.

    One thing I noticed.

    Under topology I have mine set to SUBNET.

    1. I don't see Firewall > NAT > Outbound where the traffic is allowed to leave on that interface, at least I don't think I do...
