OpenVPN Client - Port Forward Guidance
-
Problem:
I have spent several days now trying to tinker with pfsense settings to allow Mullvad VPN to port forward. If I leave "Don't pull routes" unchecked, then my normal "LAN" traffic cannot access WAN. If I uncheck "Don't pull routes" then both LAN and VPN clients can access the internet through their gateways, but ports are not forwarded to VPN clients anymore.
Question: How can I add the necessary routes to enable port forwarding without pulling routes from Mullvad VPN?
Network Topology
- LAN clients use default WAN (192.168.10.0/24)
- VPN clients have separate subnet, and should use VPN gateway only (192.168.65.0/24)
- VPN traffic is tagged, floating rule blocks this traffic at WAN
Explanation of Data Below
- The config below shows the following:
- Both LAN and VPN clients are able to access the internet on the correct gateway
- The port forward function does not work for VPN clients
- The only way I can get ports to successfully forward is by pulling all routes, and redirecting all traffic to VPN gateway (which I don't want to do)
- The config below shows status with "Don't pull routes" enabled, meaning that port forward does not work
- Copied below are settings for OpenVPN, NAT port forward, NAT outbound, Firewall rules, logs, and wireshark dumps
VPN Settings
See pictures here
NAT Settings
See pictures here
Firewall Rules
See pictures here
OpenVPN Log
See pictures here
Routes
See pictures here
Wireshark Dump
See pictures here
Thank you for your time and assistance. Appreciate all your support on this one. I am going crazy.
-
I port forwarded with Mullvad for a year. They work fairly well. I will tell you I did have to restart the tunnel on occasion for traffic to flow again.
One thing I noticed.
Under Topology I have mine set to SUBNET.
- I don't see Firewall > NAT > Outbound where the traffic is allowed to leave on that interface, at least I don't think I do...
-
Not sure if this will still help you or not. I found myself troubleshooting the same issue with Mullvad Port Forwarding and came across your post. I eventually overcame this problem by leaving the route pulling options unchecked and allowing the Mullvad routes into my routing table and using "policy based forwarding" on my to direct traffic on my LAN interface.
You can create (or use the existing) firewall rule that allows traffic out of the LAN to the WAN. On this rule use the advanced options drop-down to specify the gateway on your primary WAN interface.
This is not an ideal workaround as the default route for the firewall is still set to use Mullvad and this can have some unintended consequences, but it will allow you to use port forwarding on your VPN client.
Hope this helps. I'd be interested to know if you ever came up with a solution of your own.
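The two approaches in this thread, written out as raw pf rules so the routing behind them is visible. This is an added illustration and not pfSense's generated ruleset or anything the posters shared; pfSense builds its rules from the GUI, so the interface names (em0 LAN, em1 WAN, em2 for the 192.168.65.0/24 VPN-client subnet, ovpnc1 for the Mullvad tunnel), the next-hop addresses, the client address 192.168.65.20 and the port 51413 are all assumptions or placeholders. The LAN rule uses route-to to pin LAN traffic to the WAN next hop, which is what the second reply does through the rule's advanced gateway option. The part the original question is missing is the last rule: with "Don't pull routes" set, the firewall's default route is WAN, so replies to a forwarded connection that arrived over the tunnel leave by WAN unless the rule that passes them carries reply-to pointing back at the tunnel gateway. In pfSense that reply-to is added for you when the OpenVPN client is assigned as an interface with a gateway and the port-forward's rule is bound to that interface.

```pf
# Added illustration in pf.conf syntax; names and addresses are assumptions.
#   em0    = LAN, 192.168.10.0/24              (from the post)
#   em2    = VPN-client subnet, 192.168.65.0/24 (interface name assumed)
#   em1    = WAN, next hop 203.0.113.1          (constructed, documentation range)
#   ovpnc1 = Mullvad tunnel, next hop 10.8.0.1  (assumed)
lan_if   = "em0"
vpncl_if = "em2"
wan_if   = "em1"
vpn_if   = "ovpnc1"
wan_gw   = "203.0.113.1"
vpn_gw   = "10.8.0.1"
lan_net  = "192.168.10.0/24"
vpn_net  = "192.168.65.0/24"
fwd_host = "192.168.65.20"   # VPN client that should receive the forwarded port (assumed)
fwd_port = "51413"           # port assigned by Mullvad (placeholder)

# Outbound NAT on both egress interfaces. The first reply's point is that the
# tunnel interface needs its own entry here or VPN-client traffic never leaves it.
nat on $wan_if from $lan_net to any -> ($wan_if)
nat on $vpn_if from $vpn_net to any -> ($vpn_if)

# Port forward arriving over the tunnel: rewrite the destination to the VPN client.
rdr on $vpn_if proto tcp from any to ($vpn_if) port $fwd_port -> $fwd_host

# Policy routing. LAN is pinned to the WAN next hop (the gateway chosen in the
# rule's advanced options in the second reply); the VPN-client subnet is pinned
# to the tunnel and tagged so the floating rule can drop any leak out of WAN.
pass in quick on $lan_if   route-to ($wan_if $wan_gw) from $lan_net to any keep state
pass in quick on $vpncl_if route-to ($vpn_if $vpn_gw) from $vpn_net to any tag VPNONLY keep state
block out quick on $wan_if from any to any tagged VPNONLY

# The rule the question is missing: replies to the forwarded connection must go
# back out the tunnel even though the firewall's default route is WAN. reply-to
# records the tunnel gateway in the state so the return path ignores the routing table.
pass in quick on $vpn_if reply-to ($vpn_if $vpn_gw) proto tcp from any to $fwd_host port $fwd_port keep state
```

A quick check after loading such rules is to start a listener on the VPN client and watch `pfctl -ss` on the firewall for the forwarded state: if the state shows the tunnel interface and gateway on the reply side, responses are leaving the right way; if the state is created but the packet capture on the tunnel shows no replies, the reply-to is missing and the responses are being handed to the WAN default route.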