Firewall or routing issue with OpenVPN remote client

  • Hello Everyone,

    I have an issue with my device, probably a configuration error.

    Through an OpenVPN connection, this is working fine:
    Computer -> Teltonika RUT device -> OpenVPN tunnel -> PfSense -> Computers in the network

    The Teltonika device got an IP from the PfSense,
    I can ping the Teltonika device from the PfSense. The Teltonika can ping any computer in the network.

    The problem is that I can't ping the device connected to the Teltonika, or any of the others. Basically the network is not reachable from and by so

    I've manually tested 2 different routes on the PfSense:
    route add -net
    route add -net -iface ovpns2

    It doesn't make any difference, the ping doesn't leave the PfSense.

    Any idea what I'm missing? Firewall or routing?

    Best regards

  • The routes for OpenVPN connections have to be added by OpenVPN, not statically.

    What kind of OpenVPN server are you running? A remote access server or a site to site?

    Is the Teltonika device the default gateway in the network?

  • The OpenVPN server is the PfSense.
    Server mode: Remote access SSL/TLS + User auth
    Device mode: tun - Layer 3 tunnel mode
    Interface: WAN

    Yes, the Teltonika is the main device. It is a 4G access point with a SIM card.

  • So you have to set up an OpenVPN Client Specific Override for the client and add the remote network to the "IPv4 Remote Networks" as described in Configuring a Single Multi-Purpose OpenVPN Instance.

    However, if the Teltonika is the only client, I'd recommend changing the server mode to site-to-site. In this mode you can add the remote network in the server settings directly and don't need a CSO.

  • Thanks for the advice. I will try this setup.
    Indeed there will be multiple Teltonika clients.

    Is this solution compatible so another Teltonika will be and be able to reach?

  • Yes, you can define a CSO for each client, each with a unique tunnel subnet and with their appropriate remote networks.
    The must be added in the second Teltonika settings to the "IPv4 Remote Networks", so that the client device routes the traffic for over the VPN and the must be added to the first Teltonika settings.
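    To make the two answers above concrete in raw OpenVPN terms (an added example, not from this thread; pfSense writes the equivalent from the GUI, and the tunnel network, LAN subnets and certificate Common Names below are constructed), here is why a static "route add" alone cannot work and what a per-client override actually emits:

    ```conf
    # --- server config (constructed example) ---
    dev tun
    topology subnet
    server 10.8.0.0 255.255.255.0            # tunnel network, assumed

    # Kernel routes: the OS learns that these LANs are behind the tun interface.
    # A static "route add" does only this part, which is why the ping never
    # left the PfSense: OpenVPN still had no idea WHICH client owns the LAN.
    route 192.168.11.0 255.255.255.0
    route 192.168.12.0 255.255.255.0

    # Local LAN behind the server, pushed to every client
    push "route 192.168.1.0 255.255.255.0"

    # Per-client overrides (the "CSO"), keyed by the client certificate's CN
    client-config-dir /etc/openvpn/ccd

    # Deliberately NOT set: without client-to-client, site-to-site traffic
    # leaves the tun, is routed by the kernel and re-enters it, so the
    # firewall rules on the OpenVPN interface apply to it.
    # client-to-client

    # --- /etc/openvpn/ccd/teltonika-site1  (CN = teltonika-site1, assumed) ---
    # iroute is the OpenVPN-internal half of the route: "IPv4 Remote Networks"
    # in the CSO. It binds the LAN to this client's session.
    iroute 192.168.11.0 255.255.255.0
    # Let site 1 reach site 2's LAN over the VPN
    push "route 192.168.12.0 255.255.255.0"

    # --- /etc/openvpn/ccd/teltonika-site2  (CN = teltonika-site2, assumed) ---
    iroute 192.168.12.0 255.255.255.0
    push "route 192.168.11.0 255.255.255.0"
    ```

    Each client's own LAN must appear in its iroute only, never in the route pushed to it, otherwise the router would send its local traffic into the tunnel.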

  • Thanks for your help. With the CSO, I can ping the Teltonika and the computer behind it from my computer connected directly through OpenVPN (Viscosity).

    I will now begin the installation of the second Teltonika and confirm here if the solution is completely working. Also I will clarify which Firewall rules are necessary.

    FYI I still can't ping the Teltonika from the PfSense. 100% packet loss whatever the Source address is.

    Edit: I had a few instabilities. Can you confirm that I need to set up a different tunnel for each Teltonika?

    And the CSO for each remote network:
    On -> 11.0/24 and 12.0/24
    On -> 10.0/24 and 12.0/24
    And so?

    Best regards
