Yet another 'Cannot access LAN through VPN' post

  • Due to the shitty modem Bell gave me, I cannot give my pfSense box a regular WAN IP; it has to be given an IP within the range. Its LAN IP is (see this post for additional details). I can provide a crude network diagram if need be.

    I followed the OpenVPN video by Lawrence Systems to set up my VPN server. I can connect to the VPN using my Android phone if I have the phone connected to my home hub's Wi-Fi (this Wi-Fi is part of the network).

    Server wizard step 9:
    Server wizard step 10:
    Server tweak: I changed the server mode to remote access using SSL/TLS only
    Client export config tool: ( is the WAN IP of my pfSense box)
    WAN firewall rules:
    LAN firewall rules:
    OpenVPN firewall rules:
    IPv4 routes: em0 is WAN, em1 is LAN, is pfBlockerNG I believe.

    I've spent maybe two hours trying to get this to work. What am I missing?

  • What's the question?

    I assume you can connect to the OpenVPN server fine but you cannot connect to things on the LAN, right?

    If that's the case, turn the OpenVPN interface into a TAP interface (L2), then turn LAN into a bridge, adding the OpenVPN TAP interface and the LAN NIC to the bridge.

    Restart the OpenVPN server, export the OpenVPN config to the phone again, refresh and reconnect.

    Now the phone should get an IP address and be bridged into the LAN; problem solved. (This can take a few seconds if STP is enabled on the bridge.)

    The other option is to use a TUN interface. The downside here is that things like broadcasting do not work. Nevertheless, you can go down two routes:

    Easy route:

    Give the VPN clients a different subnet, e.g. and route them to the LAN subnet. As the LAN uses pfSense as its default gateway, the LAN is able to find the way back.

    Hard route:

    You use brouting to make this happen. You have to understand that routing and subnetting are NOT the same.

    So on the LAN interface you have as subnet and as IP address. On OpenVPN's TUN interface you have (YES, 24) as IP address. Also, you hand out IP addresses in the range of to the clients. You add a static route of to the tun interface (YES, THE INTERFACE) and enable proxy ARP for the interface.

    Now a client dials in via the tun interface, gets an IP address in the range of and the firewall proxies the ARP requests from one side to the other. As it knows what's going on, it magically copies the packets back and forth and you're a happy camper.

    You need to understand what this does, how proxy ARP works, and that you can get yourself into a lot of trouble if other networks exist and you haven't configured this correctly.
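The TUN "easy" and "hard" routes described in the reply above, as an added Python check that is not part of the thread or of pfSense: it takes a planned LAN subnet, LAN gateway, tun interface address and client pool (all addresses used with it are constructed samples, since the post's own did not survive), says which route the layout is, flags the overlaps and address collisions that would break it, and lists the steps each route still needs.

```python
import ipaddress


def check_tun_layout(lan_net, lan_gw, tun_if, pool_start, pool_end, other_nets=()):
    """Classify a planned OpenVPN TUN layout as the reply's 'easy' or 'hard'
    route and list what it still needs.  Arguments: LAN subnet, pfSense LAN
    address (the LAN default gateway), address/prefix OpenVPN puts on its tun
    interface, first and last client-pool address, and any other subnets the
    firewall already knows.  Returns {"mode", "problems", "steps"}.
    """
    lan = ipaddress.ip_network(lan_net, strict=False)
    gw = ipaddress.ip_address(lan_gw)
    tun = ipaddress.ip_interface(tun_if)
    first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if first > last:
        raise ValueError("client pool start is after its end")
    problems, steps = [], []
    if gw not in lan:
        problems.append(f"gateway {gw} is not inside LAN {lan}")
    for net in map(ipaddress.ip_network, other_nets):
        if tun.network.overlaps(net):
            problems.append(f"tunnel network {tun.network} overlaps {net}")

    if tun.network.overlaps(lan):
        # Hard route: the tun address sits inside the LAN subnet, a slice of
        # the LAN is handed to clients, and pfSense proxy-ARPs for that slice.
        mode = "hard"
        # A contiguous range lies inside a subnet iff both endpoints do.
        if not (first in lan and last in lan):
            problems.append(f"client pool {first}-{last} is not inside LAN {lan}")
        for used in (gw, tun.ip):
            if first <= used <= last:
                problems.append(f"client pool contains {used}, which is already in use")
        for net in ipaddress.summarize_address_range(first, last):
            steps.append(f"static route {net} via the tun interface itself")
        steps.append(f"proxy ARP on LAN for {first}-{last}")
    else:
        # Easy route: clients get their own subnet plus a route to the LAN,
        # and LAN hosts reply via pfSense, their default gateway.
        mode = "easy"
        if not (first in tun.network and last in tun.network):
            problems.append(f"client pool {first}-{last} is not inside {tun.network}")
        if first <= tun.ip <= last:
            problems.append(f"client pool contains the server tun address {tun.ip}")
        steps.append(f'push "route {lan.network_address} {lan.netmask}"')
        steps.append(f"OpenVPN-interface firewall rule allowing {tun.network} -> {lan}")
    return {"mode": mode, "problems": problems, "steps": steps}
```

In pfSense the `push "route ..."` line corresponds to the server's IPv4 Local network(s) field, and the firewall rule to the one on the OpenVPN tab.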
