Netgate Discussion Forum
    OpenVPN setup on pfsense and something I'm missing...

      kaisai
      last edited by kaisai

      Hi everyone

      I am trying to set up OpenVPN on pfSense.
      My goal is to have a static IP on the internet that I can connect to, to get into my home network.
      I don't want traffic to go out to the internet through this route, except the one that was initiated through the VPS (port forwarded).

      My situation is somewhat like this:
      [image: network]

      What I already worked out:

      • I set up an OpenVPN server on a VPS
      • I also got the OpenVPN client working on the pfSense, so the tunnel is up and running and I can ping 10.1.1.1 from 10.1.1.2 and vice versa.

      What I'm struggling with is the routing between the tunnel network (10.1.1.0/24) and my home networks (several VLANs with subnets like 192.168.x.0/24):

      • If I try to ping some machine in my local network from the VPS (10.1.1.1), I can see the traffic going over the tunnel (in the traffic graph), but nothing arrives at my machine (checked with Wireshark).
      • If I try to ping 10.1.1.1 from somewhere in my local network (e.g. 192.168.1.100), there's no traffic on the tunnel.
      • If I traceroute my local network machine from the pfSense (source 10.1.1.2) then it seems to be stuck directly at the gateway:
        1 10.1.1.2 39.255 ms 33.299 ms 31.461 ms
        2 10.1.1.2 62.069 ms 62.753 ms 54.512 ms
        3 10.1.1.2 59.731 ms 90.618 ms 81.735 ms
        4 10.1.1.2 88.704 ms 85.744 ms 111.079 ms

      So I'm sure I must be missing something but I just don't grasp it.
      I've already been working on this setup for some days now, so I beg for your help :)

      Finally, my configs:

      server.conf on the VPS:

      port 1194
      proto udp
      dev tun
      tls-version-min 1.2
      cipher AES-256-CBC
      auth SHA512
      tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
      ca ca.crt
      cert server_stargate01.crt
      key server_stargate01.key  # This file should be kept secret
      dh dh.pem
      topology subnet
      server 10.1.1.0 255.255.255.0
      push "redirect-gateway def1 bypass-dhcp"
      push "dhcp-option DNS 8.8.8.8"
      comp-lzo no
      keepalive 10 120
      tls-auth ta.key 0 # This file is secret
      user nobody
      group nogroup
      persist-key
      persist-tun
      status /var/log/openvpn/openvpn-status.log
      log         /var/log/openvpn/openvpn.log
      log-append  /var/log/openvpn/openvpn.log
      verb 3
      explicit-exit-notify 1
      
      client-config-dir ccd
      client-to-client
      
      route 192.168.1.0 255.255.255.0
      route 192.168.2.0 255.255.255.0
      push "route 192.168.1.0 255.255.255.0"
      push "route 192.168.2.0 255.255.255.0"
      

      ccd/client file:

      ifconfig-push 10.1.1.2 255.255.255.255
      
      iroute 192.168.1.0 255.255.255.0
      iroute 192.168.2.0 255.255.255.0
      

      In the OpenVPN client configuration on the pfSense, I have these settings (condensed to the most important; ask if you need anything else):

      • Server mode: peer to peer (SSL/TLS)
      • Protocol: UDP on IPv4 only
      • Device mode: tun
      • IPv4 Tunnel network(s): empty
      • IPv4 Remote network(s): empty
      • Topology: subnet
      • Don't pull routes: unchecked
      • Don't add/remove routes: checked
      • Custom options: empty
      • Gateway creation: IPv4 only

      Gateway settings:

      • Address family: IPv4
      • Gateway: 10.1.1.2

      Everything else is default.

      Thanks
      Kaisai
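As an added example (not code from the post, nor from pfSense or OpenVPN), here is a small Python checker that reads the routing-related directives of an OpenVPN server.conf and its ccd files and reports inconsistencies: a server `route` with no matching `iroute` in any ccd file (the server then has no client to forward that LAN to), an `iroute` without a server `route` or without `client-config-dir`, and a pushed `redirect-gateway`, which every client that pulls routes turns into a default route via the VPS. The embedded config text is a constructed copy of the relevant lines posted above; the ccd file name is assumed.

```python
from typing import Dict, List

# Constructed sample: the routing-related lines of the server.conf and
# ccd/client posted above (the ccd file name "client" is assumed).
SERVER_CONF = """
server 10.1.1.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
client-config-dir ccd
client-to-client
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
"""
CCD_FILES = {"client": """
ifconfig-push 10.1.1.2 255.255.255.255
iroute 192.168.1.0 255.255.255.0
iroute 192.168.2.0 255.255.255.0
"""}

def directives(text: str) -> List[List[str]]:
    """Split a config into [keyword, arg, ...] lists; drop comments and push quotes."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line.replace('"', "").split())
    return out

def check_site_to_site(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """Compare server 'route' lines with per-client 'iroute' lines and pushed options."""
    server = directives(server_conf)
    findings = []
    # 'route' sends the LAN into the tun device at the kernel level; 'iroute' in a
    # ccd file tells OpenVPN which client owns that LAN. Site-to-site needs both.
    routes = {(d[1], d[2]) for d in server if d[0] == "route"}
    iroutes = {}
    for name, text in ccd.items():
        for d in directives(text):
            if d[0] == "iroute":
                iroutes[(d[1], d[2])] = name
    for net in sorted(routes - set(iroutes)):
        findings.append(f"route {net[0]} {net[1]} has no matching iroute in any ccd file")
    for net in sorted(set(iroutes) - routes):
        findings.append(f"iroute {net[0]} {net[1]} in ccd/{iroutes[net]} has no server route")
    if iroutes and not any(d[0] == "client-config-dir" for d in server):
        findings.append("iroute used but client-config-dir is not set")
    if any(d[:2] == ["push", "redirect-gateway"] for d in server):
        findings.append("push redirect-gateway: clients that pull routes get a default route via the VPS")
    return findings
```

Run against the posted configs it reports only the pushed redirect-gateway, which matters given the stated goal of not sending internet traffic through the VPS.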

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.