OpenVPN setup on pfsense and something I'm missing...

  • Hi everyone

    I'm trying to set up OpenVPN on pfSense.
    My goal is to have a static IP on the internet that I can connect to, to get into my home network.
    I don't want traffic to go out to the internet through this route, except traffic that was initiated through the VPS (port forwarded).

    My situation is somewhat like this:

    What I already worked out:

    • I set up an OpenVPN server on a VPS
    • I also got the OpenVPN client working on pfSense, so the tunnel is up and running and I can ping from and vice versa.

    What I'm struggling with is the routing between the tunnel network ( and my home networks (several VLANs with subnets like 192.168.x.0/24):

    • If I try to ping some machine in my local network from the VPS (, I can see the traffic going over the tunnel (in the traffic graph), but nothing arrives at my machine (checked with Wireshark)
    • If I try to ping from somewhere in my local network (e.g., I there's no traffic on the tunnel
    • If I traceroute my local network machine from the pfSense (source then it seems to be stuck directly at the gateway:
      1 39.255 ms 33.299 ms 31.461 ms
      2 62.069 ms 62.753 ms 54.512 ms
      3 59.731 ms 90.618 ms 81.735 ms
      4 88.704 ms 85.744 ms 111.079 ms

    So I'm sure I must be missing something, but I just don't grasp it.
    I've already been working on this setup for some days now, so I beg for your help :)

    Finally, my configs:

    server.conf on the VPS:

    port 1194
    proto udp
    dev tun
    tls-version-min 1.2
    cipher AES-256-CBC
    auth SHA512
    tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
    ca ca.crt
    cert server_stargate01.crt
    key server_stargate01.key  # This file should be kept secret
    dh dh.pem
    topology subnet
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS"
    comp-lzo no
    keepalive 10 120
    tls-auth ta.key 0 # This file is secret
    user nobody
    group nogroup
    status /var/log/openvpn/openvpn-status.log
    log         /var/log/openvpn/openvpn.log
    log-append  /var/log/openvpn/openvpn.log
    verb 3
    explicit-exit-notify 1
    client-config-dir ccd
    push "route"
    push "route"

    ccd/client file:


    In the OpenVPN client configuration on pfSense, I have these settings (condensed to the most important ones; ask if you need anything else):

    • Server mode: peer to peer (SSL/TLS)
    • Protocol: UDP on IPv4 only
    • Device mode: tun
    • IPv4 Tunnel network(s): empty
    • IPv4 Remote network(s): empty
    • Topology: subnet
    • Don't pull routes: unchecked
    • Don't add/remove routes: checked
    • Custom options: empty
    • Gateway creation: IPv4 only

    Gateway settings:

    • Address family: IPv4
    • Gateway:

    Everything else is default.