How does pfSense handle OpenVPN subnet?



  • Hello, all!

    I recently set up an OpenVPN from my house that works well for me to connect in remotely. However, once I connect, I can access my pfSense router (which I am going to be firewalling off soon) but nothing else, i.e. other VLANs. I'm sure that this is due to firewall rules, but I am unclear on how to configure things.

    I noticed that there is an OpenVPN tab under firewall rules that I can add rules to. However, there is also now an unassigned interface. Am I supposed to assign that interface so that I can edit things such as DHCP, VLAN tags, etc.? When I set up OpenVPN initially, I had to specify a subnet that wasn't in use anywhere. Am I correct in assuming that OpenVPN created its own VLAN with default rules with that subnet, and if I want to modify it I have to assign that "ovpns" interface?

    I think the part that confuses me overall is that OpenVPN took that subnet I specified and created a whole network around it, but I don't see it as an editable object anywhere in pfSense like I do my other VLANs/interfaces.

    Thanks!



  • You do not have to assign OpenVPN to an interface.

    You do need to have a rule in place on your OpenVPN firewall tab to allow your VPN subnet access to the rest of your subnets.

    It's been a while, but I believe the subnets have to be added to the config file of any OpenVPN instance running in a "road warrior" client device.

    If you are connecting via another router, then the subnets need to be added to that box under "IPv4 Remote network(s)".
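As an added illustration (not from any poster in this thread) of the two pieces the reply above describes: the server-side directives pfSense generates from its OpenVPN server settings, and the matching pass rule on the OpenVPN firewall tab. The tunnel network 10.8.0.0/24 and the VLAN subnets 192.168.10.0/24 and 192.168.20.0/24 are made-up values; substitute your own.

```conf
# Constructed example of what pfSense writes into the OpenVPN server config
# from the GUI fields (VPN > OpenVPN > Servers). You edit the fields, not this file.

# "IPv4 Tunnel Network" -> the unused subnet you had to pick when creating the server.
# Clients get addresses from it; pfSense itself takes the first usable address (10.8.0.1).
# This is a routed tunnel, not a VLAN: there is no tagging and nothing to assign.
server 10.8.0.0 255.255.255.0

# "IPv4 Local network(s)" -> one push "route" per LAN/VLAN a road-warrior client should
# reach. Without these the client only knows the tunnel subnet, so it can reach pfSense
# but not the server VLAN behind the trunk.
push "route 192.168.10.0 255.255.255.0"   # LAN
push "route 192.168.20.0 255.255.255.0"   # server VLAN

# Routing alone is not enough: packets arriving through the tunnel are filtered by
# Firewall > Rules > OpenVPN. A matching pass rule (set in the GUI, not in this file):
#   Action: Pass   Interface: OpenVPN   Protocol: any
#   Source: 10.8.0.0/24   Destination: 192.168.20.0/24 (or a list of VLAN nets, or "any")
# Keep the destination as narrow as the use case allows; replies from the VLAN come back
# through the existing state, so no rule on the VLAN interface is needed for them.
```

For a site-to-site peer (another router rather than a road-warrior client), the same subnets go into the peer's "IPv4 Remote network(s)" field instead of being pushed.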



  • Thanks for the reply! I had no idea about specifying subnets in the config file; I'll go read up on that more.

    Yes, I am connecting from behind another router (at work). I'm trying to access a server that's on a separate VLAN than what OpenVPN puts me on. It looks something like this:

    Work PC --> Work Router --> {WAN/Internet} --> pfSense --trunk--> switch --> server

    Where in pfSense do I need to add the subnets that you are mentioning? Also, I shouldn't have to worry about tagging my traffic to go through the switch, correct?

