OpenVPN client to pfSense Firewall acrossing IPSEC tunnels for remote connection

  • I just got OpenVPN up and running :)  It took long enough.  I messed with it off and on for 3 or 4 months between other more critical projects and work.

    I have tested my connection and have been able to connect to my internal network no issues.  I added specific rules so that in theory I can connect to remote sites.

    I have 6 or more IPSEC vpn tunnels.  I like to be able connect to OpenVPN then go out over my IPSEC connections and due maintenance.  Will this work?

  • I have tried the following:

    I have added the remote subnets that are connected to the via IPSEC to my client via a push route.  The route has made it to my client.  I still can't connect to the subnet on the other end of a IPSEC tunnel.

    I have also added a 4 firewall rules (1 TCP, 1TCP/UDP, 1 UDP, 1 ICMP) to allow for communication.  My client end is 192.168.19 and I connect to 192.168.14 subnet behind my firewall.

    I am trying to connect to connect to 192.168.24 subnet that is connected to my network via a IPSEC VPN tunnel.

    Anyone even attempted to do what I am trying? (I have both a IPSEC moblie client and OpenVPN client).  I am working on getting either to work or working with the best solution.


  • Make sure all the other routers on your network know about your openvpn subnet (i.e. Static Routes) or they will not be able to route packets back to you on the openvpn subnet even if your packets make it to the IPSEC subnets.

  • I will give that a shot this weekend.  I was think that was my next thing on the check list.  It's been nuts lately.  Thanks for the tip.

  • Hello.

    Is there a solution for this?

    I have the same problem, the OpenVPN connection between my notebook and the pfsense works fine (I can reach the pfsense's LAN), but I can't reach the networks of our customers, which are connected by IPSec (so the same scenario).

  • IMO the problem is, that re remote client behind the IPSEC tunnel has to know that the request comes from the OpenVPN client.

    Does the remote client in your setup know to send traffic back through the IPSEC tunnel?

  • From the pfsense I can ping the other Site of the IPSec Tunnels, so the Routing between the far ends an my pfsense seems to be correct.

    Now I'm not sure what to do so that I can reach the far end of the IPSec Tunnels when I'm connected with OpenVPN to the pfsense.

    I've just started to work with pfsense (and Tunneling with IPsec and OpenVPN), so if somebody have a hint for me, I would be very grateful.
    Somebody told me that I could be better (and less confusing) to use OpenVPN for the hole scenario.

    The Attachment shows the current scenario.

  • Yes using OpenVPN for everything would be easier.

    I'm not sure it possible to redirect certain traffic over the IPSEC connection.
    The problem is not, that traffic from the clients doesnt go over the IPSEC connection, but that the reply doesnt know where to go.

    Did you make sure the other side of the IPSEC connection has correct static routes for the OpenVPN subnet pointing to the pfSense?

  • @GruensFroeschli:

    Did you make sure the other side of the IPSEC connection has correct static routes for the OpenVPN subnet pointing to the pfSense?

    No, because of the fact that I can send pings between the pfsense and the other IPSec Sites I thought the only thing that is missing is a routing on the pfsense to make this scenario work.

    And the problem is I have no full access to the other site of the IPSec Tunnels (for example I have no acess to the Firewalls on the other Sites).

  • A solution would be to NAT traffic from the OpenVPN subnet to the IPSEC tunnel.
    Essentially from the other side it would appear as if everything originates from the pfSense iteself.
    However this functionality is currently not present in pfSense.

    I think a bounty is going to add the ability to NAT into the IPSEC tunnel.

  • I have done some research and I have found out what I was looking at was call casading vpn tunnels.  This allows you you to connect to your main site and go down one of the spokes as it called.

  • I'm having the same problem I can make a remote desktop connection from my mobile client to one of my servers and request the webpage of one of the printers in the Office.
    I can't directly access that webpage from the mobile client.

    As far as I can see, all the gateways are correct.

    Firewall rules:
    IPSec: Allow all on all for all
    WAN: Allow TCP/UDP on port 1194 for all
    LAN: Allow All from LAN Net to all

    Maby I'm missing something?

    When I traceroute a host in the office network from the mobile client, I get a response from the PFSense server and than from the default gateway of PFSense. So PFSense is routing the traffic the wrong way…

    Doing the same traceroute from one of my servers, i get the PFSense host, than the router at the office and than the host I'm looking for.