WAN->Port forward->openVPN Client
-
I have found a few topics on this, but still have not gotten it to work. Basically I want to forward a port (4444) to a client that is connected to the pfSense box with OpenVPN. The LAN subnet can talk to the OpenVPN subnet and the other way around. Port forwarding through NAT works to the LAN subnet.
Based on other forum threads:
I removed all rules on the OpenVPN tab
I added the interface for ovpns (Open VPN Remote Users)
To get LAN to talk to OpenVPN after deleting the rules in the "OpenVPN tab", I added the same rule to the ovpns tab. Based on other forum threads I have read, I don't know if the interface should be WAN or OVPNS. Either way it does not work.
Any help would be
In the image below, the IP that is redacted is the IP of the OpenVPN client (it's static).
Other notes:
There is an IPsec site-to-site VPN configured, however I have not tried that to see if it can forward ports.
-
@natem said in WAN->Port forward->openVPN Client:
Basically I want to forward a port (4444) to a client that is connected to the pfSense box with OpenVPN.
What is the source of this traffic? Internet host or a LAN device?
What is the OpenVPN client OS?
Firewall and NAT rules have to be added to the incoming interface. So the rules for allowing and forwarding destination port 4444 will be on the wrong interface.
-
Sorry, I guess I did not say that the traffic is coming from the internet (WAN).
Client software is OpenVPN Connect on a Macintosh
pfSense 2.4.5-RELEASE-p1
Tonight I will try again to put that on the WAN interface, but it didn't work last time (it was exactly the same port forward rule, but with the interface changed).
-
@natem
Does your OpenVPN server push the default route to that respective client?
If it doesn't, the only way to get that to work is by masquerading the traffic destined to the VPN client, which means that the client is not able to determine the origin source IP. Otherwise the client sends response packets out to its default gateway.
-
Pushed the default route to the VPN clients and that worked! Do you know if there is a way to do this without sending all traffic over the VPN?
-
@natem said in WAN->Port forward->openVPN Client:
Do you know if there is a way to do this without sending all traffic over the VPN?
Yes, I mentioned already above:
If it doesn't, the only way to get that work is by masquerading the traffic destined to the VPN client
-
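As an added illustration of what viragomann describes in the two posts above (the reply-path problem and the masquerading fix), here is the equivalent in raw pf rule syntax as pfSense generates it; this is not from the thread and it assumes em0 is WAN, ovpns1 is the OpenVPN server interface, and 10.8.0.10 is the client's static tunnel address (all constructed values).

```pf
# Assumed (constructed) names: em0 = WAN, ovpns1 = OpenVPN server interface,
# 10.8.0.10 = static tunnel address of the OpenVPN client.

# Port forward on the incoming (WAN) interface: rewrite the destination of
# inbound TCP/4444 to the VPN client. This alone is what natem tried first.
rdr on em0 inet proto tcp from any to (em0) port 4444 -> 10.8.0.10 port 4444

# Without the next rule the client sees the real Internet source address and
# answers via its own default gateway, not back through the tunnel, so the
# handshake never completes unless the server pushes the default route.
#
# Masquerade (outbound NAT) on the OpenVPN interface: the client now sees the
# tunnel gateway as the source and replies into the tunnel. The cost is the one
# viragomann notes: the client can no longer log the origin IP, so keep the
# WAN-side firewall log as the record of who connected.
nat on ovpns1 inet proto tcp from any to 10.8.0.10 port 4444 -> (ovpns1)

# Filter rule on WAN permitting the forwarded traffic. pf applies rdr before
# filtering, so the pass rule matches the translated destination.
pass in quick on em0 inet proto tcp from any to 10.8.0.10 port 4444 keep state
```

In the pfSense GUI the nat line corresponds to an Outbound NAT rule (Firewall > NAT > Outbound, hybrid or manual mode) on the OpenVPN interface with destination set to the client address and port 4444, translation set to interface address.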
@viragomann Cool, thanks, I did not notice that before. I'll look into that, and thanks a bunch for your help. :)
-
@natem said in WAN->Port forward->openVPN Client:
@viragomann So I was just about to reply as I was having trouble getting more than one connection at a time, but it looks like I got it. I figure I'll upload a screenshot for anyone else.