How to set up OpenVPN behind pfsense



  • Hello, folks.

    I have a pfsense running as fw/gw. I want to shift the VPN load to a separate server running FreeBSD 7.2 that does just VPN.
    I could not get this combo to work.

    dial-up VPN users ----------- Internet ------ pfsense 1.2.2 ----- NAT ---- OpenVPN

    I've been searching for a sample configuration with OpenVPN behind NAT or a router, but I haven't found one that works.

    I think it might be a routing thing, but I am not sure.
    Do I have to add a static route on the pfsense?

    Please advise.
    Thanks a lot!

    BSD



  • Are you doing any NAT on the OpenVPN-server?

    You can create a static route under:
    System -> Static Routes



  • Thank you for your reply.

    The setup I have is this.

    I created a public VIP and a NAT rule forwarding port tcp/443 to the private IP of the openvpn server listening on tcp/443.

    dial-up Users ----------- Internet ------------- pfSense FW ------ NAT ---- (OpenVPN private IP: 192.168.1.254) --------- Subnets (192.168.1.0/24, 192.168.2.0/24, etc.)

    The reason I used tcp/443 is to allow dial-up VPN users to get to VPN from behind any restrictive firewall.
    This is the first time I've used this setup. I don't know if it works.

    I'm kinda confused now. I think I have to create a static route on the openvpn server instead of the pfsense. Is that correct?



  • Seems like you would have to create a static route on every other machine for that to work. If a machine on your LAN gets an echo request from some IP (in this case let's say a remote LAN IP of one of your clients), it will go to the default gateway, which will be pfSense. The traffic won't get to the OpenVPN server even though that's how it got into the network in the first place.

    The problem with this is that if these are mobile clients (and it sounds like they are) you don't know what their remote subnets are going to be, so you can't add static routes for them, either on the clients or on the pfsense machine (not 100% on whether that would work anyway even if you knew the subnets).

    I do exactly what you're doing with a few servers (openvpn server on a NAT'd IP) but it works for me because I only want the clients of those servers to have access to the IP of the server, so I haven't actually tried to solve the problem you're having.

    Edit: maybe a bridged rather than routed setup would work better; it would also solve the problem of the possibility of overlapping subnets with your road warriors.
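As an added illustration (not code from any poster in this thread), the Python simulation below traces where a LAN host's reply to a VPN client ends up with and without a static route for the tunnel subnet on pfSense. The addresses not shown in the thread's diagrams are assumptions: the LAN host 192.168.1.10, the pfSense LAN address 192.168.1.1, the tunnel subnet 10.8.0.0/24 (OpenVPN's usual `server 10.8.0.0 255.255.255.0`) and the client address 10.8.0.6.

```python
import ipaddress

# Constructed topology, based on the diagrams in this thread; addresses not
# shown there are assumptions (see lead-in). "ISP" stands for the WAN side.
TUNNEL = "10.8.0.0/24"   # assumed OpenVPN tunnel subnet on the FreeBSD box

def next_hop(routes, dst):
    """Longest-prefix-match lookup; routes is a list of (prefix, next_hop)."""
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def site(static_route_on_pfsense):
    """Routing tables for the three site nodes; 'owns' = directly delivered."""
    pf_routes = [("192.168.1.0/24", "lan"), ("0.0.0.0/0", "ISP")]
    if static_route_on_pfsense:
        # pfSense: System -> Static Routes, 10.8.0.0/24 via 192.168.1.254
        pf_routes.append((TUNNEL, "openvpn"))
    lan_default = [("192.168.1.0/24", "lan"), ("0.0.0.0/0", "pfsense")]
    return {
        "lan_host": {"owns": ["192.168.1.10/32"], "routes": lan_default},
        "pfsense":  {"owns": ["192.168.1.1/32"], "routes": pf_routes},
        "openvpn":  {"owns": ["192.168.1.254/32", TUNNEL], "routes": lan_default},
    }

def owner(tables, dst):
    """Node that delivers dst directly (tun or LAN interface), or None."""
    for name, t in tables.items():
        if any(dst in ipaddress.ip_network(n) for n in t["owns"]):
            return name
    return None

def trace_reply(tables, start, dst):
    """Hop list ending in DELIVERED, ISP (reply left via the WAN) or DROP."""
    dst = ipaddress.ip_address(dst)
    path, node = [start], start
    for _ in range(6):
        if owner(tables, dst) == node:
            return path + ["DELIVERED"]
        hop = next_hop(tables[node]["routes"], dst)
        if hop == "lan":            # directly connected: hand to the owner
            hop = owner(tables, dst)
        if hop is None:
            return path + ["DROP"]
        path.append(hop)
        if hop not in tables:       # e.g. ISP: NATed out the WAN, never tunneled
            return path
        node = hop
    return path + ["LOOP"]

if __name__ == "__main__":
    for flag in (False, True):
        print("static route" if flag else "no route  ", trace_reply(site(flag), "lan_host", "10.8.0.6"))
```

Traffic addressed to the OpenVPN server's own LAN IP is delivered either way, which is why a setup that only exposes the server itself works without the route; on the FreeBSD box, forwarding must also be on (`gateway_enable="YES"` in rc.conf) and the server must push the LAN routes to clients (`push "route 192.168.1.0 255.255.255.0"`).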

