site-to-site OpenVPN with client side with dynamic IP and behind NAT
-
I have a site-to-site OpenVPN setup that has been working great.
Due to circumstances beyond my control, one of the clients (running a pfSense 2.7.0 router) is temporarily behind another router with a dynamic IP connection doing NAT.
I still have complete control of the server side which is running pfSense 2.7.0 on a static public IP.
The connection was working fine before the client moved; the configuration is unchanged. However, the VPN connection no longer establishes successfully.
I increased OpenVPN's log verbosity, and I see that the client is passing 192.168.1.16 (which is the current IP of the client's pfSense WAN) as its local IP. I assume this is why the connection is not establishing itself correctly.
So I have a two-part question:
- How can I manually define the local public IP of the client connection? At least to test, I could grab the current public IP of the connection and try inputting that into the config to see if I can successfully establish the OpenVPN connection again.
- If that is the only issue, I then need a way to pass the local IP of the client connection dynamically, if the public IP changes. I assume the best way to do this would be to set up some kind of dynamic DNS service on the pfSense box connected to a subdomain, and then use that subdomain as the local address for the client. What would be the best/easiest way to do this?
- Sneaky third question: is there any way to programmatically have the client fetch the public IP and use that when passing settings to the OpenVPN server?
-
@zippydan said in site-to-site OpenVPN with client side with dynamic IP and behind NAT:
How can I manually define the local public IP of the client connection?
This is not necessary in OpenVPN.
Something else to see in the server log?
-
@zippydan if the OpenVPN client is behind 65 routers, it should be able to connect to your OpenVPN server anyway. The source IP from the client will be the public IP of the last router doing NAT.
Maybe you set up (in the beginning) a firewall rule that takes the "source IP" into consideration as well? Try modifying the firewall rule on your server WAN interface: source -> any.
-
@Bambos said in site-to-site OpenVPN with client side with dynamic IP and behind NAT:
Maybe you set up (in the beginning) a firewall rule that takes the "source IP" into consideration as well?
Yup, I'm a dummy. That was it. My firewall rule for the OpenVPN port (standard is 1194) was restricted to an Alias Group containing all the public IPs of my clients. I've disabled that group for now - just until I can get a static IP for the client that moved.
Thanks!
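To make the root cause concrete, here is an added Python model of the server-side WAN rule described in this thread (example code, not from pfSense or the thread's authors). The alias entries, the hostname `moved-site.example.net`, the NAT router address `192.0.2.55` and the resolver are constructed for the example; it shows why an alias restricted to the old public IPs blocks the relocated peer, and how a hostname alias pointing at a dynamic DNS name (or "source: any") lets it through.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional, Set

OPENVPN_PORT = 1194  # the default port mentioned in the thread

# Constructed alias: static public IPs of the peers plus a hypothetical
# DDNS hostname for the peer that now sits behind a NAT router.
CLIENT_PUBLIC_IPS = ["203.0.113.10", "198.51.100.7", "moved-site.example.net"]


def resolve_alias(entries: Iterable[str],
                  resolver: Callable[[str], List[str]]) -> Set[ipaddress.IPv4Network]:
    """Expand a pfSense-style alias into networks.

    Literal IPs/CIDRs are kept as-is; anything else is treated as a hostname
    and resolved. pfSense re-resolves hostname aliases periodically, which is
    what makes a dynamic DNS name usable as an allowed source.
    """
    allowed: Set[ipaddress.IPv4Network] = set()
    for entry in entries:
        try:
            allowed.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:  # not an address -> hostname
            for ip in resolver(entry):
                allowed.add(ipaddress.ip_network(ip))
    return allowed


def peer_source_ip(client_wan_ip: str, nat_public_ip: Optional[str] = None) -> str:
    """The source IP the server actually sees: behind NAT it is the last NAT
    router's public address, never the client's private WAN IP (192.168.1.16
    in the thread). Without NAT the client's own WAN IP is the source."""
    return nat_public_ip if nat_public_ip is not None else client_wan_ip


def wan_rule_permits(src_ip: str, dst_port: int,
                     allowed: Optional[Set[ipaddress.IPv4Network]] = None) -> bool:
    """Model of the server's WAN pass rule for the OpenVPN port.

    allowed=None models 'source: any' (the workaround chosen in the thread);
    otherwise the source must fall inside one of the alias networks.
    """
    if dst_port != OPENVPN_PORT:
        return False
    if allowed is None:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in allowed)
```

With the alias limited to the old static IPs the relocated peer's packets arrive from the NAT router's public address and are dropped; adding the DDNS hostname to the alias (or setting source to any) restores the pass.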