Netgate Discussion Forum
    Routing when using pfSense as Openvpn server only

    OpenVPN

    arcusnetworks:

      I am using pfSense as an OpenVPN server, as I have a Cisco ASA as the main firewall at my service provider. So to create a VPN into my cloud I am trying to use OpenVPN on the pfSense. I have the server set up and the client connects just fine, but when I try to ping a server in my cloud from my Windows machine I get no reply. BUT... If I add a static route on a device in my cloud that routes back to the LAN IP of the pfSense, all is well. From what I have read, pfSense OpenVPN should be pushing the route to the destination device, but it appears not to be happening. This is probably clear as mud. Please let me know if there is any more info I need to provide. TIA.

      JKnott @arcusnetworks:

        @arcusnetworks

        Is pfSense or the ASA your gateway? If the ASA is the gateway and the VPN is on pfSense, clients will have no idea how to reach the other end of the VPN.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        arcusnetworks @JKnott:

          @JKnott Yes, the GW is the ASA. I thought the OpenVPN server had the ability to "push" routes to an end point? Is that not the case?

          viragomann @arcusnetworks:

            @arcusnetworks said in Routing when using pfSense as Openvpn server only:

            If I add a static route on a device in my cloud that routes back to the LAN ip of the pfSense, all is well.

            This would not work if the client had no route to the remote device. So I presume the server pushes the route to the client properly.
            But you need proper routes for both directions.

            The issue in your setup is that the ASA is the default gateway. So the devices route all traffic which they have no route for to the ASA, even packets destined to the VPN client.
            If you think now that a route on the ASA for the VPN tunnel network to pfSense does the job - forget it. This would lead to asymmetric routing. It would work for pings, though, but not for TCP traffic.

            There are three possible ways to make the routing work in your setup:

            • The bad one you found out already: Add a static route for the VPN tunnel network to each device you want to reach from VPN clients.
            • Better, but depends: NAT the traffic from the VPN clients on the pfSense LAN interface to its LAN IP. So the devices send responses back to pfSense and access from the VPN clients will work.
              The drawback of this is that you are not able to see the real client IP on the destination device. But maybe that's acceptable for your use case.
            • The best: Disconnect pfSense from the LAN and put it into a separate network segment. Then add a static route for the VPN pool to the ASA and point it to pfSense.
              With this, all VPN traffic passes the ASA in both directions. The packets arrive with the client IP on the destination device, responses are sent to the ASA and, due to the static route, they are forwarded to pfSense.
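The routing argument in the reply above can be checked with a small path tracer. This is an added example, not code from the thread or from pfSense; the topology (VPN pool 10.8.0.0/24, LAN 192.168.1.0/24 with the ASA as default gateway, pfSense LAN IP .2, a server .50, and a 192.168.2.0/24 segment for the last variant) and the node names are constructed assumptions. It traces the client-to-server path and the reply path for each of the variants discussed and reports whether the two paths are mirror images, which is what a stateful firewall like the ASA needs in order to pass TCP.

```python
from ipaddress import ip_address, ip_network

# Constructed topology after the thread (all addresses are assumptions): VPN pool 10.8.0.0/24, cloud LAN
# 192.168.1.0/24 (ASA .1 = default gateway, pfSense .2, server .50); "separate segment" puts pfSense in 192.168.2.0/24.
VPN, LAN, SEG = "10.8.0.0/24", "192.168.1.0/24", "192.168.2.0/24"
CLIENT, SERVER, PF_LAN = "10.8.0.6", "192.168.1.50", "192.168.1.2"

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) entries; next_hop is a node name or 'connected'."""
    hits = [(ip_network(p).prefixlen, nh) for p, nh in table if ip_address(dst) in ip_network(p)]
    return max(hits)[1] if hits else None

def trace(src, dst, tables, owns, max_hops=6):
    """Hop-by-hop path from node src towards dst; ends at the node owning dst, or at DROP."""
    path, node = [src], src
    for _ in range(max_hops):
        if dst in owns[node]:
            return path
        nh = lookup(tables[node], dst)
        if nh == "connected":  # deliver on the directly attached subnet
            nh = next((n for n, ips in owns.items() if dst in ips), None)
        if nh is None:
            return path + ["DROP"]
        path.append(nh)
        node = nh
    return path + ["LOOP"]

def scenario(asa_route=False, host_route=False, separate_segment=False):
    """Per-node routing tables and IP ownership for one of the variants discussed in the thread."""
    owns = {"client": {CLIENT}, "server": {SERVER}, "asa": {"192.168.1.1", "192.168.2.1"},
            "pfsense": {"10.8.0.1", "192.168.2.2" if separate_segment else PF_LAN}}
    tables = {
        "client":  [(VPN, "pfsense"), (LAN, "pfsense")],  # LAN route pushed by the OpenVPN server
        "pfsense": [(VPN, "client"), (SEG, "connected"), (LAN, "asa" if separate_segment else "connected")],
        "asa":     [(LAN, "connected"), (SEG, "connected")] + ([(VPN, "pfsense")] if asa_route or separate_segment else []),
        "server":  [(LAN, "connected"), ("0.0.0.0/0", "asa")] + ([(VPN, "pfsense")] if host_route else []),
    }
    return tables, owns

def analyse(tables, owns, nat=False):
    """Forward path client->server, the reply path, and a verdict on whether the flow survives."""
    fwd = trace("client", SERVER, tables, owns)
    rev = trace("server", PF_LAN if nat else CLIENT, tables, owns)  # with outbound NAT the server replies to pfSense
    if rev[-1] == "DROP":
        return fwd, rev, "no reply: the server has no route back to the VPN pool"
    if nat:
        rev = rev + ["client"]  # pfSense undoes the NAT and forwards the reply over the tunnel
    if fwd != list(reversed(rev)):
        return fwd, rev, "asymmetric: the ASA sees only the reply direction, stateful TCP inspection drops it"
    return fwd, rev, "symmetric: both directions take the same path"
```

Calling `analyse(*scenario())` reproduces the original symptom (reply dropped), `analyse(*scenario(asa_route=True))` shows the asymmetric path through the ASA, and the host-route, NAT (`nat=True`) and separate-segment variants each come back symmetric.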
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.