OpenVPN routing

• Hello everybody!

    I have a pfSense box behind an ADSL router on the WAN interface and a network switch on the LAN interface.
    Internet (ADSL) <-> WAN (pfSense) / LAN (pfSense) -> Switch => (Local Net)
    The OpenVPN server runs fine, but when I decide to route all traffic through it, nothing happens.
    The roadwarrior connects OK.
    I see all things in the local net (print, shares, etc.).
    I can also connect to the pfSense web interface.
    But when I want to check mail or browse the internet there is no traffic.

    Roadwarrior -> Windows 7 with GUI - behind a router; local network

    This is my server configuration:
    1194 UDP
    address pool:
    Local network:
    Cryptography: AES128
    Authentication method: PKI
    DHCP-Opt.: DNS-Domainname ->is set!
    LZO compression: -> checked.
    Custom Opt.: push "dhcp-option DNS"; push "redirect-gateway def1"  (here I tried DNS with and also but it is the same).

    Client config:

    dev tun
    proto udp
    remote address 1194
    ping 10
    resolv-retry infinite
    ca ca.crt
    cert cert.crt
    key keyy.key
    ns-cert-type server
    cipher AES-128-CBC
    verb 3

    Firewall rules:
    WAN: allow 1194; Block ICMP, Block IGMP, Block private networks
    LAN: allow all to all; to all;

    WAN -> source:
    WAN -> source:

    There is DNS, because it resolves names, but when I run:
    in the command prompt
    the first hop is
    and after that there are no hops.

    The Windows interface is with DHCP IP DNS

    I tried many things from this forum and from Google but nothing works. Please suggest a decision.

    P.S.: Sorry for my English.

  • You probably need to enable Advanced outbound NAT (Firewall -> NAT -> Outbound) and create a rule to NAT your OpenVPN subnet to the WAN.
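
    As an added illustration (not the reply author's configuration, and not generated from any pfSense box in this thread), this is roughly the pf rule set that the suggested outbound NAT rule produces, next to the server-side OpenVPN directives from the first post. The tunnel subnet 10.8.0.0/24, LAN 192.168.1.0/24, WAN interface em0 and the DNS address are constructed placeholders.

```pf
# Constructed example: none of these addresses or interface names come from
# the thread; substitute your own tunnel subnet, LAN and WAN interface.
#
# Server-side OpenVPN directives that send all roadwarrior traffic through
# the tunnel (the "Custom options" from the first post, with a placeholder
# DNS server so the client can still resolve names):
#   server 10.8.0.0 255.255.255.0
#   push "redirect-gateway def1"
#   push "dhcp-option DNS 192.168.1.1"
#
# Symptom without the NAT rule below: packets from 10.8.0.x reach the LAN
# (same broadcast domain, so shares and printers work), but anything bound
# for the internet leaves the WAN with its tunnel source address, which the
# ISP cannot route replies to. A traceroute from the client therefore shows
# the tunnel gateway as the first hop and nothing afterwards.

tun_net = "10.8.0.0/24"
lan_net = "192.168.1.0/24"
wan_if  = "em0"
vpn_if  = "ovpns1"     # pfSense names server tunnels ovpnsN (tun0 elsewhere)

# Outbound NAT for the tunnel subnet on the WAN: what pfSense builds from an
# "Advanced outbound NAT" rule with source = OpenVPN subnet, interface = WAN.
# Automatic outbound NAT only covers LAN-type networks, so without switching
# to manual/hybrid mode the tunnel subnet is never translated.
nat on $wan_if from $tun_net to any -> ($wan_if)

# Firewall rules on the tunnel interface (pfSense "OpenVPN" rules tab).
# Allow the roadwarrior to reach the LAN and, via the NAT above, the internet.
pass in quick on $vpn_if inet from $tun_net to $lan_net keep state
pass in quick on $vpn_if inet from $tun_net to any keep state
```

    Check it from the client with a traceroute to a public host: with the NAT in place the first hop is still the tunnel gateway, but the hops after it are the WAN's upstream path instead of nothing.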

  • Yes.

    This is the rule: WAN -> source: (see attached jpg)

    This is the OpenVpn network. Am I right?

  • Finally. It works!

    I don't know what was the problem. I just made again the configuration.


  • Hi!

    I wish we could have known what the problem was, because I am having the exact same issue.
    I can connect to my 3rd party VPN provider just fine.

    From the pfSense web UI, if I tracert to Google for example, I see it's going through my tunnel.
    When I use a computer in my LAN, my desktop for example, nothing!

    I've recently switched from Endian Firewall to pfSense, and when I was using Endian, I'd establish the VPN tunnel,
    then try from LAN and nothing worked, UNTIL I entered:

    iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

    After this everything was tunneled through my VPN.

    Are the 2 above iptables rules the solution to my problem?

    Some background about my pfSense setup:

    It is a fresh install. The only changes in the web UI are:
    added the CA in the cert manager
    added a VPN client.

    The VPN establishes just fine.

    In the firewall rules page, LAN is set to allow all OUT, and allow all IN.
    The WAN page has 2 rules already installed: 1 for not allowing private networks, and another for bogon nets.

    In the OpenVPN log, it automatically pushes routes and appends them to my routing table. (see screenshot below)

    Here are a few screenshots:

    First set is from my Endian Firewall, which worked. The VPN tunnel has been started.
    (note: IPs have been edited.)

    routing table:
    VPN initialization sequence:

    Finally my pfSense box, the VPN tunnel has been started.
    routing table:
    VPN initialization sequence:

    Help :-\

  • It is not needed to write iptables commands. Everything is in the web GUI (except the real WAN address when you use DynDNS and pfSense behind a router - it is a little change in one config file).

    I attached my config.
    See the firewall rules.
    What is your client local network?
    And what is your local network (LAN) for pfSense?

    If these two networks are equal for the client and for the pfSense LAN,
    I saw that it is a problem. The client doesn't know where to find, as an example,
    But with the extra options to redirect all traffic through the VPN it is OK.
    That's why I changed my local net for the client to

    Look at the tutorial and do it as it is written in

    Then look at my config, and also the client config in the first post.

    If this does not help, reboot the system. (I found that sometimes the firewall rules are not turned on when I change them.)

    The NAT thing is important, and also the firewall rules and networks (local, address pool, …)

    When you have done this, connect from the client and tracert some website and see if it is routed through the VPN or not.

    I also had a problem with seeing local network services - I see the clients but can't print, browse shares, etc.

    I made the firewall rules and everything is OK now, and with the NAT things I have all traffic routed through the VPN.

  • And the other part of my config
