Client > pfsense WAN > NAT > Opt1 > OpenVPN client



  • Hello pfsense world. :)

    I have pfsense 1.2.3 as my internet gateway. I have WAN, LAN and OPT1 interfaces. OPT1 is for OpenVPN. When I forward a port in NAT to a device sitting on the LAN network, pfsense works fine, and external clients can access resources on that device.

    The problem is, when I want to forward a port to an OpenVPN client, nothing happens after applying the settings.

    What am I doing wrong?

    Here is my NAT table:

    10.10.10.33 is the IP address of one OpenVPN client connected to the OpenVPN server.

    Thanks in advance



  • Are you forcing all traffic of the client to go through the VPN tunnel?
    Unless you do, this is what is probably happening:

    • An external user connects to your pfSense.
    • Packets are forwarded to your OpenVPN client.
    • Since the source is a public IP, and you're not forcing everything through the tunnel, the client answers directly via its default gateway.

    To solve this:

    • Force all traffic from the OpenVPN client into the tunnel (redir def1)
    • Source NAT on the pfSense so it seems to the OpenVPN client that the requests come from the pfSense and answers correctly.


  • @GruensFroeschli:

    Are you forcing all traffic of the client to go through the VPN tunnel?

    No.

    • An external user connects to your pfSense.
    • Packets are forwarded to your OpenVPN client.
    • Since the source is a public IP, and you're not forcing everything through the tunnel, the client answers directly via its default gateway.

    It seems so; now I understand why it does not work, and thanks for that.

    • Source NAT on the pfSense so it seems to the OpenVPN client that the requests come from the pfSense and answers correctly.

    How do I do that? Firewall / NAT / Outbound? What should I do with the automatic outbound rule? Leave it that way or change to manual? What do I enter in the outbound rules to make sure that my LAN subnet won't be cut off from the Internet?



  • Enable manual outbound rule generation.

    Per default there will be an auto-generated rule to NAT outbound traffic from the LAN to the WAN.
    You need to create a new rule with:
    interface: openVPN-interface
    source: any
    destination: server you NAT to
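
    As an added illustration (not part of any post in this thread, and not the poster's actual config), the pf rules below are what the GUI settings discussed in the two answers above amount to on a pfSense 1.2.3 box. Interface names (em0 for WAN, tun0 for the OPT1/OpenVPN interface), the LAN subnet 192.168.1.0/24 and the forwarded TCP port 80 are assumptions chosen for the example. The alternative fix from the first answer, pushing everything through the tunnel, is the OpenVPN server directive `push "redirect-gateway def1"` and is not a pf rule, so it is not shown here.

```pf
# Added example: pf rules equivalent to the pfSense GUI settings in this thread.
# Assumed names (not from the original posts): em0 = WAN, tun0 = OPT1/OpenVPN,
# 192.168.1.0/24 = LAN, 10.10.10.33 = the OpenVPN client, TCP port 80 forwarded.

# Outbound NAT (Firewall > NAT > Outbound, manual mode)

# The rule pfSense generates by default: LAN hosts are masqueraded on the WAN.
# With only this rule, traffic forwarded to the VPN client keeps its public
# source address, so the client replies via its own default gateway instead of
# back through the tunnel, and the connection never completes.
nat on em0 from 192.168.1.0/24 to any -> (em0)

# The added rule from the last answer: interface = OpenVPN, source = any,
# destination = the host being forwarded to. The VPN client now sees the
# tunnel address of pfSense as the source, so its replies come back through
# the tunnel and the state on pfSense matches.
nat on tun0 from any to 10.10.10.33 -> (tun0)

# Port forward (Firewall > NAT > Port Forward): WAN port 80 to the VPN client.
rdr on em0 proto tcp from any to (em0) port 80 -> 10.10.10.33 port 80

# The port forward still needs a matching WAN firewall rule; it is checked
# against the translated destination, not the WAN address.
pass in on em0 proto tcp from any to 10.10.10.33 port 80 keep state
```

    Order matters: the outbound rule on tun0 must exist alongside, not instead of, the LAN-to-WAN rule, otherwise the LAN subnet loses Internet access once automatic outbound NAT is switched off.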



  • 10x, I will try that and let you know if it works or not. :D

