Pfsense 2.0 route traffic between two different openvpn subnets

  • hello folks

    I successfully set up 2 OpenVPN servers with 2 different subnets:



    My goal is to make some common names that come in on the 1) server able to reach IPs on the but not vice versa. How do I achieve that?

    I tried setting up NAT for forwarding and put a push route in the conf of the first server; my clients in the 2) subnet can reach the gateway of the 1) (, but that's it, they cannot reach the single clients. What am I doing wrong?

    Any help would be appreciated.

  • Don't do NAT at all. Make sure both ends have routes, and restrict the traffic as desired via firewall rules on OpenVPN.

  • cmb, I created interfaces OPT1 and OPT2 with their gateways and, then I created two routes: one towards net through and the other towards through

    Having done that, I can reach every IP from the pfSense machine, but I cannot reach subnet 2) from clients in subnet 1): I can only reach their gateway, not the peers, and if I try to ping a peer on 2) from a peer on 1), the packets that should go from OPT1 to OPT2 stop at the gateway of OPT1.

    I managed to make it possible by disabling the automatic outbound NAT rule generation and by creating a manual rule that says:

    interface OpenVPN -> source -> destination -> translation any

    But it's VERY unreliable: yesterday it was pinging, this morning not; I have to restart the VPN every now and then to make it ping again.

    How do I achieve the routing without using NAT at all, like you suggested?


  • I forgot to mention that in VPN server 1) ( subnet) I have added the routes to reach its own subnet AND routes to reach the 2) ( one, so the push is:

    openvpn[43631]: ipcop/ SENT CONTROL [ipcop]: 'PUSH_REPLY,route,topology net30,ping 10,ping-restart 60,route,ifconfig' (status=1)

    That should be enough, but still the peers that connect to this server cannot reach network

  • In the end I put:

    push "route"
    on 1) server


    on 2) server

    and it looks like it works: I can reach subnet from peers, but the other way around works also, which I would not want. If I isolate the push command in a client override, it seems that the other way around is restricted to that common name only.

    Is it the correct way to proceed?

  • Use firewall rules to block or reject traffic in one or the other direction.
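The NAT-free setup the thread converges on, as an added example that is not from any of the posters above: both servers push a route to the other tunnel subnet so packets can get there and replies can get back, and the one-way policy is enforced by stateful firewall rules on the OpenVPN interfaces. The tunnel subnets 10.8.1.0/24 and 10.8.2.0/24 and the pfSense interface names ovpns1/ovpns2 are constructed placeholders, since the thread's real addresses are not on the page.

```conf
# --- OpenVPN server 1 (constructed tunnel subnet 10.8.1.0/24) ---
server 10.8.1.0 255.255.255.0
# Clients of server 1 need a route to server 2's subnet via their tun device.
push "route 10.8.2.0 255.255.255.0"

# --- OpenVPN server 2 (constructed tunnel subnet 10.8.2.0/24) ---
server 10.8.2.0 255.255.255.0
# Clients of server 2 ALSO need the return route; without it, replies to a
# ping from subnet 1 leave via the client's default gateway and never return
# (the symptom of "reach the gateway but not the peers"). A pushed route only
# provides reachability; it is not an access control, so the same route is
# pushed to everyone and the direction is enforced below.
push "route 10.8.1.0 255.255.255.0"

# --- pf rules (pfSense GUI: Firewall > Rules > OpenVPN tab; evaluated
#     top-down, and a "quick" match stops evaluation) ---
# Allow connections initiated from subnet 1 to subnet 2. The state entry
# created here lets the reply packets back in, so no rule for the reverse
# path of these flows is needed.
pass in quick on ovpns1 inet from 10.8.1.0/24 to 10.8.2.0/24 keep state
# Refuse connections initiated from subnet 2 towards subnet 1. "return"
# sends a TCP RST / ICMP unreachable (pfSense "Reject") so the client fails
# fast instead of timing out; drop "return" for a silent "Block".
block return in quick on ovpns2 inet from 10.8.2.0/24 to 10.8.1.0/24
# Any broad "allow all on OpenVPN" rule must sit BELOW the block rule,
# otherwise it matches first and the restriction never applies.
```

With outbound NAT left on automatic and no manual NAT rule on the OpenVPN interface, the pfSense box simply routes between the two tun interfaces, and the firewall state table, not NAT, decides which side may open connections.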
