OpenVPN tunnel through LAN and no WAN



  • I want to set up a pfSense box with one NIC on my LAN and have it open an OpenVPN (client) connection to my data center. I want it to function as my VPN box to the data center. I have limited ability to affect the default gateway.

    I have no managed switches capable of VLANs.

    Can this be done? Anyone have any advice on doing this?



  • I have an example install like this. The real internet comes through a TP-Link ADSL router (also has WiFi built in) to an internal network - 10.49.120.0/24. The TP-Link is 10.49.120.41/24 and also has its wireless enabled so people with WiFi devices can connect to the LAN. But DHCP on the TP-Link is turned off.

    The pfSense is an Alix box with just the WAN port connected to this internal LAN and has address 10.49.120.250/24, and default gateway 10.49.120.41 (the TP-Link). pfSense DHCP is enabled, it gives out a range of addresses 10.49.120.100-199/24 with itself as the gateway. Manual Outbound NAT is enabled, and a rule added so that traffic from the clients comes into pfSense and then is NAT'd out through the TP-Link to the internet. (see screenshot - last rule) The advantage of this is that the TP-Link sees all the traffic as originating from the pfSense WAN IP 10.49.120.250 - so when traffic comes back in response, it is routed back to the pfSense, which can "unNAT" it and deliver to the original client. This means that pfSense can work properly (traffic flow in both directions goes through it) and you can do whatever filtering there.

    The pfSense has OpenVPN clients connecting out to other offices. The DNS Forwarder has Domain Overrides added to refer internal names to other office DNS Servers for internal resolution. Because the clients on the LAN (which to this pfSense is WAN) are using pfSense completely as their gateway, they can happily talk internally to things across the internal OpenVPN links, or externally to the real internet. The pfSense does all that for them.

    The main requirement is that you have a way to NOT get DHCP from the current default gateway (equivalent of the TP-Link in this example) - either disable DHCP on the current default gateway, or manually configure IP on the clients that you care about, so they use pfSense as their default gateway and DNS.

    (Note: in the screenshot 10.49.122.0/24 is the pfSense LAN port - there is nothing connected to that, but it would work as another routable subnet if needed/useful)
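The reply above hinges on one point: because the outbound NAT rewrites every client packet to the pfSense WAN address, the TP-Link only ever sees 10.49.120.250 and hands the replies back to pfSense, which keeps the traffic symmetric through the firewall. The following simulation is an added example, not code from the post or from pfSense; it models that hop-by-hop and contrasts it with the same layout without the NAT rule, where the TP-Link delivers replies straight to the client on the shared LAN and pfSense never sees the return half of the flow. The LAN, TP-Link and pfSense WAN addresses come from the post; the client address, the remote-office subnet 10.49.121.0/24, the interface names `vr0`/`ovpnc1` and the internet host are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology. LAN, TP-Link and pfSense WAN addresses are from the
# post; the client, remote-office subnet, interface names and internet host
# are assumptions for illustration.
LAN = ipaddress.ip_network("10.49.120.0/24")
TPLINK = ipaddress.ip_address("10.49.120.41")          # real default gateway
PFSENSE_WAN = ipaddress.ip_address("10.49.120.250")    # pfSense's only connected port
CLIENT = ipaddress.ip_address("10.49.120.150")         # received pfSense as gateway via DHCP
REMOTE_OFFICE = ipaddress.ip_network("10.49.121.0/24") # assumed subnet behind the OpenVPN tunnel
REMOTE_HOST = ipaddress.ip_address("10.49.121.5")      # assumed host in the remote office
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")   # TEST-NET-3 documentation address

# pfSense routing table, most specific prefix first; default route is the TP-Link.
PFSENSE_ROUTES = [
    (REMOTE_OFFICE, "ovpnc1", None),                      # via the OpenVPN client
    (ipaddress.ip_network("0.0.0.0/0"), "vr0", TPLINK),   # WAN, next hop TP-Link
]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def pfsense_route(dst):
    """Longest-prefix match over PFSENSE_ROUTES (the list is already ordered)."""
    for net, iface, nexthop in PFSENSE_ROUTES:
        if dst in net:
            return iface, nexthop
    raise ValueError(f"no route to {dst}")


class PfSense:
    def __init__(self, manual_outbound_nat):
        self.nat = manual_outbound_nat
        self.state = {}  # (translated src, dst) -> original client src

    def forward(self, pkt):
        """Route a client packet; on the WAN path, apply the outbound NAT rule."""
        iface, _ = pfsense_route(pkt.dst)
        if iface == "vr0" and self.nat:
            # After translation the TP-Link only ever sees pfSense's WAN IP.
            self.state[(PFSENSE_WAN, pkt.dst)] = pkt.src
            pkt = replace(pkt, src=PFSENSE_WAN)
        return iface, pkt

    def un_nat(self, reply):
        """Reverse the translation for a reply addressed to the WAN IP."""
        original = self.state.get((reply.dst, reply.src))
        if original is None:
            return None  # no matching state: a stateful firewall drops this
        return replace(reply, dst=original)


def lan_host(addr):
    """Which LAN node owns an address, i.e. where the TP-Link delivers on the shared L2."""
    if addr == PFSENSE_WAN:
        return "pfsense"
    if addr == CLIENT:
        return "client"
    return "unknown"


def trace(manual_outbound_nat, dst):
    """Hop-by-hop path of a client packet to dst and of its reply, as node names."""
    fw = PfSense(manual_outbound_nat)
    path = ["client", "pfsense"]
    iface, out = fw.forward(Packet(CLIENT, dst))
    if iface == "ovpnc1":
        # Tunnel traffic never touches the TP-Link; the remote office answers
        # over the same tunnel to pfSense, which is the client's gateway anyway.
        return path + ["ovpnc1", "remote-office", "ovpnc1", "pfsense", "client"]
    path += ["tplink", "internet", "tplink"]
    reply = Packet(dst, out.src)  # the internet host answers whatever source it saw
    receiver = lan_host(reply.dst)
    path.append(receiver)
    if receiver == "pfsense":
        delivered = fw.un_nat(reply)
        path.append("client" if delivered and delivered.dst == CLIENT else "dropped")
    return path


if __name__ == "__main__":
    print("with outbound NAT:   ", " -> ".join(trace(True, INTERNET_HOST)))
    print("without outbound NAT:", " -> ".join(trace(False, INTERNET_HOST)))
    print("remote office:       ", " -> ".join(trace(True, REMOTE_HOST)))
```

Without the NAT rule the reply path ends at `tplink -> client`: pfSense forwarded the request but never sees the answer, so its state table cannot match the flow and any filtering on that traffic is ineffective. With the rule, the reply comes back `tplink -> pfsense -> client`, which is the symmetric flow the post relies on.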


