All traffic pfSense to Linuxbox FW

  • Hello All,
In the office building we have a main firewall based on Linux (Fedora).
    In one of our branch offices we have pfSense.
I have established an OpenVPN connection between them, but I have a problem with routing the traffic correctly.
    The goal is for all traffic from the pfSense LAN net to be routed over OpenVPN through the main Fedora firewall.

    Here is OpenVPN server config from linuxbox

    ca keys/ca.crt
    cert keys/xxxxxxxx.crt
    comp-lzo yes
    dev tun1
    dh /etc/openvpn/keys/dh1024.pem
    crl-verify /etc/openvpn/keys/crl.pem
    keepalive 10 120
    key keys/xxxxxxx.key
    mode server
    port 1195
    proto udp
    status /var/log/openvpn-status-wh.log
    log-append  /var/log/openvpn-wh.log
    verb 1

    #Routes pushing to the client section

    push "route"
    push "route"
    push "route"
    push "redirect-gateway def1"
    push "dhcp-option DNS"

When I use NAT to masquerade the whole traffic from to the OpenVPN interface, the job is done. But I don't want to use NAT, just routing.

    I have attached the topology diagram.
    10x in advance :)

  • and what is in the pfSense client OpenVPN config? Anything to tell the server end that the tunnel to the client is the route back to
    perhaps you can just add that explicitly to the server:


  • In the pfSense client config there is nothing, because I push routes from server side (linuxbox) to client (pfSense),

    I posted this in my first post. This is server config:

    push "route"
    push "route"
    push "route"
    push "redirect-gateway def1"
    push "dhcp-option DNS"

In the Linux config so many IP addresses have been created for OpenVPN that I don't know which is the gateway for

    ifconfig tells:

    tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:  P-t-P:  Mask:

    netstat -rn tells:

    [8:12:42 PM] Atanas Manoilov HDS: [root@fw ~]# netstat -rn
    Kernel IP routing table
Destination    Gateway        Genmask        Flags  MSS Window  irtt Iface
                                                 UH       0 0          0 tun1
                                                 U        0 0          0 eth0
                                                 UG       0 0          0 tun1
                                                 U        0 0          0 eth2
                                                 U        0 0          0 eth1
                   x.x.x.x                       UG       0 0          0 eth3

In your Linux-end OpenVPN server config, just add:


    That should tell it that the link is a route to
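The server-side piece the answer above is pointing at, as an added example that is not code from the thread: in OpenVPN server mode the Linux end needs both a `route` directive (so the kernel sends the branch LAN into the tunnel) and a matching `iroute` in the client's `client-config-dir` file (so the OpenVPN daemon knows which connected client owns that subnet). The branch network `10.20.0.0/24`, the client CN `pfsense-branch` and the ccd path `/etc/openvpn/ccd` are placeholders, not the poster's real values; the check function verifies that every `route` has its `iroute`, which is the mistake that makes routed (non-NAT) setups silently drop return traffic.

```shell
#!/bin/sh
# Added example, not code from the thread: what the Linux-side OpenVPN server needs
# so that the LAN behind the pfSense client is reachable by plain routing, without NAT.
# All values below are placeholders, not the poster's real addresses or names:
#   BRANCH_LAN_NET/MASK : the LAN behind pfSense        (assumed 10.20.0.0/24)
#   PFSENSE_CN          : CN of the pfSense client cert (assumed "pfsense-branch")
#   CCD_DIR             : directory given to client-config-dir (assumed /etc/openvpn/ccd)

BRANCH_LAN_NET="10.20.0.0"
BRANCH_LAN_MASK="255.255.255.0"
PFSENSE_CN="pfsense-branch"
CCD_DIR="/etc/openvpn/ccd"

# Directives to add to the server config. 'route' makes the OpenVPN daemon install a
# kernel route for the branch LAN via the tun interface; 'client-config-dir' enables
# per-client files, which is where the matching 'iroute' lives.
server_routing_directives() {
  printf 'route %s %s\nclient-config-dir %s\n' \
    "$BRANCH_LAN_NET" "$BRANCH_LAN_MASK" "$CCD_DIR"
}

# Contents of "$CCD_DIR/$PFSENSE_CN". 'iroute' is the internal route: it tells OpenVPN
# which connected client owns the subnet. Without it the kernel sends packets for the
# branch LAN into tun1, but OpenVPN has no client to deliver them to and drops them.
ccd_file_contents() {
  printf 'iroute %s %s\n' "$BRANCH_LAN_NET" "$BRANCH_LAN_MASK"
}

# Consistency check: every 'route' line in the server config must be matched by an
# 'iroute' line with the same network and mask in some file under the ccd directory.
# Prints each missing iroute on stdout; returns 0 when all are covered, 1 otherwise.
check_iroute_coverage() {
  conf="$1"
  ccd="$2"
  missing=$(
    grep -E '^[[:space:]]*route[[:space:]]' "$conf" |
    while read -r kw net mask rest; do
      if ! awk -v n="$net" -v m="$mask" \
            '$1 == "iroute" && $2 == n && $3 == m { found = 1 } END { exit !found }' \
            "$ccd"/* 2>/dev/null; then
        echo "missing iroute for $net $mask"
      fi
    done
  )
  [ -z "$missing" ] && return 0
  echo "$missing"
  return 1
}

# Stand-alone demonstration: render both files into a temporary directory and check them.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/ccd"
  server_routing_directives > "$tmp/server-routing.conf"
  ccd_file_contents > "$tmp/ccd/$PFSENSE_CN"
  cat "$tmp/server-routing.conf" "$tmp/ccd/$PFSENSE_CN"
  check_iroute_coverage "$tmp/server-routing.conf" "$tmp/ccd" && echo "route/iroute pairing ok"
  rm -rf "$tmp"
fi
```

Run it with `--demo` to see the two fragments and the check result. The pairing only covers the OpenVPN side: for routed traffic to actually flow, the Fedora box also needs `net.ipv4.ip_forward=1` and firewall rules that allow forwarding between `tun1` and the LAN/WAN interfaces, and hosts on the office LAN must reach the branch subnet through the Fedora box (as their default gateway or via a static route), otherwise their replies never enter the tunnel.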

  • 10x a lot,
    it was enough for me to understand :)