Openvpn client redirect gateway for 1 network

  • Hi,

    I have set up a vpn client on my pfsense that is up and running (green).
    But I'm having problem with getting my traffic go through, I got 2 lan interfaces and 2 DHCP-servers.
    I got 2 WAN-interfaces, 1 openvpn-interface and 2 LAN-interfaces.
    On Interface1 the network is
    On interface2 the network is

    I want all the traffic on to redirect through the OpenVPN.
    Is it possible? and how do I do it?
    Also i dont want the to reach internet if not its going through the openvpn.
    I have tried to follow the guides that are sticky here but without success.

  • I think this will work:
    a) Use Interfaces->Assign to make an actual interface for the OpenVPN client.
    b) Add a gateway on that OpennVPN interface, pointing at the IP at the other end of the tunnel network.
    c) Add a policy-routing rule on LAN2, source, destination !, gateway from step b.
    The policy route should be in effect all the time, so that traffic will never go to the default gateway - but test that with the OpenVPN down.
    Also, I have a feeling that some of this might be for 2.1 - I haven't done this stuff on 2.0.n for a long time.

  • I will give it a try tomorrow, now its time for sleep :)

    Is there a 2.1 version? i'm on 2.0.2

    // S

  • I have the same kind of setup & problem, and your solution is not working for me, phil.
    I've been reading about this kind of solution all over the internet, but haven't got it working yet. The "Definitive guide to pfSense" book doesn't help me out in this case either :-/.

    Pictures speak louder than words, so here it goes.
    In my setup, I have a physical box with 5 network interfaces: re0 ~ re3 (wired ethernet) + ath0 (wireless minipci):

    • WAN is assigned to re0, which connects to the internet over PPPoE

    • LAN is assigned to re1, using subnet and running a DHCP server

    • LAN2VPN is assigned to re2, using subnet and running a DHCP server

    • Virtual interface "ModemAccess" is assigned to re0, using static IP for access to my VDSL2 modem that lives outside the LAN

    • Virtual interface "VPNme" is assigned to my pfSense OpenVPN client connection on virtual interface ovpnc1, using "none" for IPv4 & IPv6 configuration type

    I have a NAT rule to translate traffic from the LAN subnet ( to the MODEMACCESS subnet (

    And I have a firewall rule in place to allow traffic from the LAN subnet to pass through the MODEMACCESS subnet, and to have everything else be allowed from LAN subnet to *:

    I can browse the internet fine with my laptop connected to LAN on pfSense, and I can also reach the modem:

    Non-authoritative answer:
    Pinging with 32 bytes of data:
    Reply from bytes=32 time=49ms TTL=49
    Ping statistics for
        Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 49ms, Maximum = 49ms, Average = 49ms

    When I connect a network cable between my laptop and the "LAN2VPN" interface, I receive a correct IP from the DHCP server,  but can't resolve DNS, and routes go over my default WAN interface instead of being routed over my VPN'ed interface:

    Pinging with 32 bytes of data:
    Reply from bytes=32 time=1ms TTL=64
    Ping statistics for
        Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 1ms, Average = 1ms
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    DNS request timed out.
        timeout was 2 seconds.
    Tracing route to over a maximum of 30 hops
      1    <1 ms    <1 ms    <1 ms
      2    25 ms    24 ms    25 ms

    My PPPoE WAN IP is at this time, so routes are not going over the VPNme interface.
    I have a rule specifying to route traffic from the LAN2VPN subnet over the VPNme gateway though:

    I want to get this setup working first to know what I'm doing wrong right now.
    When this will be working, my goal is to setup multiple SSID's on my TP-LINK TL-WR1043ND wireless router where one SSID gets redirected to LAN and another gets redirected to the VPN. I have a managed switch laying around to setup VLAN's on the LAN interface and have OpenWRT running on the router to be able to do some funky sh**, but let's take it one step at a time :-)

    So… if there are any wizards out there who could tell me how to get traffic routing from LAN2VPN over my VPNme interface, I'd be a VERY happy camper :-)
    I'll see how I'll progress from there then.

    Thank you in advance to anyone replying to this topic!

  • I couldnt get it working so I made it easy for my self, i have a esxi-server so i did a pfsense on that one with the openvpn-client as def gateway and that works great.
    Thanks anyway.

  • Well… I did get it working, so for anyone wanting to try this out, here's how:

    1/ make sure you get an OpenVPN client connection working
    2/ assign an interface to this connection via Interfaces->Assign->click the + symbol->assign the interface to your OpenVPN client connection (typically ovpnc1)
    3/ configure the interface: click Interfaces-><your_new_interface>->enable it & give it a sensible name (let's call it "MYVPN" for this example), choose "None" for IPv4 & IPv6, leave all other fields blank
    4/ assign another interface to one of your physical ethernet ports (call this one "SECURELAN" for this example, and let's assume the physical interface is called re1)
    5/ configure it again by enabling it and giving it a static IP ( for this example)
    6/ enable DHCP for this last new interface so your clients can get an IP address: Services->DHCP Server->SECURELAN->enable the interface & specify a DHCP-range (range to for this example)
    7/ click Firewall->NAT->Outbound tab and add a new rule: select "MYVPN" for the interface, source = network, destination = any, translation = interface address
    8/ choose "Manual Outbound NAT rule generation" (IMPORTANT!) & hit save & apply changes
    9/ click Firewall->Rules, pick the "SECURELAN" tab and hit the + symbol to create a new rule: interface = SECURELAN, protocol = any, source = any, destination = any, gateway = choose MYVPN

    And you're done  8)
    Test that everything is working fine by connecting a client to your re1 interface with a LAN cable and doing a traceroute to a url of your choice.

    I'm going to be finetuning this a little more to check for DNS leaks & such, will post again when I've verified this.
    Hope this may help anyone wanting to route some traffic over their OpenVPN client connections. \m/</your_new_interface>

Log in to reply