OpenVPN Client, Server, Multi Subnet - so so confused

  • Hi all,

    Bear with me, this is a little complicated to explain (and I appreciate inelegant)

    I have the following

    1. Internet Connection using Fibre and an ADSL Modem/Router on a static IP
    2. Pfsense Box (Latest 2.1 Alpha)
    3. OpenVPN Client connecting to a 3rd Party VPN provider
    4. OpenVPN Server to allow remote connections

    The current status is

    1. Working
    2. Working
    3. Working
    4. Working internally but not externally

    To describe my system.

    PfSense is set up on an ESXi server with 5 virtual network cards and two physical cards in a HP Microserver. The cards are bound as follows

    External Internet on the modem NAT to internal address.
    WAN - 192.168.0/24
    LAN - 192.168.1/24
    LAN2 - 192.168.10/24
    LAN3 - 192.168.20/24
    LAN4 - 192.168.30/24

    All subnets have .50 as their gateway address.

    I also have

    Opt1 - Used for the VPN Client to connect to the external 3rd party OpenVPN server
    VLAN2 - Bound to LAN2
    VLAN3 - Bound to LAN3
    VLAN4 - Bound to LAN4

    • I have set up the OpenVPN server to listen on bound to the LAN interface.

• The modem/router is configured to allow through 1194 UDP (in fact firewall is off) and I can see the connections being allowed and the packets being passed to

    • I have port forwarding on the WAN interface which forwards from 0.50 to 1.32

    • I have Outbound NAT configured to map all LAN traffic to the VPN connection (I suspect this split is part of my problem). However even when I put in a specific rule to map the OpenVPN server traffic back out to the WAN it still doesn't seem to work

    I have also tried to assign a new interface however you can't bind an OpenVPN server to an interface without an IP. So I have also tried allocating to Opt2 (which is what gets created when you configure the Server) and port forwarding to 50.1 but that didn't seem to work either.

    When I try and connect externally, the client tells me that TLS handshake failed. When I Wireshark the connection, I only see packets going out of my network. On the pfSense box itself, I see the packets coming into the external interface on 0.50 and then there is nothing in response.

    After many many hours of reading and getting horribly confused I thought I'd turn to here. Some simple questions to start off

1. Is it possible to achieve what I am trying to achieve? I just want to have a permanent connection to an external OpenVPN provider for all my normal LAN traffic but allow connections inbound to my own created OpenVPN server. I do appreciate that the traffic to my own OpenVPN needs to be NAT'ed/routed through the Static IP I have and never touch the external VPN the rest of my traffic goes through but with my set up, is this possible?
    2. I have considered getting rid of the ADSL router and plugging the modem directly into the pfSense box. What specific things do I need to do to make this work? Would the Fibre modem just see the pfSense box and work? I've read a lot about it but can see no clear answer to that question.
    3. What else could I do to simplify this whole mess into something that works? I think getting rid of the external modem/double NAT'ing will be a big help but I don't want to mess around doing that unless it will greatly simplify things.

    Just to re-iterate, everything is working with the exception of externally sourced connections trying to connect to my OpenVPN server. Internal connections from 1.100 for example worked and created a tunnel as expected (when the server was listening on 1.32 back when I first tried this)

    Appreciate any help from anyone who works their way through this. It's driving me mental and I just can't figure out what and where it's failing.


• > I have set up the OpenVPN server to listen on bound to the LAN interface.

"/28" is rather odd - .32 is the bottom end of that subnet (.32 to .47) and it won't be able to talk back to - is that just a typo?
    and I don't see why the OpenVPN server (setup on the pfSense box I assume) is listening on .32 - wouldn't you listen on .50, the pfSense IP?
    If you are likely to have multiple WANs/ISPs in future, then port forwarding from WAN to LAN and listening on LAN is good - it will be easy to add WAN2 in future and port forward from that to the OpenVPN server on LAN. But if not, then use the KISS principle and have the OpenVPN server listening directly on WAN

    Port forwarding from your front-end ADSL device should work, I do it a lot to keep the front-end ADSL box configuration simple for small remote sites (then they can buy a replacement consumer ADSL box in the local bazaar and set it up with its built-in wizard in 5 minutes if needed). The double-NAT thing works fine for "ordinary" users and I am actually quite happy if some weird protocol doesn't work - saves me working out how to block it :)

    If possible, I also recommend that now is the time to move away from 192.168.0/24 and 192.168.1/24 - Murphy's Law says that those subnets WILL be used by the first cafe that you go to and try to connect from. That will create confusion with the subnet in the cafe and the subnets behind the OpenVPN server being the same. I go for 10.x.y.0/24 - pick an "x" (e.g. 42) and vary "y" for each of your subnets - …

  • The /28 isn't a typo and now you come to mention it is clearly stupid (one of the reasons I posted was because sometimes you can't see the wood from the trees when you're looking at things). The original thought process was I wanted them to get an IP on my LAN but I wanted them to be allocated an address I know I'd not used.

    The reason the OpenVPN listens on 32 is because it defaults to listen on the first address of the allocated range. So (if my understanding is correct) if I give it a /25 .124 it will listen on 124. I'm not at all sure how that works if you give it a .0/24 though as having a server listening on x.x.x.0 is very bad practice. I've looked and I can't see anywhere in the GUI where I can specify what IP address the server listens on. How do I specify what IP the server listens on?

    The 192.168.0/1 are just habit as the ADSL modems get shipped with that but you're right I should move away from that. Unfortunately it also means moving 10 or so other machines by hand but I guess it's a necessary evil.

    Thanks again. Any other help anyone can give would be appreciated.


• Maybe there is a misunderstanding here? In the OpenVPN server configuration GUI, you select the interface for your OpenVPN server. It will listen on the pfSense IP address of that interface. So I don't understand how you can make it listen on anything other than one of the existing interface IPs.

    Maybe you are talking about the Tunnel Network? That must be a separate subnet that the OpenVPN server and client/s will make use of between them for routing. Use some other piece of private address space - or whatever. OpenVPN organises the addresses inside that itself - for site-to-site links the server becomes .1 and the client .2 - for server to multi-road-warrior-client the subnet gets carved up into /30 subnets of 4 addresses (0-3, 4-7, 8-11…) and OpenVPN deals with each server/client connection on .5+.6, .9+.10 etc.

> Unfortunately it also means moving 10 or so other machines by hand but I guess it's a necessary evil.

    Good to remove the evil while it is only 10 machines, not 20, 30, 100…
    The more machines you can have using DHCP the better. You can use static mapping in DHCP to make sure they get the same IP address every time (so you can port forward to them, make IP-based rules for them...).
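    The tunnel-network carving described in the reply above (server on the first /30, each road-warrior client on its own /30 such as .5+.6, .9+.10) can be worked through for the two tunnel networks that appear in this thread. The script below is an added example and not part of the original posts or of pfSense; it assumes OpenVPN's net30 topology exactly as the reply describes it, with the server taking the first usable address of the first /30 and clients being handed the remaining /30 blocks in order.

```python
"""Work out the net30 address layout of an OpenVPN tunnel network.

Added example (not from the forum thread or from pfSense). Assumes the
net30 topology described in the thread: the first /30 belongs to the
server (.1 = server virtual interface, .2 = its point-to-point peer),
and every further /30 is one client slot (server endpoint, client IP).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TunnelLayout:
    network: str
    network_address: str        # the unassignable bottom address (e.g. .32 of a /28)
    server_ip: str              # first usable address: the server's virtual interface
    server_peer: str            # point-to-point peer of the server's own /30
    client_slots: list = field(default_factory=list)  # (server_endpoint, client_ip)


def carve_tunnel_network(cidr: str) -> TunnelLayout:
    """Carve `cidr` into /30 blocks the way OpenVPN's net30 topology does."""
    net = ipaddress.ip_network(cidr, strict=False)
    # A /30 holds only the server pair; at least a /29 is needed for one client.
    if net.prefixlen > 29:
        raise ValueError(f"{net} is too small: need a /29 or larger for one client slot")

    blocks = list(net.subnets(new_prefix=30))
    server_block = blocks[0]
    # Within each /30 (b[0]..b[3]) the two usable hosts are b[1] and b[2].
    slots = [(str(b[1]), str(b[2])) for b in blocks[1:]]
    return TunnelLayout(
        network=str(net),
        network_address=str(net.network_address),
        server_ip=str(server_block[1]),
        server_peer=str(server_block[2]),
        client_slots=slots,
    )


def client_capacity(cidr: str) -> int:
    """Number of simultaneous road-warrior clients a net30 tunnel network supports."""
    return len(carve_tunnel_network(cidr).client_slots)


if __name__ == "__main__":
    # The two tunnel networks mentioned in the thread.
    for cidr in ("192.168.1.32/28", "172.17.50.0/24"):
        layout = carve_tunnel_network(cidr)
        print(f"{layout.network}: network address {layout.network_address} (not assignable)")
        print(f"  server {layout.server_ip} <-> {layout.server_peer}")
        print(f"  {len(layout.client_slots)} client slot(s), first few:")
        for server_end, client_ip in layout.client_slots[:3]:
            print(f"    server endpoint {server_end}, client {client_ip}")
```

    Running it shows why the /28 discussed earlier looked odd: 192.168.1.32 is the network address, the server's virtual interface is .33, and only three client slots (.37/.38, .41/.42, .45/.46) remain. The later 172.17.50.0/24 tunnel network gives the server .1 and 63 client slots starting at .5/.6 and .9/.10, matching the reply. None of these addresses is where the server listens; that is still the pfSense IP of the interface selected in the GUI.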

  • The fun I've had this morning ;)

    I bit the bullet and I've removed the router and now have the WAN using PPPOE to connect to the internet. I've moved the wireless router internally and now it just handles WiFi connections.

Most of the network is already on DHCP or static DHCP so it shouldn't be too much of a pain to make the changes. My external VPN provider uses 10. addresses so to make things easier I'll use 172. ones instead. That way I can be confident to not get any issues.

    So once I've done all that I'll try again.

    I wasn't confused before about the server but I think I am now. In the text below "IPv4 Tunnel Network" it states

    "This is the IPv4 virtual network used for private communications between this server and client hosts expressed using CIDR (eg. The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients. (see Address Pool) "

    I'd assumed by that it meant the server listened on the first address, which is what I saw when I used .32/28. As it worked and didn't give me any problems I'd assumed I was right. Based on your reply though I suspect not.

    Thanks very much for being a sounding board your help is very much appreciated


  • Updates…

    I have now

    1. Removed the first modem
    2. Connected pfsense WAN directly to the fibre using pppoe
    3. Migrated all the networking over to 172. addresses.
    LAN is 172.17.10/24
    WAN is ISP IP
    LAN2 is 172.17.20/24 VLAN2
    LAN3 is 172.17.30/24 VLAN3
    LAN4 is 172.17.40/24 VLAN5

    OpenVPN server is set up with a tunnel network of 172.17.50/24 and is bound to the WAN interface so it's listening on my ISP provided IP address.

    I am in exactly the same situation as before. If I fire up the packaged OpenVPN client locally, point it at the ISP external IP address it connects fine first time every time, allocates me an IP in 172.17.50 and everything is golden. If I try and connect externally I get nothing other than "p_control_hard_reset_client_v2".

I have a rule on the firewall to allow Any Source going to the WAN IP on port 1194 UDP. I'm pretty convinced I've missed something somewhere still.

If nothing else at least my network's a lot more sane now...

    Any other ideas?


  • I'm impressed - quickly changed all that network stuff and got it to work again in a reasonable time! The network design looks good.


    Where does that appear?
    Is there anything in the pfSense OpenVPN server logs, indicating at least that a client connect has arrived?
    Is there anything in the Firewall logs with dropped packets to 1194?
    Is the allow rule for port 1194 on the WAN rules tab? (Got to ask, just in case there is a plain old dumb error)
    What does the client log say when trying to connect?
    Does the client log report the correct public IP of the server?

  • Apologies for the slow reply, I've been on site all day today.


> I'm impressed - quickly changed all that network stuff and got it to work again in a reasonable time! The network design looks good.

Thanks. Despite the "noob" questions I do actually understand most of the technology and I'm pretty handy. What isn't so clear is the pretty dire explanations of things at times. It's all perfectly fine if you need/want an identical setup but useless to understand what's really going on under the hood. However I digress ;)


    We have progress. I'm not quite sure why it's working but it is. I did make a tweak to the rule last night which off hand I can't remember now so it might have been that.

I now have to figure out why I still can't access the console of my VMware VMs due to the "MKS" error. I expected that to go away as I'm technically on the same LAN as it but seemingly not :(

    Thanks once again
