PfSense as OpenVPN Server behind another firewall

  • Hi all,

I've placed an old PC-Engines WRAP at a friend's network. He's using another firewall so pfSense has firewalling and NAT disabled. I also disabled the WAN interface…

The port forwardings on his firewall are working fine and OpenVPN gets connected; additionally there's SSH forwarded so I can always access the WRAP.

    BUT: I can only ping my WRAP but not his network

    Here's how it's setup:

    MacBook (Viscosity) {LAN ->} - INET {OpenVPN} - Firewall - WRAP (pfSense 2.0.1) {}

    Server Config on WRAP:

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto tcp-server
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-config-dir /var/etc/openvpn-csc
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 3
    push "route"
    ca /var/etc/openvpn/
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0

    Viscosity Client Config from "Client Export":

    #-- Config Auto Generated By Viscosity --#
    #viscosity startonopen false
    #viscosity dhcp true
    #viscosity dnssupport true
    #viscosity name Any Name
    remote 1194 tcp-client
    tls-auth ta.key 1
    ca ca.crt
    dev tun
    cert cert.crt
    comp-lzo adaptive
    key key.key
    cipher AES-128-CBC
    tls-remote openvpn.any-name.local
    resolv-retry infinite

    Here's the output of "netstat -r"

    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            firewall           UGS         0    19385   sis0
                                          UGS         0       81 ovpns1
                       link#8             UHS         0        0    lo0
                       link#8             UH          0        0 ovpns1
    localhost          link#5             UH          0     3325    lo0
                       link#1             U           0     9680   sis0
    openvpn            link#1             UHS         0        0    lo0

Do I need to add a route? But the dialog for adding one needs a gateway and the only gateway available is his firewall… So I expect I'd need to add the WRAP itself as a gateway before adding a route... I'm puzzled!


  • The clients on his LAN will be using his "real" firewall router as their gateway. So they do not know about the "special" route to your OpenVPN through pfSense.
    a) On the friend's "real" router, add a static route for through, or;
    b) On each device you care about in, add a static route.
    Then those things will know how to reply to you.
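    An added example (not part of the thread or of pfSense) that models the return-path problem described above as a routing-table simulation: the ping reaches the LAN host, but the reply follows the host's default route to the "real" firewall, which has no route to the tunnel subnet. All addresses are constructed placeholders, since the thread's real ones are not shown; the two `*_extra` parameters stand for option a) and option b).

    ```python
    from ipaddress import ip_address, ip_network

    # Constructed placeholder addresses (the thread's real ones are elided).
    LAN_NET = ip_network("192.168.1.0/24")   # friend's LAN
    VPN_NET = ip_network("10.8.0.0/24")      # OpenVPN tunnel subnet on the WRAP
    FIREWALL = ip_address("192.168.1.1")     # friend's "real" firewall, LAN default gateway
    WRAP = ip_address("192.168.1.2")         # pfSense WRAP, LAN side
    MACBOOK = ip_address("10.8.0.6")         # road-warrior client, tunnel address
    ANY = ip_network("0.0.0.0/0")

    NODE_OF = {FIREWALL: "firewall", WRAP: "wrap"}   # LAN next hop -> node name


    def lookup(table, dst):
        """Longest-prefix match over (network, next_hop); None if unroutable."""
        matches = [(net, hop) for net, hop in table if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


    def build_tables(lan_host_extra=(), firewall_extra=()):
        """Routing tables of the three LAN nodes, plus optional static routes:
        firewall_extra models option a), lan_host_extra models option b)."""
        return {
            "lan-host": [(LAN_NET, "direct"), (ANY, FIREWALL)] + list(lan_host_extra),
            "firewall": [(LAN_NET, "direct"), (ANY, "wan")] + list(firewall_extra),
            "wrap": [(LAN_NET, "direct"), (VPN_NET, "tun"), (ANY, FIREWALL)],
        }


    def trace_reply(tables, dst=MACBOOK, max_hops=8):
        """Follow the ping reply from a LAN host until it enters the tunnel
        ('tun'), leaves via the firewall's WAN ('wan', i.e. lost), hits a
        directly connected network ('direct'), or is dropped ('drop')."""
        node, path = "lan-host", ["lan-host"]
        for _ in range(max_hops):
            hop = lookup(tables[node], dst)
            if hop is None or hop in ("tun", "wan", "direct"):
                path.append("drop" if hop is None else hop)
                return path
            node = NODE_OF[hop]          # forwarded to another LAN node
            path.append(node)
        return path + ["loop"]


    if __name__ == "__main__":
        print("no static route:", trace_reply(build_tables()))
        print("option a):", trace_reply(build_tables(firewall_extra=[(VPN_NET, WRAP)])))
        print("option b):", trace_reply(build_tables(lan_host_extra=[(VPN_NET, WRAP)])))
    ```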

  • Hi Phil,

    Sorry I did not make clear that I can't Ping from the MacBook to his LAN…


  • The ping from your MacBook to his LAN probably arrives at the destination. But the destination does have a route back to your MacBook, so the reply to the ping never comes. Stuff on his LAN has to be told that the pfSense router exists on that LAN and is the way (back) to the VPN link and MacBook client.

  • I guess I need a route like this:

    route add -net netmask gw

    Can you confirm this?


  • Yes, assuming is the WRAP pfSense at your friend's house.
    Obviously the particular route command will vary depending on the OS of the client or router that you need to modify.

    Get your friend to run pfSense as his front-end firewall, then you can make a site-to-site VPN between the 2 houses and a "dial-in" road warrior server to either/both houses, pass or block whatever traffic you want,… All much easier if the whole world standardises on pfSense  ;)

  • Thx, I'll give it a shot later today…

I think he won't release his "Intranator" 800€ hardware box! But yeah, that would definitely make things much easier...

