OpenVPN to IP Alias, NAT reflection not working

  • Hello.

    I have a problem where Open VPN clients cannot connect to the public IP of a server behind the pfSense firewall.

    From the Internet, connecting to the public IP is no problem - tells me that 1:1 NAT and IP Alias is working.  From inside the protected network, DHCP clients can connect via the public IP - tells me that NAT reflection is working for those clients.    But for clients connected via OpenVPN, there's no such luck.

    OpenVPN is running on the pfSense firewall itself.  The public IP is not the same as the public IP as the firewall (provider assigned multiple addresses).

    I have two 1:1 Nat entries for this host, using each of the WAN and OpenVPN interfaces.  I also have checked the option to "Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from."

    My outbound NAT rules are automatically generated. (is there a way to view these?)

    What should I set so OpenVPN clients can connect to the Public IP of this server?

    Posted to General because I don't know if this is a NAT, OpenVPN, Alias, or some other problem.

  • Rebel Alliance Developer Netgate

    AFAIK, NAT reflection does not work with OpenVPN-connected networks.

    Have them access it via the internal IP, not the public IP.

  • Thanks for the reply.

    I actually figured out a workaround … I created another 1:1 NAT rule with OpenVPN as the interface.  Otherwise the rule is the same for the 1:1 NAT rule that sends public traffic to the private IP.

    NB: for OpenVPN clients who do not use the "send all traffic over the VPN" option, accessing the public IP is no problem, but for clients who DO send all their traffic over the VPN, this is necessary to connect to public IPs.  In a few critical scripts which we share with our customers the public hostname/IP is configured, so staff who might use those scripts from a hotel/airport/conference while tunneling all traffic to the firewall make this configuration requisite.

Log in to reply