OpenVPN Server, OpenVPN Client and NAT

  • Hi all!

    I have a router with pfSence 2.1-RELEASE (amd64) installed; one WAN and LAN interface. I also have set up an OpenVPN client to the partner site and an OpenVPN server for road warriors.

    OpenVPN server: ovpns2, IP:,…11/24 for road warriors.
    OpenVPN client: ovpnc1, receives a dynamic IP (192.168.10.x) and a route to a network at the partner site.

    I have to set up NAT on ovpnc1 so that the partner site doesn't need to know of our IPs, it knows just 192.168.10.x IP address that was given to our OpenVPN client. So, the Manual Outbound NAT rule was added:

    Interface: OpenVPN
    Source: (our LAN)
    Translation Address: Interface address

    It has generated the following rule (from pfctl -sn)
    nat on openvpn inet from to any -> (openvpn) port 1024:65535 round-robin

    And that is the problem: one half of my outbound connections to the partner site via ovpnc1 interface has source IP address translated to ovpnc1 IP address (that is correct), and the other half has source IP address translated to ovpns2 IP address (, that is incorrect.

    How do I configure pfSense to use only OpenVPN client address in NAT?


  • You could try assigning an actual interface to the OpenVPN client - then it will become OPTn. Then you can put the manual outbound NAT rule/s specifically on this OPTn interface and it should then apply only to the OpenVPN client link, and not be mixed up with the Road Warrior server.