Sanity check for openvpn clients accessing LAN

  • I have it all installed and working fine.  Unfortunately, the LAN servers see the client coming from the special openvpn subnet.  This was annoying because I have a couple of servers locked down to disallow anything from other than the LAN.  I got this working the way I want, by adding a NAT rule telling pfsense 'anything going out the LAN from, NAT to' (the latter is the LAN IP of pfsense.)  It works okay, just want confirmation this is the best way to do this.  Thanks!

  • What defines "the best way"?

    a possible down-side of that way of working is that the logs in your LAN-server will always show connections from the pfsense ip ==> no clue who/what/when

  • I should probably have said 'best practice', as there is often (not always) an agreed-on answer to that.  As far as logfile confusion, I am literally the only person who uses this VPN, so that is not a concern…

  • Hi,

    not sure but wouldn't it be the better way to use OpenVPN in TAP (bridging) mode and not TUN (routing) mode?
    Didn't try that so just a suggestion.

  • LAYER 8 Global Moderator

    NAT would never be best practice ;)

    Why don't you just adjust your server rules to allow the openvpn segments or specific IPs on those segments that get handed out to specific users, etc.  This way you can adjust only the firewalls on the server vpn users need access to.  If you make it look like your vpn users are on the lan - you could have issues with access to stuff they should not have access to from the vpn, etc.  Adjusting the firewall rules to allow only the traffic you want provides way more flexibility than NAT.

    There are always multiple ways to skin the cat, natting should be the last possible choice IMHO!

  • Fair enough.  Like I said, though, I am literally the only person who has access to this VPN.  Thanks, I think I will figure out how to secure access from the VPN subnet just to be safe, and remove the NAT rule…
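
The trade-off discussed in this thread, as an added example that is not from any of the posters: a small model of what a LAN server sees and permits under the NAT rule versus routed VPN traffic with a per-client allow rule. All subnets, addresses and ports are constructed placeholders, since the thread does not give the real ones.

```python
import ipaddress

# Constructed addressing (assumptions; the thread gives no real values).
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN = ipaddress.ip_network("10.8.0.0/24")
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.1.1")

# Design A: server keeps its "LAN only" rules and pfSense NATs VPN clients.
LAN_ONLY_RULES = [(LAN, 22), (LAN, 445)]
# Design B: no NAT; the server additionally allows one VPN client, SSH only.
ROUTED_RULES = LAN_ONLY_RULES + [(ipaddress.ip_network("10.8.0.6/32"), 22)]


def source_seen_by_server(client_ip, nat_on_lan):
    """Return the source address the LAN server sees (and logs)."""
    ip = ipaddress.ip_address(client_ip)
    # The outbound NAT rule rewrites every VPN source to pfSense's LAN IP.
    if nat_on_lan and ip in VPN:
        return PFSENSE_LAN_IP
    return ip


def server_allows(src, port, rules):
    """Allow-list evaluation with default deny."""
    return any(src in net and port == allowed for net, allowed in rules)


def evaluate(client_ip, port, nat_on_lan):
    """Return (logged source, allowed?) for one connection attempt."""
    rules = LAN_ONLY_RULES if nat_on_lan else ROUTED_RULES
    src = source_seen_by_server(client_ip, nat_on_lan)
    return str(src), server_allows(src, port, rules)


if __name__ == "__main__":
    for nat in (True, False):
        for client, port in (("10.8.0.6", 22), ("10.8.0.6", 445),
                             ("10.8.0.10", 22)):
            src, ok = evaluate(client, port, nat)
            print(f"nat={nat!s:5} client={client:10} port={port:3} "
                  f"logged_src={src:12} allowed={ok}")
```

With NAT, every VPN client is logged as the pfSense LAN IP and inherits everything the LAN is allowed; without it, the server can permit a single VPN address to a single service and its logs show the real client.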
