OpenVPN access to WAN IP over NAT returns real source IP and not vpn ip address

  • I have a pfsense 2.1 setup (apu board) with openvpn installed mainly according to, working as expected.
    WAN access occurs over DSL, single static IP address (80.254.y.z)
    LAN network  is, internal LAN IP address of the pfsense router is
    OpenVPN network  "Force all client generated traffic through the tunnel." active on both server and client, attributed IP here
    OpenVPN Client terminal over cable network, with dynamic IP address 194.x.y.z.

    http://WAN_IP and https://WAN_IP accesses from any external IP are served via NAT by a server running internally under the IP
    I have a test page under which simply returns the value of $_SERVER["REMOTE_HOST"].

    My issue is the fifth line:

    • when accessing  from the LAN, it returns the IP of the client (another address) : ok

    • when accessing http://WAN_IP/ip.php  from outside (internet), it returns the real IP of the client : ok

    • when accessing http://WAN_IP/ip.php  from the LAN, it returns  (the IP of the router) :  still ok  (even if getting the real LAN IP address would be nice)

    • when accessing after activating the VPN client, the page returns from VPN range : ok

    • BUT when accessing http://WAN_IP/ip.php with active VPN, the page returns the real IP address of the client (194.x.y.z), and not 192.168.42.x as I would expect.

    I tried to "fix" this by following,65793.msg359377.html ("OpenVPN to IP Alias, NAT reflection not working") or ("OpenVpn and NAT for same subnet"), but I have failed so far, even if I guess it might be the right direction. What do you think?

    Any other suggestion would be more than welcome :)  Many thanks in advance & regards.

  • It sounds like "Force all client generated traffic through the tunnel." is not happening.
    What happens if you bring up the OpenVPN link and browse to
    That should show you the pfSense WAN public IP, because your traffic should be going over the tunnel to pfSense and then get NAT'd out the pfSense WAN.

  • Thanks for your answer Phil !


    It sounds like "Force all client generated traffic through the tunnel." is not happening.
    What happens if you bring up the OpenVPN link and browse to

    It works as expected, showing "Current IP Address: 80.254.y.z". 
    The problem only occurs when trying to access the NAT'ed server over the WAN IP address.

  • Initial issue is still not solved, and today we noticed another problematic phenomenon: if the client initiating the OpenVPN connection has a local IP in the same range as our office LAN (also, it can only access external hosts over the VPN (for example, but cannot connect to any office LAN hosts (for example).

    This can be fixed by changing the DHCP range on the client side, but is there really no other way? I thought OpenVPN would be able to handle this somehow differently. Otherwise I will probably have to change the range of our office LAN to something "better" then…

    Thanks & regards.

  • Why wouldn't you instead change the IP Tunnel Network?  I thought I remembered reading somewhere that you shouldn't use the same subnet for your OpenVPN clients and LAN clients.  My local LAN is and I have the OpenVPN clients using

  • The private LAN that the client happens to be on needs to have a different subnet from the remote LANs it needs to reach. Because the client does need to talk locally to at least its default gateway to actually send the encrypted OpenVPN packets through real networks from itself to the server on pfSense.
    Yes, change your LAN to some more obscure private subnet.
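
Added example, not part of the thread and not pfSense or OpenVPN code: a simplified model of the client's routing table that shows why an overlapping client LAN hides the office LAN while internet traffic still leaves through the tunnel. The subnets, the /24 prefix lengths and the tie-break rule (a connected route wins over a pushed route of equal length) are assumptions for illustration; 0.0.0.0/1 and 128.0.0.0/1 are the routes OpenVPN's `redirect-gateway def1` installs.

```python
import ipaddress

def build_routes(client_lan, office_lan, tunnel_net):
    """Simplified client routing table once the VPN is up.
    Order matters: on equal prefix length the earlier (connected) route wins."""
    net = ipaddress.ip_network
    return [
        (net(client_lan), "local-lan"),   # connected route on the client's own LAN
        (net(tunnel_net), "vpn"),         # OpenVPN tunnel network
        (net(office_lan), "vpn"),         # office LAN route pushed by the server
        (net("0.0.0.0/1"), "vpn"),        # redirect-gateway def1, lower half
        (net("128.0.0.0/1"), "vpn"),      # redirect-gateway def1, upper half
        (net("0.0.0.0/0"), "local-lan"),  # original default route, now shadowed
    ]

def egress(routes, dest):
    """Longest-prefix match; max() keeps the first entry on a tie."""
    addr = ipaddress.ip_address(dest)
    matches = [(n, via) for n, via in routes if addr in n]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def overlap_report(client_lan, office_lan, tunnel_net):
    """VPN-side networks that collide with the client's local network."""
    local = ipaddress.ip_network(client_lan)
    vpn_side = [ipaddress.ip_network(n) for n in (office_lan, tunnel_net)]
    return [str(n) for n in vpn_side if n.overlaps(local)]

if __name__ == "__main__":
    # Constructed values: client and office both use 192.168.1.0/24.
    clash = ("192.168.1.0/24", "192.168.1.0/24", "192.168.42.0/24")
    # Same client after the office LAN is renumbered to an uncommon subnet.
    fixed = ("192.168.1.0/24", "10.77.13.0/24", "192.168.42.0/24")
    for label, cfg, office_host in (("clash", clash, "192.168.1.10"),
                                    ("fixed", fixed, "10.77.13.10")):
        routes = build_routes(*cfg)
        print(label, "overlaps:", overlap_report(*cfg))
        print("  office host", office_host, "->", egress(routes, office_host))
        print("  internet host 203.0.113.5 ->", egress(routes, "203.0.113.5"))
```
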
