OpenVPN connection - unique situation with PfSense router behind ISP router???

  • Hi everyone,

    I've managed to setup an OpenVPN connection successfully with my pfSense router.  The connection is up and appears to be working just fine.
    (connecting to "PIA" VPN provider)

    My problem is getting the pfSense router to actually route traffic over the OpenVPN connection itself.  Once the connection is established, none of my pfSense LAN clients have any internet access at all.

    I've followed several different guides for establishing an OpenVPN client connection to a VPN provider.  For example, the ones stickied at the top of this pfSense OpenVPN forum (Guides: create an OpenVPN client connection to StrongVPN or TUVPN)

    After following these guides, I understand the need to make some settings changes (manual NAT) and some Rules to allow the traffic to route over the VPN connection.  Unfortunately, none of my LAN clients are able to access the internet with the VPN connection established.

    So, my question…

    I think my setup may be a bit unique... and perhaps requires some additional rules or changes that are not described in the guides.  Perhaps my problem is that my pfSense router is actually behind my ISP Modem/Router.  Please see the picture attachment for my setup.

    Does this setup (with a gateway of on my ISP Router) require me to setup some of the pfSense Rules differently than what is shown in the guides?  I believe the guides, as written, assume the WAN connection on the pfSense router goes directly to the internet… whereas mine goes through the ISP router/gateway first.

    I'd love to turn the ISP router into a "modem" only, unfortunately this is not an option with my particular ISP.  I'm stuck using it in this fashion, where it establishes the PPPoE connection and then assigns an IP to the WAN side of my pfSense box.

    Really appreciate any help or ideas you may have.



  • Should be no problem with pfSense behind your ISP router. As long as the PIA VPN link is up you are good.
    Feels like deja vu - sure I have typed this stuff before.
    Make sure PIA VPN client has an interface assigned.
    Make rules on LAN that policy-route traffic to PIA VPN GW.
    Firewall->NAT, Outbound, switch to Manual.
    On 2.1 you will get some rules generated for NATing out the PIA VPN. They should help, press save.
    On 2.1.1 and later, those rules are no longer generated (they were an inconsistent behavior). Add rules yourself to NAT out the PIA VPN GW.

Log in to reply