Pfsense as OpenVPN client, routing issue

  • Hello,

    I am trying to connect our branch office to our main office using pfSense as an OpenVPN client at the branch office.

    Setup looks like this:

    Main Office:
    Net: 192.168.1.x
    Default GW:
    OpenVPN Server: (Debian 7. PKI/TAP)
    Other Net: 10.1.1.x (routed via .244)

    Branch Office:
    Net: 192.168.2.x
    Ovpn Client IP:

    What I want to accomplish:
    The clients on the branch office should reach the Internet using the branch office's WAN and use the OpenVPN for connections to the main office's networks.

    What does work:
    OpenVPN connects successfully; I can ping from branch to 192.168.1.x and from main to 192.168.2.x. Branch clients also use their WAN for Internet access.

    What doesn't work:

    1. Clients from branch can't ping 10.1.1.x (because they/pfsense do not know about the route there).
    2. Branch clients can't access a webserver on 192.168.1.x Net. (Browser keeps loading forever).

    I think the problem is that connections over OVPN don't use as their GW.

    Routing table on pfsense:

    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            XXX.XXX.XX.113     UGS         0       95    re0
                       link#4             UH          0        0    lo0
                       link#8             U           0       51    ovpnc1
                       link#8             UHS         0        0    lo0
                       link#2             U           0       46    re1
                       link#2             UHS         0        0    lo0
    YYY.YYY.YYY.10     XXX.XXX.XX.113     UGHS        0       21    re0
    YYY.YYY.YYY.11     XXX.XXX.XX.113     UGHS        0        2    re0
    XXX.XXX.XX.112/29  link#1             U           0     2787    re0
    XXX.XXX.XX.117     link#1             UHS         0        0    lo0

    Routing table on

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                    XXX.XXX.XX.113                  UG        0 0          0 red0
                                                    UG        0 0          0 green0
                                                    U         0 0          0 green0
                                                    UG        0 0          0 green0
    XXX.XXX.XX.112 U         0 0          0 red0

    Both problems can be solved by adding the routes to pfsense manually via ssh:

    route del
    route add -net
    route add -net

    I could put these commands in a shell script and let it execute at boot time, but I'm looking for a "clean" solution.

    Is there a way to accomplish this in the webif?
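
The poster's first problem (branch clients cannot reach 10.1.1.x because pfSense has no route for it) is a longest-prefix-match question: with no matching route, the packet falls through to the default route and leaves on the WAN instead of the VPN. The following is an added example, not code from the thread or from pfSense; it models the branch router's table as the thread describes it, with constructed placeholders for the redacted addresses (`WAN_GATEWAY` stands in for XXX.XXX.XX.113, and `MAIN_OFFICE_ROUTER` assumes the ".244" the poster mentions is 192.168.1.244), and shows how adding the route for 10.1.1.0/24 changes the egress interface from `re0` to `ovpnc1`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str   # next-hop address, or "link" for a directly connected network
    iface: str     # outgoing interface: re0 = WAN, re1 = LAN, ovpnc1 = OpenVPN client


# Constructed placeholders for addresses the thread redacts (not real values).
WAN_GATEWAY = "203.0.113.113"          # stands in for XXX.XXX.XX.113
MAIN_OFFICE_ROUTER = "192.168.1.244"   # assumed: the ".244" that 10.1.1.x is routed via


def parse_routes(rows) -> List[Route]:
    """Build Route objects from (destination, gateway, iface) triples.
    'default' is the 0.0.0.0/0 catch-all, as in the pfSense netstat output."""
    routes = []
    for dest, gw, iface in rows:
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        routes.append(Route(net, gw, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def branch_routes(with_main_office_route: bool) -> List[Route]:
    """Approximation of the branch pfSense table described in the thread (constructed)."""
    rows = [
        ("default",        WAN_GATEWAY, "re0"),     # branch WAN carries Internet traffic
        ("192.168.2.0/24", "link",      "re1"),     # branch LAN
        ("192.168.1.0/24", "link",      "ovpnc1"),  # main-office LAN over the TAP bridge
    ]
    if with_main_office_route:
        # The route the poster had to add by hand: 10.1.1.x sits behind the
        # main-office router, so it must go across the VPN, not out the WAN.
        rows.append(("10.1.1.0/24", MAIN_OFFICE_ROUTER, "ovpnc1"))
    return parse_routes(rows)


def egress_interface(dst: str, with_main_office_route: bool) -> str:
    """Interface a packet to dst leaves the branch pfSense on."""
    route = lookup(branch_routes(with_main_office_route), dst)
    return route.iface if route else "unreachable"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.1.20", "10.1.1.5"):
        print(f"{dst:>13}: without route -> {egress_interface(dst, False):6} "
              f"with route -> {egress_interface(dst, True)}")
```

Running it shows 10.1.1.5 leaving on `re0` (the WAN, where nobody answers) until the extra route exists, which is exactly the symptom the poster describes; 192.168.1.20 reaches `ovpnc1` either way because that network is directly connected over the bridge.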


  • You shouldn't use addresses that overlap with either of the LAN nets on the tunnel interfaces. Select a non-overlapping subnet, for example and use the first two addresses (.1 and .2) of it on the tunnel network. That way you can be sure there's never any confusion where a packet should be routed to.
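
kpa's advice is a check that can be made mechanical: a tunnel subnet is safe only if it overlaps none of the LAN networks on either side, and its first two host addresses (.1 and .2) become the two tunnel ends. This is an added example and not code from the thread; it assumes the three networks the poster names are /24s, and the candidate subnets it tests (including the clean one, 10.0.8.0/24) are constructed for illustration rather than the subnet kpa had in mind.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# The LAN networks named in the thread (192.168.1.x, 192.168.2.x, 10.1.1.x); /24 is assumed.
LAN_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24", "10.1.1.0/24")]


def overlapping_lans(candidate: str, lans: Iterable[ipaddress.IPv4Network] = LAN_NETS) -> List[str]:
    """Return the LAN networks the candidate tunnel subnet collides with (empty list = safe)."""
    net = ipaddress.ip_network(candidate, strict=False)
    return [str(lan) for lan in lans if net.overlaps(lan)]


def tunnel_endpoints(subnet: str) -> Tuple[str, str]:
    """First two usable addresses of the subnet: one for each end of the tunnel."""
    hosts = list(ipaddress.ip_network(subnet, strict=False).hosts())
    if len(hosts) < 2:
        raise ValueError(f"{subnet} has fewer than two host addresses")
    return str(hosts[0]), str(hosts[1])


def choose_tunnel_subnet(candidates: Iterable[str], lans=LAN_NETS) -> Optional[Tuple[str, str, str]]:
    """Pick the first candidate overlapping no LAN; return (subnet, server_ip, client_ip)."""
    for cand in candidates:
        if not overlapping_lans(cand, lans):
            server_ip, client_ip = tunnel_endpoints(cand)
            return cand, server_ip, client_ip
    return None


# Constructed candidates: the first two reuse LAN space (the mistake kpa warns about), the third is clean.
CANDIDATES = ["192.168.1.0/24", "10.1.1.0/30", "10.0.8.0/24"]

if __name__ == "__main__":
    for cand in CANDIDATES:
        clash = overlapping_lans(cand)
        print(f"{cand:16} {'overlaps ' + ', '.join(clash) if clash else 'ok'}")
    print("choice:", choose_tunnel_subnet(CANDIDATES))
```

A /30 carved out of a LAN block still fails the check, which is the point: any overlap, however small, leaves the router with two routes claiming the same addresses.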

  • Hi kpa,

    thanks for your fast response.
    The VPN is a TAP/bridged one; as far as I understand, there is no tunnel on this kind of VPN, or am I missing something?