How to access local IPs

  • I have set up OpenVPN as per

    I can connect to the VPN and browse but I can't access any IPs on the internal network.

    How do I set things up so that I can be routed from my VPN to my normal internal IP range?

  • The OpenVPN server is handled as an additional interface in pfSense. So you have to go to Firewall > Rules > OpenVPN in the GUI and add appropriate rules to allow the access you want.

  • The firewall is fully open .. it looks like a routing issue to me.

  • Post your server1.conf.

  • Maybe have a look at the "Firewall" -> "NAT" -> "Outbound" tab, to see if there is an auto-created rule for the OpenVPN server?

  • No NAT rules


    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/
    client-disconnect /usr/local/sbin/
    client-config-dir /var/etc/openvpn-csc
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route"
    push "dhcp-option DNS"
    push "dhcp-option DNS"
    push "redirect-gateway def1"
    ca /var/etc/openvpn/
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0

  • In your Outbound NAT rule list, has it selected "Automatic" at the top, or manual?

  • Automatic….

  • A couple things:

    1. You are double NATing. Have you checked the settings on the edge device?
    1a. Personally, I'd move away from double NATing; it's just one more link in the chain that you need to troubleshoot. Or at least get off the 192.168.1.x subnet; it's just going to cause issues down the road.

    2. It appears you do not have a "Peer Certificate Authority" configured. You will want to add that.

    3. Add an any/any rule to the OpenVPN tab. This appears to be done.

    4. Turn off the software firewall on your internal resources while testing, so we can rule that piece out. At this point, do pings still fail? How does a traceroute look?

    5. What subnet is the client on when testing?

  • Oh, wait, I just thought of something. Just to check, when you are running your VPN client are you running it as Administrator? This kind of sounds like the actual routes are being set on the client PC. If you are running it as an admin, would you mind posting a traceroute output going from the client to a machine on the other side of your VPN?
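
An added example, not part of the original thread and not pfSense or OpenVPN code: a small Python check that reads the `push` lines of a server config like the one posted above and reports whether clients are handed a route to the internal subnet, and whether the client's own subnet collides with it (the questions behind points 1a and 5). The function name `audit_pushed_routes`, the LAN `192.168.1.0/24` and the client subnet `10.20.30.0/24` are assumptions; the sample config text is constructed from the posted lines.

```python
import ipaddress
import shlex

def audit_pushed_routes(conf_text, lan_cidr, client_cidr):
    """Check whether an OpenVPN server config gives clients a usable route to lan_cidr."""
    lan = ipaddress.ip_network(lan_cidr)
    client = ipaddress.ip_network(client_cidr)
    routes, unparsed, redirect_gw = [], [], False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)  # removes the quotes around the pushed option
        if len(tokens) < 2 or tokens[0] != "push":
            continue
        pushed = tokens[1].split()
        if not pushed:
            continue
        if pushed[0] == "redirect-gateway":
            redirect_gw = True
        elif pushed[0] == "route":
            try:
                # OpenVPN treats a route without a netmask as a host route
                mask = pushed[2] if len(pushed) > 2 else "255.255.255.255"
                routes.append(ipaddress.ip_network(f"{pushed[1]}/{mask}", strict=False))
            except (IndexError, ValueError):
                unparsed.append(lineno)  # e.g. push "route" with no network
    covering = [str(r) for r in routes if lan.subnet_of(r)]
    return {
        "covering_routes": covering,
        "redirect_gateway": redirect_gw,
        "unparsed_route_lines": unparsed,
        "lan_reachable_via_tunnel": bool(covering) or redirect_gw,
        # A client sitting on the same subnet keeps using its own on-link route
        "client_subnet_overlaps_lan": lan.overlaps(client),
    }

# Constructed sample: the push lines as they appear in the posted config.
POSTED = '''push "route"
push "dhcp-option DNS"
push "redirect-gateway def1"
'''
# Constructed sample with an explicit route; the subnet is an assumption.
EXPLICIT = 'push "route 192.168.1.0 255.255.255.0"\n'

if __name__ == "__main__":
    print(audit_pushed_routes(POSTED, "192.168.1.0/24", "192.168.1.0/24"))
    print(audit_pushed_routes(EXPLICIT, "192.168.1.0/24", "10.20.30.0/24"))
```

When `lan_reachable_via_tunnel` is true and `client_subnet_overlaps_lan` is false, the pushed routing is sufficient on paper, which points the investigation at the OpenVPN firewall tab, route installation on the client, or host firewalls on the internal machines.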
