Why do I need Outbound NAT to go over VPN?

  • I have a site-to-site OpenVPN setup, partially as described here:


    Besides there is a VPS with OpenVPN server on it

    OpenVPN server ip on VPS is
    OpenVPN client IP is - this is pfSense client
    Both are
    Net behind the pfSense with OpenVPN client is

    Now, there is another pfSense box with identical setup, which pfSense subnet is

    Let's say, I ping from to, it comes as => =====> =====> =>

    If I tcpdump on VPS, it shows that pinging from and I get reply back. And it is Ok, since there is an outbound NAT, =>

    If I disable outbound NAT, I see the ping on the VPS, from => but no reply back.

    As much as I understand, the only reason Outbound NAT is in place there is to find a return route to. Is there a way to overcome it?
    Both, and are exposed in OpenVPN via iroute. And there is a corresponding route in server's openvpn.conf

    Here are relevant routes on VPS (OpenVPN Server): dev tun1  proto kernel  scope link  src via dev tun1 via dev tun1

    2. Is there a way for a pfSense to go to VPS services listening on without outbound NAT? I have no problem accessing it (Server tun IP) with outbound NAT disabled.
    But I need to keep Outbound NAT for #1, to access nets beyond the OVPN VPS.
    I cannot just add another VPN server-client for that. Let's say, if I add one, VPS OVPN,
    Then, if I add a return route/iroute back to it won't be added. Why? There is already a route on the server to via and it won't pass:

    /sbin/ip route add via
    RTNETLINK answers: File exists.

    Obviously, this is a duplicate route

    The reason is, I am planning to move SIP telephones to go over VPN with no NAT involved, since all parts of the private subnet are routable. Ideally, I can manage #1 and #2 so NAT is not needed at all.

  • LAYER 8 Netgate

    You don't need or want NAT.  Both LANs on either side of the OpenVPN instance need to have routes to each other.

    You need to push a route for to the site and push a route for to the site.

    Firewall rules on both sites OpenVPN tabs (or assigned interfaces) have to pass incoming connections from the desired sources.
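    As an added illustration of the routed (no-NAT) layout the answer describes, here is a server-side OpenVPN configuration for two pfSense client sites. This is not configuration from the thread; the thread's real addresses were not preserved, so every subnet, interface name and client common name below is an assumption (tunnel 10.8.0.0/24 on tun1, site A LAN 192.168.10.0/24 with CN pfsense-a, site B LAN 192.168.20.0/24 with CN pfsense-b).

```conf
# ---- /etc/openvpn/server.conf on the VPS (assumed addresses, example only) ----
dev tun1
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd

# Kernel routes on the VPS: each site LAN goes into tun1. Each LAN must
# appear exactly once here; a second "route" for the same prefix is what
# produces "RTNETLINK answers: File exists".
route 192.168.10.0 255.255.255.0
route 192.168.20.0 255.255.255.0

# Without client-to-client, site A <-> site B traffic leaves tun1 into the
# kernel and comes back, so the VPS needs net.ipv4.ip_forward=1 and a
# FORWARD rule that accepts tun1 -> tun1. With it, OpenVPN forwards
# between clients internally and the host firewall never sees it.
client-to-client

# ---- /etc/openvpn/ccd/pfsense-a (file name == client certificate CN) ----
# iroute tells OpenVPN which client owns the LAN behind it (internal routing);
# push installs the *other* site's LAN on this client so it has a return path.
iroute 192.168.10.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"

# ---- /etc/openvpn/ccd/pfsense-b ----
iroute 192.168.20.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
```

    On each pfSense client, either accept the pushed route or list the remote site's LAN in the client's remote-network setting; then add a pass rule on the OpenVPN tab with the other site's LAN (192.168.20.0/24 on site A, 192.168.10.0/24 on site B, in this example) as source and the local LAN as destination, and remove any manual Outbound NAT rule for the OpenVPN interface so packets keep their real source address. Services on the VPS itself are reached at the server tun address (10.8.0.1 here) the same way, with no NAT.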

  • Indeed, it worked.

    Starting with the tutorial's rules, the remote pfSense had OVPN net access ( while not the source machine, whose IP became non-masqueraded by NAT.

    Adding a source net rule made everything work, which makes sense.

    Time to clean up the rules and get rid of manual Outbound NAT. Especially, since pfSense 2.2 aliases made things way cleaner.

    Thanks a lot!