Adding route/rules to allow access to VPN client

  • Hello,

    I have a number of embedded devices running the OpenVPN client and a small piece of software.  These clients also serve up a webpage with status information.  I have a VK-T40E that has been configured to run the OpenVPN server.

    I have everything setup successfully, and the clients are calling hope and authenticating.

    I would like to get to the web page that is on each device from the local LAN that the VK-T40E is on.

    I am using the VK-T40E as my router, and have set my gateway to it's LAN ip.  My LAN is and my OpenVPN network is

    I would like to be able to get to the network from the network.  Could someone perhaps shed some light as to how I should go about this?  Here is my entry for the LAN:

    And for OpenVPN:

    I'm at a bit of a loss here, so any assistance on where to start looking would be great.


  • If the clients are connected the web pages should be accessible with the given rules. Aren't they?
    What's the particular problem?

    It would be a good idea to give predefined IPs to the clients, so you can reach each client with a definite IP.

  • I'm curious why you blocked out the source on your LAN rule.  Assuming your LAN rule has "LAN net" as the source it's redundant.  The default "LAN net"/any rule should allow access to your tunnel network.

    e.g. my tunnel network is and when I connect to the VPN from work, I can access all LAN resources… conversely, when I go home I can also access my work PC in the network from my LAN.

    You've stated what you want, but unless I missed it, you haven't stated whether what you want is working or not.  Have you even tried it?

    Check the dashboard for the Virtual IP's from your connected clients, they should have an IP in the range and you should be able to ping them and connect to any open port.

    All this is assuming the server is configured properly, the routing is in place and there is no firewall on the remote devices blocking connections.

    If you cannot ping your devices, post a network map and post your openvpn config (server1.conf).

  • Here is my server config:

    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/
    client-disconnect /usr/local/sbin/
    client-config-dir /var/etc/openvpn-csc
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 100
    push "route"
    push "dhcp-option DOMAIN <redacted>.vpn"
    ca /var/etc/openvpn/
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    topology subnet</redacted> 

    Here is my client config:

    dev tun
    cipher AES-128-CBC
    auth SHA1
    resolv-retry infinite
    remote <redacted><redacted>udp
    lport 0
    verify-x509-name "<redacted>" name
    auth-user-pass <redacted>.pass
    pkcs12 <redacted>.p12
    tls-auth <redacted>.key 1
    ns-cert-type server
    keepalive 10 30</redacted></redacted></redacted></redacted></redacted></redacted> 

    Clients call in fine, and i can ping them from the Diagnostics: Execute command page.  I can even get the http response using telnet when ssh'd into the pfsense box.  What I can not do is ping the clients from my LAN network.

    WAN: a.b.c.d

    I would like to get to the 45.x clients from the 80.x network.  I believe this is a route issue, and not an OpenVPN issue.  Any additional insight is greatly appreciated.



  • The rules at LAN interface have to allow access from LAN host to the VPN client. Since you don't show us the hole rule set, we cannot gauge.

    The next point is the route. If the pfSenses LAN IP is set as default gateway on the LAN machines the VPN clients should be reachable, otherwise you have to set the route.
    If you are unsure show us the routing table of the LAN machine an tell us the pfSenses LAN IP.

  • Thank you very much for sticking with me here.

    I have WAN, DEMO and OPENVPNINTERFACE for my three interfaces.

    DEMO has an IP of, with DHCP for>

    I have set the rules for DEMO to the following:

    I have set the rules for OPENVPNINTERFACE to the following:

    The rules for OpenVPN:

    I have turned on logging on, and can see that my laptop,, is being allowed to (vpn client).

    I have confirmed that the service (ssh in this case) is running on the client.  I am not thinking that this may be a openvpn client configuration issue?? That maybe it isn't allowing connections via the tun0 adapter?



  • What's the OPENVPNINTERFACE? Have you assigned an interface to the OpenVPN server? That's not necessary for your needs.
    You will need that for routing issues only.

  • It appears that this was an issue with the clients being on the same network as the DEMO lan (the clients have more than one network adapter).  After I moved them to a different network, everything worked as expected.

    Thanks for assisting.  This is resolved.