Access to LAN for OpenVPN 'road warriors' when pfSense is not the LAN gateway



  • I am configuring OpenVPN on pfSense to allow remote users 'dial-in' type VPN access (this is to replace legacy PPTP connections).

    This is all working as expected, except that access to LAN devices is only possible if the LAN device either has the pfSense LAN IP set as the default gateway, or a route is added for the 'tun'/OpenVPN IP range(s).

    For legacy reasons the pfSense won't be the default gateway for most LAN devices (at least not initially).

    To work around this I have created an Outbound NAT rule on the LAN interface with a Source of my 'tun'/OpenVPN range and a NAT address of the LAN address.

    This appears to work (at least under minimal testing).

    Any reason that this should not be used, or an alternate solution?



  • That's what I would do, and it should work fine.
    The other way is to put a static route on the other router on the LAN to tell it to send packets for the Road Warrior subnet to the pfSense box. But then, if the other router is also a stateful firewall, you might still run into problems because that other router will only be seeing the return traffic.
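    As an added illustration (not part of this thread, and not pfSense code), the following Python model traces the reply path for the three setups discussed in the first post and in the reply above: no route at all, a static route on the legacy (stateful) gateway, a static route on the LAN host itself, and the Outbound NAT workaround on the pfSense LAN interface. All addresses are constructed for the example.

```python
"""Toy model: why a VPN 'road warrior' can't reach LAN hosts whose default
gateway is not pfSense, and why outbound NAT on the LAN interface fixes it.

Constructed addresses (not from the thread):
  VPN client   10.8.0.5  (OpenVPN tun subnet 10.8.0.0/24)
  pfSense      tun 10.8.0.1, LAN 192.168.1.2
  legacy gw    192.168.1.1 (LAN default gateway, stateful firewall)
  LAN host     192.168.1.50
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")
VPN_NET = ip_network("10.8.0.0/24")
PFSENSE_LAN = ip_address("192.168.1.2")
LEGACY_GW = ip_address("192.168.1.1")
LAN_HOST = ip_address("192.168.1.50")
VPN_CLIENT = ip_address("10.8.0.5")


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass
class Scenario:
    host_route_to_vpn: bool = False   # static route on the LAN host itself
    gw_route_to_vpn: bool = False     # static route on the legacy gateway
    outbound_nat: bool = False        # pfSense Outbound NAT on LAN for VPN_NET
    # Flows the legacy gateway has seen in the forward direction (src, dst).
    gw_states: set = field(default_factory=set)
    # pfSense NAT table: (translated src, dst) -> original src
    nat_table: dict = field(default_factory=dict)


def host_next_hop(sc: Scenario, dst: IPv4Address):
    """Routing decision of the LAN host for a packet to dst."""
    if dst in LAN_NET:
        return "direct"
    if sc.host_route_to_vpn and dst in VPN_NET:
        return PFSENSE_LAN
    return LEGACY_GW  # default gateway, which is NOT pfSense


def legacy_gw_forward(sc: Scenario, pkt: Packet) -> str:
    """Stateful legacy gateway: it needs both a route and an existing state
    entry for the flow; otherwise the return traffic is dropped."""
    if pkt.dst not in VPN_NET:
        return "dropped: unexpected destination"
    if not sc.gw_route_to_vpn:
        return "dropped: legacy gateway has no route to the VPN subnet"
    if (pkt.dst, pkt.src) not in sc.gw_states:
        return "dropped: legacy gateway has no state for this flow (asymmetric path)"
    return "delivered"


def trace(sc: Scenario):
    """Send one request from the VPN client to the LAN host and follow the
    reply. Returns (reachable, explanation)."""
    # Forward direction: client -> pfSense (tun) -> LAN host directly.
    # The legacy gateway never sees this packet, so it creates no state.
    req = Packet(VPN_CLIENT, LAN_HOST)
    if sc.outbound_nat:
        # pfSense rewrites the source to its own LAN address and remembers it.
        sc.nat_table[(PFSENSE_LAN, LAN_HOST)] = req.src
        req = Packet(PFSENSE_LAN, LAN_HOST)

    # Reply direction: the host answers to whatever source address it saw.
    reply = Packet(LAN_HOST, req.src)
    hop = host_next_hop(sc, reply.dst)
    if hop == PFSENSE_LAN:
        return True, "delivered: host has its own static route to the VPN subnet"
    if hop == "direct":
        # Reply is on-link to pfSense, which un-NATs it and sends it down the tunnel.
        original = sc.nat_table[(reply.dst, reply.src)]
        return True, f"delivered: reply went straight to pfSense and was un-NATted to {original}"
    verdict = legacy_gw_forward(sc, reply)
    return verdict == "delivered", verdict


if __name__ == "__main__":
    for name, sc in [
        ("no route, no NAT", Scenario()),
        ("static route on legacy gateway", Scenario(gw_route_to_vpn=True)),
        ("static route on LAN host", Scenario(host_route_to_vpn=True)),
        ("outbound NAT on pfSense LAN", Scenario(outbound_nat=True)),
    ]:
        print(f"{name:32s} -> {trace(sc)}")
```

    The second scenario is the one the reply above warns about: the gateway has a route back to the tunnel subnet, but because it only ever sees the return half of the flow its state table has no matching entry and it drops the packet. The NAT workaround sidesteps that by making the reply an on-link packet to the pfSense LAN address, so the legacy gateway is never involved.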



  • Thanks phil,
    Adding routes to the other firewall(s) did prove overly complex (and not overly successful), as you stated, seemingly due to the stateful inspection.



  • Hi, can you please post some screenshots for dummies (i.e. me)  ;) ?

    Thx.

    EDIT:
    In Outbound NAT rules I created this rule, but I still can't access PCs that don't have their default gateway set to the OpenVPN server pfSense box:

    @robm:

    I am configuring OpenVPN on pfSense to allow remote users 'dial-in' type VPN access (this is to replace legacy PPTP connections).

    This is all working as expected, except that access to LAN devices is only possible if the LAN device either has the pfSense LAN IP set as the default gateway, or a route is added for the 'tun'/OpenVPN IP range(s).

    For legacy reasons the pfSense won't be the default gateway for most LAN devices (at least not initially).

    To work around this I have created an Outbound NAT rule on the LAN interface with a Source of my 'tun'/OpenVPN range and a NAT address of the LAN address.

    This appears to work (at least under minimal testing).

    Any reason that this should not be used, or an alternate solution?


