OpenVPN as a gateway with NAT

  • I have setup an openvpn client as per the tutorial here: It is up and running fine and I can sucsuessfully rule based direct specific LAN based traffic out this path.

    However inbound requests timeout and do not show up in the firewall log. The associated NAT and FIREWALL rules are in place to allow this traffic and ticked to log. Any thoughts on what may be happening that is impeding the inbound requests from NAT'ing?

    According to the firewall logs there has been absolutely no inbound traffic registered on the interface associated to this VPN

    Oh and if it matters…. incoming port based NAT works on the regular WAN (isp direct connection) flawlessly.

    Oh and by viewing the packet sniffer it would appear that the incoming requests are getting to the pfsense end of the vpn. But at that point there is no forwarding of them to the private ip, nor is there any entry in the firewall log for the same interface.

    Anyone able to help?

    2.2.3-RELEASE (amd64)
    Intel(R) Atom(TM) CPU C2758 @ 2.40GHz
    8 CPUs: 1 package(s) x 8 core(s)

  • if you use traffic limiter then it will break NAT … it is bug and not sure when will be fixed.

  • I had a limiter in use…  Deleted and removed it. Still no go....

  • Try to force all client traffic to ovpn to see if it work to internet, reboot pfsense after settings change ovpn, if not work then firewall rules for ovpn need to be rebuild/checks.

  • Ok.

    I did route-nopull for the vpn originally because I do not want all traffic over the VPN. But for test purposes I can do that…

    And how would I rebuild/checks the firewall rules for the ovpn?


  • sorry, since you had this working on 2.2.2 and after update to 2.2.3 it is not working it's not an easy debug … from my opinion you have 2 choices: revert back to 2.2.2 or lose a day and try to reconfigure everything from zero on a clean install 2.2.3 and maybe you will find the problem for your config .... and another bug.

  • I understand…

    FYI, this is a clean install of 2.2.3. When I upgraded from 2.x (when all worked fine) I assumed there was a difference in the config between versions. So like you suggest, I went with a clean 2.2.3 install and have been reconfiguring each service. This is the only one thus far that I have yet to get to work again.

    That said, do you believe I should still restart from scratch?

  • Try to get a confirmation from somebody that use the same ovpn server / config that all is OK so you did not miss something on config and you do not use limiter traffic in this version.
    If you use snort/suricata, of pfblockeer, squid… try to config/enable only after you setup VPN and is working.

    I am using ovpn site to site + ovpn server for clients in this version and all is OK without traffic limiter, with traffic limiter nothing that need NAT is working for me.

  • cool well thanks for your input and guidance n3by! I will poke around a bit more and see if I can narrow down what may be interfering. :)

  • How would I rebuild/checks the firewall rules for the ovpn?

  • Well that solved it. I did a format and clean install 3 times. The first 2 reinstalls progressively got worse. Services wouldnt start, qwarky things happened…  I was about to give up and gave it one last clean install. And VIOLLA!  Everything is working as per the norm.

    Now this realization really makes me question and wonder why..... Is it a corrupted config file??? A dying SSD drive? (its bran new 2months old) like what else could cause such bizarre results???

  • @n3by:

    if you use traffic limiter then it will break NAT … it is bug and not sure when will be fixed.

    And when you say the limiter breaks NAT… Do you mean just the limiter or all traffic shaping?

Log in to reply