OpenVPN Server behind PFSense (ping is possible, web access not)

  • Hi everybody,

    I am totally frustrated. I want to use an OpenVPN Server behind the PFSense and I think there is only one missing action for it to work, but I can not solve the problem. I hope you can show me the missing piece in the puzzle.

    My Setup:

    • mobile clients (e.g. Ubuntu Notebook or IPhone) –> Internet --> PFSense --> Ubuntu (VPN-Server) AND Local Network

    • local Network is

    • on the PFSense I also use the OpenVPN Server and it is working perfectly. But I also want to use the VPN-Server behind the PFSense

    • OpenVPN from PFSense - access via port 33334

    • OpenVPN from ubuntu Server - access via port 1194

    Here are the settings:
    client.ovpn (from the ubuntu client)

    dev tun
    proto udp
    remote 37.148.xx.xx (anonymized)
    port 1194
    resolv-retry infinite
    verb 3
    inline ca...
    inline key...
    inline cert...

    server.conf - from the ubuntu openvpn server

    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/ionas-server.crt
    key /etc/openvpn/easy-rsa/keys/ionas-server.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    user nobody
    group nogroup
    status /var/log/openvpn-status.log
    verb 4
    push "route"
    log-append /var/log/openvpn
    keepalive 10 120
    client-config-dir /media/disk/openvpn/user-configs

    on the PFsense I did the following:

    1. I created a port forwarding from port 1194 to the lan-address of the openvpn-server:
    2. automatically there was a rule created in the WAN-Interface
      IPv4 TCP/UDP * * 1194 (OpenVPN) * none   NAT allow wlan

    The situation now:
    I can connect via openvpn to the openvpn server behind the pfsense. The output is

    Sat Aug  1 10:56:38 2015 ROUTE_GATEWAY IFACE=wlan0 HWADDR=00:24:d7:9f:99:bc
    Sat Aug  1 10:56:38 2015 TUN/TAP device tun0 opened
    Sat Aug  1 10:56:38 2015 TUN/TAP TX queue length set to 100
    Sat Aug  1 10:56:38 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Aug  1 10:56:38 2015 /sbin/ip link set dev tun0 up mtu 1500
    Sat Aug  1 10:56:38 2015 /sbin/ip addr add dev tun0 local peer
    Sat Aug  1 10:56:38 2015 /sbin/ip route add via
    Sat Aug  1 10:56:38 2015 /sbin/ip route add via
    Sat Aug  1 10:56:38 2015 Initialization Sequence Completed

    a route -n shows me on the client
         UG    0      0        0 wlan0
         UG    0      0        0 tun0
         UH    0      0        0 tun0
         UG    0      0        0 tun0
         U     9      0        0 wlan0

    Hint: is the network at home. is the local network I want to connect to.

    Strange is that I can ping all devices in the network:

    • ping, ping, ping all are possible.
    • but as soon as I want to access e.g. the webserver from there is a network timeout.
    • I can not find anything in the logs of the firewall.

    Now my question is what can I do?

    • I have the feeling that the packets do not find their way back. So do I have to define a gateway? Is the gateway or the WAN interface?
    • is there a missing firewall rule?
    • do I need a static rule?
    • is the setting in advanced -> network -> bypass interface .. relevant?

    Thanks for your help.
    Best regards

  • local Network is

    I guess you really mean

    Devices in probably have their default gateway set to pfSense LAN IP ( ?)
    In that case when they try to reply to the client on OpenVPN Ubuntu they will send the reply packet to pfSense LAN IP. pfSense will not have a state for it and so will drop it. You will have asymmetric routing. There is an advanced button that helps with that (can't remember the name off the top of my head) out of state stuff. But you would also need to add a route on pfSense that says is reached by going to

    Or on each of the devices you wish to reach from the tunnel, add a route to the device so it knows to use for traffic to
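The asymmetric-routing problem phil.davis describes, as an added example that is not part of the thread: a parser for `route -n` output plus a longest-prefix-match lookup, run over a constructed routing table of a LAN host. All addresses (192.168.1.0/24 LAN, 192.168.1.1 pfSense, 192.168.1.50 OpenVPN server, 10.8.0.0/24 tunnel) are placeholders, since the thread's own addresses are not on the page.

```python
import ipaddress

# Constructed `route -n` output of a LAN host (placeholder addresses, not
# from the thread). Without a static route the only way off-link is the
# pfSense default gateway.
ROUTE_N_LAN_HOST = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""
# The fix suggested in the thread: tell the host that the tunnel subnet is
# reached via the OpenVPN server's LAN address (placeholder 192.168.1.50).
STATIC_ROUTE_FIX = (
    "10.8.0.0        192.168.1.50    255.255.255.0   UG    0      0        0 eth0\n"
)
VPN_SERVER_LAN_IP = "192.168.1.50"


def parse_route_n(text):
    """Turn `route -n` rows into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        dest, gw, mask, _flags, *_rest, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: the gateway the host sends a reply to, or 'on-link <iface>'."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return str(best[1]) if best[1] is not None else f"on-link {best[2]}"


def reply_is_asymmetric(routes, vpn_client_ip):
    """True when the reply to a tunnel client leaves via a hop other than the
    OpenVPN server: the request arrived from the server, so pfSense sees a
    reply for a flow it has no state for and drops it."""
    return next_hop(routes, vpn_client_ip) != VPN_SERVER_LAN_IP
```

With only the default route, the reply to 10.8.0.6 goes to 192.168.1.1 (asymmetric); after appending the static route it goes to 192.168.1.50 and the path is symmetric.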

  • Hi phil.davis,

    Thanks for your response. The button is called "Bypass firewall rules for traffic on the same interface" and can be found on system -> advanced -> network. But unfortunately this is not working.

    I just want to summarize what you wrote:

    • I have a notebook with the local ip: It has also a public ip 91.xx.xx.xx.
    • it connects via the public ip of the pfsense 37.148.xx.xx with port 1194.
    • pfsense has a port forwarding rule for port 1194 and it passes the request to the ip:
    • on ip an openvpn server is listening
    • the connection is authorized and the vpn-tunnel is created
    • the client receives the ip: for the tunnel and receives the route:
    • so the client sends all the requests for e.g. or to the tun0.
    • the openvpn server receives the requests on and passes the requests e.g. to
    • receives the https request and answers with the content of the webpage.

    – now I struggle a little bit.

    • shouldn't the answer go to the origin? That means replies to and replies to
    • of course receives via DHCP from the PFsense that the default gateway is
    • by the way the route on the openvpn server as soon as there is a connection is:
    Ziel            Router          Genmask         Flags Metric Ref    Use Iface
         UG    0      0        0 eth0
         UG    0      0        0 tun0
         UH    0      0        0 tun0
         U     0      0        0 eth0

    – I tried the following:

    • I created a gateway in the pfsense with name: openvpnbehindpfsense interface: LAN gateway:
    • and I created a rule on the lan that destination has to use this gateway.
      IPv4 TCP/UDP * * * openvpnbehindpfsense none 
      but this does not solve the problem.

    -- I have another point:

    • we have in our office two WANs. One with a static IP that is used for the openvpn access and one with a dynamic ip. Could that be the problem? that the replies are sent to the second wan and not the first one?

    Thanks for your help.
    Best regards

  • LAYER 8 Netgate

    • I created a gateway in the pfsense with name: openvpnbehindpfsense      interface: LAN      gateway:
    • and I created a rule on the lan that destination has to use this gateway.
      IPv4 TCP/UDP    *    *    *    openvpnbehindpfsense    none
      but this does not solve the problem.

    No.  That rule on LAN won't do it.

    You want to delete that and go to System > Routing and create a route for to gateway openvpnbehindpfsense.

  • LAYER 8 Netgate

    I see now.  A diagram would have made it instantly obvious.  :P

    The way you have it designed you either need to have a route in all your clients on that tells them to reach via - probably not practical.

    Or you have to hairpin traffic into pfSense (the default gateway) and back out the same interface - which is unsound design. As you're finding out, problems happen.

    A better way would be to put the Linux OpenVPN server on another subnet/pfSense interface. Then all the routing would be done by one router and you wouldn't be stuck trying to make an unsound design work.

  • Hi Derelict,

    thanks for your answer. I think you already told me how to achieve the goal but I don't know how. Can you help me in more detail?

    1. I made a diagram of my setup. You find it at:

    2. I think an own interface for the openvpn behind the pfsense is the best way. So I tried to assign a new interface. I created a vlan 666 because vr0 (that is my lan) can not be chosen. Is it correct that I have to use a vlan?
      I took: static ipv4 and the ipv4 address is
      the ipv4 upstream gateway is my previously created gateway

    3. I created a firewall rule for the new interface. It allows everything and as gateway I took the gateway

    Is that correct? Can you tell me how you would do it?

    Best regards

  • Hi everybody,

    I tried again last night to put the openvpn connection to a server in the lan to an own interface. I didn't reach my goal.
    Can anybody tell me how to do it?

    My main problem is to decide which "network port" I have to select on the page "assign Interfaces". Do I have to choose the vr0 (which is my lan) or do I have to create a VLAN?
    Thanks in advance for any hint.

    Best regards

  • Hi everybody,

    I am still struggling with an openvpn server behind pfsense. Can anybody give me a hint what to do?
    Derelict writes that it would be best to assign an own interface to the server. I tried to do this but what network port do I have to use for this new interface? I have no more real lan port and a virtual one has to be assigned to vr0 = lan or vr2 = dsl line or something virtual…

    I am looking forward to your help.
    Best regards

  • LAYER 8 Global Moderator

    Running a vpn server inside the network is at best a problematic setup.  Why not just run openvpn on pfsense itself?

    You run into routing problems when the vpn tunnel endpoint is just some IP in the lan network.  As mentioned already you either need routes on all your hosts that your vpn clients would want to talk to, and or you would have to hairpin a connection off pfsense which is the gateway for your lan machines off that network.

    What is your reasoning for running the vpn server behind pfsense and not on pfsense?  You're really just making something that is clickity clickity to get up and running into a configuration mess.

  • I use OpenVPN on pfSense for all my remote connections.  Works like a charm and easy to configure.

  • Running a vpn server inside the network is at best a problematic setup.

    OpenVPN servers behind firewalls can work with a port forwarding and a static route so there is no rocket science involved.

    One scenario (that requires OpenVPN server(s) BEHIND pfSense) is when there are multiple OpenVPN servers behind the firewall/pfSense. E.g. for penetration/version or testing and/or high availability.

    It would really help me (and Christoph) if there is some pfSense configuration/setting available that supports this configuration.

    Thanks, regards,
