SOLVED: LAN NAT of remote over OpenVPN

  • Hi folks,

    I have a problem getting LAN traffic to NAT/route over OpenVPN.  Here's my setup:

    Site A

    • has current version of pfSense running OK

    • Is configured with OpenVPN server

    Site B

    • is my laptop

    • has pfSense running in a VM to route all traffic from the laptop and VMs

    • Is configured with OpenVPN client and seems to be working per diagnostics

    When the OpenVPN client in the site B's pfSense is stopped/disabled, site B's pfSense works as expected.  When the OpenVPN client is running:

    • I can see the IP ( and DHCP server IP (

    • Diagnostics' traceroute on site B's pfSense shows proper routing when source is from OpenVPN NIC or OpenVPN client

    • Any traffic to the internet on site B's LAN network is not working, including diagnostics' traceroute.

    Do I need to add route mapping to site B's pfSense?  To rule out any firewall issue, I've provided 1 rule of allow any source to any destination on both the server's and the client's OpenVPN NICs.

    Here's my site B's (obfuscated) routes:

    Destination Gateway Flags Use Mtu Netif Expire
    UGS 3 1500 ovpnc1
    default site.b.wan.1 UGS 20950 1500 vtnet0
    UGHS 2 1500 ovpnc1
    UGHS 2 1500 ovpnc1
    site.b.lan2.0/24 link#3 U 58263 1500 vtnet2
    site.b.lan2.1 link#3 UHS 0 16384 lo0
    link#6 UH 1030 16384 lo0
    UGS 16 1500 ovpnc1
    site.a.public.ip/32 site.b.wan.1 UGS 88 1500 vtnet0
    site.b.wan.0/24 link#1 U 0 1500 vtnet0
    site.b.wan.1 52:54:00:xx:xx:xx UHS 10512 1500 vtnet0
    site.b.wan.230 link#1 UHS 0 16384 lo0
    site.b.lan1.0/24 link#2 U 20494 1500 vtnet1
    site.b.lan1.1 link#2 UHS 0 16384 lo0
    UGS 0 1500 ovpnc1
    link#8 UH 8 1500 ovpnc1
    link#8 UHS 0 16384 lo0

                                  = Site A's & DHCP IP on the OpenVPN server NIC
                                  = Site B's OpenVPN client IP
    site.b.wan.1              = Site B's WAN gateway
    site.b.wan.230          = Site B's WAN IP
    site.b.lan1                  = Site B's LAN 1 network
    site.b.lan2                  = Site B's LAN 2 network

    Thanks in advance,

  • Figured out the root cause.  Changed NAT outbound to hybrid and added the rules for the LAN within site B's pfSense. :D
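    What the hybrid outbound NAT rules amount to in raw pf(4) syntax, added here as an illustration and not the ruleset pfSense itself generates; the interface and network names are the obfuscated placeholders from the post above:

```pf
# Site B pfSense: translate both LAN networks as they leave through the
# OpenVPN client interface, so replies come back to the tunnel address
# instead of a private LAN address the far side has no route for.
# Interface and network names are the placeholders used in the post.
nat on ovpnc1 inet from site.b.lan1.0/24 to any -> (ovpnc1)
nat on ovpnc1 inet from site.b.lan2.0/24 to any -> (ovpnc1)
```

    On pfSense, `pfctl -s nat` (Diagnostics > Command Prompt) lists the NAT rules actually loaded, which is the quickest way to confirm the LAN networks appear against ovpnc1.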
