Netgate Discussion Forum
    PfSense as an OpenVPN client - LAN access to the server

    Category: OpenVPN
    10 Posts 3 Posters 3.0k Views
    • D
      Deviant0ne
      last edited by

      Hello all,

      I've spent the past day and about 5 different guides I've found here and elsewhere getting my pfSense router to connect to the OpenVPN server [a private VPS] as a client and then routing certain client traffic over that tunnel; that's all working fine now, which I am really excited about.

      What I would like to be able to do is provide LAN access [10.0.1.0/24] to my VPS using my OpenVPN tunnel [10.30.0.0/24]. I am using "topology subnet" in my OpenVPN server configuration so that the server will be reachable at 10.30.0.1; I have my pfSense router using a static IP address [10.30.0.250] which is being pushed using a CSC entry on the server. Ultimately, I would like to be able to SSH [for example] into my VPS [10.30.0.1] and ping my private LAN clients [10.0.1.10,12,14, etc.] over the VPN tunnel.

      Is this even possible? I have tried various route/iroute statements but have been unsuccessful at getting traffic flowing into my network [the traffic flows through the VPS fine from my LAN]. Any assistance would be greatly appreciated - I am also happy to provide any configuration files, if necessary. Thanks in advance!

      1 Reply Last reply Reply Quote 0
      • D
        Deviant0ne
        last edited by

        Update: I found that I am actually unable to ping my pfSense router [10.30.0.250] from the OpenVPN server [using an SSH connection to the server]. I think the issue may have something to do with a missing firewall rule, but again, I can't find the correct combination of rules to allow traffic to flow back over the VPN.

        Again, any help with this would be greatly appreciated.

        1 Reply Last reply Reply Quote 0
        • M
          marvosa
          last edited by

          You need to do a few things:

          • Push a route for the VPS network to your clients

          • If you have control of the remote end, you need to add a return route to your tunnel network on the remote end

          • If you do not have control of the remote end, when traffic is sourced from your tunnel network and destined to your VPS… it will need to be NAT'd to the OpenVPN interface that is facing your VPS.

          1 Reply Last reply Reply Quote 0
          • D
            Deviant0ne
            last edited by

            @marvosa:

            You need to do a few things:

            • Push a route for the VPS network to your clients

            • If you have control of the remote end, you need to add a return route to your tunnel network on the remote end

            • If you do not have control of the remote end, when traffic is sourced from your tunnel network and destined to your VPS… it will need to be NAT'd to the OpenVPN interface that is facing your VPS.

            Thank you very much for your reply;

            1. My VPS doesn't really have a local network associated with it - I am basically just using the public, static IP address and nothing more. There aren't any machines behind the VPS that I want to communicate with, I just want the VPS to be able to communicate with the LAN behind my pfSense router [10.0.1.0/24] through the OpenVPN tunnel [10.30.0.0/24].

            2. I currently have "route 10.0.1.0 255.255.255.0" in my OpenVPN server configuration and "iroute 10.0.1.0 255.255.255.0" in the CSC file for my pfSense router. I would imagine that the OpenVPN server on my VPS would be pulling the proper route from the pfSense router using these two statements. I do have root access to the VPS, but I was under the impression that the route/iroute statements added the return route for the server. However, when I run "netstat -nr" on the VPS, I do not see a route back to my LAN network [10.0.1.0/24] through the OpenVPN tunnel. This is part of what leads me to believe that either I am missing some kind of configuration setting in pfSense or there's a firewall rule blocking traffic destined for the 10.0.1.0/24 network through the 10.30.0.0/24 network.

            I do have a rule in my pfSense router that allows all traffic to/from anything on the interface I've created for the OpenVPN tunnel to my VPS. I just don't know what I'm doing wrong. Thanks again for any light you may be able to shine on this!

            1 Reply Last reply Reply Quote 0
            • D
              Deviant0ne
              last edited by

              Update: I've noticed that if I enter a gateway address in the route/iroute definitions, i.e. "route 10.0.1.0 255.255.255.0 10.30.0.1"/"iroute 10.0.1.0 255.255.255.0 10.30.0.1", I can get the LAN network to show in the routing table on my VPS. However, I am still unable to ping any of the machines behind the pfSense router.

              Also, if I use a different topology definition, i.e. net30, the route is automatically added to the VPS' routing table without having to specify a gateway address in the route/iroute statements; again, I still cannot communicate with the machines on the 10.0.1.0/24 network from the VPS.

              1 Reply Last reply Reply Quote 0
              • M
                marvosa
                last edited by

                Can you post a quick network map with IPs listed, so I can visualize what you're trying to do? I believe I misread your OP, so instead of me making more assumptions… it'd be nice to have a network map to look at.

                1 Reply Last reply Reply Quote 0
                • D
                  Deviant0ne
                  last edited by

                  @marvosa:

                  Can you post a quick network map with IPs listed, so I can visualize what you're trying to do? I believe I misread your OP, so instead of me making more assumptions… it'd be nice to have a network map to look at.

                  I would be happy to post a diagram; I'll put one together tomorrow morning and post it. Thanks!

                  1 Reply Last reply Reply Quote 0
                  • D
                    Deviant0ne
                    last edited by

                    As promised, here's a basic layout of my network [see attached].

                    Here's my OpenVPN server configuration:

                    # State the type of OpenVPN instance - Server
                    mode server
                    tls-server
                    
                    # Server listening port and protocol
                    port 10001
                    proto udp
                    
                    # Use a TUN adapter
                    dev tun
                    
                    # Set the OpenVPN subnet - 10.30.0.2-199
                    topology subnet
                    push "topology subnet"
                    ifconfig 10.30.0.1 255.255.255.0
                    push "route-gateway 10.30.0.1"
                    ifconfig-pool 10.30.0.2 10.30.0.199 255.255.255.0
                    
                    # Server certificates
                    ca ca.crt
                    cert server.crt
                    key server.key
                    dh dh1024.pem 
                    
                    # Use Blowfish and compress traffic
                    cipher BF-CBC
                    comp-lzo
                    
                    # Allow clients to communicate with other clients
                    client-to-client
                    
                    # Route the LAN behind the pfSense client into the tunnel
                    # (paired with the iroute in that client's CSC file)
                    route 10.0.1.0 255.255.255.0
                    
                    # Used for setting static IP addresses on connected clients
                    client-config-dir /etc/openvpn/static_clients
                    
                    # Keepalive, status log and log verbosity
                    keepalive 10 120
                    status openvpn-sitetosite-status.log
                    verb 3

                    Here's my pfSense CSC file:

                    ifconfig-push 10.30.0.250 255.255.255.0
                    iroute 10.0.1.0 255.255.255.0

                    My pfSense settings are pretty barren, I don't have any strange options set there; I can post a screen of that configuration too, if necessary. Thanks for the help!

                    [Attachment: Network.png (network diagram)]

                    1 Reply Last reply Reply Quote 0
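The combination the thread is working through (a `route` in the server config, a matching `iroute` in the client's CSC file, `client-config-dir`, `ifconfig-push` outside the pool, and the gateway question under `topology subnet`) is the usual place where a LAN behind an OpenVPN client becomes unreachable from the server. The following checker is an added example written for this thread, not OpenVPN or pfSense code. It parses the server config and CSC text posted above (the CSC file name and the second test CSC are constructed) and reports the mismatches. The gateway warning is a heuristic derived from the thread's own observation that under `topology subnet` the kernel route only appeared once a gateway was given, while under `net30` it was installed automatically; a server built with the `server` macro sets `route-gateway` for you, this hand-written one does not.

```python
"""Route/iroute consistency check for an OpenVPN server and its CSC files.
Added example for this thread, not OpenVPN or pfSense code."""
import ipaddress
import shlex

# Server config from the thread, reduced to the lines that affect routing
SERVER_CONF = """\
mode server
tls-server
port 10001
proto udp
dev tun
topology subnet
push "topology subnet"
ifconfig 10.30.0.1 255.255.255.0
push "route-gateway 10.30.0.1"
ifconfig-pool 10.30.0.2 10.30.0.199 255.255.255.0
client-to-client
route 10.0.1.0 255.255.255.0
client-config-dir /etc/openvpn/static_clients
"""

# Constructed file name -> contents; the contents are the thread's pfSense CSC
CSC_FILES = {
    "pfsense-router": "ifconfig-push 10.30.0.250 255.255.255.0\n"
                      "iroute 10.0.1.0 255.255.255.0\n",
}


def parse_directives(text):
    """Split an OpenVPN config into (directive, args) pairs; drop comments and blanks."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            directives.append((parts[0], parts[1:]))
    return directives


def as_network(addr, mask="255.255.255.255"):
    """Build a network from OpenVPN's 'address netmask' argument style."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_routes(server_text, csc_files):
    """Return a list of finding strings; an empty list means the routing is consistent."""
    findings = []
    server = parse_directives(server_text)

    def first(name):
        return next((args for d, args in server if d == name), None)

    topology = (first("topology") or ["net30"])[0]
    ifconfig = first("ifconfig")
    tunnel = as_network(*ifconfig) if ifconfig else None
    local_gw = first("route-gateway")   # the server's own route-gateway, not the pushed one
    pool = first("ifconfig-pool")

    # route directives: what the server kernel sends into the tun device
    server_routes = {}
    for d, args in server:
        if d == "route":
            net = as_network(args[0], args[1] if len(args) > 1 else "255.255.255.255")
            server_routes[net] = args[2] if len(args) > 2 else None

    # iroute directives: which connected client owns each network behind the tunnel
    iroutes = {}
    for name, text in csc_files.items():
        for d, args in parse_directives(text):
            if d == "iroute":
                if len(args) > 2:
                    findings.append(f"{name}: iroute takes only network and netmask; "
                                    f"extra argument {args[2]!r} is not documented syntax")
                iroutes[as_network(args[0], args[1] if len(args) > 1 else "255.255.255.255")] = name
            elif d == "ifconfig-push" and tunnel is not None:
                ip = ipaddress.ip_address(args[0])
                if ip not in tunnel:
                    findings.append(f"{name}: ifconfig-push {ip} lies outside the tunnel {tunnel}")
                elif pool and ipaddress.ip_address(pool[0]) <= ip <= ipaddress.ip_address(pool[1]):
                    findings.append(f"{name}: ifconfig-push {ip} collides with ifconfig-pool {pool[0]}-{pool[1]}")

    if csc_files and not first("client-config-dir"):
        findings.append("server has no client-config-dir, so no CSC file (and no iroute) is read")

    for net, gw in server_routes.items():
        if net not in iroutes:
            findings.append(f"route {net}: no CSC carries a matching iroute, so OpenVPN cannot "
                            f"map the destination to a client and drops the packets")
        if topology == "subnet" and gw is None and local_gw is None:
            findings.append(f"route {net}: with topology subnet and no server-side route-gateway, "
                            f"OpenVPN has no gateway for the kernel route (give the route an explicit "
                            f"gateway inside {tunnel} or set route-gateway)")

    for net, name in iroutes.items():
        if net not in server_routes:
            findings.append(f"iroute {net} in {name}: no matching route in the server config, "
                            f"so the server kernel never sends {net} into the tunnel")
    return findings


if __name__ == "__main__":
    for finding in check_routes(SERVER_CONF, CSC_FILES) or ["no routing findings"]:
        print(finding)
```

Run against the thread's config, the only finding is the missing gateway on the server-side `route`, which matches what the poster saw; adding `10.30.0.1` as the gateway (the poster's second attempt) clears it. The check does not see firewall rules, so a clean result only says the OpenVPN routing is consistent, not that pfSense or the LAN hosts will forward the traffic.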
                    • D
                      divsys
                      last edited by

                      I do have a rule in my pfSense router that allows all traffic to/from anything on the interface I've created for the OpenVPN tunnel to my VPS.

                      Do you have the same "Allow any-any" rule on the OpenVPN tab of the pfSense server?

                      -jfp

                      1 Reply Last reply Reply Quote 0
                      • D
                        Deviant0ne
                        last edited by

                        @divsys:

                        Do you have the same "Allow any-any" rule on the OpenVPN tab of the pfSense server?

                        Yes, I do.

                        I've pretty much determined that what I'm trying to accomplish isn't possible. Now, I've noticed that if I connect to my VPS using SSH on the OpenVPN address [10.30.0.1], the SSH tunnel is originating from the OpenVPN address of my pfSense router [10.30.0.250] - if I could open ports/port forward on the pfSense OpenVPN address/interface, I could accomplish what I want [access to LAN resources on the OpenVPN server] but I haven't been successful at this either.

                        1 Reply Last reply Reply Quote 0
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.