Is there a simple way to setup openvpn on pfsense when it's all on the lan side?

  • I have a Fortigate router that I can't replace.
    It is set up in a building with one owner and 2 companies.
    We want them to be as separate as possible for as cheap as possible.
    Fortigate is 192.168.104.0/24
    I would like to set up a cheap router to separate, so… WAN would be 192.168.104.100 and LAN would be 192.168.11.0/24.

    I would then like to set up pfSense/OpenVPN to run in Hyper-V on a v-switch and keep it all on the local subnet.
    modem>>fortigate>>cheapRouter>>server2012+hyper-v
    internetIP>>192.168.104.1>>192.168.11.1>>  192.198.11.10(server) 192.168.11.100(pfsense wan side on hyper-v switch) >> to full internal subnet access.

    This might be a very stupid way to go about it, but I really like the OpenVPN interface on pfSense, and thought if it could just sit on the LAN side and only route OpenVPN traffic to the local LAN that would be cool.

    I've gone through what I thought might work but hit a wall.
    This by the way is for 1 to 5 road warriors.

    On a side note, would I be better off just installing OpenVPN on the server directly (w/ TAP driver)?
    Thanks for reading my rant and for any help.


  • Rebel Alliance Global Moderator

    So who controls this fortigate?  Who is going to forward the traffic to whatever is running openvpn?

    If you want to isolate your company from the other company, and you like pfSense... just plug it into your network on its WAN, so it would get a 192.168.104.x address on its WAN.

    You then set up your network behind pfSense on whatever network you want other than that 192.168.104.0/24 network.

    Not seeing the point of the cheap router?? And then with pfSense you would have a triple NAT.

    Then you run OpenVPN on the pfSense WAN... Just need someone to forward the ports you're using for OpenVPN to your pfSense WAN IP of 192.168.104.X

  • The point of the cheap router is for the NAT, to prevent the IT team who controls the Fortigate from having access to our network. So yes, as I understand it, that would be a double NAT.
    I know instead of a cheap router I could just set up a small PC to run pfSense with OpenVPN on it, but I was hoping to run pfSense from Hyper-V to kinda use it like OpenVPN Access Server.
    I guess I might just install OpenVPN directly on the server, or build a small PC with pfSense to replace the cheap router.
    Thanks for the help :)
  • Rebel Alliance Global Moderator

    What do you think pfSense does?? It NATs just fine...

    You can run pfSense on your Hyper-V box, or ESXi or plenty of other VM software, and have your network behind that VM.

  • I guess what I really wanted to do was be able to add a pfSense VM without NAT, DNS, or DHCP to an existing network and use it just as an OpenVPN appliance, with the old router (or in this case the Fortigate and cheap router) just port forwarding to pfSense on the LAN side with a static IP.
    Thanks for the help.
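The one-armed placement the thread ends on (an OpenVPN appliance at 192.168.11.100 on a LAN whose default gateway is the cheap router at 192.168.11.1) has a return-path catch worth checking before relying on it: LAN hosts send replies for the tunnel subnet to their default gateway, not to the appliance. The small routing simulation below is an added example, not code from the thread or from pfSense; the tunnel subnet 10.8.0.0/24, the client address 10.8.0.6 and the hop names are assumptions.

```python
import ipaddress

# Constructed model of the topology from the thread (addresses assumed where
# the thread does not give them).
LAN      = ipaddress.ip_network("192.168.11.0/24")
TUNNEL   = ipaddress.ip_network("10.8.0.0/24")      # assumed OpenVPN tunnel subnet
DEFAULT  = ipaddress.ip_network("0.0.0.0/0")
GATEWAY  = ipaddress.ip_address("192.168.11.1")     # cheap router: LAN default gateway
VPN_BOX  = ipaddress.ip_address("192.168.11.100")   # pfSense VM, one-armed on the LAN
UPSTREAM = ipaddress.ip_address("192.168.104.1")    # Fortigate: the cheap router's default route
CLIENT   = ipaddress.ip_address("10.8.0.6")         # assumed road-warrior tunnel address

def lookup(table, dst):
    """Longest-prefix match over (network, next hop) pairs; 'local' = on-link."""
    hits = [(net, hop) for net, hop in table if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def reply_path(static_route_on_gateway=False, nat_on_vpn_box=False):
    """Trace a LAN host's reply to the VPN client and return the hops it visits.

    static_route_on_gateway: cheap router has 10.8.0.0/24 via 192.168.11.100.
    nat_on_vpn_box: appliance hides tunnel clients behind its own LAN address,
    so the host only ever talks to 192.168.11.100.
    """
    dst = VPN_BOX if nat_on_vpn_box else CLIENT
    host_table = [(LAN, "local"), (DEFAULT, GATEWAY)]
    gw_table = [(LAN, "local"), (DEFAULT, UPSTREAM)]
    if static_route_on_gateway:
        gw_table.append((TUNNEL, VPN_BOX))
    path = ["lan-host"]
    if lookup(host_table, dst) == "local":
        path.append("vpn-box")          # on-link: delivered straight to the appliance
        return path
    path.append("gateway")              # tunnel subnet is off-link, so the host uses its default route
    if lookup(gw_table, dst) == VPN_BOX:
        path.append("vpn-box")          # the static route hairpins the reply back to the appliance
    else:
        path.append("upstream(lost)")   # no tunnel route: the reply leaves the LAN and never returns
    return path

if __name__ == "__main__":
    print("no extra config:   ", reply_path())
    print("static route on gw:", reply_path(static_route_on_gateway=True))
    print("outbound NAT on vm:", reply_path(nat_on_vpn_box=True))
```

Either the static route on the LAN's default gateway or outbound NAT on the appliance closes the gap; outbound NAT is the only option when the gateway cannot be configured, at the cost of losing the client's real tunnel address in LAN-side logs.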