OpenVPN and static routing



  • Hi, as we all know PPTP is now deprecated in pfSense.
    I use OpenVPN to connect with my iPhone now.
    The OpenVPN client network is 192.168.5.0/24.
    The pfSense router is 10.10.10.55/26.
    There is a MikroTik router 10.10.10.1/26 that routes to 10.0.0.0/8, and a static route for 10.0.0.0/8 on pfSense pointing to 10.10.10.1.
    When I connected with PPTP I was able to reach the networks over the MikroTik route, but with OpenVPN I can only ping the 10.10.10.55/26 network.
    Any idea which field I am missing that needs to be configured? The OpenVPN logs on the iPhone show 192.168.5.1 as the default gateway, but I think that pfSense 10.10.10.55 should be the default gateway. How can I change that?
    Any help will be appreciated.



  • No, the OpenVPN server has to be the default gateway if you route any traffic over VPN. So 192.168.5.1 is okay.

    It seems like responses from the MikroTik and the networks behind it aren't routed back to pfSense. So you'll have to add a static route on the MikroTik router to direct the VPN subnet 192.168.5.0/24 to pfSense.



  • Thanks a lot my friend, yes that is an answer. I managed to get to the MikroTik, but actually the solution is to masquerade the whole OpenVPN subnet to have the IP of pfSense, because the MikroTik is routing a 10.0 IP range.
    Can you tell me how to mask the OpenVPN addresses to have the pfSense IP or another IP in the LAN range?
    I tried the outbound NAT but can't seem to make it work. Maybe I am missing something.



  • Yes, the outbound NAT does the masquerading in pfSense. It can also be resolved that way.
    You have to switch your outbound NAT rule generation mode to "hybrid" (or manual if you like), then add an outbound NAT rule like:
    Interface: <the one which is in the common subnet with the MikroTik; I assume it's LAN>
    Source: 192.168.5.0/24 (your VPN tunnel)
    Destination: <the networks behind the MikroTik; you can also use "any" here if you don't care>
    Translation: Interface address
    Any other options can be left at their defaults.
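Added example (not from any poster in this thread): a small Python model of the topology described above, with the route tables of the iPhone, pfSense, the MikroTik and a host behind it. It traces a packet from the VPN client to the host and the reply back, which shows the asymmetric return path behind the first answer (the MikroTik sends replies for 192.168.5.0/24 to its default gateway, not to pfSense) and that either fix restores the round trip: the static route on the MikroTik, or the outbound NAT rule, modelled as pfSense rewriting the client's source address to 10.10.10.55. The MikroTik's upstream gateway 10.10.10.62, the internal host 10.0.5.10 and the client address 192.168.5.2 are constructed for the example; the real addresses are the ones from the thread.

```python
"""Added example: a routing-table model of the thread's topology.

Shows why replies from networks behind the MikroTik never reach the
OpenVPN client, and that either fix discussed in the thread (a static
route on the MikroTik, or outbound NAT on pfSense) restores the round trip.
"""
import copy
import ipaddress

# Addresses from the thread. The MikroTik's upstream gateway (10.10.10.62),
# the internal host (10.0.5.10) and the client (192.168.5.2) are constructed.
CLIENT = "192.168.5.2"      # OpenVPN client (the iPhone)
PFSENSE_LAN = "10.10.10.55"
HOST = "10.0.5.10"          # a machine behind the MikroTik

# Each node: its own addresses and a route table of (prefix, next node).
# Connected LAN prefixes point at the neighbour that matters for the example.
NODES = {
    "iphone":   {"addrs": [CLIENT],
                 "routes": [("0.0.0.0/0", "pfsense")]},        # 192.168.5.1 is the default gw
    "pfsense":  {"addrs": ["192.168.5.1", PFSENSE_LAN],
                 "routes": [("192.168.5.0/24", "iphone"),
                            ("10.10.10.0/26", "mikrotik"),
                            ("10.0.0.0/8", "mikrotik")]},      # the static route via 10.10.10.1
    "mikrotik": {"addrs": ["10.10.10.1"],
                 "routes": [("10.10.10.0/26", "pfsense"),
                            ("10.0.0.0/8", "host"),
                            ("0.0.0.0/0", "upstream")]},       # no route for 192.168.5.0/24
    "host":     {"addrs": [HOST],
                 "routes": [("0.0.0.0/0", "mikrotik")]},
    "upstream": {"addrs": ["10.10.10.62"],
                 "routes": []},                                # black hole for the example
}


def next_hop(routes, dst):
    """Longest-prefix match; returns the next node name or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]


def trace(nodes, start, dst, max_hops=8):
    """Walk a packet from node `start` towards `dst`. Returns (path, status)."""
    path, node = [start], start
    for _ in range(max_hops):
        if dst in nodes[node]["addrs"]:
            return path, "delivered"
        node = next_hop(nodes[node]["routes"], dst)
        if node is None:
            return path, "dropped"
        path.append(node)
    return path, "loop"


def round_trip(nodes, nat=False):
    """Client -> HOST and the reply back. With nat=True pfSense rewrites the
    client's source to PFSENSE_LAN (what the outbound NAT rule does) and
    reverses the translation when the reply arrives."""
    out_path, status = trace(nodes, "iphone", HOST)
    if status != "delivered":
        return status, out_path
    reply_dst = PFSENSE_LAN if nat else CLIENT
    back_path, status = trace(nodes, "host", reply_dst)
    if nat and status == "delivered" and back_path[-1] == "pfsense":
        # pfSense matches its NAT state and forwards to the real client.
        tail, status = trace(nodes, "pfsense", CLIENT)
        back_path += tail[1:]
    return status, back_path


def scenarios():
    """Baseline failure plus the two fixes from the thread."""
    with_route = copy.deepcopy(NODES)
    with_route["mikrotik"]["routes"].insert(0, ("192.168.5.0/24", "pfsense"))
    return {
        "no fix":              round_trip(NODES),
        "static route on MT":  round_trip(with_route),
        "outbound NAT on pfS": round_trip(NODES, nat=True),
    }


if __name__ == "__main__":
    for name, (status, path) in scenarios().items():
        print(f"{name:20s} reply {status:9s} via {' -> '.join(path)}")
```

Running it, the first scenario reports the reply dropped after `host -> mikrotik -> upstream`, while both fixes report it delivered along `host -> mikrotik -> pfsense -> iphone`. In pf terms the GUI rule described above corresponds roughly to `nat on <LAN interface> from 192.168.5.0/24 to 10.0.0.0/8 -> (<LAN interface>)`, which is why the source the MikroTik sees is the pfSense LAN address.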



  • Thanks Viragomann, I appreciate it. This concludes my 2 week search for the masquerade, or outbound NAT as you call it in pfSense.
    When I did that and logged in to the MikroTik from my iPhone, the IP was that of pfSense, therefore I can see all 10.0 networks on the MikroTik.
    Thanks again. I hope I can help others who experience issues in this transition from PPTP to OpenVPN. I had no idea that the interface address meant the pfSense IP, so I was putting my IP as a /32 subnet and it didn't work. Also I used source NAT on the OpenVPN interface instead of LAN, so those were the 2 mistakes I made.
    Now all that remains is to fix the 2 broken packages that remain in the menus after the upgrade and make me nuts!!!! nut and BandwidthD return a 404 error.
    Yes, I know I should have uninstalled them before the upgrade, but who reads the fine print, right? Especially in Greece!


