
I am currently doing a test of our OpenVPN setup through pfSense. We have 2 pfSense firewalls running on the network:

  1. The default gateway of the LAN network, acting as the main firewall.
  2. The endpoint for the OpenVPN clients, acting as a secondary firewall.

Based on my test, I successfully connected the OpenVPN client to the secondary pfSense; however, I can't ping the LAN devices, except for the OpenVPN pfSense LAN interface, which is 192.168.0.4. I've also put the IPv4 local networks that will be accessible from the remote endpoint in the OpenVPN server setup, which is the 192.168.0.0/24 LAN. Right now our LAN devices are pointing to 192.168.0.1, which is the main pfSense. But when I tried changing the default gateway on one of the LAN devices, I could receive a reply when I pinged from the OpenVPN client. I also tried adding a static route on the main pfSense and the ISP modem for the OpenVPN tunnel network 192.168.3.0/24 and received no reply when pinging from the OpenVPN client.

I would like to ask if putting in a static route is possible, or am I missing any configuration, like firewall rules or NAT? Or is there another way?

This is the topology of the setup: (topology diagram, image not reproduced)

Please enlighten me.

Thank you

  • Minimum information required: OpenVPN server and client configs, OpenVPN-related firewall rules
    – JW0914
    Commented Jul 6, 2022 at 2:51

1 Answer

The ideal way to do it is to configure a route for the VPN subnet (192.168.3.0/24) on every LAN host with 192.168.0.4 as the gateway / next hop of that route. (Obviously the easiest way is to announce such a route with DHCP.)

You could instead just add that route on MAIN PFSENSE, given that it is the default gateway of all the LAN hosts. But the communication would then be asymmetric, as replies from the LAN hosts will go to MAIN PFSENSE first. (You can set up policy routing to make traffic from the VPN to the LAN hosts go to MAIN PFSENSE first as well. Not sure if there's a point in doing so. Either way it's not exactly ideal, but things would probably still work most of the time.)

Or you could just IP masquerade / NAT the traffic coming from the VPN clients to the LAN hosts, making the traffic look as if it originated from SECONDARY PFSENSE to the LAN hosts. The caveats would be the normal ones that come with NAT, obviously.
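The first option above (announcing the route to every LAN host with DHCP) as an added example, not code from the answer or from the pfSense project: this Python builds and verifies the RFC 3442 "Classless Static Route" (DHCP option 121) payload for the question's addresses. It assumes the LAN hosts honour option 121 and that the DHCP server accepts the option as a raw hex string.

```python
import ipaddress
import math

# Values taken from the question: the OpenVPN tunnel network is 192.168.3.0/24,
# SECONDARY PFSENSE's LAN address is 192.168.0.4 and the LAN hosts' current
# default gateway (MAIN PFSENSE) is 192.168.0.1.
VPN_NET = "192.168.3.0/24"
SECONDARY_PFSENSE = "192.168.0.4"
MAIN_PFSENSE = "192.168.0.1"

def encode_classless_static_routes(routes):
    """Encode (destination, router) pairs as the DHCP option 121 payload
    (RFC 3442): per route, one byte of prefix length, only the significant
    octets of the destination, then the four-octet router address."""
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        gw = ipaddress.IPv4Address(router)
        significant = math.ceil(net.prefixlen / 8)   # /24 -> 3 octets, /0 -> 0
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += gw.packed
    return bytes(payload)

def decode_classless_static_routes(payload):
    """Inverse of the encoder, used to check a hex string before it is pasted
    into the DHCP server's custom-option field."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        significant = math.ceil(prefixlen / 8)
        dest = payload[i + 1:i + 1 + significant] + b"\x00" * (4 - significant)
        gw = payload[i + 1 + significant:i + 5 + significant]
        if len(gw) != 4:
            raise ValueError("truncated option 121 payload")
        net = ipaddress.IPv4Network((dest, prefixlen))
        routes.append((str(net), str(ipaddress.IPv4Address(gw))))
        i += 5 + significant
    return routes

def lan_host_routes():
    """Routes to push to the LAN hosts. RFC 3442 clients ignore option 3
    (Router) whenever option 121 is present, so the existing default route via
    MAIN PFSENSE must be carried in option 121 too, or the hosts lose their
    default gateway."""
    return [("0.0.0.0/0", MAIN_PFSENSE), (VPN_NET, SECONDARY_PFSENSE)]

if __name__ == "__main__":
    blob = encode_classless_static_routes(lan_host_routes())
    print(blob.hex())                          # 00c0a8000118c0a803c0a80004
    print(decode_classless_static_routes(blob))
```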
