criggie.org.nz


OpenVPN routing

I've got a perfectly working pfsense box, with LAN and WAN. I've recently changed jobs, and part of the new role is an OpenVPN connection to work for admin etc.

This email suggests that it is possible to have the OpenVPN connection as a proper NATted link, so from any home machine I can ssh to a work IP. Cool!

However, there were a couple of hangups. Here's my working version:

  1. create an OpenVPN client connection via the pfSense webgui
  2. connect to a shell on your pfSense box and run pfctl -sn > /var/tmp/tempfile to dump the currently loaded NAT rules as text.
  3. open it with vi /var/tmp/tempfile (I hope you know enough vi to get by...)
  4. find the line that resembles this one. fxp1 is my WAN interface, and 10.28.0.0/16 is my LAN network and netmask:
    nat on fxp1 inet from 10.28.0.0/16 to any -> (fxp1) round-robin
    
  5. add a line below it like this, where tun0 is your OpenVPN tunnel interface and 172.22.22.0/24 is the network at the other end of the OpenVPN link:
    nat on tun0 inet from 10.28.0.0/16 to 172.22.22.0/24 -> (tun0) round-robin
    
  6. My tun0 has the IP 172.22.21.38 and is a POINTOPOINT link to 172.22.21.37. These tunnel endpoint addresses do not appear in the NAT rule; only the LAN network and the remote network do.
  7. read the file back in with pfctl -Nf /var/tmp/tempfile (the -N flag loads only the NAT rules from the file, leaving the filter rules alone)
As a final step you need to look at the DNS server in pfSense and tell it to find the right server for the work domain - basically a split-DNS setup. Remember that this NAT rule will be obliterated if you reload the firewall filter rules or reboot the firewall, so you will have to redo steps 2 to 7. Someday this may make it into the webgui. Currently we can't add it under Firewall -> NAT -> Outbound in the webgui because you cannot choose tun0 as an interface. And of course, not four minutes after I got it going, vacum quotes this link to the devwiki which has all the right answers. pfSense.org
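Since the rule disappears on every filter reload, steps 2 to 7 are worth scripting. This is an added example, not from the original page: it takes the pfctl -sn output, inserts the tun0 NAT line directly under the WAN outbound line, and skips the insert if the line is already there so re-running never duplicates it. The interface names and networks are the ones from the steps above; the sample rule dump is constructed.

```shell
#!/bin/sh
# Added example: rebuild the augmented NAT rule set from steps 2-5.
# Values below are the page's own; SAMPLE_RULES is a constructed stand-in
# for `pfctl -sn > /var/tmp/tempfile`, so this runs without a pfSense box.

WAN_IF="fxp1"
LAN_NET="10.28.0.0/16"
TUN_IF="tun0"
REMOTE_NET="172.22.22.0/24"

# Constructed sample of what pfctl -sn prints (two lines, no tun0 rule yet).
SAMPLE_RULES='nat on fxp1 inet from 10.28.0.0/16 to any -> (fxp1) round-robin
rdr on fxp1 inet proto tcp from any to any port = 22 -> 10.28.0.5'

# add_tun_nat WAN_IF LAN_NET TUN_IF REMOTE_NET  < rules  > augmented rules
# Inserts the tunnel NAT line right after the WAN outbound NAT line (step 5).
# Idempotent: if the tunnel line already exists the input is echoed unchanged,
# which matters because the rule is lost on every filter reload and the
# script will be run repeatedly.
add_tun_nat() {
    awk -v wan="$1" -v lan="$2" -v tun="$3" -v remote="$4" '
        BEGIN {
            wanline = "nat on " wan " inet from " lan " to any -> (" wan ") round-robin"
            want    = "nat on " tun " inet from " lan " to " remote " -> (" tun ") round-robin"
        }
        { lines[NR] = $0; if ($0 == want) have = 1 }
        END {
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (!have && lines[i] == wanline) print want
            }
        }'
}

# On a real box the pipeline would be:
#   pfctl -sn | add_tun_nat "$WAN_IF" "$LAN_NET" "$TUN_IF" "$REMOTE_NET" \
#       > /var/tmp/tempfile && pfctl -Nf /var/tmp/tempfile
# Here we only print the result for the constructed sample.
main() {
    printf '%s\n' "$SAMPLE_RULES" | add_tun_nat "$WAN_IF" "$LAN_NET" "$TUN_IF" "$REMOTE_NET"
}

main
```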

This file last modified Thursday October 11, 2007

