Double-hop OpenVPN server with pfsense

Firstly, just wanted to say thanks to Tom for getting me into the world of pfsense. It’s been a learning curve for me moving from Asus Merlin, but an enjoyable one at that.

Anyway, I’ve set up the usual OpenVPN server on my pfsense box that I can happily connect to via Android and MacOS platforms. As expected, once connected, this routes all of my traffic out of my home WAN connection and my WAN IP address appears as though I am at home.

I also have an OpenVPN client running on the box, which connects to a NordVPN server running 24/7 and I am using policy routing for selected VLANs. What I would like to do now is create a second OpenVPN server instance, so that when I connect to this server, my outbound traffic is routed via the NordVPN gateway (instead of the normal WAN interface), i.e. making a second hop to the NordVPN server before going out to the internet.

I’m sure this is possible to do, but would likely involve some carefully placed firewall/NAT rules. Hopefully you will be able to point me in the right direction.

Thanks in advance!

I have not done that type of setup, but I think you would change the outbound gateway via a rule on the OpenVPN interface.

Bingo I used Asus Merlin previously, the OpenVPN server setup is pretty decent.

Done exactly what you want with AirVPN. Pretty straightforward, set up your OpenVPN Server as you like. I’ve set up a rule to allow traffic out for certain ports via the WAN but I’ve stated the gateway as my AirVPN (without this entry traffic goes out the ISP WAN); it’s under advanced settings.
I’ve also got a NAT outbound rule for my OpenVPN server to AirVPN WAN.

There might be other ways but I’ve managed to get this working for me.

Thanks to you both.

I’ve managed to get this to work now by specifying the gateway in the OpenVPN interface as you suggested. In order to have multiple VPN server instances that use different gateways, you can add the IP tunnel network IP range as the ‘source’ in the firewall rule; this way pfsense knows when to use which specific gateway.

The other thing you can do is to create a gateway group and combine your multiple VPN connections. Can be handy if one of the VPN servers fails, your VPN traffic will still flow.

I’ve just noticed that there is a side effect of this. If the gateway is specified in the OpenVPN interface, I can no longer access any devices on the LAN. Only when the gateway is set to default can I see LAN devices. Not sure that I understand this.

I’m not clear where you are specifying the gateway, the only place I’ve entered the gateway is in the rules.

Here is a screenshot of the two rules, which I’ve added under the OpenVPN tab. When I connect from a remote location (or mobile with wifi off) to the pfsense server 1, it gives me an IP address in the 192.168.100.0 range and therefore traffic uses the OVPNC1 gateway (NordVPN UK server). Similarly, the second rule uses the OVPN2 gateway (NordVPN US server) for server 2.

Only if I set the gateway here to any (*), I can see devices on the local network. I’m surprised that changing the gateway causes this problem with accessing the LAN. Surely it shouldn’t matter what the gateway is set to, as long as I’ve allowed access to the correct networks in the VPN>OpenVPN>Server>IPv4 Local Network setting?

It’s a bit tricky to troubleshoot, however, I have set the source as my OpenVPN server for AirVPN.net, that is to say, it will be an OpenVPN client connecting on say my mobile that is routed. It might be that your source is not actually 192.168.100.0/24, it’s coming from wherever on your mobile, connecting via ddns, then going through a tunnel then picking up your LAN address, or something similar.

@Chris_J Based on what you’ve posted, what you describe doesn’t make any sense. I’m kind of in the same camp with you.

In an attempt to diagnose what is happening, after I made the connection to the VPN server via mobile, I clicked the ‘states’ link to see what states were running. When a local IP address is entered (eg. my NAS drive, or gaming server), I get CLOSED:SYN_SENT error, which I believe is no reply.

The only local address that responds is 192.168.1.1 on port 53, which is Unbound resolving a DNS query if I try to open a website.

It’s got me stumped this one.

I just inspected the state on my OpenVPN Server for AirVPN, it has the IP address of my tunnel network, so your source address is likely to be wrong as it stands.

What I’d suggest is setting up a clean OpenVPN Server going through your ISP with a working client. Then make adjustments to go out via your VPN client instead of the ISP.

There is an error somewhere in your configuration …

Maybe you can check this guide: nguvu’s pfSense remote access via OpenVPN


Thanks, guys.

Managed to solve this by comparing my setting with the link provided above. Essentially, the problem lay with Firewall rules. These needed to be added inside the OpenVPN server interface tab and not the OpenVPN tab. I followed the rules in this image (except for the reject rules at the bottom, which I believe pfsense will do by default).

Now the double-hop VPN works like a charm and I can also access the local LAN. Just to note, all the rules inside the OpenVPN tab needed deleting/disabling before this worked.

Cheers all. Problem solved :slight_smile:

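The rule behaviour discussed in this thread, as an added example that is not part of any post: a simplified model of pfSense rule evaluation in which the OpenVPN group tab is processed before an assigned interface tab, the first matching rule wins, and a rule with a gateway set policy-routes the packet past the routing table. The tunnel network 192.168.100.0/24 and the gateway name OVPNC1 come from the thread; the LAN subnet, the interface name OVPNS1 and the host addresses are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

TUNNEL = ip_network("192.168.100.0/24")  # tunnel network named in the thread
LAN = ip_network("192.168.1.0/24")       # assumed from 192.168.1.1 in the thread
ANY = ip_network("0.0.0.0/0")

# Constructed sample hosts (not from the thread).
CLIENT, NAS, INTERNET = "192.168.100.2", "192.168.1.50", "203.0.113.10"

def rule(tab, src, dst, gateway=None):
    """A pass rule; gateway=None means 'default' (follow the routing table)."""
    return {"tab": tab, "src": src, "dst": dst, "gateway": gateway}

def evaluate(rules, src, dst):
    """Return how a packet arriving from a VPN client is handled."""
    # Group tab ("OpenVPN") rules are evaluated before interface tab rules;
    # inside each tab the order is top-down and the first match wins.
    ordered = ([r for r in rules if r["tab"] == "OpenVPN"]
               + [r for r in rules if r["tab"] != "OpenVPN"])
    for r in ordered:
        if ip_address(src) in r["src"] and ip_address(dst) in r["dst"]:
            if r["gateway"]:
                # Policy routing: the packet is forced to this gateway,
                # even when the destination is a directly attached LAN.
                return f"policy-routed via {r['gateway']}"
            return ("routing table: LAN" if ip_address(dst) in LAN
                    else "routing table: WAN")
    return "blocked (default deny)"

# Single gateway rule on the OpenVPN tab: LAN hosts become unreachable.
broken = [rule("OpenVPN", TUNNEL, ANY, "OVPNC1")]

# Rules on the server's own interface tab (OVPNS1 is a hypothetical name):
# LAN destinations pass with the default gateway, everything else is
# policy-routed to the VPN client gateway.
fixed = [rule("OVPNS1", TUNNEL, LAN),
         rule("OVPNS1", TUNNEL, ANY, "OVPNC1")]

# A leftover OpenVPN-tab rule still wins, which is why it has to be removed.
leftover = broken + fixed

if __name__ == "__main__":
    for name, rs in (("broken", broken), ("fixed", fixed), ("leftover", leftover)):
        print(name, "| NAS:", evaluate(rs, CLIENT, NAS),
              "| internet:", evaluate(rs, CLIENT, INTERNET))
```
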

You should just check you don’t have any DNS leaks :wink:

Good call. Android seems to handle things correctly, but this reminded me that I need to edit the configuration file for Tunnelblick (OSX) in order to force the DNS server with:

dhcp-option DNS <dns_server_ip_address>