Run OpenVPN double NAT

I currently use pfSense as a firewall and as an OpenVPN server. Works great. I recently picked up a UniFi Express to learn how the UniFi firewalls work. The UniFi Express is set up behind the pfSense firewall, so it's double NATed. I have everything configured and working well, but I wanted to try their OpenVPN server. It's easy to set up, and I made sure to choose a different port than the one on my pfSense OpenVPN server. I did a port forward on pfSense to the IP address of the UniFi Express using the new port. After exporting the UniFi Express client ovpn file, making sure to use the WAN IP address from pfSense, my OpenVPN client does not connect but gives an auth failed message in the OpenVPN client.

Other than the port forward in pfSense, is there anything else I would have to set on pfSense to allow OpenVPN to work on the double NATed UniFi Express? This is just an educational exercise, so I don't intend to keep using the OpenVPN server in the UniFi Express.

Ideas?

In a past setup I had with double NAT I used static routes between networks, perhaps give that a go.

Other than opening up the UDP port for OpenVPN in pfSense, there is not anything else needed. Auth failed sounds like it's a bad user/pass.

Works across TCP as well, but it starts to get into a bind when one end is on a cellular service; it starts to get really slow (being at that point triple or quadruple NAT). I ended up disconnecting because I no longer really had a need; I may work on it over the holidays.

Thinking about this some more…do I need to create an outbound NAT path?

No, only an inbound rule.

Well, the solution was pretty simple. When I set up the OpenVPN server, the user password had an accidental space included that was hard to see. So the problem was just a wrong password. Removed the space and all connected up just fine.

Embarrassing stupid error. Live and learn…
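Two things in this thread are worth turning into a repeatable check: the reply that "auth failed" means the tunnel reached the server and the credentials are the problem (rather than the port forward), and the final discovery that the password contained a space that was hard to see. The script below is an added example, not code from the thread or from pfSense/UniFi. It reads an OpenVPN client log and reports which layer the attempt stopped at, and it scans a credential string for whitespace, control or format characters (including non-breaking and zero-width ones) that are invisible in most UIs. The log excerpts are constructed samples using the standard OpenVPN 2.x client messages; the IP address and port are placeholders.

```python
import unicodedata

# Constructed sample OpenVPN client log excerpts (not from the thread); the
# message texts are the standard ones an OpenVPN 2.x client prints.
LOG_NO_RESPONSE = """\
UDP link remote: [AF_INET]203.0.113.10:1195
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
"""

LOG_AUTH_FAILED = """\
UDP link remote: [AF_INET]203.0.113.10:1195
Peer Connection Initiated with [AF_INET]203.0.113.10:1195
AUTH: Received control message: AUTH_FAILED
SIGTERM[soft,auth-failure] received, process exiting
"""

LOG_OK = """\
Peer Connection Initiated with [AF_INET]203.0.113.10:1195
Initialization Sequence Completed
"""


def diagnose_openvpn_log(log: str) -> str:
    """Map an OpenVPN client log to the layer where the attempt stopped.

    Returns one of: "connected", "credentials", "tls", "network", "unknown".
    """
    if "Initialization Sequence Completed" in log:
        return "connected"
    if "AUTH_FAILED" in log:
        # The server answered and the TLS control channel came up, so the
        # port forward and firewall rule are working; look at the user/pass
        # (and at the server's user database) instead.
        return "credentials"
    if "Peer Connection Initiated" in log:
        # Handshake started but never finished: certificate/tls-auth mismatch.
        return "tls"
    if "TLS key negotiation failed to occur" in log:
        # No reply at all: packets are not reaching the server or its replies
        # are not coming back (wrong port, missing forward, WAN rule, double NAT).
        return "network"
    return "unknown"


# Unicode general categories that render as nothing or as plain space:
# Zs = space separators (incl. NO-BREAK SPACE), Cf = format chars (incl.
# ZERO WIDTH SPACE), Cc = control chars (tab, CR, LF).
HIDDEN_CATEGORIES = {"Zs", "Cf", "Cc"}


def find_hidden_characters(secret: str) -> list[tuple[int, str]]:
    """Return (index, Unicode name) for every hard-to-see character in secret."""
    found = []
    for i, ch in enumerate(secret):
        if unicodedata.category(ch) in HIDDEN_CATEGORIES:
            found.append((i, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return found


if __name__ == "__main__":
    for label, log in (("no response", LOG_NO_RESPONSE),
                       ("auth failed", LOG_AUTH_FAILED),
                       ("ok", LOG_OK)):
        print(f"{label:12s} -> {diagnose_openvpn_log(log)}")
    # Constructed password with a trailing non-breaking space, the kind of
    # defect the original poster hit.
    print(find_hidden_characters("correct-horse\u00a0"))
```

Run it against a real client log by reading the file into `diagnose_openvpn_log`; a result of `network` points back at the pfSense port forward and WAN rule, while `credentials` means NAT is fine and the password (or the server's copy of it) should be pasted through `find_hidden_characters` before anything else is changed.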