pfSense – “reverse VPN” – enable access to networks behind VPN client

This is useful when you can’t use peer to peer (site to site) tunnel. For example, when you don’t have administrative access to a remote network (you can’t open ports, you can only go out – egress). To bypass this and gain access to remote network devices, you can simply install a VPN client on the remote network and make it act as a gateway for your local network. I will not go trough basic OpenVPN server configuration (generating certs, adding users etc), I will only pinpoint the parts that differ from a normal VPN client server setup.

Example:

Remote network: 192.168.10.0/24 (Client side)

Local network: 192.168.1.0/24 (Server side)

1. Go to OpenVPN server settings, under advanced configuration, custom options and enter:

 push "route 192.168.1.0 255.255.255.0";

route 192.168.10.0 255.255.255.0; 

2. Go to OpenVPN client specific overrides tab and add a new rule. Select your OpenVPN server, enter common name (name of the user – VPN client), under IPv4 remote network/s enter: 192.168.10.0/24

3. If you haven’t already, you have to assign an interface to your VPN server. Go to Interfaces, Assignments, Available network ports: ovpns1, click Add and save. Click on your newly created interface, check box Enable interface and add a description: OpenVPN1 (name it however you want), save.

4. Go to System, routing, static routes.

Add a new route, destination network: 192.168.10.0/24

Gateway: OpenVPN1

5. You need to enable NAT and forwarding on a client, this example is for a linux client:

 sysctl -w net.ipv4.ip_forward=1

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE 

6. Connect your VPN client, you should be able to access devices behind the client from your local network.

3 comments

  1. Hi,
    Thanks for sharing this info, great help, by any chance can you share your VPN client config? Screenshot maybe?

    1. You can use any openvpn linux client tutorial on the web to connect to your OpenVPN server. It’s basic client to server connection. The extra thing you do on the client side is only IP forwarding:

      sysctl -w net.ipv4.ip_forward=1
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

      Everything else is done on the OpenVPN server in the PfSense. Just follow my guide + extra step of connecting client to VPN server. PfSense has also an addon package called “openvpn-client-export“. Find it in the menu System -> Package manager -> Available packages and install it.
      You can then access export feature under VPN -> OpenVPN -> Client export menu. Scroll down to OpenVPN clients section, Inline Configurations and click Most Clients. It will download .ovpn file. Use this file on linux OpenVPN client, for example: openvpn –config client.ovpn –auth-user-pass
      This will make a connection to your OpenVPN server and if you followed my steps, you should be able to access network behind VPN client.

  2. Thanks a lot! One question, at your VPN client settings the Accross control is done via NAT or Routing? NAT I guess, right?

Leave a Reply

Your email address will not be published. Required fields are marked *