Cannot communicate with FreeBSD endpoint on OpenVPN TAP VPN

riccardopaolo.bestetti at
Sun May 14 09:09:46 UTC 2017


I'm trying to set up a "road warrior" VPN for my company.

We have a pfSense firewall (FreeBSD 10.3-RELEASE-p19) which we use for all
our VPN stuff.


The device is configured like so:

- on the LAN interface

- IPsec tunnel VPN with remote network, with NAT 1:1 from to (this is with a SaaS company that won't change
their setup unless strictly necessary)

- The OpenVPN configuration file at the end of this email

- Bridge between the LAN interface and the OpenVPN (ovpns1) interface


The issue is that everything can be reached from the "road warrior" clients
normally, except for the firewall ( and hosts over the IPsec VPN
(which is the entire reason I'm using TAP instead of TUN: I need to keep the
road warrior clients in the same network that can access the IPsec VPN).

The weird thing is that the firewall can be pinged and answers (but I
suspect that's an OpenVPN thing, it's likely not FreeBSD responding), but I
cannot reach its web configuration interface or connect with SSH. Please
note that this is not a binding issue nor a firewall issue, the web
interface binds on 0:443 and the firewall is temporarily set to allow
everything to pass.

Right now I have a second "road warrior" VPN access, using IPsec, which
works with the web interface but still doesn't work with the other IPsec
VPN. I would like to use OpenVPN because IPsec looks pretty hackish to me,
especially how it is implemented on pfSense/FreeBSD.


Best regards,

Riccardo Paolo Bestetti




OpenVPN configuration file:

dev ovpns1
verb 1
dev-type tap
dev-node /dev/tap1
writepid /var/run/
#user nobody
#group nobody
script-security 3

keepalive 10 60

proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/
client-disconnect /usr/local/sbin/
local [hidden IP address]
engine cryptodev

mode server

auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify [hidden script parameters]" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 8
push

ca /var/etc/openvpn/
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server1.tls-auth 0
push "route-gateway"
push "route"
push "route"
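Added example (not part of the original post and not pfSense's or OpenVPN's own code): a small parser for OpenVPN's line-oriented server config, followed by an audit of the settings a reviewer would query in the configuration posted above (`script-security 3` with `via-env`, the commented-out `user`/`group` lines, `auth SHA1`, `dev-type tap`, `verb 1`, and the presence of `tls-auth`). The embedded config is constructed from the posted one, with the hidden values left as obvious placeholders; all directive names and semantics are standard OpenVPN, nothing here is pfSense-specific.

```python
import shlex
from typing import List, Tuple

# Constructed sample: a trimmed copy of the posted server config, with the
# hidden values left as placeholders. Not a real deployment.
SAMPLE_CONFIG = """\
dev ovpns1
verb 1
dev-type tap
dev-node /dev/tap1
#user nobody
#group nobody
script-security 3
keepalive 10 60
proto udp
cipher AES-256-CBC
auth SHA1
mode server
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify [hidden script parameters]" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
max-clients 8
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""

Directive = Tuple[str, List[str]]


def parse_openvpn_config(text: str) -> List[Directive]:
    """Parse OpenVPN's config format: one directive per line, '#' or ';'
    starts a comment, and arguments use shell-style quoting (the
    auth-user-pass-verify and tls-verify lines depend on that)."""
    directives: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def args_of(directives: List[Directive], name: str) -> List[List[str]]:
    """All argument lists for a directive (push, route, ... may repeat)."""
    return [args for d, args in directives if d == name]


def audit(directives: List[Directive]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for settings worth a second look."""
    findings: List[Tuple[str, str]] = []
    names = {d for d, _ in directives}

    ss = args_of(directives, "script-security")
    if ss and ss[0] and ss[0][0].isdigit() and int(ss[0][0]) >= 3:
        findings.append(("script-security-env",
            "script-security 3 passes user passwords to external scripts via "
            "environment variables (what 'via-env' needs); level 2 with "
            "'via-file' keeps them out of the process environment"))

    if "user" not in names or "group" not in names:
        findings.append(("no-privilege-drop",
            "no user/group directive: the daemon keeps root after init "
            "(uncommenting 'user nobody' / 'group nobody' drops privileges)"))

    auth = args_of(directives, "auth")
    if auth and auth[0] and auth[0][0].upper() == "SHA1":
        findings.append(("weak-auth-digest",
            "auth SHA1: HMAC digest for data and tls-auth packets is SHA-1; "
            "SHA256 is the usual choice on current OpenVPN"))

    if "tls-auth" not in names and "tls-crypt" not in names:
        findings.append(("no-tls-auth",
            "neither tls-auth nor tls-crypt: control-channel packets from any "
            "source reach the TLS layer instead of being dropped"))

    devtype = args_of(directives, "dev-type")
    if devtype and devtype[0] and devtype[0][0] == "tap":
        findings.append(("tap-bridge",
            "dev-type tap: clients join the LAN's layer-2 broadcast domain; "
            "filtering must be applied on the bridge or its member interfaces"))

    verb = args_of(directives, "verb")
    if verb and verb[0] and verb[0][0].isdigit() and int(verb[0][0]) < 3:
        findings.append(("low-verbosity",
            "verb below 3: connection-level detail is not logged; raise it "
            "while troubleshooting client reachability"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(parse_openvpn_config(SAMPLE_CONFIG)):
        print(f"[{code}] {msg}")
```

Run it as-is to see the findings for the posted config; point `parse_openvpn_config` at the contents of a real server config to audit that one instead. The parser deliberately keeps repeated directives in order rather than collapsing them into a dict, because `push`, `route` and similar directives legitimately appear several times.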

