Bug #16663

open

Automagic Multi-WAN export option produces no destinations when port aliases or ranges are used in the NAT rules

Added by Devren Yener 2 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
OpenVPN Client Export
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.8.1
Affected Plus Version:
25.11
Affected Architecture:
All

Description

I am running several OpenVPN server instances on our office pfSense system, listening on several ports, and we also have a dual-WAN setup. Per the documentation, I configured each server instance to listen on "localhost", and then created a NAT rule for each WAN interface and each port to redirect to localhost. Everything works fine when I create a separate NAT rule for each port individually by number. However, this became too cumbersome, so I created a port alias for all my OpenVPN ports, and reduced the NAT rules to only two, one for each WAN, using the alias. The OpenVPN clients, using their existing config files, still connect just fine with the new NAT rules.

However, the OpenVPN Client Export package no longer produces correct config files with the Automagic Multi-WAN IP port forward detection. Specifically, no "remote" statements are included in the .ovpn file, meaning no destinations were found. On the other hand, if I change the NAT rules to use a port range instead of the alias, the exported config works for one of the OpenVPN servers, the first one with the lowest port, while the other servers again get no destinations.

I am not good with PHP or git, but I took a look at the code on GitHub, and found the function openvpn_client_export_find_port_forwards. As it evaluates the NAT rules, it looks to me like it expects the translated port to be a single port, not an alias ($natent['local-port'] == $targetport). Also, when it evaluates the destination ports, there is code which expands an alias into an array; but then it just grabs the first array element ($dports[0]) instead of iterating through each port.

I imagine some logical finesse is needed, because I think if an alias is used, it has to be the same alias in the destination ports and the redirected ports; while if a port range is used, the NAT can translate the port range up or down, even though only the first port number is entered in the GUI.

Thanks very much for your help!
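As an added illustration of the matching logic the report describes, the following Python models a port-forward scan that expands a destination alias or range and checks every resulting port rather than only the first; it is not the package's own code, the alias handling follows the reporter's assumption that the same alias appears on both sides of the rule, and every rule field, address and port is constructed.

```python
# Model of a Multi-WAN port-forward scan that handles a destination
# port given as a single port, a range "lo:hi" or a port alias.
# Constructed example; not the pfSense package's own code or data.

ALIASES = {"OpenVPN_Ports": [1194, 1195, 1196]}  # constructed alias table

# Constructed NAT rules, loosely shaped after a pfSense port forward:
# dst_port is the external port spec, local_port the redirect target port.
NAT_RULES = [
    {"wan_ip": "198.51.100.10", "proto": "udp", "dst_port": "OpenVPN_Ports",
     "target": "127.0.0.1", "local_port": "OpenVPN_Ports"},
    {"wan_ip": "203.0.113.20", "proto": "udp", "dst_port": "11194:11196",
     "target": "127.0.0.1", "local_port": "1194"},
    {"wan_ip": "203.0.113.20", "proto": "tcp", "dst_port": "443",
     "target": "127.0.0.1", "local_port": "1194"},
]

def expand_ports(spec, aliases):
    """List every external port a destination spec covers."""
    if spec in aliases:
        return list(aliases[spec])
    if ":" in spec:
        lo, hi = (int(p) for p in spec.split(":", 1))
        return list(range(lo, hi + 1))
    return [int(spec)]

def map_to_local(rule, ext_port, aliases):
    """Redirected port that external port ext_port reaches under rule."""
    dst, local = rule["dst_port"], rule["local_port"]
    if dst in aliases:
        # Assumption taken from the report: alias rules redirect 1:1 and
        # use the same alias for destination and target ports.
        return ext_port if local == dst else None
    if ":" in dst:
        # A range is shifted as a block: the GUI target port is the start
        # of the translated range, so keep the offset from the range start.
        return int(local) + (ext_port - int(dst.split(":", 1)[0]))
    return int(local)

def find_port_forwards(rules, aliases, target_host, target_port, proto):
    """All (wan_ip, external_port) pairs that reach target_host:target_port."""
    remotes = []
    for rule in rules:
        if rule["proto"] != proto or rule["target"] != target_host:
            continue
        for ext in expand_ports(rule["dst_port"], aliases):  # every port, not [0]
            if map_to_local(rule, ext, aliases) == target_port:
                remotes.append((rule["wan_ip"], ext))
    return remotes
```

With these rules a server on localhost:1195/udp gets one remote per WAN (1195 via the alias rule, 11195 via the shifted range), while a port outside every rule yields no remotes.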
