Internal vpn server and static routes


I am a little bit stuck with static routes, in this case
with an internal openvpn server.

I setted up a vpn server in a machine with one nic in my lan
and according to openvpn site faq, aside of port forwarding the default port
to the server machine, a static route is needed in the gateway.

Can an OpenVPN server be set up on a machine with a single NIC?

Absolutely, as long as you make sure that:

The NAT gateway on the server’s network has a port forward rule for TCP/UDP 1194 to the internal address of the OpenVPN server machine.
If you are using routing rather than ethernet bridging mode and would like connecting clients to see the whole LAN rather than only the server machine itself, you need to add an internal LAN route to the LAN gateway so that the private OpenVPN subnet (declared in theserver, ifconfig, or ifconfig-pool directives) is routed to the OpenVPN server machine (i.e. its internal address).

I have port forwarding to the server and is working, but I need that clients can see the whole lan, as stated in the faq above. In my case I’m using routing not bridging.

I need help with lan route.

The internal server is and the ip pool for vpn clients is in range, the default of openvpn.

The question is How must I set this in ipfire machine?, using static routes page? and how?

Please help!


presuming I understood your question, the documentation for configuring static routes in IPFire’s web interface is located here.

“Network” would be “” (or /16 or whatever OpenVPN has configured), “gateway” needs to be set to “”, and the “remark” to something meaningful. :slight_smile:

Thanks, and best regards,
Peter Müller

Thank you very much Peter. It’s exactly what I need to know, I assume that I don’t need to set any other rule in firewall besides port forwarding, isn’t it?

Thanks again.


glad to be helpful. :slight_smile:

Not as such. They might be necessary if the clients of the OpenVPN server emit traffic to the internet or any other network zones, unless your firewall default policy already permits that.

Thanks, and best regards,
Peter Müller

Understood Peter, Thank you very much.

1 Like