OPNsense Forum

English Forums => General Discussion => Topic started by: hacesoft on November 02, 2025, 02:24:32 PM

Title: OpenVPN not working from local WiFi VLAN - need advice
Post by: hacesoft on November 02, 2025, 02:24:32 PM
Hello,
I need help with an OpenVPN connection problem from my local network.
🎯 What I want to achieve:
Connect to OpenVPN server from my mobile phone, whether I'm connected on mobile data (outside) or on my home WiFi VLAN.

✅ What works:

Connection to OpenVPN from the internet (mobile data) works perfectly
OpenVPN server runs on UDP port 2451
Certificate-only authentication (without username/password) works

❌ What doesn't work:

Connection to OpenVPN from home WiFi VLAN - cannot establish connection
Mobile phone is connected to WiFi VLAN which has no access to home LAN (it's isolated)
Trying to connect to WAN IP/hostname of the firewall

🔧 What I have configured:
OpenVPN server configuration:

Protocol: UDP
Port: 2451
Bind address: 0.0.0.0

Client Export configuration:

VPN → OpenVPN → Client Export → Custom config:

  proto udp
  remote firewall.local 2451

NAT Reflection - I tried:

First attempt: NAT Reflection on specific WiFi VLAN interface

Interfaces → [WiFi_VLAN] → Settings → NAT Reflection

Second attempt: Global NAT Reflection

Firewall → Settings → Advanced → Network Address Translation
✅ "Reflection for port forwards" - enabled
✅ "Reflection for 1:1" - enabled

Result: Neither works - still cannot connect from WiFi VLAN.

💻 My environment:

OPNsense: Tested on both Community Edition 25.7.6 and Business Edition 25.10_2 - same problem on both
OpenVPN server: UDP on port 2451
WiFi VLAN: Isolated from LAN, but has internet access through WAN

❓ Question:
How to properly configure OPNsense so that OpenVPN works when connecting from local WiFi VLAN?
Do I need a special firewall rule? Or different NAT Reflection settings? Or maybe a completely different approach?
Thank you for any advice!
Title: Re: OpenVPN not working from local WiFi VLAN - need advice
Post by: meyergru on November 02, 2025, 02:39:32 PM
I assume you want to connect to the same DNS name in both cases and that is probably not firewall.local, but a real (DynDNS) name.

NAT reflection does not work particularly well for UDP traffic, which is why you face that problem. If at all possible, it should be avoided.

While you could fix that with an outbound NAT rule for port 2451 redirection, the better approach for this would be to create an Unbound DNS override for your VPN hostname → point to LAN IP and use the same hostname (vpn.example.com) in your OpenVPN client config.

Keep OpenVPN bound to 0.0.0.0. No NAT reflection needed with this approach.
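As an added illustration of the split-DNS approach described in the reply above (not part of the post, and not OPNsense-generated text), this is the unbound.conf equivalent of a Host Override created under Services → Unbound DNS → Overrides. The hostname vpn.example.com and the address 192.168.1.1 are assumptions; substitute the real VPN name and the firewall address the clients should reach. Because the server binds to 0.0.0.0, the override may point at any address the firewall holds, including its own address on the WiFi VLAN, so the VLAN never needs a path to a LAN-side IP.

```conf
# unbound.conf fragment equivalent to an OPNsense Host Override
# (Services > Unbound DNS > Overrides). All names and addresses are assumptions:
#   vpn.example.com  = the hostname in the client's "remote vpn.example.com 2451" line
#   192.168.1.1      = the firewall's LAN address (any firewall address works with bind 0.0.0.0)
server:
  # Internal clients asking Unbound for vpn.example.com get the inside address;
  # clients on the internet still get the public address from public DNS.
  local-data: "vpn.example.com. 3600 IN A 192.168.1.1"
  # Optional reverse record so the inside address maps back to the same name.
  local-data-ptr: "192.168.1.1 vpn.example.com"
```

Two things decide whether the override is ever consulted: the WiFi VLAN clients must actually use Unbound as their resolver (the VLAN's DHCP hands out the firewall's VLAN address as DNS, and the VLAN rules allow TCP/UDP 53 to it), and a phone configured with "Private DNS" or another DNS-over-HTTPS/TLS resolver bypasses Unbound entirely and will keep resolving the public address.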
Title: Re: OpenVPN not working from local WiFi VLAN - need advice
Post by: hacesoft on November 03, 2025, 07:46:29 PM
Thank you for your response and recommendations
I'd like to clarify a few things about my configuration:
DNS and hostname:
I'm using internal DNS (firewall.local), I don't have any DynDNS or public domain. I've already created an Unbound DNS override (firewall.local → LAN IP).
Problem resolution:
The problem wasn't NAT Reflection or DNS - the entire issue was a missing firewall rule. The WiFi VLAN was completely isolated and had no access to the firewall, so it couldn't reach the OpenVPN port either. After adding a rule that allows WiFi VLAN → Firewall IP:2000/UDP, everything works.
Security concerns:
Although the problem is solved, I'm not happy with this solution from a security standpoint. By opening a rule from WiFi VLAN to the firewall, I've essentially "punched a hole" in the isolation I originally didn't want.
Original intent:
My goal was to have the WiFi VLAN completely isolated from the local LAN network. Anything from WiFi VLAN that needs access to LAN should only be available through the VPN tunnel. I'm aware that without a valid certificate, nobody can connect to OpenVPN, but I still don't like that WiFi devices have direct access to the firewall IP.
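As an added example (my own pf-syntax illustration, not rules taken from the thread or generated by OPNsense), this is the smallest "hole" that satisfies the resolution above while keeping the rest of the isolation: the VLAN may reach exactly one UDP port on the firewall's own VLAN-side address, plus DNS to the same address so the split-DNS override can be answered, and everything else addressed to the firewall or the LAN is blocked before the general internet rule. Interface name, subnets and addresses are assumptions; OPNsense builds the same thing from ordered rules on the WiFi VLAN interface, with the two pass rules above the block rules. The OpenVPN port is taken from the server configuration in the original post (UDP 2451).

```conf
# Hand-written pf.conf illustration of the WiFi VLAN rule set (assumed values).
#   igc0_vlan20   = the WiFi VLAN interface
#   192.168.20.0/24 = WiFi VLAN subnet, 192.168.20.1 = the firewall's address on it
#   192.168.1.0/24  = home LAN subnet
#   2451            = OpenVPN UDP port from the original post
wifi       = "igc0_vlan20"
wifi_net   = "192.168.20.0/24"
fw_wifi_ip = "192.168.20.1"
lan_net    = "192.168.1.0/24"
ovpn_port  = "2451"

# 1. The single deliberate opening: the OpenVPN handshake to the firewall's
#    VLAN-side address. The server binds 0.0.0.0, so no LAN address is needed.
pass in quick on $wifi proto udp from $wifi_net to $fw_wifi_ip port $ovpn_port keep state

# 2. DNS to Unbound on the same address, otherwise the host override for the
#    VPN name is never consulted by clients on this VLAN.
pass in quick on $wifi proto { tcp udp } from $wifi_net to $fw_wifi_ip port 53 keep state

# 3. Everything else aimed at any firewall address or at the LAN stays blocked.
block in quick on $wifi from $wifi_net to self
block in quick on $wifi from $wifi_net to $lan_net

# 4. Internet access for the VLAN remains open (routed out via WAN).
pass in quick on $wifi from $wifi_net to any keep state
```

Rule order is the whole point: "quick" makes the first match final, so the two narrow pass rules must sit above the block rules and the broad internet rule must sit below them. On OPNsense this is checked from a VLAN client by confirming that the VPN name resolves to 192.168.20.1, that the OpenVPN client completes its handshake, and that ordinary attempts to reach the firewall's LAN address or a LAN host from the VLAN still fail.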