OpenVPN and PF

Hi everyone,

I have been trying to set up OpenVPN for weeks now and I am at a point where I'm a little confused why I can't ping a computer on the network. Here's my setup:

PC->internet-> FW -> OpenVPN with PF -> Linksys Router -> Network

Some Background Info

Linksys Router network:
Linksys Internal Port 4 Connected To OpenVPN on IntNIC

Pf.conf for OPENVPN Box

set skip on lo
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if)

block in log

pass out keep state
pass quick on $int_if no state
pass in on $vpn_if keep state
pass in on $ext_if proto udp to ($ext_if) port 1194
pass out proto icmp keep state
pass in proto icmp keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh

I can establish the VPN connection without any problems.
My tun0 interface is assigned an IP:

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet --> netmask 0xffffffff

The\24 network gets pushed to my winblows box:
Active Routes:
Network Destination Netmask Gateway Interface Metric 25 1 30 30 30 1 25 25 25 1 30 25 2 1 1 1
Default Gateway:

From Windows, I can ping the OpenVPN IntNIC and the IP of the Linksys Router ( This is where I'm stumped. I can't ping my rdp server (

My OpenVPN can ping any address in the net. I'm guessing I'm missing a rule or a static route somewhere but I just can't figure it out.

I'm sorry for this large posting and hoping someone can point out my mistake.


I figured it out with the help of logical thinking and tcpdump. With my connection established, I used ping -t [ip of rdp server] from my Windows box and used tcpdump to follow the traffic.

On tun0, I saw:
# tcpdump -n -i tun0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
10:49:53.800375 IP > ICMP echo request, id 1024, seq 8449, length 40

On rl0, I saw:
10:52:25.939253 IP > ICMP echo request, id 1024, seq 47361, length 40

This led me to believe that I required a static route on the Linksys router. I added via and voila, everything worked.

Now it's time for me to go over my pf rules and read up more about OpenVPN to understand the inner workings. I hope this was informative to some.
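
The tcpdump comparison described in the follow-up above, as an added example that is not part of the original posts: it matches ICMP echo requests seen on tun0 against requests and replies seen on the internal NIC and names the hop where the ping dies. The capture text, the addresses 10.8.0.6 and 192.168.1.50, and the function names are constructed for illustration.

```python
import re

# Constructed tcpdump -n output; addresses are placeholders, not from the post.
# VPN client 10.8.0.6 pings LAN host 192.168.1.50 through the OpenVPN box.
TUN0 = """\
10:49:53.800375 IP 10.8.0.6 > 192.168.1.50: ICMP echo request, id 1024, seq 8449, length 40
10:49:54.801102 IP 10.8.0.6 > 192.168.1.50: ICMP echo request, id 1024, seq 8705, length 40
"""
RL0_NO_ROUTE = TUN0  # internal NIC: the same requests go out, no replies come back
REPLIES = """\
10:49:53.801003 IP 192.168.1.50 > 10.8.0.6: ICMP echo reply, id 1024, seq 8449, length 40
10:49:54.801760 IP 192.168.1.50 > 10.8.0.6: ICMP echo reply, id 1024, seq 8705, length 40
"""

LINE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")

def parse(capture):
    """Return {'request': set, 'reply': set} of (client, server, id, seq) keys."""
    seen = {"request": set(), "reply": set()}
    for m in LINE.finditer(capture):
        src, dst, kind, ident, seq = m.groups()
        # Normalise direction so a reply gets the same key as its request.
        client, server = (src, dst) if kind == "request" else (dst, src)
        seen[kind].add((client, server, int(ident), int(seq)))
    return seen

def diagnose(tun_capture, lan_capture):
    """Map each echo request seen on the tunnel to the point where it stalls."""
    tun, lan = parse(tun_capture), parse(lan_capture)
    verdicts = {}
    for key in sorted(tun["request"]):
        if key not in lan["request"]:
            verdicts[key] = "not forwarded: check forwarding and pf rules on the VPN box"
        elif key not in lan["reply"]:
            verdicts[key] = "forwarded, no reply: LAN side lacks a return route (or drops ICMP)"
        elif key not in tun["reply"]:
            verdicts[key] = "reply on LAN NIC but not on tun0: check pf on the VPN box"
        else:
            verdicts[key] = "ok"
    return verdicts

if __name__ == "__main__":
    for key, verdict in diagnose(TUN0, RL0_NO_ROUTE).items():
        print(key, "->", verdict)
```

The "forwarded, no reply" verdict is the situation in the post: the request leaves the internal interface, and the reply never returns until the LAN's gateway has a route back to the VPN subnet.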