Solved pf rule to ssh to host via OpenVPN

Hi guys,

I am not sure if this belongs here or in the Installation and Maintenance section of the forum...

I have installed security/openvpn with the aim of allowing ssh access from outside the office ONLY via OpenVPN, for security reasons.
My main FreeBSD host has a public IP and all my sysutils/iocage jails run on a cloned interface lo1:
 ## Set gateway
  ifconfig_bce0="inet netmask"  # This server

 ## Set jails alias interface
  cloned_interfaces="${cloned_interfaces} lo1"  # allows loopback isolation in the jail

I managed to get the OpenVPN client to successfully connect to the OpenVPN server, and I can ssh to all the jails with no problem, but I cannot ssh to the FreeBSD host.
I have tried all sorts of push route settings but nothing has been successful so far.

To connect to the jail I do ssh admin@10.8.20.xx
To connect to the host I tried:
ssh admin@
and always get
ssh: connect to host port 22: Connection timed out
ssh: connect to host port 22: Connection timed out
Could someone please advise on what to add in order to get ssh access to the host via OpenVPN?
I added my config files below; I think I need to add a line in /etc/openvpn/ but I am not sure what.

Thank you

# Which local IP address should OpenVPN listen on?

# Which TCP/UDP port should OpenVPN listen on?
port 1194

# PF firewall integration
script-security 2
setenv-safe wan bce0
up /usr/local/etc/openvpn/
down /usr/local/etc/openvpn/

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel,
dev tun

# SSL/TLS certificate
ca  /usr/local/etc/openvpn/keys/ca.crt
cert  /usr/local/etc/openvpn/keys/vpnserver.crt
key  /usr/local/etc/openvpn/keys/vpnserver.key

# Diffie hellman parameters.
dh  /usr/local/etc/openvpn/keys/dh4096.pem

# Configure server mode and supply a VPN subnet

# Maintain a record of client <-> virtual IP address associations
ifconfig-pool-persist ipp.txt

# Push routes to client
push "route"
push "route"

# Assign specific IP addresses to clients
client-config-dir ccd

# The keepalive directive
keepalive 10 120

# Block DoS attacks and UDP port flooding.
tls-auth /usr/local/etc/openvpn/keys/ta.key 0

# Cryptographic cipher.
cipher AES-256-CBC

# Enable compression on the VPN link.

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 2

# Reduce the OpenVPN daemon's privileges
user nobody
group nobody

# Set persist options

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# Set, log messages path
log  /var/log/openvpn/openvpn.log

# Set the log level
verb 3
mute 20

/sbin/ifconfig ${dev} inet6 -ifdisabled

/sbin/pfctl -a ${ANCHOR} -F rules
/sbin/pfctl -a ${ANCHOR} -F nat
/sbin/pfctl -a ${ANCHOR} -f - <<EOT
nat on ${OPENVPN_wan} inet from ${dev}:network to any -> (${OPENVPN_wan}:0) port 1024:65535
pass quick on ${dev} all
pass in quick on ${OPENVPN_wan} inet proto udp from any to (${OPENVPN_wan}) port ${local_port_1}
EOT

Hi, you are trying to connect to the network, not the host (host addresses cannot end with a dotted zero) - so you are getting
ssh: connect to host port 22: Connection timed out
I suppose you have installed security/openvpn on the host machine and hope you have a running sshd daemon - if yes, then you should connect to (as the openvpn service is running at this ip address) and the host sshd daemon is running there too.

Hi ab2k, yes I have installed security/openvpn on the host machine.
I get the same error message when I try ssh admin@
ssh: connect to host port 22: Connection refused
sudo service sshd status
sshd is running as pid 1184

> I get the same error message when I try ssh admin@
> ssh: connect to host port 22: Connection refused
No, this is NOT the same error message. Please note that there is a clear distinction between a "connection refused" and a "connection timed out".

You get a "connection refused" when the receiving end responds with a RST packet to indicate the port is closed (i.e. there's nothing listening).
You get a "connection timed out" when there's no response at all from the receiving end.

SirDice thank you for pointing it out. I didn't read the error correctly.
So based on that, does it mean the firewall is not allowing traffic to this ip address, or is it a problem with OpenVPN?

My guess would be that sshd(8) simply isn't listening on that address. If it's firewall related you usually get a "connection timed out".

 Port 22
 AddressFamily inet
My understanding is that if the host is listening on something other than itself, it causes issues with the jails. Does this not apply when using OpenVPN?
Should I change to

You can have multiple ListenAddress lines to have it listen on multiple, but specific, IP addresses.

Thank you SirDice
I added the second ListenAddress line and I successfully managed to log in :)
Port 22
AddressFamily inet
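As an added illustration of the diagnosis above (this is not code from the thread or from any of its posters): a small POSIX sh script that reads sshd_config text and reports which addresses sshd would bind to, so you can check whether a given VPN address is covered before you chase the firewall. It follows the sshd_config(5) rules that no ListenAddress line means all addresses, and that the host:port and [ipv6]:port forms carry a port to strip. The two configs and the addresses 203.0.113.10 (public side) and 10.8.20.1 (OpenVPN tun side) are constructed for the example and are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: does sshd_config make sshd listen on a given address?
# A "Connection refused" on a reachable host is the classic symptom when it does not.

# Print the effective listen addresses, one per line, from sshd_config text on stdin.
sshd_listen_addresses() {
    awk '
        tolower($1) == "listenaddress" {
            addr = $2
            # "[ipv6]:port" -> ipv6 ; "host:port" -> host ; bare address kept as is
            if (addr ~ /^\[/) { sub(/^\[/, "", addr); sub(/\].*$/, "", addr) }
            else if (addr ~ /:/ && addr !~ /:.*:/) { sub(/:.*$/, "", addr) }
            print addr; found = 1
        }
        # No ListenAddress at all: sshd binds to every local address.
        END { if (!found) print "0.0.0.0" }
    '
}

# Usage: sshd_listens_on <address> < sshd_config ; exit 0 if sshd would accept on it.
sshd_listens_on() {
    want="$1"
    sshd_listen_addresses | awk -v want="$want" '
        $0 == want || $0 == "0.0.0.0" || $0 == "::" { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Constructed config resembling the thread before the fix: bound only to the public address.
CONF_BEFORE='Port 22
AddressFamily inet
ListenAddress 203.0.113.10'

# Constructed config after the fix: a second ListenAddress for the OpenVPN tun address.
CONF_AFTER='Port 22
AddressFamily inet
ListenAddress 203.0.113.10
ListenAddress 10.8.20.1'

# diagnose <address> <config-text>: prints "refused" when sshd would not bind the address
# (the host answers with RST), "listening" otherwise.  A pf block would instead show up
# as a timeout, since no reply comes back at all.
diagnose() {
    if printf '%s\n' "$2" | sshd_listens_on "$1"; then echo listening; else echo refused; fi
}

diagnose 10.8.20.1 "$CONF_BEFORE"   # refused
diagnose 10.8.20.1 "$CONF_AFTER"    # listening
```

Run it against the real file with `sshd_listens_on 10.8.20.1 < /etc/ssh/sshd_config`; if it exits non-zero, the fix is an extra ListenAddress line rather than a pf rule. Commented-out `#ListenAddress` lines are ignored, as sshd ignores them.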