Sending all traffic through the VPN?




Post by mutz » Fri Mar 27, 2009 2:18 am

Is it possible to mail or post the following settings?
- OpenVPN config in dd-wrt
- Startup script (under administration -> Commands -> Startup)
- firewall rules (under administration -> Commands -> firewall)
- viscosity's settings (config.conf at ~/Library/Application Support/Viscosity)

You can redact your WAN IP with or something ;)




Post by super_kev » Sat Mar 28, 2009 12:23 am
Well, that's the thing. I copied and pasted your configs, so they are identical. Except for this part which I've played around with:
Code:
push "route" 
So you would think it should work.

Can you change the above push/server config so I can see how you'd go about connecting a static IP of (behind a router IP of to the DD-WRT OpenVPN server (, LAN of Wouldn't it be:
Code:
push "route" 
Firewall rules:
Code:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT



Post by mutz » Sat Mar 28, 2009 2:37 am

First of all, I think I need to clarify the IP address ... this is not a machine but the whole range from ->

push "route"
My internal network is 192.168.80.x, my router is on
So basically every machine that has a 192.168.80.x IP address on my LAN is accessible via the VPN tunnel.

Your LAN is 192.168.0.x so push has to be
push "route" (if possible, change your LAN to something else like 192.168.70.x in the DD-WRT network setup)

This is the LAN range OpenVPN will make; I would change it to
server because a lot of networks have a 192.168.1.x address range

iptables -I FORWARD 1 --source -j ACCEPT
This has to be the same IP address range as your VPN server, so in your case
iptables -I FORWARD 1 --source -j ACCEPT

Every IP has to end with 0; it's the whole range from 1 to 254 that's used.

So to sum up:
If you can change your local LAN to something like 192.168.80.x, do it :)
If not, use this conf:
push "route"

If you can change your LAN then the conf is:
push "route"

iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Viscosity settings:

Make a new connection in Viscosity
Address: your WAN IP (I use a dyndns address, it's easier to remember)
Protocol: UDP (try TCP if something doesn't work, you never know)
Device: Tun
DNS: enable DNS support
SSL/TLS client
select the right CA, CERT and key files
TLS-auth leave this one blank
direction default

persist tun checked
persist key checked
no bind checked
pull options checked

Hope this clarifies a bit... :)

And good luck
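
An added example, not part of the original posts: a consistency check for the rules described in the post above (the pushed route is the server-side LAN as a network address, the `server` pool overlaps neither LAN, and the FORWARD `--source` rule matches the pool). The function names and the 10.8.0.0/24 pool are assumptions made for illustration, because the thread's own addresses did not survive on this page.

```python
import ipaddress
import re

# Constructed sample input; 10.8.0.0/24 is an assumed VPN pool, not from the thread.
GOOD_CONF = 'server 10.8.0.0 255.255.255.0\npush "route 192.168.80.0 255.255.255.0"\n'
GOOD_RULES = ("iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT\n"
              "iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT\n"
              "iptables -I FORWARD -i br0 -o tun0 -j ACCEPT\n"
              "iptables -I FORWARD -i tun0 -o br0 -j ACCEPT\n")

def parse_net(text, problems):
    """Parse addr/mask; record a problem when host bits are set (e.g. x.x.x.1/24)."""
    net = ipaddress.ip_network(text, strict=False)
    if str(net.network_address) != text.split("/")[0]:
        problems.append(f"{text}: not a network address, did you mean {net}?")
    return net

def check_vpn_config(server_conf, firewall, server_lan, client_lan):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    server_lan = ipaddress.ip_network(server_lan)
    client_lan = ipaddress.ip_network(client_lan)
    pools = [parse_net(f"{a}/{m}", problems) for a, m in
             re.findall(r'^\s*server\s+(\S+)\s+(\S+)', server_conf, re.M)]
    routes = [parse_net(f"{a}/{m}", problems) for a, m in
              re.findall(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"', server_conf, re.M)]
    sources = [parse_net(s, problems) for s in
               re.findall(r'^iptables\s+-I\s+FORWARD\b.*--source\s+(\S+)', firewall, re.M)]
    if len(pools) != 1:
        return problems + ["expected exactly one 'server' line"]
    pool = pools[0]
    # The tunnel pool must not overlap either LAN, or routing becomes ambiguous.
    for lan, name in ((server_lan, "server LAN"), (client_lan, "client LAN")):
        if pool.overlaps(lan):
            problems.append(f"VPN pool {pool} overlaps the {name} {lan}")
    if server_lan not in routes:
        problems.append(f'no push "route" for the server LAN {server_lan}')
    # A pushed route that covers the client's own LAN hijacks its local traffic.
    for route in routes:
        if route.overlaps(client_lan):
            problems.append(f"pushed route {route} collides with the client LAN {client_lan}")
    if pool not in sources:
        problems.append(f"no FORWARD --source rule matches the VPN pool {pool}")
    return problems

if __name__ == "__main__":
    for p in check_vpn_config(GOOD_CONF, GOOD_RULES, "192.168.80.0/24", "192.168.0.0/24"):
        print("PROBLEM:", p)
```
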



Post by scubes13 » Fri Jun 19, 2009 3:42 am

Is there any chance you could provide a how to for configuring the pfSense settings to allow my viscosity client machine to push all traffic via the VPN connection?




Post by James » Tue Jul 21, 2009 9:55 pm
Hi scubes13,

The pfSense developers have actually added Viscosity support to the latest build (meaning you can simply download a client file for Viscosity, which all you have to do is double-click and Viscosity will automatically create a new connection to your pfSense box). However I'm not sure when the next full-release will be that includes this.

I can't really go into too much detail, however the gist of setting up a pfSense OpenVPN server is:

1. Create a new OpenVPN Server using the WebGUI
2. Enter an address pool (e.g. I'd recommend making this different from your LAN IP range
3. Enter the IP range for your local network (e.g.
4. I also usually tick the Client-to-client VPN option
5. The Authentication method should be PKI in most cases. You'll need to generate a CA certificate, Server certificate, Server key, and DH parameters locally on your Mac (as well as a certificate and key for Viscosity), and then open these files and copy-paste them into the corresponding fields. To generate these files you'll need to download OpenVPN from the OpenVPN website (you shouldn't need to compile anything), and then follow the "Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients" section in their How To section.
6. Enter a DNS search domain, and a DNS server (typically the internal IP address of your pfSense box)
7. Save the new server
8. Now you'll need to set up NAT to allow traffic from VPN clients to access the internet. To do this go to Firewall->NAT in the WebGUI
9. Under the Outbound tab set to "Manual Outbound NAT rule generation"
10. Add a new rule for your VPN. For example, if you use the IP ranges above: Interface = WAN. Source Type = Network. Source Address = Save the rule
11. Create a new connection in Viscosity. The remote server should be the WAN IP of your pfSense box. Select the client certificates/key you created in the OpenVPN How To guide. Under networking tick "Send all traffic over VPN connection". The defaults for everything else should be fine (although I haven't tested this).
12. Try connecting.

James Bekkema
Viscosity Developer
