Netgate Discussion Forum

    site to site to opt1

    OpenVPN
    12 Posts 2 Posters 1.3k Views
    viragomann @Jarhead

      @jarhead said in site to site to opt1:

      Is there a way to setup a site to site vpn with the client side forced to go to opt1 and no where else?

      pfSense is a firewall, so you can add rules to allow or block whatever you want.

      Since you intend to set up a site to site VPN, that's quite simple, because there will be only one client on the whole network.

      I was thinking about trying to bridge the wan and opt1 but not sure if that would work.

      Not clear what you want to do with a bridge in this regard.

      Jarhead

        Not sure why you think there will only be one client?

        I want the vpn traffic to go to opt1 and not on the lan of the client side.

        viragomann @Jarhead

          @jarhead
          You've mentioned a site to site VPN. This encompasses one server and one client.

          Maybe you could give more details about what you want to achieve.

          Jarhead

            Ah you meant vpn clients, gotcha.
            I was thinking lan clients.

            So I need to set up a tap site to site. I know, but I already have a tun to the remote site but I need the local subnet to go to the remote site for one server.

            I have the vpn up but it's not passing traffic yet.
            I have the local side bridged to the lan (opt1 and lan with opt1 assigned as the vpn).
            I have the remote site opt1 assigned to the vpn.
            I have the proper port allowed on both wans.
            I have both sites openvpn interface to allow all.
            I have both sites opt1 to allow all.
            Do I need to bridge the remote's opt1 to the wan so the openvpn traffic goes to opt1, or does that happen just by assigning the interface to the vpn?

            viragomann @Jarhead

              @jarhead said in site to site to opt1:

              I have the local side bridged to the lan (opt1 and lan with opt1 assigned as the vpn).

              That's quite a bad idea!
              A tun interface gets an IP when the connection is up. Bridging to LAN which has an IP on its own is quite useless.

              You also don't need a tap. A site to site works pretty well with tun.

              I have the proper port allowed on both wans.

              On WAN you just need to allow the VPN access on the server side.

              I need the local subnet to go to the remote site for one server.
              I have the remote site opt1 assigned to the vpn.

              So you need to access a server on the remote site, I guess in LAN, from the LAN clients at the local site. But only this one server IP and nothing else? Is that right?

              For the site to site VPN ensure that you use a /30 tunnel network.

              In the local site's OpenVPN settings enter the remote IP (or network) into the "Remote Networks" field. If it's only a single IP, append a /32.

              On the remote site enter the local LAN network into the "Remote Networks" box. (e.g. 192.168.3.0/24)

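A consistency check for the routed (tun) plan described in the post above, written as an added example; it is not code from the thread or from pfSense. It applies the stated advice (a /30 tunnel network, a bare host IP becomes /32, each site's "Remote Networks" holds the other side's subnet) and adds the check a practitioner wants before touching the GUI: a remote network that overlaps the local LAN or the tunnel network is never routed into the tunnel. All addresses in the demo are constructed sample values, and the /30 check assumes IPv4.

```python
"""Sanity checks for a pfSense OpenVPN site-to-site (tun) plan.

Added example, not from the thread. Addresses are constructed samples.
"""
import ipaddress


def normalize_remote_network(entry: str) -> str:
    """Return the entry as CIDR; a bare host IP gets /32 (or /128 for IPv6)."""
    if "/" in entry:
        return str(ipaddress.ip_network(entry, strict=False))
    addr = ipaddress.ip_address(entry)
    return f"{addr}/{addr.max_prefixlen}"


def check_site(tunnel_network: str, local_lan: str, remote_networks: list) -> list:
    """Return the problems found in one site's OpenVPN settings (empty list = OK)."""
    problems = []
    tunnel = ipaddress.ip_network(tunnel_network, strict=False)
    lan = ipaddress.ip_network(local_lan, strict=False)
    # One server and one client only need two host addresses: a /30 (IPv4).
    if tunnel.prefixlen != 30:
        problems.append(f"tunnel network {tunnel} should be a /30 for one server and one client")
    if tunnel.overlaps(lan):
        problems.append(f"tunnel network {tunnel} overlaps local LAN {lan}")
    for entry in remote_networks:
        net = ipaddress.ip_network(normalize_remote_network(entry))
        # A "remote" network that is really local is served by the LAN, not the tunnel.
        if net.overlaps(lan):
            problems.append(f"remote network {net} overlaps local LAN {lan}; it will not be routed")
        elif net.overlaps(tunnel):
            problems.append(f"remote network {net} overlaps the tunnel network {tunnel}")
    return problems


def check_pair(tunnel_network: str, local_lan: str, remote_lan: str, remote_server_ip: str) -> dict:
    """Check both sites of the thread's scenario: local LAN clients reach one remote server.

    Local site: "Remote Networks" = the single server IP (normalized to /32).
    Remote site: "Remote Networks" = the local LAN, e.g. 192.168.3.0/24.
    """
    return {
        "local": check_site(tunnel_network, local_lan, [remote_server_ip]),
        "remote": check_site(tunnel_network, remote_lan, [local_lan]),
    }


if __name__ == "__main__":
    # Constructed sample: local LAN as in the thread, remote server on another subnet.
    print(check_pair("10.0.8.0/30", "192.168.3.0/24", "192.168.10.0/24", "192.168.10.50"))
```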
              Jarhead

                I need a server on the remote site to have an ip from the local subnet.
                tun won't do that as far as I know.
                Are you saying it will?

                I also need that server to be on the opt1 interface on the remote site, not on the remote lan.

                viragomann @Jarhead

                  @jarhead said in site to site to opt1:

                  I need a server on the remote site to have an ip from the local subnet.

                  I see. No, this can only be achieved with tap.

                  But I can't help with that. Never needed something like that.

                  Any special reason for this need?

                  Jarhead

                    Xenservers with everRun.
                    EverRun will only work on the same subnet unless you buy the split site license which is a lot more than just a license.

                    viragomann @Jarhead

                      @jarhead
                      I don't know this software, but I assume you will be right. You will need to have both, server and clients, in an L2 network.
                      The only way to achieve this with OpenVPN is to run it in tap mode. Then you can assign an interface to it and bridge it to LAN or any other interface you need to.

                      How to do this is described in the docs: Bridging OpenVPN Connections to Local Networks

                      You have to bridge both sites' VPN interface with the respective server or client interface to have both in an L2.

                      Jarhead @viragomann

                        @viragomann Right, so that was my question. Do I have to bridge the client side to the wan port? Can't bridge it to anything else.
                        Or does assigning the vpn an interface do that already?
                        I need to connect to opt1

                        viragomann @Jarhead

                          @jarhead
                          You have to establish a layer 2 connection between server and clients.
                          L2 between different network interfaces can be achieved with a bridge. So you have to create a bridge at both sites.

                          I didn't get what your clients and the server are connected to. The interfaces concerned have to be bridged with the VPN interface.
                          So at both sites you have to use tap mode OpenVPN and assign an interface to the VPN instance. Then you can bridge these interfaces with the respective server or client interface.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.