site to site to opt1

viragomann

Is there a way to setup a site to site vpn with the client side forced to go to opt1 and no where else?

pfSense is a firewall, so you can add rules to allow or block whatever you want.

Since you intend to setup a site to site VPN, that's quite simple, cause there will be only one client on the whole network.

I was thinking about trying to bridge the wan and opt1 but not sure if that would work.

Not clear, what you want to do with a bridge in this regard.

Jarhead

Not sure why you think there will only be one client?

I want the vpn traffic to go to opt1 and not on the lan of the client side.

viragomann

@jarhead
You've mentioned a site to site VPN. This compasses one server and one client.

Maybe you could give more details about what you want to achieve.

Jarhead

Ah you meant vpn clients, gotcha.
I was thinking lan clients.

So I need to setup a tap site to site. I know, but I already have a tun to the remote site but I need the local subnet to go to the remote site for one server.

I have the vpn up but it's not passing traffic yet.
I have the local side bridged to the lan (opt1 and lan with opt1 assigned as the vpn).
I have the remote site opt1 assigned to the vpn.
I have the proper port allowed on both wans.
I have both sites openvpn interface to allow all.
I have both sites opt1 to allow all.
Do I need to bridge the remotes opt1 to the wan so the openvpn traffic goes the opt1 or does that happen just by assigning the interface to the vpn?

viragomann

@jarhead said in site to site to opt1:

I have the local side bridged to the lan (opt1 and lan with opt1 assigned as the vpn).

That's quite a bad idea!
A tun interface gets an IP when the connection is up. Bridging to LAN which has an IP on its own is quite useless.

You also don't need a tap. A site to site works pretty well with tun.

I have the proper port allowed on both wans.

On WAN you just need to allow the VPN access on the server side.

I need the local subnet to go to the remote site for one server.
I have the remote site opt1 assigned to the vpn.

So you need to access a server on the remote site, I guess in LAN, from the LAN clients at the local site. But only this one server IP and nothing else? Is that right?

For the site to site VPN ensure that you use a /30 tunnel network.

In the local sites OpenVPN settings enter the remote IP (or network) into the "Remote Networks" field. If its only a single IP, append a /32.

On the remote site enter the local LAN network into the "Remote Networks" box. (e.g. 192.168.3.0/24)

Jarhead

I need a server on the remote site to have an ip from the local subnet.
tun won't do that as far as I know.
Are you saying it will?

I also need that server to be on the opt1 interface on the remote site, not on the remote lan.

viragomann

@jarhead said in site to site to opt1:

I need a server on the remote site to have an ip from the local subnet.

I see. No, this can only be achieved with tap.

But I can’t help with that. Never need something like that.

Any special reason for this need?

Jarhead

Xenserver's with everRun.
EverRun will only work on the same subnet unless you buy the split site license which is a lot more than just a license.

viragomann

@jarhead
I don't know this software, but I assume, you will be right. You will need to have both, server and clients, in an L2 network.
The only way to achieve this with OpenVPN is to run it in tap mode. Then you can assign an interfaces to it and bridge it to LAN or any other interface you need to.

How to do this is described in the docs: Bridging OpenVPN Connections to Local Networks

You have to bridge both sites VPN interface with the respective server or clients interface to have both in an L2.

Jarhead

@viragomann Right, so that was my question. Do I have to bridge the client side to the wan port? Can't bridge it to anything else.
Or does assigning the vpn an interface do that already?
I need to connect to opt1

viragomann

@jarhead
You have to establish an layer 2 connection between server and clients.
L2 between different network interfaces can be achieved with a bridge. So you have to create a bridge at both sites.

I didn't get where your clients and the server are connected to. The concerned interface have to be bridged with the VPN interface.
So at both sites you have to use tap mode OpenVPN and assign an interface to the VPN instance. Then you can bridge these interfaces with the respective server or client interface.