OpenVPN Site to Site working, but?
-
I have a site to site VPN setup.
Site A: Local 192.168.1.0/24, VPN 10.0.1.0/24
Site B: Local 192.168.2.0/24, VPN 10.0.3.0/24
I can log in to the VPN at Site A with a laptop and ping and see all machines.
With the client set up on the Site B side, the only way to ping the machines on the Site A side is to open manual outbound NAT.
Same with the reverse on Site B.
The site B side is CPU bound somewhat. So I would like to only have a client instance on the site B side, leaving site B server running for VPN access to site B.
Would it work on the site A to put push 192.168.1.0/24 and the client on Site B push 192.168.2.0/24?
-
What do 10.0.1.0/24 and 10.0.3.0/24 represent there? The tunnel network should be the same on both sides. Server gets .1 and client gets .2.
-
Right now that represents the server on the Site B site, my friend uses it the same way I do for remote access to his home network. I am running a client on my end to access his server. He is running a client on his end to access my server. We use this for off site backups of critical data.
His end (Site B) has CPU-limited transfers, so I was hoping I could alter the config so he was only using his server for remote access once in a while. My end would continue to run the server and provide two-way access to both 192.168.1.0 and 192.168.2.0.
Can this be done by push 192.168.1.0 on Site A custom options and push 192.168.2.0 on the client Site B side custom options?
-
One of you should be running a server and one should be connecting to that. Zero need for two.
If you are using SSL/TLS the server can push "remote" networks to the client. If using pre-shared key just put reciprocal Local/Remote networks on each side.
Then make sure the connections he wants to allow into his network from you are passed by the firewall rules on his OpenVPN tab. Likewise for your side for connections from him.
I would leave the remote access servers alone and make another Peer to peer client/server for the LAN-to-LAN traffic.
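The following is an added example, not a configuration from anyone in this thread: it shows the raw OpenVPN directives that pfSense's "Local Network(s)" and "Remote Network(s)" fields generate for a separate peer-to-peer LAN-to-LAN instance, in both the SSL/TLS form (server pushes the remote network, client-specific override carries the iroute) and the pre-shared-key form (reciprocal ifconfig/route on each side). The tunnel network 10.0.8.0/24, the port 1195, the hostname siteA.example.net and the file names are all assumed placeholders; the two LANs are the ones stated in the thread.

```conf
# Added example; not the poster's or pfSense's own generated config.
# Tunnel network 10.0.8.0/24 is an assumption: any unused range works,
# but it must be the same on both ends (server side gets .1, client side .2).

### Variant 1: Peer to Peer (SSL/TLS)

## Site A, server side
dev tun
proto udp
port 1195                        # assumed; distinct from the remote-access server's port
server 10.0.8.0 255.255.255.0    # tunnel network shared by both ends
ca ca.crt                        # placeholder file names
cert siteA.crt
key siteA.key
dh dh.pem
tls-auth ta.key 0
# "Remote Network(s)" on the server = Site B LAN:
route 192.168.2.0 255.255.255.0  # kernel route at Site A into the tunnel
client-config-dir ccd            # per-client override directory (placeholder path)
# "Local Network(s)" on the server = Site A LAN, handed to the client on connect:
push "route 192.168.1.0 255.255.255.0"

## Site A, file ccd/<CN of Site B's client certificate>
# iroute tells the OpenVPN server which connected client owns 192.168.2.0/24;
# without it the kernel route above points into the tunnel but OpenVPN
# does not know which client to hand the packets to.
iroute 192.168.2.0 255.255.255.0

## Site B, client side
client
dev tun
proto udp
remote siteA.example.net 1195    # placeholder hostname
ca ca.crt
cert siteB.crt
key siteB.key
tls-auth ta.key 1
# "Remote Network(s)" on the client = Site A LAN (optional here, since the
# server already pushes it):
route 192.168.1.0 255.255.255.0

### Variant 2: Peer to Peer (Shared Key), no CA; networks set reciprocally

## Site A
dev tun
proto udp
port 1195
secret static.key                # placeholder shared key file
ifconfig 10.0.8.1 10.0.8.2       # local tunnel address, then remote
route 192.168.2.0 255.255.255.0  # "Remote Network(s)" at Site A = Site B LAN

## Site B
dev tun
proto udp
remote siteA.example.net 1195
secret static.key
ifconfig 10.0.8.2 10.0.8.1       # mirror image of Site A's ifconfig
route 192.168.1.0 255.255.255.0  # "Remote Network(s)" at Site B = Site A LAN
```

Once the routes exist on both ends, the manual outbound NAT workaround from the first post is no longer needed and is better removed: traffic then crosses the tunnel with its real LAN source addresses, so the pass rules on each side's OpenVPN firewall tab can match on the actual remote hosts instead of a single tunnel address. Also note that OpenVPN does not push networks in shared-key mode, which is why the route statements have to be entered on both sides there, whereas in SSL/TLS mode the server's "Local Network(s)" entry is what produces the push.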
-
Thanks for the info. I will definitely do that.
So, to push the remote LANs through the site-to-site server/client: is that done with push 192.168.1.0 on the server side and push 192.168.2.0 on the client side?
-
Just set the local and remote networks. Let pfSense do all the route / route push config.
-
Thanks, I found those options when I chose SSL/TLS instead of SSL/TLS+Remote Auth.