Netgate Discussion Forum

    Open VPN Site to Site working, but?
    mguebert:

      I have a site to site VPN setup.

      Site A Local 192.168.1.0/24 VPN 10.0.1.0/24
      Site B Local 192.168.2.0/24 VPN 10.0.3.0/24

      I can log in to the VPN Site A with a laptop and ping and see all machines.

      With the client setup on the Site B side, the only way to ping the machines on the Site A side is to open manual outbound NAT.

      Same with the reverse on Site B.

      The site B side is CPU bound somewhat. So I would like to only have a client instance on the site B side, leaving site B server running for VPN access to site B.

      Would it work on Site A to put push 192.168.1.0/24, and on the client on Site B push 192.168.2.0/24?

      [attachment: VPN.png (network diagram)]

      Derelict (Netgate):

        What do 10.0.1.0/24 and 10.0.3.0/24 represent there? The tunnel network should be the same on both sides. Server gets .1 and client gets .2.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        mguebert:

          Right now that represents the server on the Site B site, my friend uses it the same way I do for remote access to his home network. I am running a client on my end to access his server. He is running a client on his end to access my server. We use this for off site backups of critical data.

          His end, Site B, has CPU limited transfers, so I was hoping I could alter the config so he was only using his server for remote access once in a while. My end would continue to run the server and provide two way access to both 192.168.1.0 and 192.168.2.0.

          Can this be done by push 192.168.1.0 on Site A custom options and push 192.168.2.0 on the client Site B side custom options?

          Derelict (Netgate):

            One of you should be running a server and one should be connecting to that. Zero need for two.

            If you are using SSL/TLS the server can push "remote" networks to the client. If using pre-shared key just put reciprocal Local/Remote networks on each side.

            Then make sure the connections he wants to allow into his network from you are passed by the firewall rules on his OpenVPN tab. Likewise for your side for connections from him.

            I would leave the remote access servers alone and make another Peer to peer client/server for the LAN-to-LAN traffic.

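As an added illustration of the reply above (and of the later advice to let pfSense generate the routes), not a file from the thread or from Netgate, here is roughly what the Local/Remote network fields turn into in the OpenVPN configs pfSense writes, using the thread's LANs, an assumed 10.0.3.0/24 tunnel network, an assumed client certificate CN, an assumed CSO directory path and an assumed hostname for Site A:

```conf
### Site A: pfSense OpenVPN server, mode "Peer to Peer (SSL/TLS)"
### (illustrative excerpt, not a real generated file; real files carry more directives)
server 10.0.3.0 255.255.255.0           # IPv4 Tunnel Network (assumed)
push "route 192.168.1.0 255.255.255.0"  # from IPv4 Local network(s) = 192.168.1.0/24
route 192.168.2.0 255.255.255.0         # from IPv4 Remote network(s) = 192.168.2.0/24
client-config-dir /var/etc/openvpn/server1/csc   # path assumed

### Client Specific Override for Site B, file named after the client cert CN
### (assumed "siteB"). Needed when the tunnel network is larger than /30, so
### OpenVPN knows which connected client owns 192.168.2.0/24.
# /var/etc/openvpn/server1/csc/siteB
iroute 192.168.2.0 255.255.255.0        # from the override's IPv4 Remote network(s)

### Site B: pfSense OpenVPN client, mode "Peer to Peer (SSL/TLS)"
client
remote vpn.site-a.example 1194 udp      # hostname assumed
route 192.168.1.0 255.255.255.0         # from IPv4 Remote network(s) = 192.168.1.0/24
                                        # (the server pushes the same route; harmless overlap)

### Shared Key alternative: nothing can be pushed, so each side lists the other's LAN
### Site A: Local 192.168.1.0/24, Remote 192.168.2.0/24 -> route 192.168.2.0 255.255.255.0
### Site B: Local 192.168.2.0/24, Remote 192.168.1.0/24 -> route 192.168.1.0 255.255.255.0
```

Once the routes exist, pass the LAN-to-LAN traffic with explicit rules on each side's Firewall > Rules > OpenVPN tab (for example source 192.168.2.0/24 to destination 192.168.1.0/24 on Site A). The manual outbound NAT workaround from the first post only masks the missing routes, and it leaves the remote side's rules and logs seeing the tunnel address instead of the real host.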
            mguebert:

              @Derelict:

              One of you should be running a server and one should be connecting to that. Zero need for two.

              If you are using SSL/TLS the server can push "remote" networks to the client. If using pre-shared key just put reciprocal Local/Remote networks on each side.

              Then make sure the connections he wants to allow into his network from you are passed by the firewall rules on his OpenVPN tab. Likewise for your side for connections from him.

              I would leave the remote access servers alone and make another Peer to peer client/server for the LAN-to-LAN traffic.

              Thanks for the info. I will definitely do that.

              So to push the remote LANs through the site to site server / client, that is done with push 192.168.1.0 on the server side and push 192.168.2.0 on the client side?

              Derelict (Netgate):

                Just set the local and remote networks. Let pfSense do all the route / route push config.

                mguebert:

                  @Derelict:

                  Just set the local and remote networks. Let pfSense do all the route / route push config.

                  Thanks, I found those options when I chose SSL/TLS instead of SSL/TLS+Remote Auth.
