Routing issue between Site-to-Site and Remote Access OpenVPNs
-
Cross-posted with ubiquiti forums.
I followed another thread to set up a site-to-site OpenVPN between my 'home' Edge X and 'AWS cloud' pfSense. My pfSense (in AWS) has 3 OpenVPN services: 2 for Remote Access (Dial in) + 1 site-to-site to home Edge X.
The idea is to dial into AWS and to access home Edge X (and also hide my real IP for web access)
Devices behind Edge X will need to access things on AWS network (e.g. file shares)
The config is pretty straightforward, the tunnel establishes, and some of the network flows work as expected:
I can ping/access any IP from my Edge X CLI (192.168.1.1) on my AWS (10.0.50.*)
I can ping/access 10.0.50.* IPs from my desktop when connected to home network (main router being Edge X 192.168.1.1)
I can ping any IP on 192.168.1.1 from pfSense CLI (and I can get onto pfSense via private 10.0.50.x network when dialed in)
I cannot ping/access 192.168.1.* IPs from my desktop when dialed into OpenVPN (using a different internet connection to simulate remote access)
So main issue is access to 192.168.1.x from pfSense clients when dialed into it via other OpenVPN servers (servers being virtual services on pfSense)
I have tried "push route" (see below), and while the route gets pushed to the client, neither ping nor http(s)/ssh requests go anywhere (I can ping 10.3.203.1 and 10.3.203.2 but not 192.168.1.x). I am also not sure it produces the right gateway. I tried specifying the gateway and the route would then get ignored altogether (e.g. not show up on the client route table)
push "route 192.168.1.0 255.255.255.0"
-
@NetComrade said in Routing issue between Site-to-Site and Remote Access OpenVPNs:
My pfSense (in AWS) has 3 OpenVPN services: 2 for Remote Access (Dial in) + 1 site-to-site to home Edge X.
I don't think that a consumer-grade router can handle this properly without masquerading the packets with the virtual VPN IP on the remote device, aside from the proper routes. It would work with pfSense though.
So for masquerading, on the AWS pfSense assign an interface to the site-to-site VPN instance and enable it. State a friendly name, for example home-VPN
Then go to Firewall > NAT > Outbound and activate the hybrid mode if it's in automatic mode.
Then add a rule:
interface: home-VPN
source: any
destination: your home subnet (192.168.1.0/24)
translation: interface address
-
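The Outbound NAT rule described in the reply above, written out as the equivalent pf.conf "nat" rule so the mechanism is visible. This is an added example, not text or configuration from the thread's posts and not pfSense's own generated ruleset; it assumes the site-to-site instance is OpenVPN server number 3 on pfSense (interface name ovpns3, a placeholder; check Status > Interfaces for the real name) and uses the home LAN 192.168.1.0/24 from the thread.

```pf
# Added example: pf.conf equivalent of the pfSense Outbound NAT rule
#   interface: home-VPN, source: any, destination: 192.168.1.0/24,
#   translation: interface address
# Assumption: the site-to-site tunnel interface is ovpns3 (placeholder name).

# Rewrite the source address of any packet leaving via the site-to-site
# tunnel towards the home LAN to the tunnel interface's own address.
# The EdgeRouter then sees a source it already has a route back to (the
# tunnel endpoint) instead of a remote-access client address that no
# route on the home side covers.
nat on ovpns3 from any to 192.168.1.0/24 -> (ovpns3)
```

To confirm the rule is matching, run `tcpdump -ni ovpns3 host 192.168.1.1` on the pfSense shell while pinging 192.168.1.1 from a dialed-in client: the ICMP echo requests should show the tunnel interface address as their source, and the replies should come back on the same interface. If the requests still carry the remote-access client's address, the rule is on the wrong interface or Outbound NAT is still in automatic mode.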
I would call the Ubiquiti/EdgeOS at least a mid-tier product.
My opinion aside, this seems to have worked.
I can send you a gift card?
Thanks