OpenVPN Site to Site: Route traffic from server's LAN via client's Internet
-
I am trying to do "Routing Internet Traffic Through A Site-To-Site OpenVPN Tunnel" as documented in the Netgate Docs:
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-route-internet-traffic.html
But I am trying to do it backwards - rather than route branch office (OpenVPN client) traffic via the HQ (OpenVPN server), I am trying to route traffic of some hosts on the server's LAN via the client's Internet connection. Reason: The client sits behind a NAT I don't control, so it cannot be a server as I can't reach its IP publicly, but I need to route out of it due to geo IP restrictions on the server's IP.
I have successfully created the OpenVPN tunnel as per the Netgate Docs "OpenVPN Site-to-Site Configuration Example with SSL/TLS":
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html#recipe-openvpn-s2s-tls-examplesettings
I have also been able to set up a test where I route from a site-to-site client via the server successfully, and I have copied the Firewall and NAT configs exactly. However, when trying to route traffic from the server via the client it doesn't work.
Should this work (maybe I just have it misconfigured) or is this a limitation of OpenVPN? Can this be done with IPsec or something else instead?
-
@gdi2k
You can do this with a /30 tunnel network, though this is not compatible with DCO and therefore not recommended anymore.
I've never done it with a larger tunnel subnet, however.
With a /30 tunnel the direction doesn't matter, basically. This site-to-site OpenVPN is just a transit network with two unique gateways, where traffic can go in both directions.
"I am trying to route traffic of some hosts on the server's LAN via the client's Internet connection."
So you have to do this with policy routing rules.
I assume you're already able to access resources on the server's LAN from the client's LAN.
To configure this (/30 tunnel network, no CSO needed), on the client:
- You need to switch the outbound NAT into the hybrid mode and add a rule to the WAN interface for the source of the server site's LAN.
- Assign an interface to the OpenVPN client instance in Interfaces > Assignments. At "Available network ports" select the client instance, e.g. ovpnc1, hit Add and enable the interface. You also might want to state a friendly name.
- Then you get a tab for it in Firewall > Rules. Add a pass rule to it for allowing access to any destination or whatever you need.
Remove any pass rule from the OpenVPN tab.
On the server:
- Assign an interface to the concerned OpenVPN server instance in Interfaces > Assignments. Same as above, but the server instance is called e.g. ovpns3. I'll call it s2s here.
- Add all IPs whose upstream traffic you want to direct over the VPN to an alias.
- Also create an alias for RFC 1918 networks and add all private networks to it, if you don't have one already.
- On the LAN or whatever interface the concerned devices are connected to, add a pass rule to the top of the rule set. At source use the devices' IP alias; at destination address check "Invert match" and enter the RFC 1918 alias.
Open the advanced options, go down to gateway and select the s2s gateway.
With a larger tunnel subnet, maybe you can add the client's IP, which you've stated in the CSO, as a gateway on the server and use this one for policy routing.
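The reverse-direction setup from the steps above, written out as the equivalent OpenVPN directives and pf rules. This is an added illustration, not text from the thread and not the configuration pfSense itself generates from the GUI; every address, interface name and hostname in it is a constructed placeholder.

```conf
### Constructed example values (not from the thread):
###   server site LAN 192.168.10.0/24, client site LAN 192.168.20.0/24,
###   /30 tunnel 10.0.8.0/30 (server 10.0.8.1, client 10.0.8.2),
###   server-LAN hosts to be routed out via the client: 192.168.10.50, 192.168.10.51,
###   server LAN interface em1, OpenVPN server interface ovpns3 (friendly name "s2s"),
###   client WAN igb0, OpenVPN client interface ovpnc1

# --- OpenVPN server (HQ): /30 point-to-point tunnel, SSL/TLS ---
# The /30 forces point-to-point mode, which is the reason DCO cannot be used.
dev tun
proto udp
port 1194
tls-server
ifconfig 10.0.8.1 10.0.8.2          # local tunnel address, remote tunnel address
route 192.168.20.0 255.255.255.0    # client site's LAN is reached through the tunnel
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
keepalive 10 60
persist-key
persist-tun

# --- OpenVPN client (branch, behind a NAT it does not control): mirrors the server ---
dev tun
proto udp
remote vpn-server.example.invalid 1194   # placeholder hostname for the HQ public IP
tls-client
remote-cert-tls server
ifconfig 10.0.8.2 10.0.8.1          # tunnel subnet stated explicitly (needed with a /30)
route 192.168.10.0 255.255.255.0    # remote subnet: the server site's LAN
ca ca.crt
cert client.crt
key client.key
keepalive 10 60
persist-key
persist-tun

# --- pf on the server firewall: policy-route only Internet-bound traffic ---
table <geo_hosts> { 192.168.10.50, 192.168.10.51 }
table <rfc1918>   { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# Top of the LAN rule set: non-private destinations from these hosts leave via the s2s
# gateway; private destinations do not match and keep using the normal LAN rules/routes.
pass in quick on em1 inet from <geo_hosts> to ! <rfc1918> route-to (ovpns3 10.0.8.2) keep state

# --- pf on the client firewall: accept the forwarded traffic and NAT it out the WAN ---
# Hybrid outbound NAT rule: the server site's LAN sources get the client's public address.
nat on igb0 inet from 192.168.10.0/24 to any -> (igb0)
# Pass rule on the assigned ovpnc1 interface (no pass rules left on the generic OpenVPN tab).
pass in quick on ovpnc1 inet from 192.168.10.0/24 to any keep state
```

Without the `! <rfc1918>` exclusion on the server rule, traffic from those hosts to the client's own LAN or to other local subnets would also be forced through the tunnel gateway, which is why the invert match on the RFC 1918 alias matters.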
-
@viragomann thank you for taking the time to take a look at my issue and provide these steps. It took me a couple of days of fiddling and reading to realize what you meant by a /30 tunnel. This documentation is key:
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-server-tunnel.html
Once I set the tunnel subnet to /30 (I also had to manually add the remote subnet and tunnel subnet to the client's OpenVPN settings, which isn't required for larger subnets), everything just worked.
Awesome, thanks again.