Netgate Discussion Forum

    Connect VPN Clients to Local network behind other client...

    OpenVPN
    • A
      andre1979
      last edited by

      Hi Everybody!

      I'm struggling with setting up pfsense as a VPN server....

      I have my main pfsense running in a VM on Proxmox with 2 network interfaces connected, one for WAN and the other one for LAN. I set up an OpenVPN server in Remote Access (SSL/TLS) mode. All the required certs and the CA are working, so the basic setup is working. I'm using the /30 topology and client specific overrides to make sure all users get the same IP any time they connect. This is also working fine.
      The 3 clients are Windows/Mac machines with OpenVPN client and 3 pfsense boxes running on ALix Board.

      But here is my problem....

      Let me explain my structure first:

      Location: Homeoffice

      Internet: dynamic IP with DDNS Service
      |
      |
      Router: IP 192.168.178.1
      |
      |
      pfsense: IP 192.168.178.10
      |
      |
      OpenVPN Server with 10.10.1.0/24 tunnel network

      Location: Office 2 (pfsense running on ALix)

      Internet: dynamic IP with DDNS Service
      |
      |
      Router: IP 192.168.20.1
      |
      |wan - 192.168.20.10
      pfsense box 1--------------------------------------------------------- connected to VPN Server with 10.10.1.6
      |lan - 192.168.2.1 |opt1 - 192.168.1.1

      Location: Office 3 (pfsense running on ALix)

      Internet: dynamic IP with DDNS Service
      |
      |
      Router: IP 192.168.30.1
      |
      |wan - 192.168.30.10
      pfsense box 2--------------------------------------------------------- connected to VPN Server with 10.10.1.10
      |lan - 192.168.3.1 |opt1 - 192.168.1.1

      Location: Office 3 (pfsense running on ALix)

      Internet: dynamic IP with DDNS Service
      |
      |
      Router: IP 192.168.40.1
      |
      |wan - 192.168.40.10
      pfsense box 3--------------------------------------------------------- connected to VPN Server with 10.10.1.14
      |lan - 192.168.4.1 |opt1 - 192.168.1.1

      connect from different Locations via DSL or LTE:

      User-01: --------------------------------------------------------- connected to VPN Server with 10.10.1.18

      User-02: --------------------------------------------------------- connected to VPN Server with 10.10.1.22

      User-03: --------------------------------------------------------- connected to VPN Server with 10.10.1.26

      All 3 pfsense boxes connect to the VPN server in the home office without any problem and receive the same IP address any time they connect.

      All the users connected through PC/Mac are also getting a unique IP any time they connect.

      I can see all pfsense boxes and users connected in my main pfsense web interface.

      Here is where I want to get to:

      I want User-01 only to reach/ping the local net behind OPT1 on pfsense box1,
      User-02 only to reach/ping the local net behind OPT1 on pfsense box2,
      User-03 only to reach/ping the local net behind OPT1 on pfsense box3

      The local networks behind OPT1 are all in the same range (192.168.1.0/24) and this could not be changed because there are machines running with fixed IP addresses in this range.

      I'm pretty sure that this will need some routes and firewall rules, but I really have no idea where to start.

      It would be fine if someone could give me an idea about where to start......

      Thank you!!

      • RicoR
        Rico LAYER 8 Rebel Alliance
        last edited by

        Conflicting subnets are nasty and you should avoid them and renumber.
        Anyway, here is a workaround for your problem: https://www.netgate.com/docs/pfsense/vpn/openvpn/connecting-openvpn-sites-with-conflicting-ip-subnets.html

        -Rico

        • A
          andre1979
          last edited by andre1979

          Hi Rico,

          Thank you for your answer. I had a look at your link. I think this would work, but if the subnet on LAN on the pfsense boxes is changed, I need to reconfigure everything.

          Is there no option like:

          On the VPN Server:
          Route ALL traffic from User-01 to VPN network of pfsense box1

          On the Pfsense Box side:
          Route ALL traffic on VPN network to OPT1 network

          Sorry for my question, but I'm a beginner with OpenVPN and pfsense...

          Thank you so much for your support.
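
For the thread as a whole, an added example that is not from either poster and is not pfSense's own code: it models the per-user isolation asked for, on the assumption that each site's 192.168.1.0/24 is presented under a unique alias subnet via 1:1 NAT. The tunnel addresses are the thread's; the 172.16.x.0/24 aliases and all function names are constructed for illustration.

```python
import ipaddress as ip

CONFLICT = ip.ip_network("192.168.1.0/24")   # OPT1 net at every site (from the thread)
TUNNEL = ip.ip_network("10.10.1.0/24")       # tunnel network (from the thread)

# Tunnel IPs are the thread's; the 172.16.x.0/24 aliases are constructed placeholders.
SITES = {"box1": ("10.10.1.6", "172.16.1.0/24"),
         "box2": ("10.10.1.10", "172.16.2.0/24"),
         "box3": ("10.10.1.14", "172.16.3.0/24")}
USERS = {"User-01": ("10.10.1.18", "box1"),
         "User-02": ("10.10.1.22", "box2"),
         "User-03": ("10.10.1.26", "box3")}

def ifconfig_push(client_ip):
    """Build the net30 override line; the client must hold the 2nd host of its /30."""
    addr = ip.ip_address(client_ip)
    block = ip.ip_network(f"{addr}/30", strict=False)
    server_end, client_end = list(block.hosts())
    if addr != client_end or addr not in TUNNEL:
        raise ValueError(f"{addr} is not a net30 client address in {TUNNEL}")
    return f"ifconfig-push {client_end} {server_end}"

def alias_for(site, real_ip):
    """1:1 map a host in the shared 192.168.1.0/24 to the site's unique alias."""
    real = ip.ip_address(real_ip)
    if real not in CONFLICT:
        raise ValueError(f"{real} is outside {CONFLICT}")
    offset = int(real) - int(CONFLICT.network_address)
    return ip.ip_network(SITES[site][1]).network_address + offset

def check_aliases():
    """Aliases must not overlap each other, the tunnel, or the conflicting net."""
    nets = [ip.ip_network(a) for _, a in SITES.values()] + [TUNNEL, CONFLICT]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def allowed(src_ip, dst_ip):
    """Default deny: a user may only reach the alias net of the paired box."""
    src, dst = ip.ip_address(src_ip), ip.ip_address(dst_ip)
    for tunnel_ip, site in USERS.values():
        if src == ip.ip_address(tunnel_ip):
            return dst in ip.ip_network(SITES[site][1])
    return False

if __name__ == "__main__":
    for name, (tunnel_ip, site) in USERS.items():
        print(name, ifconfig_push(tunnel_ip), "-> pass to", SITES[site][1])
```

Because every user's source address is pinned by its override, one pass rule per user on the server's OpenVPN interface, with everything else denied, expresses the pairing; the raw 192.168.1.0/24 is never a valid destination across the tunnel.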

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.