[SOLVED] OpenVPN site to site SSL with NAT

  • Hey all-

    This forum has been awesome and through searching I've solved almost all of my issues thus far. However, this one has me totally stumped.

    I'm deploying remote site pfSense virtually for customers as a call-home device, building a site to site between that virtual network and my datacenter monitoring network. I am running into the issue where the occasional customer has built out an internal network that matches one of my internal networks, and I need to be able to hide my network behind a NAT so that the customer's monitoring devices can successfully route back to my network instead of dumping out into theirs.

    Here is a diagram of what I'm doing:

    The VPN is up and operational in that I can ping from However, I can't get to any of the addresses on the right hand side because the pfSense on the left assumes that traffic (rightly so) belongs locally off the WAN port.

    What I would like to do is insert a NAT on the right hand side that presents as a routable network and any time one of those IPs is connected to from the left side the right hand side passes them off to the corresponding IP address.

    I've done this before on Cisco over a site to site and that was ages ago. I've found a lot of references searching that "oh yeah, you can do it with OpenVPN but not with IPSec" and haven't been able to find exactly how to do it.

    Thanks in advance!

    To clarify, I need on the customer side (left) to talk to (and others) on my network side (right). To do that, I'd like to put a NAT in place in between them so thinks it is talking to when it is actually talking to

    While I'll likely only need a handful of addresses mapped this way, I'd prefer to just set it up dynamically so I don't have to worry about mapping new servers as they come up.

  • Seems Photobucket is having issues. Attached my network diagram here.

    I've also tested a 1:1 with the attached settings:

    Interface: VPN
    External Subnet (one I'm spoofing)
    Internal IP: (in the picture it is, but that is my test environment).
    Destination IP: *** EDIT *** I left this blank in this case, but I've since changed it to be just the source subnet I want to NAT.

    What happens in this case is the client can ping the spoof address of, but the response claims to be

    HOWEVER, if I ping a different IP that isn't the default gateway, it returns with the right response.

    In short:

    I've solved my problem with a really simple 1:1 NAT (guess I should've tried it before asking).

    Hopefully anyone needing this can find it.

    ![network settings.PNG](/public/imported_attachments/1/network settings.PNG)
    ![SSL VPN.jpg](/public/imported_attachments/1/SSL VPN.jpg)
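The 1:1 NAT the thread settles on, written out as the pf rules that sit underneath a pfSense 1:1 NAT entry on the OpenVPN interface. This is an added example, not the poster's configuration: the addresses are constructed (RFC 5737 ranges) and the interface name ovpns1 is an assumption.

```pf
# Added example: pf-level equivalent of the pfSense "1:1 NAT" entry discussed above.
# Not the poster's actual config. Addresses are constructed (RFC 5737) and the
# interface name is an assumption (ovpns1 = first OpenVPN server instance).
# Scenario: the customer LAN and our monitoring LAN both use 192.0.2.0/24, so we
# present our side across the tunnel as 198.51.100.0/24 instead.
vpn_if    = "ovpns1"
real_net  = "192.0.2.0/24"       # our real monitoring network (the overlapping one)
spoof_net = "198.51.100.0/24"    # the "External Subnet" the customer actually routes to
cust_net  = "203.0.113.0/24"     # customer-side subnet; matches the "Destination IP" field

# Bidirectional 1:1 mapping, bit-for-bit within the /24:
#   customer -> 198.51.100.25 is rewritten to 192.0.2.25 on the way in
#   192.0.2.25 -> customer is sourced as 198.51.100.25 on the way out
# Restricting "to $cust_net" keeps the translation from touching other tunnels.
binat on $vpn_if from $real_net to $cust_net -> $spoof_net

# pf translates before it filters, so the pass rule on the VPN interface must
# match the real (post-translation) destination, not the spoofed subnet.
pass in quick on $vpn_if inet proto { tcp udp icmp } from $cust_net to $real_net
```

In the pfSense GUI this is the same entry as the one in the post: Interface = the OpenVPN interface, External Subnet = spoof_net, Internal IP = real_net, Destination = cust_net, plus a firewall rule on that interface allowing traffic to the internal subnet.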
