OpenVPN: how to set up a reverse site-to-site?
My goal is to access a remote network (which has a dozen or so subnets). I am running pfSense locally, and the VPN tunnel must be made from the remote network (because only my end has the ability to open inbound ports).
In other words, I want a linux openvpn command-line client to connect to my pfSense, but I want to then route traffic from my LAN through that tunnel in the reverse direction to all the remote subnets.
In other words,
VPN connection: [linux client, behind some firewalls] ==(public internet)==> [pfSense]
Desired Traffic: [my LAN] -> ( [pfSense] -> [linux client] ) -> [remote LAN with many subnets]
It's not clear which configuration is ideal for this, and for my attempt I tried a Site-to-Site static key configuration. I was able to establish a connection but could not route traffic. Here is what I tried:
pfSense: Created a server config as follows:
- IPv4 Tunnel Network: 198.18.0.0/24 (this subnet is not used anywhere else locally or remotely)
- IPv4 Remote Networks look like this: 10.0.0.0/8,122.181.160.40/29,157.189.192.0/23,157.189.196.0/23,172.16.175.0/24,172.20.1.0/24,172.20.11.0/24,172.20.52.0/24,172.29.0.64/26,172.30.0.0/16,172.31.0.0/16,192.168.0.0/16,193.26.192.0/23,193.26.196.0/27,193.26.196.128/25,193.26.196.64/27,193.26.196.96/27,193.26.197.0/25,193.26.197.128/26,193.26.197.200/31,193.26.197.204/30,193.26.197.208/28,193.26.197.224/27,193.26.201.0/24,193.26.206.0/24,195.20.210.128/25,208.79.149.0/24,53.0.0.0/10,53.64.0.0/11
- Added a WAN Rule: IPv4 UDP * * This Firewall 12345 * none
- Added an OpenVPN Rule: IPv4 * * * * * * none
- LAN already had a * rule.
- Cipher: AES-256-CBC
Client: Created an openvpn conf file:
# routed (layer 3) tunnel
dev tun
# pfSense WAN address and the UDP port opened in the WAN rule
remote my.pfsense.domain 12345
# local tunnel address, then the pfSense end of the point-to-point link
ifconfig 198.18.0.2 198.18.0.1
# pre-shared static key generated for the site-to-site config
secret static.key
cipher AES-256-CBC
verb 3
The connection is established and the new route looks like this on the client:
198.18.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
And on the pfSense end:
Destination Gateway Flags Use Mtu Netif Expire
10.0.0.0/8 198.18.0.2 UGS 3 1500 ovpns2
53.0.0.0/10 198.18.0.2 UGS 0 1500 ovpns2
53.64.0.0/11 198.18.0.2 UGS 0 1500 ovpns2
122.181.160.40/29 198.18.0.2 UGS 0 1500 ovpns2
157.189.192.0/23 198.18.0.2 UGS 28 1500 ovpns2
157.189.196.0/23 198.18.0.2 UGS 0 1500 ovpns2
172.16.175.0/24 198.18.0.2 UGS 0 1500 ovpns2
172.20.1.0/24 198.18.0.2 UGS 0 1500 ovpns2
172.20.11.0/24 198.18.0.2 UGS 0 1500 ovpns2
172.20.52.0/24 198.18.0.2 UGS 0 1500 ovpns2
172.29.0.64/26 198.18.0.2 UGS 0 1500 ovpns2
172.30.0.0/16 198.18.0.2 UGS 0 1500 ovpns2
172.31.0.0/16 198.18.0.2 UGS 0 1500 ovpns2
192.168.0.0/16 198.18.0.2 UGS 0 1500 ovpns2
193.26.192.0/23 198.18.0.2 UGS 0 1500 ovpns2
193.26.196.0/27 198.18.0.2 UGS 0 1500 ovpns2
193.26.196.64/27 198.18.0.2 UGS 0 1500 ovpns2
193.26.196.96/27 198.18.0.2 UGS 0 1500 ovpns2
193.26.196.128/25 198.18.0.2 UGS 0 1500 ovpns2
193.26.197.0/25 198.18.0.2 UGS 0 1500 ovpns2
193.26.197.128/26 198.18.0.2 UGS 0 1500 ovpns2
193.26.197.200/31 198.18.0.2 UGS 0 1500 ovpns2
193.26.197.204/30 198.18.0.2 UGS 0 1500 ovpns2
193.26.197.208/28 198.18.0.2 UGS 0 1500 ovpns2
193.26.197.224/27 198.18.0.2 UGS 0 1500 ovpns2
193.26.201.0/24 198.18.0.2 UGS 0 1500 ovpns2
193.26.206.0/24 198.18.0.2 UGS 0 1500 ovpns2
195.20.210.128/25 198.18.0.2 UGS 0 1500 ovpns2
198.18.0.2 link#8 UH 0 1500 ovpns2
208.79.149.0/24 198.18.0.2 UGS 0 1500 ovpns2
Am I even going in the right direction? Should this be working at this point? (I tried from my LAN machines and via ping in pfSense, no go)
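The two routing tables above tell the story on their own once you follow a packet in both directions: pfSense sends anything for the remote subnets to 198.18.0.2, but the Linux client only has the host route for 198.18.0.1 on tun0, so a reply addressed to a host on the pfSense-side LAN is matched by the client's default route and never re-enters the tunnel. The script below is an added example (not part of the question or of pfSense/OpenVPN) that models both tables with longest-prefix match and traces the forward hop and the return hop of a LAN-to-remote packet. It assumes a placeholder LAN prefix of 203.0.113.0/24 for the pfSense side (chosen outside the Remote Networks list, which already covers 10.0.0.0/8 and 192.168.0.0/16), assumes a default route on each side, and uses only a few of the pfSense routes from the post.

```python
"""Trace forward and return paths through two routing tables with
longest-prefix match, to show why the tunnel connects but does not carry
traffic. Added example; 203.0.113.0/24 is a placeholder for the LAN behind
pfSense, and the default routes are assumed."""
import ipaddress

# (prefix, gateway, interface). Tunnel entries copied from the pfSense
# netstat output in the question; the LAN and default entries are assumed.
PFSENSE_ROUTES = [
    ("10.0.0.0/8", "198.18.0.2", "ovpns2"),
    ("157.189.192.0/23", "198.18.0.2", "ovpns2"),
    ("172.30.0.0/16", "198.18.0.2", "ovpns2"),
    ("198.18.0.2/32", None, "ovpns2"),
    ("203.0.113.0/24", None, "lan"),      # placeholder LAN, directly connected
    ("0.0.0.0/0", "wan-gw", "wan"),        # assumed default route
]

# The Linux client shows only the point-to-point host route on tun0;
# its default route toward the remote site is assumed.
CLIENT_ROUTES = [
    ("198.18.0.1/32", None, "tun0"),
    ("0.0.0.0/0", "site-gw", "eth0"),
]


def lookup(table, dst):
    """Longest-prefix match: return (network, gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def trace(src, dst, pfsense=PFSENSE_ROUTES, client=CLIENT_ROUTES):
    """Follow a packet from a LAN host (src) to a remote host (dst) and the
    reply back. The path only works if the reply re-enters the tunnel, i.e.
    the client's lookup of src lands on tun0."""
    fwd = lookup(pfsense, dst)
    if fwd is None or fwd[2] != "ovpns2":
        return {"forward": fwd, "onward": None, "reply": None,
                "symmetric": False,
                "reason": "pfSense has no tunnel route for %s" % dst}
    onward = lookup(client, dst)   # client forwards on toward the remote LAN
    reply = lookup(client, src)    # client must send the reply back via tun0
    symmetric = reply is not None and reply[2] == "tun0"
    via = reply[2] if reply else "nowhere"
    return {"forward": fwd, "onward": onward, "reply": reply,
            "symmetric": symmetric,
            "reason": "ok" if symmetric else
            "client routes replies for %s via %s, not tun0" % (src, via)}


def missing_return_routes(client, lan_prefixes):
    """List LAN prefixes the client cannot reach through tun0."""
    missing = []
    for prefix in lan_prefixes:
        net = ipaddress.ip_network(prefix)
        hit = lookup(client, str(net.network_address))
        if hit is None or hit[2] != "tun0" or not net.subnet_of(hit[0]):
            missing.append(prefix)
    return missing


def with_return_route(client, lan_prefix):
    """Client table after a `route <lan>` directive in the OpenVPN client
    config (or an equivalent `ip route add ... dev tun0`)."""
    return [(lan_prefix, "198.18.0.1", "tun0")] + list(client)


if __name__ == "__main__":
    print(trace("203.0.113.10", "10.1.2.3"))
    print(missing_return_routes(CLIENT_ROUTES, ["203.0.113.0/24"]))
    fixed = with_return_route(CLIENT_ROUTES, "203.0.113.0/24")
    print(trace("203.0.113.10", "10.1.2.3", client=fixed))
```

Running it as-is reports the forward hop landing on ovpns2 and the reply leaving the client via eth0, which is exactly the "connected but no traffic" symptom; after adding the return route the trace is symmetric. The model deliberately covers routing only: on the Linux client, packets arriving on tun0 are additionally only forwarded to the remote subnets when net.ipv4.ip_forward is 1, and the remote subnets' gateways need a route for the pfSense-side LAN pointing back at the client, neither of which a routing table on the two endpoints shows.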