OpenVPN: how to set up a reverse site-to-site?



  • My goal is to access a remote network (which has a dozen or so subnets).  I am running pfSense locally, and the VPN tunnel must be made from the remote network (because only my end has the ability to open inbound ports).

    In other words, I want a linux openvpn command-line client to connect to my pfSense, but I want to then route traffic from my LAN through that tunnel in the reverse direction to all the remote subnets.

    In other words,
    VPN connection:  [linux client, behind some firewalls] ==(public internet)==> [pfSense]
    Desired Traffic: [my LAN] -> ( [pfSense] -> [linux client] ) -> [remote LAN with many subnets]

    It's not clear which configuration is ideal for this, and for my attempt I tried a Site-to-Site static key configuration.  I was able to establish a connection but could not route traffic.  Here is what I tried:

    pfSense: Created a server config as follows:

    • IPv4 Tunnel Network: 198.18.0.0/24 (this subnet is not used anywhere else locally or remotely)
    • IPv4 Remote Networks look like this: 10.0.0.0/8,122.181.160.40/29,157.189.192.0/23,157.189.196.0/23,172.16.175.0/24,172.20.1.0/24,172.20.11.0/24,172.20.52.0/24,172.29.0.64/26,172.30.0.0/16,172.31.0.0/16,192.168.0.0/16,193.26.192.0/23,193.26.196.0/27,193.26.196.128/25,193.26.196.64/27,193.26.196.96/27,193.26.197.0/25,193.26.197.128/26,193.26.197.200/31,193.26.197.204/30,193.26.197.208/28,193.26.197.224/27,193.26.201.0/24,193.26.206.0/24,195.20.210.128/25,208.79.149.0/24,53.0.0.0/10,53.64.0.0/11
    • Added a WAN Rule: IPv4 UDP * * This Firewall 12345 * none
    • Added an OpenVPN Rule: IPv4 * * * * * * none
    • LAN already had a * rule.
    • Cipher: AES-256-CBC

    Client: Created an openvpn conf file:
    # static-key point-to-point mode: no TLS, nothing is pushed from the server
    dev tun
    remote my.pfsense.domain 12345
    # local tunnel address, then the pfSense end
    ifconfig 198.18.0.2 198.18.0.1
    secret static.key
    cipher AES-256-CBC
    verb 3

    The connection is established and the new route looks like this on the client:
    198.18.0.1      0.0.0.0        255.255.255.255 UH    0      0        0 tun0

    And on the pfSense end:

    Destination Gateway Flags Use Mtu Netif Expire
    10.0.0.0/8 198.18.0.2 UGS 3 1500 ovpns2
    53.0.0.0/10 198.18.0.2 UGS 0 1500 ovpns2
    53.64.0.0/11 198.18.0.2 UGS 0 1500 ovpns2
    122.181.160.40/29 198.18.0.2 UGS 0 1500 ovpns2
    157.189.192.0/23 198.18.0.2 UGS 28 1500 ovpns2
    157.189.196.0/23 198.18.0.2 UGS 0 1500 ovpns2
    172.16.175.0/24 198.18.0.2 UGS 0 1500 ovpns2
    172.20.1.0/24 198.18.0.2 UGS 0 1500 ovpns2
    172.20.11.0/24 198.18.0.2 UGS 0 1500 ovpns2
    172.20.52.0/24 198.18.0.2 UGS 0 1500 ovpns2
    172.29.0.64/26 198.18.0.2 UGS 0 1500 ovpns2
    172.30.0.0/16 198.18.0.2 UGS 0 1500 ovpns2
    172.31.0.0/16 198.18.0.2 UGS 0 1500 ovpns2
    192.168.0.0/16 198.18.0.2 UGS 0 1500 ovpns2
    193.26.192.0/23 198.18.0.2 UGS 0 1500 ovpns2
    193.26.196.0/27 198.18.0.2 UGS 0 1500 ovpns2
    193.26.196.64/27 198.18.0.2 UGS 0 1500 ovpns2
    193.26.196.96/27 198.18.0.2 UGS 0 1500 ovpns2
    193.26.196.128/25 198.18.0.2 UGS 0 1500 ovpns2
    193.26.197.0/25 198.18.0.2 UGS 0 1500 ovpns2
    193.26.197.128/26 198.18.0.2 UGS 0 1500 ovpns2
    193.26.197.200/31 198.18.0.2 UGS 0 1500 ovpns2
    193.26.197.204/30 198.18.0.2 UGS 0 1500 ovpns2
    193.26.197.208/28 198.18.0.2 UGS 0 1500 ovpns2
    193.26.197.224/27 198.18.0.2 UGS 0 1500 ovpns2
    193.26.201.0/24 198.18.0.2 UGS 0 1500 ovpns2
    193.26.206.0/24 198.18.0.2 UGS 0 1500 ovpns2
    195.20.210.128/25 198.18.0.2 UGS 0 1500 ovpns2
    198.18.0.2 link#8 UH 0 1500 ovpns2
    208.79.149.0/24 198.18.0.2 UGS 0 1500 ovpns2

    Am I even going in the right direction?  Should this be working at this point?  (I tried from my LAN machines and via ping in pfSense, no go)
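The client-side pieces that a reverse site-to-site of this shape needs, as an added example (not the poster's files and not pfSense output): the Linux end has to forward, it needs a route back into the pfSense LAN (static-key mode pushes nothing, so the `route` line has to be in the client config), and it has to either masquerade or have the remote subnets route the pfSense LAN back to it. The tunnel addresses 198.18.0.2/198.18.0.1 and port 12345 are the post's; everything else is assumed: the pfSense LAN is stood in by 203.0.113.0/24, the client's interface towards the remote subnets is `eth0`, the file names under `/etc/openvpn` are made up, and firewalling is done with iptables.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the client config plus
# the up/down scripts for the "reverse" site-to-site: the Linux client dials
# pfSense, and hosts on the pfSense LAN reach the subnets behind the client.
#
# Assumed values (none appear in the post):
LOCAL_LAN_NET=203.0.113.0        # stand-in for the LAN behind pfSense
LOCAL_LAN_MASK=255.255.255.0
LOCAL_LAN_CIDR=203.0.113.0/24
EGRESS=eth0                      # client interface facing the remote subnets

# Client config. Compared with the post's, it adds a "route" for the pfSense
# LAN (otherwise replies to 203.0.113.x leave via the default gateway, not
# tun0) and hooks the forwarding/NAT setup to the tunnel coming up.
# $1 = directory the scripts will live in.
gen_client_conf() {
  dir=$1
  cat <<EOF
dev tun
remote my.pfsense.domain 12345
ifconfig 198.18.0.2 198.18.0.1
secret static.key
cipher AES-256-CBC
# return path for traffic that originated on the pfSense LAN
route ${LOCAL_LAN_NET} ${LOCAL_LAN_MASK}
# let OpenVPN run the scripts below when tun0 comes up / goes down
script-security 2
up ${dir}/reverse-up.sh
down ${dir}/reverse-down.sh
verb 3
EOF
}

# Firewall/NAT script. $1 = A to add rules (up script) or D to delete them
# (down script). OpenVPN passes the tun device name as the script's $1.
gen_fw_script() {
  act=$1
  cat <<EOF
#!/bin/sh
# Called by OpenVPN; \$1 is the tun device name it passes to up/down scripts.
TUN=\$1
EOF
  if [ "$act" = A ]; then
    echo 'sysctl -w net.ipv4.ip_forward=1'
  fi
  cat <<EOF
# Forward only what arrived over the tunnel from ${LOCAL_LAN_CIDR}, plus the
# replies; nothing else may transit this host into the remote subnets.
iptables -${act} FORWARD -i "\$TUN" -o ${EGRESS} -s ${LOCAL_LAN_CIDR} -j ACCEPT
iptables -${act} FORWARD -i ${EGRESS} -o "\$TUN" -d ${LOCAL_LAN_CIDR} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Masquerade so the remote subnets answer to this host and need no route back
# to ${LOCAL_LAN_CIDR}; conntrack un-NATs the reply and the "route" line in
# the client config then sends it into the tunnel.
iptables -t nat -${act} POSTROUTING -s ${LOCAL_LAN_CIDR} -o ${EGRESS} -j MASQUERADE
EOF
}

# Write all three files into $1 (e.g. /etc/openvpn) and make the scripts
# executable by root only.
install_reverse_s2s() {
  dir=$1
  gen_client_conf "$dir" > "$dir/reverse.conf"
  gen_fw_script A > "$dir/reverse-up.sh"
  gen_fw_script D > "$dir/reverse-down.sh"
  chmod 0700 "$dir/reverse-up.sh" "$dir/reverse-down.sh"
}

# Usage on the client (as root):  install_reverse_s2s /etc/openvpn
#                                 openvpn --config /etc/openvpn/reverse.conf
```

After the tunnel is up, `ip route get 203.0.113.5` on the client should name `tun0`, and a traceroute from a pfSense LAN host to one of the remote subnets should show 198.18.0.2 as the hop after pfSense. The FORWARD rules deliberately accept only sources in the pfSense LAN, so the client cannot be used as a relay into the remote network by anything else that reaches its tun0. Static-key mode also gives no forward secrecy; if the remote subnets carry anything sensitive, the same routing and NAT layout works unchanged with a TLS (certificate) peer-to-peer configuration instead of `secret`.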

