OpenVPN 1 server Many Clients



Hello,

And thank you in advance for taking the time to read and hopefully help or provide some useful tips and recommendations. :)

I have the following topology:

    Pfsense –- WAN ---- Real IP-A ( Real IP-B as Virtual IP )
    |
    |----------- VPN0 ( Server peerTopeer )  10.0.0.1/24
    |
    |----------- VPN1 ( Server peerTopeer )  10.0.1.1/24  <------------- Cloud Server 1 ( connected via openvpn ) 10.0.1.2/24
    |
    |----------- VPN2 ( Server clientaccess )  10.0.2.1/24  <-------------  Pfsense ( at home as client ) 10.0.2.2/24
                                                                                                        |
                                                                                                        |-------- LAN1 ( 172.16.1.254/24 ) -------- Switch ------

What I am trying to accomplish is a cloud network: one pfSense box as gateway/firewall with multiple real IP addresses used to accept VPN connections, which also publishes the services of the cloud servers connected to the VPN1 interface (VPN1 acting as a LAN interface).

The cloud servers redirect all traffic through the VPN, with a 1:1 NAT rule for each server to translate to a real IP, and firewall rules on the WAN interface to allow access to services such as email and web servers.

Everything up to now is working flawlessly; the services are accessible from the outside.

The problem I am having is this: I created a new VPN, VPN2, just for admin purposes (to manage the cloud services). The other side of the tunnel is another pfSense box acting as client. The connection is up and the peers can ping each other properly; however, LAN1 on pfSense 2 cannot reach VPN1 on pfSense 1 unless I NAT on pfSense 1.

My problem is that if I do NAT, I won't be able to use restrictive rules based on IPs, since any LAN address will be translated to the VPN IP of pfSense 2, hence no restrictions could be applied.

After more research I understand that routing via OpenVPN needs to be inside the configuration files (remote and local subnets); however, I do not have any local subnets behind my cloud servers, I need to route the VPN IP itself.

I need subnet 172.16.1.0/24 to reach 10.0.1.0/24 using the following route:
172.16.1.1 ---> 172.16.1.254 --> 10.0.2.2 --> 10.0.2.1 --> 10.0.2.2

My questions:
1- Do I need to have static routes on both ends, pfSense 1 and 2?
2- Do I need to have gateways added on both pfSense boxes? If yes, what should the gateway on pfSense 2 be, its own VPN interface IP or the VPN interface IP of pfSense 1?
3- How would I go about using remote and local routes? Any proper tutorial explaining those 2 fields would be most welcome.

Thank you again, and looking forward to any suggestions.
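As an added illustration that is not part of the original post or any reply: the server-side OpenVPN directives on pfSense 1 (VPN2 instance) that let a LAN behind a connecting client be routed without NAT, using the subnets from the topology above. The client common name `pfsense-home` and the `client-config-dir` path are assumptions; the `route`/`iroute`/`push` semantics are standard OpenVPN server-mode behaviour, and the GUI field names are the pfSense equivalents.

```conf
# VPN2 server instance on pfSense 1 (added example, not the poster's config)
# Tunnel network: server 10.0.2.1, client pfSense 2 gets 10.0.2.2
server 10.0.2.0 255.255.255.0

# Kernel route on pfSense 1: packets for the home LAN enter the VPN2 tunnel.
# pfSense GUI: "IPv4 Remote network(s)" on the OpenVPN server.
route 172.16.1.0 255.255.255.0

# In server mode OpenVPN must also learn WHICH client owns that LAN,
# otherwise the kernel route exists but OpenVPN drops the packets.
# Path below is an assumption; pfSense generates its own ccd directory.
client-config-dir /var/etc/openvpn/server2/ccd
# Contents of the file named after the client's certificate common name
# (assumed "pfsense-home"), i.e. /var/etc/openvpn/server2/ccd/pfsense-home
# pfSense GUI: Client Specific Override -> "IPv4 Remote network(s)":
#   iroute 172.16.1.0 255.255.255.0

# Push the cloud-side subnet to the client: pfSense 2 installs this route
# with gateway 10.0.2.1 automatically, so no manual gateway is needed there.
# pfSense GUI: "IPv4 Local network(s)" on the OpenVPN server.
push "route 10.0.1.0 255.255.255.0"
```

With the routes carried by OpenVPN instead of outbound NAT, the firewall rules on pfSense 1's VPN2 interface see the real 172.16.1.x source addresses and can be as restrictive as needed; pfSense 2 still needs its own LAN rule permitting 172.16.1.0/24 to 10.0.1.0/24.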