Netgate Discussion Forum
    Portforwarding through OpenVPN (Peer-To-Peer)

    8 Posts 3 Posters 1.1k Views

    A Former User

      Hello everyone,

      I have the following Setup:

      Internet <-> Site A PFSense <-> OpenVPN (Peer-2-Peer) <-> Site B PFSense <-> Site B LAN (ServerB)

      In this scenario, I want one UDP (or TCP) port from Site A forwarded to a specific server on Site B.
      The OpenVPN connection is established and stable (I can access ServerB from the Site A LAN). But when I configure the NAT forward rule, the connection cannot be established.

      I tried OpenVPN with tun and tap device, no difference.

      Does anyone have an idea how to do this?

      viragomann

        @yakuraku:

        But when I configure the NAT Forward Rule, the connection can not be established.

        So you probably did something wrong.

        Use tun device for this.
        You have to give more details. What are your VPN settings, tunnel network, server interface and port? Are the routes fine, so that you can access site A LAN devices from site B LAN devices?
        What exactly do you want to forward? Interface, port?

        A Former User

          I'll try to give a more detailed picture of the scenario:

          Everything is IPv4

          [Internet] <-> [WAN A]/[OpenVPNServer]/[LAN A] <-> [OpenVPN Peer2Peer] <-> [WAN B]/[OpenVPNClient]/[LAN B]

          Which OpenVPN settings do you need to help me with this? "Device Mode: tun", "Protocol: UDP", "Server Mode: Peer2Peer SSL/TLS", "Topology: Subnet - One IP address per client in a common subnet", "Interface: WAN" (<- for client & server).
          On the OpenVPN server the "Client Specific Overrides" are defined: "Local Network: LAN A", "Remote Network: LAN B", no other options checked.

          LAN A is able to access LAN B, tested via ping and curl.

          The basic scenario is to forward an HTTPS server: port 8443 on WAN A to port 8443 of a server in LAN B.

          I tried to define a gateway for LAN B on pfSense A, but I couldn't add the OpenVPN interface as a gateway.

          viragomann

            On site B you have to assign an interface to the VPN instance and enable it. No further settings are needed. After that you should move the filter rules from the OpenVPN interface to the new one.
            Maybe this already solves your issue, by adding the "reply-to" flag to packets arriving on the VPN interface.

            Derelict (LAYER 8, Netgate)

              ^^ that

              Assigned interface on OpenVPN on the destination side (site B).

              Rules that pass the traffic into OpenVPN on site B MUST NOT match on the OpenVPN tab and MUST MATCH on the assigned interface tab.

              Reply-to will send the reply traffic back through OpenVPN instead of trying to send it out the default gateway.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              viragomann

                @Derelict:

                Rules that pass the traffic into OpenVPN on site B MUST NOT match on the OpenVPN tab and MUST MATCH on the assigned interface tab.

                Does it really behave this way?
                I thought the OpenVPN interface is handled as an interface group and rules on this tab would also be applied.

                A Former User

                  Thanks for the advice so far.

                  I assigned the interface for OpenVPN, but I simply can't find where to set the "Reply-To" flag. :/

                  Derelict (LAYER 8, Netgate)

                    It happens automatically as long as the traffic on the target side is matched by the rules on the assigned interface tab and NOT by the rules on the OpenVPN group tab.

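As an added check (not from the thread or from Netgate), the script below reads a pfSense-generated ruleset and reports which "pass in" rule is the first to match the forwarded service and whether that rule carries reply-to. It assumes the /tmp/rules.debug style shown in the sample, which is constructed here; on the real site B firewall you would point it at /tmp/rules.debug.

```shell
#!/bin/sh
# Added example, not from the thread. Reports which "pass in" rule in a
# pfSense-style ruleset is the first to match the forwarded service and
# whether that rule has reply-to. Real use on site B (assumed path):
#   check_reply_to /tmp/rules.debug 192.168.2.10 8443

# CONSTRUCTED sample in rules.debug style: the OpenVPN group rule (no
# reply-to) is listed before the rule on the assigned interface OPT1
# (pfSense adds reply-to there), so the group rule wins with "quick".
SAMPLE_RULES='OpenVPN = "{ openvpn }"
OPT1 = "{ ovpnc1 }"
pass in quick on $OpenVPN inet proto tcp from any to 192.168.2.10 port 8443 tracker 1000000101 keep state label "USER_RULE: NAT https serverB"
pass in quick on $OPT1 reply-to ( ovpnc1 10.0.8.1 ) inet proto tcp from any to 192.168.2.10 port 8443 tracker 1000000102 keep state label "USER_RULE: NAT https serverB"'

# check_reply_to FILE DST_IP DST_PORT  -> prints one word:
#   group     first match is on the OpenVPN group: no reply-to, so replies
#             leave via site B's default gateway (the symptom in the thread)
#   assigned  first match is on an assigned interface and carries reply-to
#   plain     first match has no reply-to (interface without a gateway)
#   none      no pass-in rule matches that destination/port
check_reply_to() {
    awk -v dst="$2" -v port="$3" '
        $1 == "pass" && $2 == "in" &&
        index($0, " to " dst " port " port " ") > 0 {
            found = 1
            if (index($0, "on $OpenVPN") > 0) print "group"
            else if (index($0, "reply-to") > 0) print "assigned"
            else print "plain"
            exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Stand-alone demo on the constructed sample.
demo_rules=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo_rules"
echo "8443 first match: $(check_reply_to "$demo_rules" 192.168.2.10 8443)"
rm -f "$demo_rules"
```

If the result is "group", the rule on the OpenVPN tab is shadowing the assigned-interface rule and should be removed or moved, which is the fix the last two replies describe.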