Port forwarding through OpenVPN (Peer-To-Peer)



  • Hello all,

    I have the following setup:

    Internet <-> Site A PFSense <-> OpenVPN (Peer-2-Peer) <-> Site B PFSense <-> Site B LAN (ServerB)

    In this scenario, I want one UDP (or TCP) port from Site A forwarded to a specific server on Site B.
    The OpenVPN connection is established and stable (I can access ServerB from the Site A LAN). But when I configure the NAT forward rule, the connection cannot be established.

    I tried OpenVPN with tun and tap device, no difference.

    Does anyone have an idea how to do this?



  • @yakuraku:

    But when I configure the NAT forward rule, the connection cannot be established.

    So you probably did something wrong.

    Use tun device for this.
    You have to give more details. What are your VPN settings, tunnel network, server interface and port? Are the routes fine, so that you can access site A LAN devices from site B LAN devices?
    What exactly do you want to forward? Interface, port?



  • I'll try to give a more detailed picture of the scenario:

    Everything is IPv4

    [Internet] <-> [WAN A]/[OpenVPNServer]/[LAN A] <-> [OpenVPN Peer2Peer] <-> [WAN B]/[OpenVPNClient]/[LAN B]

    Which OpenVPN settings do you need to help me with this? "Device Mode: tun", "Protocol: UDP", "Server Mode: Peer2Peer SSL/TLS", "Topology: Subnet - One IP address per client in a common subnet", "Interface: WAN" (<- for client & server)
    On the OpenVPN server, the "Client Specific Overrides" are defined: "Local Network: LAN A", "Remote Network: LAN B", no other options checked.

    LAN A is able to access LAN B, tested via ping and curl.

    The basic scenario is to forward an HTTPS server via port 8443 on WAN A to port 8443 of a server in LAN B.

    I tried to define a gateway for LAN B on pfSense A, but I couldn't add the OpenVPN interface as a gateway.



  • On site B you have to assign an interface to the VPN instance and enable it. No further settings needed. After that you should move the filter rules from the OpenVPN interface to the new one.
    Maybe this solves your issue already, by adding the "reply-to" flag to packets arriving on the VPN interface.


  • Netgate

    ^^ that

    Assigned interface on OpenVPN on the destination side (site B).

    Rules that pass the traffic into OpenVPN on site B MUST NOT match on the OpenVPN tab and MUST MATCH on the assigned interface tab.

    Reply-to will send the reply traffic back through OpenVPN instead of trying to send it out the default gateway.



  • @Derelict:

    Rules that pass the traffic into OpenVPN on site B MUST NOT match on the OpenVPN tab and MUST MATCH on the assigned interface tab.

    Does it really behave this way?
    I thought the OpenVPN interface is handled as an interface group and rules on this tab would also be applied.



  • Thanks for the advice so far.

    I assigned the interface for OpenVPN, but I simply can't find where to set the "Reply-To" flag. :/


  • Netgate

    It happens automatically as long as the traffic on the target side is matched by the rules on the assigned interface tab and NOT by the rules on the OpenVPN group tab.
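    The difference between the two rule placements, written out as pf rules in the style pfSense generates. This is an added illustration, not a ruleset from the thread or from pfSense itself; every address and interface name is constructed (WAN A em0 = 203.0.113.10 with gateway 203.0.113.1, tunnel 10.0.8.0/24 with site A = 10.0.8.1 on ovpns1 and site B = 10.0.8.2 on ovpnc1, ServerB = 192.168.2.10 in LAN B). pfSense evaluates floating rules first, then interface-group rules (the OpenVPN tab, group name "openvpn"), then the per-interface tabs, and only rules on an assigned interface get a reply-to clause; a matching group rule is therefore a state without reply-to, and ServerB's replies follow site B's default route out WAN B instead of returning through the tunnel.

```pf
# ---- Site A pfSense (constructed example) ----
# Port forward on WAN A: public 8443 -> ServerB behind the tunnel.
rdr on em0 inet proto tcp from any to 203.0.113.10 port 8443 -> 192.168.2.10 port 8443
# Associated pass rule; reply-to on WAN returns replies to the WAN gateway,
# not into the tunnel, so the state on site A stays symmetric.
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 192.168.2.10 port 8443 flags S/SA keep state
# Routing (from the "Remote Network: LAN B" setting): 192.168.2.0/24 via 10.0.8.2 on ovpns1

# ---- Site B pfSense ----
# WRONG placement: rule on the OpenVPN group tab. The group has no gateway,
# so no reply-to is attached. Because it is evaluated before the interface
# tab and is "quick", it wins, and the reply from 192.168.2.10 leaves via
# the default route (WAN B): the TCP handshake never completes.
pass in quick on openvpn inet proto tcp from any to 192.168.2.10 port 8443 flags S/SA keep state

# RIGHT placement: rule on the assigned interface tab (OPT1 bound to ovpnc1).
# pfSense attaches reply-to with the tunnel peer as gateway, so the reply
# state forces return traffic back through the VPN to site A.
pass in quick on ovpnc1 reply-to (ovpnc1 10.0.8.1) inet proto tcp from any to 192.168.2.10 port 8443 flags S/SA keep state
```

    Keep only the second site B rule: as long as nothing on the OpenVPN tab matches the forwarded traffic, the assigned-interface rule creates the state and the reply-to behaviour described above happens without any extra setting. On a running pfSense box the generated rules can be inspected with `pfctl -sr` to confirm which rule carries the `reply-to` clause.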