Netgate Discussion Forum

    How to route site-to-site vpn through pfSense to peer-to-peer?

    OpenVPN
    boeingpilot

      I'm sure this is possible, just that I'm not figuring it out.

      Here is the scenario. Site A is IP address segment 192.168.10.x. Site B is IP address segment 192.168.50.x. Site A is an OpenVPN client to an OpenVPN host at Site B with a site-to-site OpenVPN host.

      Right now I have no issues passing traffic between both sites. Since Site A is on a dynamic IP, and the ISP is using private address space, there is no way to set up a direct peer-to-peer VPN into Site A.

      Site B currently has a peer-to-peer OpenVPN host. When connecting a client (phone, PC) there is no problem accessing Site B (192.168.50.x) resources.

      What I'd like to be able to do is to open a peer-to-peer session into Site B, and then use that connection to access resources at site A. Seems to be a routing issue, but not sure how to do this.

      Diagram --
      PC Client ------ tunnel network 10.0.23.0/24 ------ Site B (192.168.50.x) ------ tunnel network 10.0.22.0/24 ----- Site A (192.168.10.x)

      Thoughts anyone?

      Derelict (LAYER 8, Netgate)

        If it is a TLS OpenVPN setup, add 10.0.23.0/24 to the Local Networks on the OpenVPN server on Site B.

        If it is a shared key OpenVPN setup, add 10.0.23.0/24 to the Remote Networks at Site A.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        boeingpilot @Derelict

          @derelict

          Thank you

          Derelict (LAYER 8, Netgate)

            Did it work?

          boeingpilot

              Yes.

              Another question.

              Same network. Is it possible to NAT from the outside IP of site B through the site-to-site VPN to a specific machine on site A?

              I tried a simple NAT (port 80) to the outside IP on router B to an IP on Site A, but no luck.

              Thanks again.

              Derelict (LAYER 8, Netgate)

                Yes.

                Fairly advanced OpenVPN concept though.

                You have to assign an interface to the OpenVPN client instance at Site A and be sure that the port-forwarded traffic does not match the firewall rules on the Site A side's OpenVPN tab and only matches a firewall rule on the assigned interface tab at Site A. This gets reply-to working there preventing the reply traffic from the port-forward target host from being routed out the default gateway at Site A and routing back through the tunnel instead.

                I am not certain this specific use case was covered but you might do well to watch this:

                https://www.youtube.com/watch?v=ku-fNfJJV7w

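The routing behaviour behind both of Derelict's answers (the missing return route for the 10.0.23.0/24 road-warrior tunnel, and why a port forward across the tunnel needs reply-to on an assigned interface) can be modelled with a few longest-prefix-match tables. The following is an added example written for this thread; it is not code from the thread or from pfSense. The subnets are the ones the original post names; the interface names (WAN, LAN, ovpns1, ovpns2, ovpnc1), the host addresses 10.0.23.5, 192.168.10.20 and 203.0.113.5, and the tab names are assumptions made for the illustration.

```python
import ipaddress

# Constructed topology, using only the subnets the thread names:
#   road-warrior tunnel  10.0.23.0/24   (Site B remote-access server, ovpns2)
#   Site B LAN           192.168.50.0/24
#   site-to-site tunnel  10.0.22.0/24   (Site B server ovpns1, Site A client ovpnc1)
#   Site A LAN           192.168.10.0/24
# Interface and tab names are assumed pfSense-style names, not taken from the thread.


class Router:
    """Minimal longest-prefix-match forwarding table."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]

    def egress(self, dst):
        """Interface a packet to `dst` leaves on: the most specific matching prefix wins."""
        dst = ipaddress.ip_address(dst)
        matches = [(net, iface) for net, iface in self.routes if dst in net]
        net, iface = max(matches, key=lambda m: m[0].prefixlen)
        return iface


# Site B already knows both tunnels and Site A's LAN (the thread says traffic works).
SITE_B = Router("site-b", [
    ("0.0.0.0/0", "WAN"),
    ("192.168.50.0/24", "LAN"),
    ("10.0.22.0/24", "ovpns1"),      # site-to-site server tunnel
    ("192.168.10.0/24", "ovpns1"),   # Site A LAN ("Remote Networks" on the S2S server)
    ("10.0.23.0/24", "ovpns2"),      # remote-access server tunnel
])


def site_a(return_route):
    """Site A's table. `return_route` models the 10.0.23.0/24 route that Derelict's
    answer adds: pushed from Site B's Local Networks (TLS) or entered as a Remote
    Network on the Site A client (shared key)."""
    routes = [
        ("0.0.0.0/0", "WAN"),
        ("192.168.10.0/24", "LAN"),
        ("10.0.22.0/24", "ovpnc1"),
        ("192.168.50.0/24", "ovpnc1"),   # Site B LAN, already reachable
    ]
    if return_route:
        routes.append(("10.0.23.0/24", "ovpnc1"))
    return Router("site-a", routes)


def roadwarrior_round_trip(return_route):
    """Road warrior 10.0.23.5 talks to 192.168.10.20 at Site A.
    Returns (forward egress at Site B, reply egress at Site A)."""
    forward = SITE_B.egress("192.168.10.20")
    reply = site_a(return_route).egress("10.0.23.5")
    return forward, reply


def port_forward_reply(matched_rule_tab):
    """Internet host 203.0.113.5 (TEST-NET-3) reaches Site B's WAN and is port-forwarded
    across the tunnel to 192.168.10.20. `matched_rule_tab` is the pfSense firewall tab
    whose rule passed the packet at Site A: "ovpnc1" (assigned interface with a gateway,
    so pf adds reply-to) or "OpenVPN" (group tab, no reply-to). Returns the interface
    the server's reply leaves Site A on."""
    router = site_a(return_route=True)
    if matched_rule_tab == "ovpnc1":
        # reply-to pins the reply to the interface the state was created on,
        # regardless of what the routing table says for 203.0.113.5.
        return "ovpnc1"
    # Plain routing: nothing specific matches, so the default route (Site A's WAN)
    # wins and the reply never re-enters the tunnel.
    return router.egress("203.0.113.5")


if __name__ == "__main__":
    print("without return route:", roadwarrior_round_trip(False))   # ('ovpns1', 'WAN')
    print("with return route:   ", roadwarrior_round_trip(True))    # ('ovpns1', 'ovpnc1')
    print("rule on OpenVPN tab: ", port_forward_reply("OpenVPN"))   # WAN
    print("rule on ovpnc1 tab:  ", port_forward_reply("ovpnc1"))    # ovpnc1
```

The first function shows the asymmetry the original poster hit: Site B forwards the road warrior's packet into the site-to-site tunnel fine, but without a route for 10.0.23.0/24 Site A sends the reply out its default gateway. The second shows why the port-forward case is not fixed by routes alone: the reply is addressed to an Internet host, so only reply-to on an assigned interface keeps it inside the tunnel.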
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.