How to route site-to-site vpn through pfSense to peer-to-peer?



  • I'm sure this is possible, just that I'm not figuring it out.

    Here is the scenario. Site A is IP address segment 192.168.10.x Site B is IP address segment 192.168.50.x. Site A is an OpenVPN client to a OpenVPN host at Site B with a site-to-site OpenVPN host.

    Right now I have no issues passing traffic between both sites. Since Site A is on a dynamic IP, and the ISP is using private address space, there is no way to setup up a direct peer-to-peer VPN into Site A.

    Site B currently has a peer-to-peer OpenVPN host. When connecting a client (phone, PC) there is no problem accessing Site B (192.168.50.x) resources.

    What I'd like to be able to do is to open a peer-to-peer session into Site B, and then use that connection to access resources at site A. Seems to be a routing issue, but not sure how to do this.

    Diagram --
    PC Client ------ tunnel network 10.0.23.0/24 ------ Site B (192.168.50.x) ------ tunnel network 10.0.22.0/24 ----- Site A (192.168.10.x)

    Thoughts anyone?


  • Netgate

    If it is a TLS OpenVPN setup, add 10.0.23.0/24 to the Local Networks on the OpenVPN server on Site B.

    If it is a shared key OpenVPN setup, add 10.0.23.0/24 to the Remote Networks at Site A.



  • @derelict

    Thank you


  • Netgate

    Did it work?



  • Yes.

    Another question.

    Same network. Is it possible to NAT from the the outside IP of site B thru the site-to-site VPN to a specific machine on site A?

    I tried a simple NAT (port 80) to the outside IP on router B to an IP on Site A, but no luck.

    Thanks again.


  • Netgate

    Yes.

    Fairly advanced OpenVPN concept though.

    You have to assign an interface to the OpenVPN client instance at Site A and be sure that the port-forwarded traffic does not match the firewall rules on the Site A side's OpenVPN tab and only matches a firewall rule on the assigned interface tab at Site A. This gets reply-to working there preventing the reply traffic from the port-forward target host from being routed out the default gateway at Site A and routing back through the tunnel instead.

    I am not certain this specific use case was covered but you might do well to watch this:

    https://www.youtube.com/watch?v=ku-fNfJJV7w