OpenVPN site-to-site port forwarding



  • Hello

    Where can I find a complete guide on this? The only thing I can find is a mess.



  • Why do you need port forwarding? That's normally used with NAT, which you wouldn't likely be using with a VPN.



  • Hello

    What I need is an example:

    open a port on site A that points to a server at site B

    wan > siteA > siteB > server



  • Port forward site A
    (screenshot: Portforward siteA.png)

    OpenVPN interface site A
    (screenshot: Openvpn interface SITEA.png)

    Firewall rule site A
    (screenshot: Firewall rule siteA.png)

    OpenVPN interface site B
    (screenshot: Openvpn interface siteB.png)

    Firewall rule site B
    (screenshot: Firewall rule siteB.png)

    I hope it helps



  • Okay, tested some more: as soon as I enable the interfaces for the WANVPN, the tunnel dies and I can't ping across it.


  • Netgate

    You have to bounce the OpenVPN tunnel after you assign the interface. This is said everywhere that talks about assigning interfaces to OpenVPN tunnels.

    What rules are on the OpenVPN tab next to WANVPN?

    I assume that is the side of the tunnel where the target server is homed and LAN there is 10.0.0.0/24?



  • Hey

    There are no rules in the OpenVPN tab on either site.

    LAN at site B (client) is 10.0.0.0/24; I want to open port 8006 on 10.0.0.2.
    LAN at site A (server) is 10.8.10.0/24.

    Both sites got an IP on the interface tab after I restarted OpenVPN.


  • Netgate

    Then you probably need to check on the server why it is not responding. Looks like everything is in place that needs to be (assuming there really are no rules on the OpenVPN tab at Site B).

    Attempt a connection then do Diagnostics > States on the Site B side and filter on 8006. What do you see?

    Packet capture on Site B LAN filtering on address 10.0.0.2 and port 8006 and attempt a connection. What do you see?

    What do the server logs on 10.0.0.2 say?

    The LAN network at Site A is not a party to this traffic.



  • (screenshot: state.png)

    (screenshot: openvpntap.png)



  • But I should still be able to reach site A from site B, i.e. ping 10.8.10.1 from 10.0.0.1, right?

    Never mind, that works:

    Reply from 10.8.10.1: bytes=32 time=23ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=22ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=23ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=23ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=22ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=22ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=23ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=22ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=24ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=22ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=23ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=23ms TTL=63
    Reply from 10.8.10.1: bytes=32 time=22ms TTL=63


  • GOT IT WORKING!!!!

    Before, I was trying from my desktop located at 10.0.0.204, and that did not work. Then I took my laptop, connected to my phone hotspot, and boom, there was a connection.

    Let's say I set up a mail server on port 25. Now I know how to get incoming traffic, but what about outgoing via the VPN?


  • Netgate

    You would have to policy route those connections on the local interface out the OpenVPN gateway and the other side would need to perform Outbound NAT for that traffic out its internet connection.
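    As an added illustration (not part of the thread, and not Netgate's or pfSense's own tooling), the POSIX shell script below applies the checks discussed above to a state-table dump: the "Diagnostics > States, filter on 8006" check for the inbound port forward at Site B, and a check that Site A holds an outbound NAT state for the remote LAN host, which is what the policy-route-plus-outbound-NAT setup for outgoing mail should produce. On pfSense the command-line equivalent of Diagnostics > States is `pfctl -ss`; the two dumps embedded here are constructed samples in approximately that format. The addresses 203.0.113.10, 198.51.100.5 and 192.0.2.25 are placeholders from documentation ranges, and the interface names `ovpnc1`, `ovpns1` and `wan` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a pf state table dump for
# the two traffic paths discussed above. On pfSense `pfctl -ss` prints the
# same information as Diagnostics > States. The dumps below are constructed
# samples in approximately that format, not real captures; 203.0.113.10,
# 198.51.100.5 and 192.0.2.25 are placeholder addresses.

# Site B (where 10.0.0.2 lives): one inbound connection that arrived through
# the tunnel and was passed to the server on 8006, plus an unrelated DNS state.
SITE_B_STATES='ovpnc1 tcp 203.0.113.10:51234 -> 10.0.0.2:8006       ESTABLISHED:ESTABLISHED
all udp 10.0.0.5:53 <- 10.0.0.204:40001       MULTIPLE:MULTIPLE'

# Site A: the port forward on WAN (translated endpoint in parentheses), the
# same connection leaving over the tunnel, and the mail server's outbound SMTP
# session being NATed out Site A's WAN.
SITE_A_STATES='wan tcp 10.0.0.2:8006 (198.51.100.5:8006) <- 203.0.113.10:51234       ESTABLISHED:ESTABLISHED
ovpns1 tcp 203.0.113.10:51234 -> 10.0.0.2:8006       ESTABLISHED:ESTABLISHED
wan tcp 198.51.100.5:61000 (10.0.0.2:45000) -> 192.0.2.25:25       ESTABLISHED:ESTABLISHED'

# has_state DUMP HOST:PORT
# Succeeds if any tcp state in DUMP involves HOST:PORT, either as a bare
# endpoint or as the translated endpoint shown in parentheses.
has_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                f = $i
                gsub(/[()]/, "", f)
                if (f == want) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# check_forward SITE_B_DUMP HOST PORT
# Echoes a one-line verdict following the troubleshooting logic in the thread:
# a state on Site B means the firewall passed the connection, so the next
# place to look is the server itself; no state means the traffic never
# arrived through the tunnel.
check_forward() {
    if has_state "$1" "$2:$3"; then
        echo "state for $2:$3 present on Site B: firewall passed it, check the server on $2"
    else
        echo "no state for $2:$3 on Site B: traffic not arriving, check the Site A port forward and the OpenVPN tab rules"
    fi
}

# check_outbound SITE_A_DUMP LANHOST
# Succeeds if Site A holds a tcp state whose translated (parenthesised)
# endpoint belongs to LANHOST, i.e. outbound NAT on Site A is covering the
# traffic that Site B policy-routed into the tunnel.
check_outbound() {
    printf '%s\n' "$1" | awk -v host="$2" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^\(/) {
                    f = $i
                    gsub(/[()]/, "", f)
                    split(f, a, ":")
                    if (a[1] == host) found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Packet-capture counterpart of the same check on the Site B LAN interface
# (interface name assumed): tcpdump -ni <lan_if> host 10.0.0.2 and port 8006

check_forward "$SITE_B_STATES" 10.0.0.2 8006
if check_outbound "$SITE_A_STATES" 10.0.0.2; then
    echo "Site A has an outbound NAT state for 10.0.0.2"
fi
```

    Running it against a live box would mean replacing the embedded samples with `pfctl -ss` output from each firewall; the matching is deliberately loose about column order, since the direction arrow and the translated endpoint move around depending on whether the state was created by a port forward or by outbound NAT.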



  • Okay

    So a firewall rule on site B?
    And outbound NAT on site A?



  • From what I can Google:
    make a firewall rule with source 10.0.0.2, port 25, and under the Advanced tab select the VPN GW? Right?



  • Does anyone know how I should do this?



  • Hello

    Okay, I got it working now :)