Connect VPN Clients to Local network behind other client...



  • Hi Everybody!

I'm struggling with setting up pfSense as a VPN server....

I have my main pfSense running in a VM on Proxmox with 2 network interfaces connected, one for WAN and the other one for LAN. I set up an OpenVPN server in Remote Access (SSL/TLS) mode. All the required certs and the CA are working, so the basic setup is working. I'm using the /30 topology and client-specific overrides to make sure all users get the same IP any time they connect. This is also working fine.
The 3 clients are Windows/Mac machines with the OpenVPN client, and 3 pfSense boxes running on ALIX boards.

    But here is my problem....

Let me explain my structure first:

    Location: Homeoffice

    Internet: dynamic IP with DDNS Service
    |
    |
    Router: IP 192.168.178.1
    |
    |
    pfsense: IP 192.168.178.10
    |
    |
    OpenVPN Server with 10.10.1.0/24 tunnel network

Location: Office 2 (pfSense running on ALIX)

    Internet: dynamic IP with DDNS Service
    |
    |
    Router: IP 192.168.20.1
    |
    |wan - 192.168.20.10
    pfsense box 1--------------------------------------------------------- connected to VPN Server with 10.10.1.6
    |lan - 192.168.2.1 |opt1 - 192.168.1.1

Location: Office 3 (pfSense running on ALIX)

    Internet: dynamic IP with DDNS Service
    |
    |
    Router: IP 192.168.30.1
    |
    |wan - 192.168.30.10
    pfsense box 2--------------------------------------------------------- connected to VPN Server with 10.10.1.10
    |lan - 192.168.3.1 |opt1 - 192.168.1.1

Location: Office 3 (pfSense running on ALIX)

    Internet: dynamic IP with DDNS Service
    |
    |
    Router: IP 192.168.40.1
    |
    |wan - 192.168.40.10
    pfsense box 3--------------------------------------------------------- connected to VPN Server with 10.10.1.14
    |lan - 192.168.4.1 |opt1 - 192.168.1.1

Users connected from different locations via DSL or LTE:

    User-01: --------------------------------------------------------- connected to VPN Server with 10.10.1.18

    User-02: --------------------------------------------------------- connected to VPN Server with 10.10.1.22

    User-03: --------------------------------------------------------- connected to VPN Server with 10.10.1.26

All 3 pfSense boxes connect to the VPN server in the home office without any problem and receive the same IP address any time they connect.

All the users connected through PC/Mac are also getting a unique IP any time they connect.

I can see all pfSense boxes and users connected in my main pfSense web interface.

    Here is where I want to get to:

I want User-01 only to reach/ping the local net behind OPT1 on pfSense box 1,
User-02 only to reach/ping the local net behind OPT1 on pfSense box 2,
User-03 only to reach/ping the local net behind OPT1 on pfSense box 3.

The local networks behind OPT1 are all in the same range (192.168.1.0/24), and this cannot be changed because there are machines running with fixed IP addresses in this range.

I'm pretty sure that this will need some routes and firewall rules, but I really have no idea where to start.

It would be fine if someone could give me an idea about where to start......

    Thank you!!


  • Rebel Alliance

Conflicting subnets are nasty and you should avoid them and renumber.
Anyway, here is a workaround for your problem: https://www.netgate.com/docs/pfsense/vpn/openvpn/connecting-openvpn-sites-with-conflicting-ip-subnets.html

    -Rico
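The workaround Rico links to keeps the real 192.168.1.0/24 untouched at every site and instead has each remote box present its OPT1 network over the VPN as a different, unique range via 1:1 NAT; the server then routes and filters on those translated ranges. The following script is an added example (not from the original thread or from Netgate) that models this for the topology above: it checks that the chosen translated ranges collide with nothing, shows how a real OPT1 host address maps to its VPN-facing address, and generates the server-side override and per-user firewall rules. The translated ranges 10.20.1.0/24 to 10.20.3.0/24 and the user-to-site assignment are assumptions for illustration; the tunnel and LAN addresses are the ones posted.

```python
"""Plan the 1:1 NAT workaround for overlapping OPT1 subnets behind OpenVPN clients.

Constructed example. Tunnel IPs, LAN ranges and the shared OPT1 range come from the
thread; the translated 10.20.x.0/24 ranges and the user -> site mapping are assumed.
"""
import ipaddress
from dataclasses import dataclass

TUNNEL_NET = ipaddress.ip_network("10.10.1.0/24")   # OpenVPN tunnel network (from the thread)
OPT1_NET = ipaddress.ip_network("192.168.1.0/24")    # identical OPT1 range at every site


@dataclass(frozen=True)
class Site:
    name: str
    tunnel_ip: str    # address the box receives via its client-specific override
    lan: str          # the box's own, already unique, LAN
    translated: str   # assumed unique /24 that represents OPT1 on the VPN side


SITES = [
    Site("box1", "10.10.1.6", "192.168.2.0/24", "10.20.1.0/24"),
    Site("box2", "10.10.1.10", "192.168.3.0/24", "10.20.2.0/24"),
    Site("box3", "10.10.1.14", "192.168.4.0/24", "10.20.3.0/24"),
]

# Assumed policy: each road-warrior user may reach exactly one site's OPT1 network.
USER_SITE = {"User-01": "box1", "User-02": "box2", "User-03": "box3"}
USER_TUNNEL_IP = {"User-01": "10.10.1.18", "User-02": "10.10.1.22", "User-03": "10.10.1.26"}


def check_no_overlap(sites):
    """Translated ranges must be distinct and clear of the tunnel net, OPT1 and every LAN."""
    fixed = [TUNNEL_NET, OPT1_NET] + [ipaddress.ip_network(s.lan) for s in sites]
    translated = [ipaddress.ip_network(s.translated) for s in sites]
    for i, t in enumerate(translated):
        others = fixed + translated[:i] + translated[i + 1:]
        for other in others:
            if t.overlaps(other):
                raise ValueError(f"{t} overlaps {other}")
    return True


def translate(site, host):
    """1:1 NAT: keep the host part of a real OPT1 address, swap in the site's translated /24."""
    real = ipaddress.ip_address(host)
    if real not in OPT1_NET:
        raise ValueError(f"{host} is not inside {OPT1_NET}")
    offset = int(real) - int(OPT1_NET.network_address)
    t = ipaddress.ip_network(site.translated)
    return str(ipaddress.ip_address(int(t.network_address) + offset))


def server_override(site):
    """Client-specific override on the server: 'iroute' tells OpenVPN which translated
    subnet lives behind this client (pfSense generates this from 'IPv4 Remote Network/s')."""
    t = ipaddress.ip_network(site.translated)
    return f"iroute {t.network_address} {t.netmask}"


def user_override(user):
    """Push only the route the user is allowed to use, so the client never tries 192.168.1.0/24."""
    site = next(s for s in SITES if s.name == USER_SITE[user])
    t = ipaddress.ip_network(site.translated)
    return f'push "route {t.network_address} {t.netmask}"'


def server_firewall_plan():
    """Rules for the server's OpenVPN interface: one pass per user, then block the rest."""
    rules = []
    for user, site_name in USER_SITE.items():
        site = next(s for s in SITES if s.name == site_name)
        rules.append(("pass", USER_TUNNEL_IP[user], site.translated))
    rules.append(("block", str(TUNNEL_NET), "any"))
    return rules


def allowed(user, dest_host):
    """Policy check: may this user reach dest_host (a translated address) over the VPN?"""
    dest = ipaddress.ip_address(dest_host)
    for site in SITES:
        if dest in ipaddress.ip_network(site.translated):
            return site.name == USER_SITE[user]
    return False   # real OPT1 addresses and anything else are never reachable


if __name__ == "__main__":
    check_no_overlap(SITES)
    for site in SITES:
        print(site.name, "->", server_override(site), "| NAT", OPT1_NET, "<->", site.translated)
    for user in USER_SITE:
        print(user, "->", user_override(user))
    print(server_firewall_plan())
```

On each remote box the matching piece is a 1:1 NAT entry on its OpenVPN client interface mapping 192.168.1.0/24 to that box's translated range, so a user pinging 10.20.1.50 is answered by 192.168.1.50 behind box 1 while box 2's 192.168.1.50 stays unreachable to that user.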



  • Hi Rico,

thank you for your answer. I had a look at your link. I think this would work, but if the LAN subnet on the pfSense boxes is changed, I need to reconfigure everything.

    Is there no option like:

On the VPN server:
Route ALL traffic from User-01 to the VPN network of pfSense box 1

On the pfSense box side:
Route ALL traffic on the VPN network to the OPT1 network

Sorry for my question, but I'm a beginner with OpenVPN and pfSense...

    Thank you so much for your support.