How to route VPN traffic accross multiple LAN subnets

  • Good day,

    I have two physically separate sites each with their own lan subnets.

    The primary site where the server is has subnet The second site is

    The sites are connected with a Ubiquiti wireless bridge using a separate subnet

    To achieve routing I have a pfSense VM on each site. So far the terminals on site B can communicate with the server on site A and visa versa. But now I need to connect a remote vpn client to a OpenVPN AS server at site B and have it communicate with the server at site A.

    The graphic gives a bit a clearer picture. 2nd VPN.jpg
    I am using static routes to facilitate communication between subnet and over

    Now my VPN client and server has an IP address from

    My question is where should I put what static routes to facilitate communication from the VPN client to the server and visa versa?

  • Not clear how the routing is working here. Static routes have to be set on the default gateway to get it work without additional configurations. However, it doesn't seem that the pfSense doing your routing between the sites are the default gateways.

    Anyway, if it works for the to sites it should work for the VPN as well.
    But that requires that pfSense2 has a route to the VPN client tunnel network.

    On the VPN server push the routes for both local networks, and to the client.
    On site A add a route for the VPN tunnel subnet to pfSense pointing to pfSense2.

    Otherwise you have to offer more infos about your actual routing.

  • LAYER 8 Global Moderator

    why would you not just run the vpn server on pfsense on host 1? This makes it much easier.

    Now you just need to add your remote to your local networks in your vpn server setup on pfsense.

    As long as pfsense1 uses pfsense 2 as it default route, or has a route to get to your vpn tunnel network 192.168.10, or you source nat it to your 192.168.0/24 transit.

  • @viragomann
    Thanks for the assist I think I got it.

    pfSense1 is the default gateway for
    it has a static route to where the gateway is (the OPT1 address of pfSense2)

    pfSense2 is the default gateway for and it has a static route to where the gateway is (the OPT1 address of pfSense1)

    I did add a static route to pfSense2 where the gateway is (the eth1 address of the VPN AS server) with that I was able to ping my VPN client

    I then added a static route to pfSense1 where the gateway is again
    and I added a static route to both the VPN AS server and VPN client where the gateway is (the LAN address of pfSense2)

    Lastly I added a static route to the server where the gateway is LAN port on pfSense1.

    And obviously set the appropriate firewall rules and I got a ping. So thank you for the help.

  • @johnpoz

    I do have VPN AS server on host 1. But the other day the ISP connection went down on that site so I needed an alternate connection. The VPN client just so happens to be the CEO of the company so telling him he can't work cause the internet is down on one site is not an option.

  • LAYER 8 Global Moderator

    You have pfsense on the HOST, why would you not just let it host your vpn? Its FREE vs openvpnas - which other than the 2 free licenses you have to pay for.

  • @johnpoz
    I use IPSec to create a site-to-site tunnel should the wireless bridge go down. (Hilariously, this is no longer working, but that is a different problem for a different day).

    I wanted to use the pfSense for the VPN clients but had too much problems setting it up with the win 10 clients. I only have two VPN clients so it is not really a problem at the moment.

    But I will probably sit and redesign the whole network. Or I should just get some hardware routers. The win 10 hosts are giving me hell as well.