Route traffic of local IP through OpenVPN site-to-site client?



  • I have 2 pfSense boxes with site-to-site OpenVPN set up. Site A is primary, and Site B is remote. Site B is sitting behind NAT, so it had to be the client connecting to Site A's OpenVPN server to form the site-to-site. I want to route the traffic of certain client IPs at Site A through to Site B. How do I configure NAT/routing at Site A to accomplish this?



  • Assign an interface to the OpenVPN instances and activate it on both sites if you haven't already done so.
    This causes pfSense to create a gateway for the VPN using the remote host IP.

    That gateway can then be used for policy routing.
    To do so, add all IPs you want to route over the VPN to an alias. Then add a firewall pass rule to the interface the traffic is coming in on; at source use the alias, and at destination set the destination IP you want, or any if you want to direct the whole traffic from the source devices to the other site.
    Expand the advanced options, go to gateway and select the appropriate OpenVPN gateway.

    If the destination is on the internet, you additionally need an outbound NAT rule for these source networks at site B.



  • For the interface, do I need to add it on both sides? What IP do I give the gateway after adding the interface, or is it arbitrary?



  • Yes, interfaces should be assigned on both sites.
    There is no interface configuration needed; only assign it to the OpenVPN instance, enable it and set a friendly name if you want.
    The IP configuration is done by OpenVPN.



  • Well, I went and added, then deleted, the interface on site B for the site-to-site OpenVPN, and now I have lost the ability to connect to it completely. I can still see it connect to the pfSense at Site A, but I cannot route to Site B's pfSense IP...



  • Tried to restart the box at site B?

    Basically, adding an interface to the VPN instance should do nothing other than induce pfSense to add the reply-to flag to packets coming in on that interface.
    However, if you only direct internal traffic from A to B and have set that source in the "Remote Network" at B, the interface is not necessary.



  • Yea, that fixed it. I didn't have to add a gateway on the pfSense at site B. I added the interface/gateway on the site A side and created rules in the LAN tab to route IPs in the alias over to the site-to-site interface gateway. Then I pushed the routes to site B in the site-to-site OpenVPN server configuration on site A. On site B, I only needed to create NAT outbound rules so that packets would be able to get out to the internet.
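
The setup the thread arrives at, sketched in plain pf.conf syntax as an added example (not from the thread and not a ruleset generated by pfSense). Interface names, the table name and all addresses are constructed assumptions; the two fragments belong to two different firewalls.

```pf
# ---------- Site A fragment (OpenVPN server side) ----------
# Assumed names: em1 = LAN, ovpns1 = assigned OpenVPN interface,
# 10.0.8.2 = site B's tunnel address, which serves as the VPN gateway.
lan_if  = "em1"
lan_net = "192.168.10.0/24"
vpn_if  = "ovpns1"
vpn_gw  = "10.0.8.2"

# The alias from the thread: only these LAN hosts leave via site B.
table <via_site_b> const { 192.168.10.50, 192.168.10.51 }

# Policy-routing pass rule on the interface the traffic comes in on.
# route-to overrides the routing table for matching packets, and "quick"
# stops evaluation so the general LAN rule below never sees them.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet \
    from <via_site_b> to any keep state

# All other LAN hosts keep using site A's normal default route.
pass in quick on $lan_if inet from $lan_net to any keep state

# ---------- Site B fragment (OpenVPN client side) ----------
# Assumed names: em0 = WAN, ovpnc1 = OpenVPN client interface.
# Site B also needs a route back to 192.168.10.0/24 over the tunnel;
# the thread handles that with the "Remote Network" setting and the
# routes pushed from site A.
wan_if     = "em0"
vpn_if_b   = "ovpnc1"
site_a_lan = "192.168.10.0/24"

# Outbound NAT scoped to site A's source network only, not "any", so
# nothing else arriving over the tunnel gets translated to the internet.
nat on $wan_if inet from $site_a_lan to any -> ($wan_if)

# Let the tunnelled traffic in at site B; keep the source just as narrow.
pass in quick on $vpn_if_b inet from $site_a_lan to any keep state
```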

