Netgate Discussion Forum
    Route traffic of local IP through OpenVPN site-to-site client?

    OpenVPN
    7 Posts 2 Posters 858 Views
    eroji

      I have 2 pfSense with site-to-site OpenVPN set up. Site A is primary, and Site B is remote. Site B is sitting behind NAT, so it had to be the client to connect to Site A's OpenVPN server and form the site-to-site. I want to route the traffic of certain client IPs at Site A through to Site B. How do I configure NAT/routing at Site A to accomplish this?

        viragomann

        Assign an interface to the OpenVPN instances and activate it on both sites if you haven't already done.
        This makes pfSense create a gateway for the VPN using the remote host IP.

        That gateway can then be used for policy routing.
        To do so, add all IPs you want to route over the VPN to an alias. Then add a firewall pass rule on the interface the traffic is coming in on; as source use the alias, as destination set the destination IP you want, or any if you want to direct the whole traffic from the source devices to the other site.
        Expand the advanced options, go to gateway and select the appropriate OpenVPN gateway.

        If the destination is in the internet, you additionally need an outbound NAT rule for this source network at site B.

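        For readers who want to see what the GUI steps above translate to underneath, here is an added illustration (not posted in this thread and not taken from pfSense's own generated ruleset) of roughly what pfSense writes into pf for the described setup: the alias becomes a pf table, the LAN rule with the OpenVPN gateway selected becomes a pass rule with route-to, the assigned interface at site B gets reply-to, and site B gets an outbound NAT rule on WAN. The interface names ovpns1/ovpnc1, the tunnel addresses 10.0.8.1/10.0.8.2, the alias name VPN_Clients, and the LAN subnet 192.168.1.0/24 are assumed values.

```pf
# Added illustration (not from the thread): approximate pf rules behind the
# GUI configuration described above. Names and addresses are assumed.

# ---------------- Site A (OpenVPN server, assigned interface ovpns1) ----------------

# The firewall alias holding the hosts that should reach site B through the tunnel.
table <VPN_Clients> { 192.168.1.50 192.168.1.51 }

# LAN pass rule with the OpenVPN gateway chosen under Advanced > Gateway.
# route-to sends matching packets into the tunnel toward the remote tunnel
# address (10.0.8.2) instead of following the default route.
pass in quick on $LAN route-to ( ovpns1 10.0.8.2 ) inet from <VPN_Clients> to any flags S/SA keep state label "USER_RULE: policy route alias hosts to site B"

# ---------------- Site B (OpenVPN client, assigned interface ovpnc1) ----------------

# Outbound NAT on WAN so site A hosts that exit to the internet through site B
# are translated to site B's WAN address. Without this, replies would be
# addressed to 192.168.1.x and dropped upstream.
nat on $WAN inet from 192.168.1.0/24 to any -> ($WAN) port 1024:65535

# Having an interface assigned to the VPN instance makes pfSense add reply-to,
# so return traffic for these states is sent back into the tunnel it came from
# rather than out the default gateway.
pass in quick on ovpnc1 reply-to ( ovpnc1 10.0.8.1 ) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: traffic from site A"
```

        On a live box the generated ruleset can be compared against this with `pfctl -sr` (rules), `pfctl -sn` (NAT) and `pfctl -t VPN_Clients -T show` (the alias table); a missing route-to on the LAN rule is the usual reason traffic still leaves via the default WAN.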
          eroji

          For the interface, do I need to add it on both sides? What IP do I give the gateway after adding the interface, or is it arbitrary?

            viragomann
            last edited by viragomann

            Yes, interfaces should be assigned on both sites.
            There is no interface configuration needed; only assign it to the OpenVPN instance, enable it and set a friendly name if you want.
            The IP configuration is done by OpenVPN.

              eroji

              Well, I went and added, then deleted, the interface on site B for the site-to-site OpenVPN, and now I have lost the ability to connect to it completely. I can still see it connect to the pfSense at Site A, but I cannot route to Site B's pfSense IP...

                viragomann

                Have you tried restarting the box at site B?

                Basically, adding an interface to the VPN instance should do nothing but induce pfSense to add the reply-to flag to packets coming in on that interface.
                However, if you only direct internal traffic from A to B and have set that source in the "Remote Network" at B, the interface is not necessary.

                  eroji
                  last edited by eroji

                  Yeah, that fixed it. I didn't have to add a gateway on the pfSense at site B. I added the interface/gateway on the site A side and created rules in the LAN tab to route IPs in the alias over to the site-to-site interface gateway. Then I pushed the routes to site B in the site-to-site OpenVPN server configuration on site A. On site B, I only needed to create NAT outbound rules so that packets would be able to get out to the internet.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.