Port forwarding through site2site OpenVPN
-
Hi,
I have 2 sites:
- Site A 192.168.2.0/24 (vpn server)
- Site B 192.168.4.0/24 (vpn client)
VPN network is 10.0.8.0/24
I have a web server (192.168.2.51) working fine in Site A LAN with ports 80 and 443 forwarded on the pfSense box on site A.
So far so good. What I'm trying to achieve is to port forward the same ports 80 and 443 from Site B pfSense to that server located in site A.
The goal is to be able to access the WEB server(located in Site A Lan) via Site B's external IP address.
Hope this makes sense.
-
@grateful said in Port forwarding through site2site OpenVPN:
Hope this makes sense.
????
Why are you port forwarding? This should be plain routing. You only worry about port forwarding if you're going through NAT.
-
@JKnott Thanks for the reply.
As I mentioned my goal is to be able to access the WEB server(located in Site A Lan) via Site B's external IP address.
I do not really care how I'll achieve it. Can you please elaborate on how to do the routing? To avoid misunderstanding I guess I should paint the bigger picture as well.
Site A and the Web server on it work fine and I can access all my websites just fine via Site A public IP. But for the purposes of SEO I need my new sites to resolve their domain names to a different public IP address. So I thought that I can point the DNS to my Site B external IP and Google will see the new sites as hosted somewhere else (different than Site A IP) and at the same time they will be served by the same Web server as my old sites. So basically avoiding the cost of a new web server located on site B.
Makes more sense?... or even less? :)
-
@grateful said in Port forwarding through site2site OpenVPN:
As I mentioned my goal is to be able to access the WEB server(located in Site A Lan) via Site B's external IP address.
That's not what the original post said. I assume you're using NAT. Then when you set up port forwarding, you set up the target address to whatever the destination address is, just like always. However, since the other server is on a different subnet, you need to enable appropriate routing and possibly firewall rules.
-
@JKnott said in Port forwarding through site2site OpenVPN:
That's not what the original post said.
... well, if you look at it again you'll see that's exactly what the original post said. I literally copy-pasted it from there, penultimate line. Never mind.
If I understand correctly you suggest a simple port forwarding from Site B to Site A local address. This was the first thing I tried but it doesn't work.
"you need to enable appropriate routing and possibly firewall rules." -> can you elaborate on this please?
-
You need a simple port forwarding rule on site B to do that.
Consider that connections across the VPN may have a higher latency. If you haven't already done so, add an interface to the OpenVPN instance at least on A.
Also ensure that the access is permitted by firewall rules as @JKnott already mentioned. It must be allowed at site B WAN and at A on the VPN interface (you've created before).
-
@grateful said in Port forwarding through site2site OpenVPN:
"you need to enable appropriate routing and possibly firewall rules." -> can you elaborate on this please?
When a packet comes onto your LAN, it can access anything on that LAN. However, if you want to go to another network, then routing is involved. This means you have to configure routing in pfSense, so that it knows how to forward packets to the other network. You'll also need to do the same for the return traffic. A router only knows about networks it's directly connected to. So, it would know about the VPN link, but nothing beyond. So, you have to tell it, by configuring the routing. As for firewall rules, other than going out to the Internet, the norm is to block everything and then open what you need. So, you will have to do that to allow the incoming traffic to reach the other site.
-
@JKnott Thank you for explaining this to me. It makes sense. The only problem is that I am completely unaware where to set the routing you mentioned.
I've just assigned an interface for the VPN connection and put a new firewall rule to pass all on this interface. But when I go to Site B System -> Routing I am lost. Or should I be setting up routing on Site A?
I really like to learn and never want to just set it up without understanding but... You can see how lost I'm here. Sorry.
-
@grateful
I was assuming the routing between the two sites is already working, isn't it?
You have only to enter the site A's LAN into the "Remote Networks" box in the OpenVPN settings at site B and vice versa. With the interface assigned to the OpenVPN instance at A and the forwarding at B it should already work.
Edit:
The interface introduces pfSense to tag the packets coming in from the VPN interface with "reply-to". With that pfSense automatically directs responses from the destination device back to site B.
-
@viragomann Thank you for your reply.
"I was assuming the routing between the two sites is already working, isn't it?
You have only to enter the site A's LAN into the "Remote Networks" box in the OpenVPN settings at site B and vice versa."
This is set correctly and sites A and B communicate fine.
"With the interface assigned to the OpenVPN instance at A and the forwarding at B it should already work."
Unfortunately still no. I've made some screenshots, hopefully you'll be able to spot a mistake of mine?
Interface setup on Site A (where the Web server is) [screenshot]
Firewall rule at site A (where the web server is) [screenshot]
Port forwarding WAN interface on Site B to Web server on Site A. [screenshot]
Firewall log on Site B, passing to site A [screenshot]
Where do you reckon should I look to further follow the packets and see where they stop? Thanks for your time!
-
@grateful
Ensure that the rule on the OVPNTRAP interface at site A is applied to the traffic from the other site. So check the firewall log at A to see which rule is permitting it. Consider that "OpenVPN" is an interface group including all OpenVPN interfaces and so OVPNTRAP as well. Rules on interface groups have priority over rules on interfaces.
However, traffic which is handled by rules on interface groups is not tagged with the reply-to, which is essential for routing response packets back to site B.
The same applies to floating rules. So you may have to remove rules from the OpenVPN tab or edit them.
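An added illustration of the ruleset described in this answer (my own pf fragment, not pfSense's generated config or anything posted in the thread): the WAN port forward at site B and the pass rule on the assigned tunnel interface at site A, with the interface-group rule that silently breaks the return path shown commented out. Interface names (em0, ovpns1) and the site A tunnel peer address 10.0.8.2 are assumptions; subnets and the web server address are from the thread.

```pf
# --- Site B (OpenVPN client), WAN = em0 ---
# Inbound 80/443 to the WAN address is redirected to the web server at site A.
# 192.168.2.51 is a "Remote Network" of the tunnel, so the forwarded packet is
# routed into the VPN by the normal routing table; no outbound NAT is needed.
rdr on em0 inet proto tcp from any to (em0) port { 80, 443 } -> 192.168.2.51
pass in quick on em0 inet proto tcp from any to 192.168.2.51 port { 80, 443 } keep state

# --- Site A (OpenVPN server), tunnel assigned as OVPNTRAP = ovpns1 ---
# Rule on the ASSIGNED interface: pfSense attaches reply-to, so replies from
# 192.168.2.51 to an arbitrary Internet client are sent back into the tunnel
# toward site B instead of following site A's default route out its own WAN.
pass in quick on ovpns1 reply-to ( ovpns1 10.0.8.2 ) inet proto tcp from any to 192.168.2.51 port { 80, 443 } keep state

# The equivalent rule on the "OpenVPN" interface GROUP is evaluated first and
# carries no reply-to. A state created by it sends the SYN/ACK out site A's WAN,
# the client never sees it (asymmetric path), and the handshake times out.
# pass in quick on OpenVPN inet proto tcp from any to 192.168.2.51 port { 80, 443 } keep state
```

To confirm which rule created the state, check site A's firewall log for the 80/443 pass entry and verify it references the OVPNTRAP rule, not one from the OpenVPN group or a floating rule.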
-
@viragomann said in Port forwarding through site2site OpenVPN:
So you may have to remove rules from the OpenVPN tab or edit them.
You sir just made my day!
It worked! As I have 5 vpn servers running on the Site A pfSense I assigned each one of them an interface and created pass rules on each interface, then removed all pass rules from the interface group OPENVPN and it worked straight away! Apparently it was all about the reply-to tags. I didn't know about them and now I learned from you. You cannot imagine how happy I am! I've got 5 remote sites and I'll set up port forwarding to the same web server on all sites.
Thank you!
-
@grateful
Thanks for the reply. Glad to hear that it works now as it should do.