Netgate Discussion Forum

    Site to Site VPN with split tunneling

    General pfSense Questions
    • apu4fire

      I own a pfSense box which connects my home network to the internet. There is a remote site that I want to connect to my home network occasionally for the following reasons:

      1. Synchronize data between the remote site and my home network
      2. Offer technical support to the users at the remote site when they can't resolve an IT problem themselves

      I haven't figured out all the details yet, but I figure a VPN would be the best solution for this use case. I intend to set up an OpenVPN server on my pfSense box in my home network. Then I need to place a new pfSense box at the remote site and configure it in such a way that it connects to my home network OpenVPN server.
      Then I should be able to reach the machines on the remote site network from my home network and the other way around.

      Now here comes the twist. I want to use split tunneling in such a way that only the relevant data is routed via the tunnel and all the regular internet traffic is excluded from the VPN tunnel. The synchronization of data for example should go through the tunnel.
      I have made a synchronization script which is run periodically that I want to use.

      What happens however when the VPN server is offline?
      What happens when the VPN tunnel is unavailable at the remote site's pfSense box?
      Will this result in an unreachable host or will pfSense attempt to route it with the regular internet traffic instead?

      • viragomann @apu4fire

        @apu4fire said in Site to Site VPN with split tunneling:

        Now here comes the twist. I want to use split tunneling in such a way that only the relevant data is routed via the tunnel and all the regular internet traffic is excluded from the VPN tunnel.

        That's the default behavior in a common site to site configuration.

        You have to tell OpenVPN which network you want to access on the remote site and it sets the routes accordingly.

        @apu4fire said in Site to Site VPN with split tunneling:

        What happens however when the VPN server is offline?
        What happens when the VPN tunnel is unavailable at the remote site's pfSense box?
        Will this result in an unreachable host or will pfSense attempt to route it with the regular internet traffic instead?

        The remote network won't be reachable.

        • apu4fire @viragomann

          @viragomann said in Site to Site VPN with split tunneling:

          You have to tell OpenVPN which network you want to access on the remote site and it sets the routes accordingly.

          I am not sure if I understand you correctly. The OpenVPN server runs on my home network. I want the remote site to connect to the OpenVPN server on my home network.

          When the remote site connects to my OpenVPN server it gets a network IP range issued by OpenVPN, right?
          Then what do I have to tell OpenVPN to allow bi-directional traffic between the two networks?
          The network address as it has been issued by OpenVPN or something else?

          • Rico

            Generally speaking in a site-to-site scenario the OpenVPN network (tunnel network) doesn't really matter to the clients on both sites, it's transparent for them. It's used by OpenVPN internally and routes the traffic to your real networks on both sites.
            There is a LOT of really good official documentation around for VPNs:
            https://www.netgate.com/resources/videos/site-to-site-vpns-on-pfsense.html
            https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html
            https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-shared-key.html
            https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html

            -Rico

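An added example (not written by any poster in this thread, and not pfSense's own code) of the routing the answers above describe: it checks that the home LAN, remote LAN and tunnel network do not overlap and contain no default route, then emits the OpenVPN directives (`server`, `route`, `push "route …"`, `iroute`) that send only the two LANs through the tunnel. The function names and the sample networks are assumptions made for the illustration.

```python
import ipaddress

def plan_split_tunnel(home_lan, remote_lan, tunnel_net):
    """Validate a site-to-site plan and return the OpenVPN routing directives.

    All three arguments are CIDR strings; the values used at the bottom are
    constructed sample networks, not taken from the thread.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in
            (("home LAN", home_lan), ("remote LAN", remote_lan),
             ("tunnel network", tunnel_net))}
    # Split tunnel: a default route here would send ALL traffic through the VPN.
    for name, net in nets.items():
        if net.prefixlen == 0:
            raise ValueError(f"{name} is a default route; that is a full tunnel")
    # Overlapping subnets make the routes ambiguous on one side or the other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    def fmt(net):
        return f"{net.network_address} {net.netmask}"

    home, remote, tunnel = (nets[n] for n in names)
    return {
        # Server (home side): tunnel addressing, a route to the remote LAN,
        # and the home LAN pushed to the connecting site.
        "server": [f"server {fmt(tunnel)}",
                   f"route {fmt(remote)}",
                   f'push "route {fmt(home)}"'],
        # Per-client override: tells OpenVPN which client owns the remote LAN.
        "client_override": [f"iroute {fmt(remote)}"],
    }

def goes_through_tunnel(dest, routed_net):
    """True if dest lies inside the network that was routed into the tunnel."""
    return ipaddress.ip_address(dest) in ipaddress.ip_network(routed_net)

if __name__ == "__main__":
    plan = plan_split_tunnel("192.168.10.0/24", "192.168.20.0/24", "10.8.0.0/24")
    for section, lines in plan.items():
        print(section, *lines, sep="\n  ")
```

The tunnel network appears only in the `server` line; hosts on either LAN address each other by their real LAN addresses.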
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.