Netgate Discussion Forum
    Accessing Client Side VLANs While Connected As Remote VPN Client

    10 Posts 4 Posters 1.5k Views
      hieroglyph

      I maintain a server at my parents house. They have OpenVPN server running on their pfSense box which I remote into using my laptop. My laptop is on VLAN10 at my house.

      Often I find myself needing to access my server to reference something I have already done. My server is on VLAN14 at my house. But I cannot access my server until I disconnect from their VPN.

      I am pretty sure it behaves this way because the "Redirect IPv4 Gateway" option is checked, which forces all traffic thru the OpenVPN server. This is something we want to keep checked as the VPN is used by my parents to access their home network when they are away, and they want all of their traffic sent thru the home router.

      So, without adding a network card to my server to physically put it on VLAN10, how can my laptop on VLAN10 access my server on VLAN14 while my laptop is connected as a VPN client?

      i.e. How can I access the red line while still connected to the green line?


        netblues @hieroglyph

        @hieroglyph Make a client override rule for your connection common name and don't push default gateway redirect.

        Just add the remote networks you need on the same page, like this:
        push "route 192.168.18.0 255.255.255.0"; and it will be fine.


          JKnott @hieroglyph

          @hieroglyph

          Connections between VLANs are just regular routing. In this respect, there's no difference between a VLAN and a regular interface.

          BTW, why is the laptop on a different VLAN from the server? Why are you using VLANs at all? It looks like you're making things more complicated than you have to.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...


            johnpoz (LAYER 8 Global Moderator)

            Why are you running a VPN client on your PC at all? Why would you not just run a site-to-site VPN between your pfSenses?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11


              netblues

              What if the laptop is also used elsewhere?


                johnpoz

                Well then elsewhere you use the VPN client on the laptop. You could even set it up so that you VPN once while you're remote with this laptop and you have access to both networks.



                  netblues @johnpoz

                  @johnpoz It's obvious that the OP hasn't dived deep (yet).
                  In any case, a remote access setup is something that can be accomplished by following canned instructions. A site-to-site VPN with subnets AND remote access is kinda custom...


                    johnpoz

                    There are canned instructions for a S2S as well. Either IPsec or OpenVPN.

                    For such a setup a S2S would be better than using a client on the laptop, be it that he just uses it at the one location or he travels with it.



                      hieroglyph

                      @netblues This works. I should have thought to do this. Thank you.

                      OpenVPN Server Settings: Unchecked "Redirect IPv4 Gateway". And kept 192.168.18.0/24 in "IPv4 Local Network/s".

                      For my laptop: Created a client specific override for my common name. In the client specific override settings "IPv4 Local Network/s" added 192.168.18.0/24 and kept "Redirect Gateway" unchecked.

                      For my parents devices: Created a client specific override for each of their common names. And in the client specific override settings checked "Redirect Gateway".

                      @JKnott The laptop is my everyday device that is on my critical-VLAN along with my cellphone, the girlfriend's everyday devices, etc... The server is a media server and is on the media-server-VLAN along with a few odroids and video wall controllers. I know I don't necessarily need VLANs for my home network, but I enjoy learning how to use them.

                      @johnpoz Lack of knowledge is part of the answer to your question. I am not always home when I need to remote into my parents' network. I thought a road warrior VPN was the right tool for the job. It sounds like there are other, better options.

                      I did some reading on site-to-site VPNs. From what I understand this is like having an always-open tunnel between the pfSenses. Which is cool; it would at least save the time of having to double-click the shortcut and type in the root password every time I needed to do something on their network. It appears the two most mentioned are S2S IPsec and S2S OpenVPN server-client. I do not yet understand how I would utilize the site-to-site if I am not at home. Is one more preferred over the other for maintaining a remote server both from home and when travelling?

                      @netblues I do use this laptop everywhere I go, and I may not be home when I need to access my parents' network.


                        netblues @hieroglyph
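What the two client-specific overrides described by netblues and in hieroglyph's follow-up amount to, written out as OpenVPN client-config-dir (ccd) files. This is an added illustration, not pfSense's exact generated output or anything from the thread; the ccd path and the common names are hypothetical, and only the parents' LAN 192.168.18.0/24 comes from the thread (the OP's VLAN10/VLAN14 subnets are not given, so they are not assumed here).

```conf
# server.conf (relevant lines only): per-client files are read from ccd/<common-name>.
# The global redirect is NOT set here; it is pushed per client below instead.
client-config-dir ccd
push "route 192.168.18.0 255.255.255.0"   # parents' LAN, pushed to every client

# ccd/laptop-cn  (hypothetical common name of the OP's laptop)
# No redirect-gateway: the laptop keeps its own default route, so traffic to the
# VLAN14 media server still goes through the home pfSense, while only the
# parents' LAN is routed into the tunnel (split tunnel).
push "route 192.168.18.0 255.255.255.0"

# ccd/parent-phone-cn  (hypothetical; one file per parent device common name)
# def1 overrides the default route with two /1 routes instead of deleting it,
# so the client can restore it cleanly when the tunnel drops (full tunnel).
push "redirect-gateway def1"
push "route 192.168.18.0 255.255.255.0"
```

Because ccd files are matched on the certificate common name, a laptop and a phone issued certificates with different common names get different routing from the same server; after connecting from the laptop, the routing table should show only a 192.168.18.0/24 route via the tunnel and the original default route unchanged.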

                        @hieroglyph With an established s2s vpn you could connect remotely to the server side of the vpn and access both sites with one connection, concurrently.

                        But this adds unnecessary points of failure. And since these are home networks, you could be better off with two OpenVPN servers listening at each site, and connect to each as needed.
                        A site-to-site VPN could also coexist, so you don't have to do anything when at home.

                        Of course you can have it all: S2S, two OpenVPN servers listening at both sites, and access to everywhere no matter where you connect.

                        Happy tweaking.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.