OpenVPN mutihop custom configuration guidance request.


  • Hi team,

    First time poster, long time reader. I wish to use pfSense to build my own custom multihop OpenVPN solution. I have two unique VPN providers and I would like to know if pfSense can achieve the following. Some VPN Vendors offer this in their clients, I wish to achieve it between two vendors instead of a multihop within one vendor only.

    alt text

    Excuse the crude diagram above, hopefully it makes it clear. I want have normal WAN traffic coming into the pfSense box. From there, I want to establish an OpenVPN connection to Vendor A.

    After that connection is live, I wish to establish a connection to Vendor B. However; the outbound gateway for Vendor B is actually delivered via Vendor A.

    At the end, I wish route data from Vendor B out to LAN for clients to consume.

    I can achieve this in two messy ways:

    1. Two Debian 10 instances, the 2nd instance has the gateway of the first instance.
    2. Two pfSense instances, again the 2nd instance has the gateway of the first pfSense instance.

    Ideally, I'd like to achieve this in one pfSense instance.

    I'd also like a Kill switch - so that in the event of any of the VPN connections dropping, wan connection on the 10.2.1.0/24 subnet is blocked.

    I have performed a search internally and I have seen the following posts:
    https://forum.netgate.com/topic/104874/openvpn-multi-hop
    https://forum.netgate.com/topic/105149/multi-hop-with-openvpn-clients

    It seems this has come up a few times but a clear explanation has been lacking. Is there any interest beyond myself in this solution? I'm forever in your debt.
    Thanks!

    Topology.png