Netgate Discussion Forum

    OpenVPN Site to Site: Route traffic from server's LAN via client's Internet

    gdi2k

      I am trying to do "Routing Internet Traffic Through A Site-To-Site OpenVPN Tunnel" as documented in the Netgate Docs:
      https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-route-internet-traffic.html

      But I am trying to do it backwards - rather than route branch office (OpenVPN client) traffic via the HQ (OpenVPN server), I am trying to route traffic of some hosts on the server's LAN via the client's Internet connection. Reason: The client sits behind a NAT I don't control, so it cannot be a server as I can't reach its IP publicly, but I need to route out of it due to geo IP restrictions on the server's IP.

      I have successfully created the OpenVPN tunnel as per the Netgate Docs "OpenVPN Site-to-Site Configuration Example with SSL/TLS":
      https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html#recipe-openvpn-s2s-tls-examplesettings

      I have also been able to set up a test where I route from a site to site client via the server successfully and I have copied the Firewall and NAT configs exactly. However, when trying to route traffic from the server via the client it doesn't work.

      Should this work (maybe I just have it misconfigured) or is this a limitation of OpenVPN? Can this be done with IPSEC or something else instead?

    viragomann @gdi2k

        @gdi2k
        You can do this with a /30 tunnel network, though this is not compatible with DCO and therefore not recommended anymore.
        I've never done it with a larger tunnel subnet, however.

        With a /30 tunnel the direction doesn't matter basically. This site-to-site OpenVPN is just a transit network with two unique gateways, where traffic can go in both directions.

        "I am trying to route traffic of some hosts on the server's LAN via the client's Internet connection."

        So you have to do this with policy routing rules.

        I assume you're already able to access resources on the server's LAN from the client's LAN.

        To configure this (/30 tunnel network, no CSO needed), on the client:

        • You need to switch the outbound NAT into the hybrid mode and add a rule to the WAN interface for the source of the server site's LAN.
        • Assign an interface to the OpenVPN client instance in Interfaces > Assignments. At "Available network ports" select the client instance, e.g. ovpnc1, hit Add and enable the interface. You also might want to give it a friendly name.
        • Then you get a tab for it in Firewall > Rules. Add a pass rule to it for allowing access to any destination or whatever you need.
          Remove any pass rule from the OpenVPN tab.

        On the server:

        • Assign an interface to the concerned OpenVPN server instance in Interfaces > Assignments. Same as above, but the server instance is called e.g. ovpns3. I'll call it s2s here.
        • Add all IPs whose upstream traffic you want to direct over the VPN to an alias.
        • Also create an alias for RFC 1918 networks and add all private networks to it, if you don't have one already.
        • On the LAN or whatever interface the concerned devices are connected to, add a pass rule to the top of the rule set. As source use the devices' IP alias; at destination address check "invert match" and enter the RFC 1918 alias.
          Open the advanced options, go down to gateway and select the s2s gateway.

        With a larger tunnel subnet, maybe you can add the client's IP, which you've stated in the CSO, as a gateway on the server and use this one for policy routing.

        gdi2k
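The decision logic behind the steps above (the server-side "source in alias, destination NOT in RFC 1918, gateway = s2s" rule, the client-side hybrid outbound NAT on WAN, and the two endpoint addresses of a /30 or /31 transit network) as a small offline simulation. This is an added example, not code from the thread or from pfSense; every address (server LAN 192.168.10.0/24, client LAN 192.168.20.0/24, tunnel 10.8.0.0/30, client WAN 203.0.113.10, the host alias) is a constructed assumption.

```python
"""Simulate the policy-routing setup described in the post above.

Added example with constructed addresses; pfSense itself evaluates these rules
in pf, this only mirrors the intended decisions so they can be checked.
"""
import ipaddress
from typing import Optional

# Constructed sample topology (assumed values, not taken from the thread)
SERVER_LAN = ipaddress.ip_network("192.168.10.0/24")   # OpenVPN server side (HQ)
CLIENT_LAN = ipaddress.ip_network("192.168.20.0/24")   # OpenVPN client side (branch)
CLIENT_WAN_IP = ipaddress.ip_address("203.0.113.10")   # client's public address
TUNNEL_NET = "10.8.0.0/30"                             # the /30 transit network

# Alias "RFC1918": used with "invert match" so only non-private destinations get policy-routed
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Alias of server-LAN hosts whose Internet traffic should leave through the client's WAN
ROUTE_VIA_CLIENT = {ipaddress.ip_address(a) for a in ("192.168.10.50", "192.168.10.51")}


def tunnel_endpoints(tunnel_net: str):
    """Server and client tunnel addresses of a point-to-point transit network.

    /30: first and second usable host; /31: both addresses of the block (RFC 3021).
    """
    net = ipaddress.ip_network(tunnel_net, strict=True)
    if net.prefixlen == 30:
        server, client = net[1], net[2]
    elif net.prefixlen == 31:
        server, client = net[0], net[1]
    else:
        raise ValueError("expected a point-to-point tunnel network (/30 or /31)")
    return str(server), str(client)


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def select_gateway(src: str, dst: str) -> str:
    """Server-side LAN rule at the top of the rule set.

    Match: source in the host alias AND destination NOT in RFC1918 (invert match).
    Matching traffic is sent to the s2s gateway; anything else (LAN-to-LAN, the
    other site's LAN, non-listed hosts) falls through to default routing.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in ROUTE_VIA_CLIENT and not _in_any(d, RFC1918):
        return "s2s"
    return "default"


def client_tunnel_pass(src: str) -> bool:
    """Pass rule on the client's assigned OpenVPN interface: allow the server site's LAN to anything."""
    return ipaddress.ip_address(src) in SERVER_LAN


def client_outbound_nat(src: str, out_iface: str) -> Optional[str]:
    """Client-side hybrid outbound NAT.

    The automatic rule already translates the client's own LAN on WAN; the added
    manual rule translates the server site's LAN the same way. Traffic leaving on
    any other interface (e.g. back into the tunnel) is not translated.
    """
    s = ipaddress.ip_address(src)
    if out_iface == "WAN" and (s in SERVER_LAN or s in CLIENT_LAN):
        return str(CLIENT_WAN_IP)
    return None


def trace(src: str, dst: str):
    """Walk one packet from a server-LAN host through both firewalls; returns the decisions taken."""
    steps = []
    gw = select_gateway(src, dst)
    steps.append(f"server LAN rule: gateway {gw}")
    if gw == "s2s":
        _, client_tun = tunnel_endpoints(TUNNEL_NET)
        steps.append(f"forwarded over tunnel towards {client_tun}")
        steps.append("client tunnel interface: " + ("pass" if client_tunnel_pass(src) else "block"))
        steps.append(f"client WAN outbound NAT: {client_outbound_nat(src, 'WAN')}")
    return steps


if __name__ == "__main__":
    print(tunnel_endpoints(TUNNEL_NET))
    for hop in trace("192.168.10.50", "198.51.100.7"):   # listed host to a public address
        print(hop)
    for hop in trace("192.168.10.50", "192.168.20.7"):   # listed host to the client's LAN
        print(hop)
```

Running the trace for a listed host to a public destination shows the three decisions that must all line up (policy route, pass rule on the assigned tunnel interface, NAT on the client's WAN); the same host talking to 192.168.20.x is left on the default path, which is what the inverted RFC 1918 match is for.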

          @viragomann thank you for taking the time to take a look at my issue and provide these steps. It took me a couple of days of fiddling and reading to realize what you meant by a /30 tunnel. This documentation is key:
          https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-server-tunnel.html

          Once I set the tunnel subnet to /30 (I also had to manually add the remote subnet and the tunnel subnet to the client's OpenVPN settings, which isn't required for larger subnets), everything just worked.

          Awesome, thanks again.

            mphnwg @gdi2k

            @gdi2k I am trying to do this same thing and am not that familiar with networking. I have everything working and can route client LAN traffic out over the server WAN, but can't go backwards. I have a tunnel network /24 and am not 100% following why I need to change to a /30 subnet. By chance can you share the exact step by step? Why do we need to remove the pass rule from the OpenVPN tab? I did add the pass rule on the tunnel interface I created for that VPN tunnel. Why do we invert match and add all private networks? I don't understand that part. Sorry, I'm not so good at routing. Thanks in advance!

              JKnott @viragomann

              @viragomann said in OpenVPN Site to Site: Route traffic from server's LAN via client's Internet:

              You can do this with a /30 tunnel network though

              Actually, you only need a /31 for a point to point network.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

                mphnwg

                Actually got it all working, thanks guys!

                Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.