Site-to-site VPN assistance



  • Calling all pfSense gurus.

    I have two pfSense boxes and I want to build a VPN between them.  I know how to do that (basic stuff).

    What I want is a single PC (IP address) at site A to send all traffic and surf through Site B.  So not only does the VPN terminate to Site B (pfSense B), but I want it to hairpin through it and go out that Internet circuit.

    What VPN or Firewall rules would I configure to make that happen?  I want a single node at Site A to look like it's accessing the Internet via Site B.

    All the other nodes at Site A can access the Internet through their own pfSense box and onto the Internet.

    Thanks.


  • Rebel Alliance Developer Netgate

    If you only want this to happen for one PC, it would be best to do this as an OpenVPN remote access setup, not as a site-to-site. There are some OpenVPN remote access tutorials on here and in the doc wiki.

    The easiest (but not the most secure) would be to use PPTP for this.

    In both cases, after setting up the VPN, you'll probably have to switch to manual outbound NAT at site B and add the VPN subnet to the list of networks there so it will have NAT applied when it leaves the WAN at site B.



  • I still need a site-to-site VPN because the other devices at Site A & Site B talk to each other on their respective subnets, but they just don't need it the way this single PC does.

    I have a customer that allows us to access them from a single public address.  It was already defined by the pfSense IP at Site B.


  • Rebel Alliance Developer Netgate

    Ah, then OpenVPN would be perfect. You could define a route in the OpenVPN config so that it would route traffic to that IP over the tunnel. You could restrict who can go there by adding a firewall rule on LAN that passes from the approved IP, and then blocks from all others (both going to that same destination).

    I do just this on my home router, since I have to access a bunch of machines for a place I work with via certain IPs.
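    What the post above describes, expressed as the pf rules pfSense would end up loading (an added illustration, not jimp's own configuration; the interface name, the LAN subnet, the approved host and the customer address 203.0.113.25 are assumed placeholders). The route itself lives in the OpenVPN instance's custom options (`route 203.0.113.25 255.255.255.255`), so that destination leaves via the tunnel; the LAN rules only decide who is allowed to send to it. Order matters: pfSense adds `quick` to GUI rules, so the first match wins and the block must sit below the specific pass rule but above the general one.

```pf
# Site A pfSense, pf.conf-style fragment. Assumed names/addresses:
lan_if        = "em1"             # LAN interface
lan_net       = "192.168.1.0/24"  # site A LAN
approved_host = "192.168.1.50"    # the one node allowed to reach the customer
customer_ip   = "203.0.113.25"    # customer's single permitted public address
                                  # (routed over the OpenVPN tunnel by a
                                  #  "route 203.0.113.25 255.255.255.255"
                                  #  custom option on the OpenVPN instance)

# 1. The approved host may talk to the customer; the route directive sends it
#    into the tunnel and it exits site B with site B's public IP.
pass in quick on $lan_if proto { tcp udp icmp } from $approved_host to $customer_ip keep state

# 2. Every other LAN host is stopped (logged) before the generic allow below.
block in log quick on $lan_if from $lan_net to $customer_ip

# 3. Normal Internet access for the rest of the LAN is unchanged.
pass in quick on $lan_if from $lan_net to any keep state
```

    Check it with `pfctl -nf` against the generated ruleset, or from a non-approved LAN host, which should see the blocked attempt in the firewall log rather than a timeout somewhere past the tunnel.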



    Well, my "need" is only that one IP, but my "want" is to make a particular PC (internal IP on Site A) access the entire Internet from Site B, not just that customer.  I already thought of your way when just needing a single destination IP, but in this case it's a single source IP and any destination which I want to try to build.


  • Rebel Alliance Developer Netgate

    That is a bit trickier, but it might be doable on 2.0, though not on 1.2.3.

    You could just set up a second OpenVPN instance that particular workstation could use and it can use OpenVPN's directive to redirect the default gateway, but you can't do it selectively if you use the site-to-site tunnel at the router.



  • @jimp:

    That is a bit trickier, but it might be doable on 2.0, though not on 1.2.3.

    You could just set up a second OpenVPN instance that particular workstation could use and it can use OpenVPN's directive to redirect the default gateway, but you can't do it selectively if you use the site-to-site tunnel at the router.

    I was afraid of that.  OK, thanks.


  • Rebel Alliance Developer Netgate

    What's to be afraid of?

    It doesn't hurt anything and it's better to have remote access clients using a PKI setup anyhow, and keep the site-to-site setups as shared key.



    The node in question is not always going to be a PC with access to OpenVPN.  It might be an IBM 4690 POS system.


  • Rebel Alliance Developer Netgate

    That gets a bit harder to do then. Again, it should be possible in 2.0 but not in 1.2.3.

    In 2.0 you'd just assign the OpenVPN interface as an optional interface, then add a gateway that says it's on that interface, with an IP of the other side of the OpenVPN tunnel.

    Then add a rule on the LAN side that matches the IP(s) of the devices to re-route, with a destination of any, with that gateway chosen.
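    The three steps above (assign the OpenVPN interface, add a gateway on it, policy-route the one host) together with the outbound NAT at site B from the earlier reply, written out as the pf rules behind them. This is an added example, not configuration from the thread; interface names, the tunnel addresses 10.8.0.1/10.8.0.2 and the host 192.168.1.50 are assumed. One caveat worth checking: when the router does the policy routing, packets arrive at site B with the site A LAN address as source (192.168.1.50), not a tunnel address, so site B's manual outbound NAT has to match the site A LAN network (or that host), whereas for a remote-access client it is the VPN client subnet that needs the NAT entry.

```pf
# ---- Site A pfSense (pf.conf-style, assumed names) ----
lan_if      = "em1"
lan_net     = "192.168.1.0/24"
ovpn_if     = "ovpnc1"        # OpenVPN client interface, assigned as OPT1
ovpn_gw     = "10.8.0.1"      # site B's end of the tunnel = the new gateway
routed_host = "192.168.1.50"  # the one node (e.g. the POS) to send via site B

# Policy route: everything from that host is pushed into the tunnel,
# regardless of destination. Must precede the general LAN pass rule.
pass in quick on $lan_if route-to ($ovpn_if $ovpn_gw) from $routed_host to any keep state

# Every other LAN host keeps using site A's own WAN (default route).
pass in quick on $lan_if from $lan_net to any keep state

# ---- Site B pfSense ----
wan_if      = "em0"
ovpn_if_b   = "ovpns1"        # site B's OpenVPN server interface
site_a_net  = "192.168.1.0/24"

# Accept the hairpinned traffic arriving from the tunnel.
pass in quick on $ovpn_if_b from $site_a_net to any keep state

# Manual outbound NAT: traffic from site A's LAN leaving site B's WAN is
# translated to site B's WAN address, so the Internet sees site B's IP.
# (For a remote-access client instead, match its tunnel subnet here.)
nat on $wan_if from $site_a_net to any -> ($wan_if)
```

    After applying, a quick test from the routed host is to visit a "what is my IP" service; it should report site B's WAN address while the rest of the LAN still reports site A's. If it reports site A, the policy-route rule is below a more general pass rule; if it times out, the NAT entry at site B does not match the source address that actually arrives over the tunnel.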

