Netgate Discussion Forum

    Site-to-site VPN assistance

IPsec | 10 Posts, 2 Posters, 4.5k Views
valnar

      Calling all pfSense gurus.

      I have two pfSense boxes and I want to build a VPN between them.  I know how to do that (basic stuff).

      What I want is a single PC (IP address) at site A to send all traffic and surf through Site B.  So not only does the VPN terminate to Site B (pfSense B), but I want it to hairpin through it and go out that Internet circuit.

      What VPN or Firewall rules would I configure to make that happen?  I want a single node at Site A to look like it's accessing the Internet via Site B.

      All the other nodes at Site A can access the Internet through their own pfSense box and onto the Internet.

      Thanks.

jimp (Rebel Alliance Developer, Netgate)

        If you only want this to happen for one PC, it would be best to do this as an OpenVPN remote access setup, not as a site-to-site. There are some OpenVPN remote access tutorials on here and in the doc wiki.

        The easiest (but not the most secure) would be to use PPTP for this.

        In both cases, after setting up the VPN, you'll probably have to switch to manual outbound NAT at site B and add the VPN subnet to the list of networks there so it will have NAT applied when it leaves the WAN at site B.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

valnar

          I still need a site-to-site VPN because the other devices at Site A & Site B talk to each other on their respective subnets, but they just don't need it the way this single PC does.

          I have a customer which allows us to access them from a single public address.  It was already defined by the pfSense IP at Site B.

jimp (Rebel Alliance Developer, Netgate)

Ah, then OpenVPN would be perfect. You could define a route in the OpenVPN config so that it would route traffic to that IP over the tunnel. You could restrict who can go there by adding a firewall rule on LAN that passes from the approved IP, and then block from all others (both going to that same destination).

            I do just this on my home router, since I have to access a bunch of machines for a place I work with via certain IPs.

valnar

Well, my "need" is only that one IP, but my "want" is to make a particular PC (internal IP on Site A) access the entire Internet from Site B, not just that customer.  I already thought of your way when just needing a single destination IP, but in this case it's a single source IP and Any destination which I want to try to build.

jimp (Rebel Alliance Developer, Netgate)

                That is a bit trickier, but it might be doable on 2.0, though not on 1.2.3.

You could just set up a second OpenVPN instance that particular workstation could use and it can use openvpn's directive to redirect the default gateway, but you can't do it selectively if you use the site-to-site tunnel at the router.

valnar

                  @jimp:

                  That is a bit trickier, but it might be doable on 2.0, though not on 1.2.3.

You could just set up a second OpenVPN instance that particular workstation could use and it can use openvpn's directive to redirect the default gateway, but you can't do it selectively if you use the site-to-site tunnel at the router.

                  I was afraid of that.  OK, thanks.

jimp (Rebel Alliance Developer, Netgate)

                    What's to be afraid of?

It doesn't hurt anything, and it's better to have remote access clients using a PKI setup anyhow, and keep the site-to-site setups as shared key.

valnar

The node in question is not always going to be a PC with access to OpenVPN.  It might be an IBM 4690 POS system.

jimp (Rebel Alliance Developer, Netgate)

That gets a bit harder to do then. Again, it should be possible in 2.0 but not in 1.2.3.

                        In 2.0 you'd just assign the OpenVPN interface as an optional interface, then add a gateway that says it's on that interface, with an IP of the other side of the OpenVPN tunnel.

                        Then add a rule on the LAN side that matches the IP(s) of the devices to re-route, with a destination of any, with that gateway chosen.

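The pf rules that sit behind the steps jimp outlines (a policy-routing LAN rule for one source address, the pass/block pair for the customer's address, and manual outbound NAT for the tunnel subnet at Site B), written out as an added example that is not from this thread or from pfSense itself. Interface names (em0, em1, ovpnc1, ovpns1), the tunnel subnet 10.0.8.0/24, the gateway 10.0.8.1 and the host and customer addresses are all assumptions constructed for the example.

```pf
# ---- Site A (pfSense 2.x) ------------------------------------------------
# Assumed: em1 = LAN, ovpnc1 = the assigned OpenVPN client interface,
# 10.0.8.1 = Site B's end of the tunnel (the gateway jimp describes),
# 192.168.1.50 = the one PC / POS node, 203.0.113.10 = the customer address.
lan_if   = "em1"
ovpn_if  = "ovpnc1"
ovpn_gw  = "10.0.8.1"
pos_host = "192.168.1.50"
site_b   = "192.168.2.0/24"
customer = "203.0.113.10"

# 1. Traffic for Site B's own LAN keeps using the existing site-to-site
#    tunnel: match it first with no gateway so normal routing applies.
pass in quick on $lan_if from $lan_if:network to $site_b

# 2. Only the approved node may reach the customer address; every other
#    LAN host is blocked for that destination (pass approved, block rest).
pass  in quick on $lan_if from $pos_host to $customer route-to ($ovpn_if $ovpn_gw)
block in quick on $lan_if from any to $customer

# 3. Policy route: everything else from the approved node leaves via Site B.
#    This must sit above the generic LAN rule, which has no gateway set.
pass in quick on $lan_if from $pos_host to any route-to ($ovpn_if $ovpn_gw)

# Default LAN rule for all other hosts: out Site A's own WAN.
pass in on $lan_if from $lan_if:network to any

# ---- Site B (pfSense 2.x) ------------------------------------------------
# Assumed: em0 = WAN, ovpns1 = OpenVPN server interface, 192.168.2.0/24 = LAN B.
wan_if  = "em0"
tunnel  = "10.0.8.0/24"
lan_b   = "192.168.2.0/24"

# Manual outbound NAT: the tunnel subnet must be translated to Site B's WAN
# address as well, otherwise replies for the hairpinned node never return.
nat on $wan_if from $lan_b  to any -> ($wan_if)
nat on $wan_if from $tunnel to any -> ($wan_if)

# Let the forwarded traffic in from the tunnel so it can be routed out WAN.
pass in quick on ovpns1 from $tunnel to any
```

With rule 3 in place the policy-routed node's states are tied to ovpnc1, so if the tunnel drops that node loses Internet access rather than silently falling back to Site A's WAN, which is usually the desired behaviour when the point is to present Site B's public address.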
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.