Tunnel all, with IP from remote net
-
Here's what I want to have happen:
all traffic is tunneled through pfSense, with access to remote resources and if possible remote computer gets an IP that's on the remote network (I saw on another post that jimp said you must have an IP out of the remote net's range so this may not be possible), need this as I have few devices/programs that will not work unless remote computer has an IP on the local net (I can change this for some but not all devices)
Here's what I have tried:
I got it to tunnel all, with the following settings (using shrew client):
Local Host Address: virtual IP address, set the IP to a range of my remote network
policy set to 0/0

Local Host Address: virtual, set to an IP of my remote network
policy: remote net
it works (tunnels all) but can't access local resources, so I tried a combination of changing those two settings:

this enables access to remote resources but doesn't tunnel all, remote network only
Local Host Address: use local
policy: remote net

this enables access to remote resources but nothing else
Local Host Address: use local
policy: 0/0

Edit: Can OpenVPN do this?
-
You'd probably have more luck with OpenVPN because with OpenVPN you could NAT traffic into the local network like so:
Main Site LAN: x.x.x.1/24
Remote LAN: x.x.y.1/24
On the main site box, you can NAT traffic going out the LAN interface from x.x.y.1/24 to an IP (or 1:1 to several, etc.) so that for devices on the x.x.x.0/24 network, they will see the traffic coming from an x.x.x.0/24 network.
With PPTP you can VPN directly into the local network (it can overlap) but that does not work for site-to-site tunnels, only remote access from single clients.
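The NAT arrangement described in the reply above, written out as a pf.conf fragment so the two variants (many-to-one outbound NAT and 1:1) can be compared. This is an added example, not from the thread and not pfSense's generated ruleset; the addresses and interface names are constructed placeholders: main-site LAN 192.168.1.0/24 on em0 standing in for x.x.x.0/24, and an OpenVPN tunnel network 10.8.0.0/24 on ovpns1 standing in for the x.x.y.0/24 remote side.

```pf
# Constructed example addresses (placeholders for x.x.x.0/24 and x.x.y.0/24).
lan_if   = "em0"             # main-site LAN interface
lan_net  = "192.168.1.0/24"  # main-site LAN
ovpn_if  = "ovpns1"          # OpenVPN server instance interface
ovpn_net = "10.8.0.0/24"     # addresses handed to remote OpenVPN clients

# Many-to-one: every remote client appears on the LAN as the firewall's own
# LAN address, so LAN devices only ever see a 192.168.1.x source.
# pfSense GUI equivalent: Firewall > NAT > Outbound (manual or hybrid mode),
# interface LAN, source 10.8.0.0/24, translation "Interface address".
nat on $lan_if from $ovpn_net to $lan_net -> ($lan_if)

# 1:1 alternative: map one remote client to a spare LAN address of its own,
# so per-host access lists on LAN devices (and their logs) still identify it.
# pfSense GUI equivalent: Firewall > NAT > 1:1 on the LAN interface.
binat on $lan_if from 10.8.0.10 to $lan_net -> 192.168.1.210

# Traffic still has to be allowed in on the OpenVPN interface; NAT alone
# does not pass it (pfSense: Firewall > Rules > OpenVPN tab).
pass in quick on $ovpn_if from $ovpn_net to $lan_net keep state
```

The trade-off to weigh before choosing the many-to-one form: because all remote clients share the firewall's LAN address, a LAN host cannot tell them apart and its logs will attribute every remote session to the firewall. Where a device needs to authorize or audit a specific remote machine, the 1:1 mapping keeps that distinction while still presenting an address inside the LAN range.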
-
I read somewhere that you can't have both an IPsec tunnel and an OpenVPN tunnel, is that just for site-to-site or is that for everything (i.e. site-to-site = IPsec, remote clients = OpenVPN?)
-
You can use both, just not for the same subnet at the same time.
If a subnet matches an enabled IPsec tunnel, it will always try to go over IPsec.
-
I have seen this setup before, it was with a Cisco IPsec VPN client, thought maybe it was possible with shrew. I will set up OpenVPN later today and give it a try.