Passing traffic from host on one side of tunnel out to Internet on the other
-
Hey guys,
I've been trying to do some digging in regards to how I want to do this/how it should properly be setup, but I'm still running into some problems. Currently, I have an OpenVPN tunnel between myself and a friend of mine on our pfsense boxes. I'm in the 10.0.0.x range, his network is 10.0.100.x. I've enabled it basically so we can pass things "locally" to each other and do encrypted Windows drive shares between file servers, etc. This is working perfectly, but now I'm adding another variable to the mix. He has a machine on his end that he wants to be able to access the Internet through my end instead of his. Basically all traffic from only that host and not his entire site needs to access the public Internet through me to gain my WAN IP. In our current setup, I'm the OpenVPN server and he's the client.
I know that I'll need to statically set (or at least make a DHCP reservation for) an IP within his 10.0.100.x range to that host, but obviously can't set the gateway to that machine of 10.0.0.1 (my router) since they're not on the same network for traffic to pass correctly. One person recommended that I'd need to do a route push in the "advanced" section on his end in order to accomplish this, but I'm still a little stumped. Would NAT come into play here, additionally?
Looking for a push in the right direction as this is royally stumping me for some reason. I'd appreciate any help! Thanks!
-
On his end, assign an interface to the OpenVPN site-to-site link. Leave the IPv4 type as "none" (the system will organise the existing IP of the OpenVPN link…). Then a gateway should appear that goes to the other end of the site-to-site link. Add a firewall rule on his LAN selecting the relevant source IP, destination all, and in the advanced section select the gateway for the site-to-site link.
At your end you probably need to:
a) make sure the OpenVPN link has a pass rule allowing the special source IP, destination any.
b) NAT the traffic from him heading to the internet (automatic outbound NAT is only going to do it for traffic from your LAN to WAN)
Others, what have I forgotten?
-
This did the trick! Makes sense now. I think I was making it out to be a little more complex than it turned out to be. Thanks for the info!
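The GUI steps in the accepted answer, written out as the equivalent pf rules so the three pieces (policy route on his LAN, pass rule on your tunnel interface, outbound NAT on your WAN) can be seen side by side; this is an added illustration, not from the thread or from pfSense itself, and pfSense generates its own ruleset from the GUI, so it is for reading rather than pasting. The host address 10.0.100.50, the tunnel network 10.8.0.0/24 (server 10.8.0.1, client 10.8.0.2) and the interface macros are assumed values.

```pf
# Assumed names/addresses: adjust to the real interfaces and tunnel subnet.
lan_if   = "em1"        # his LAN interface
wan_if   = "em0"        # your WAN interface
ovpn_cli = "ovpnc1"     # his OpenVPN client tunnel interface
ovpn_srv = "ovpns1"     # your OpenVPN server tunnel interface
remote_tun = "10.8.0.1" # your end of the tunnel, as seen from his side
egress_host = "10.0.100.50"   # the one host that should exit via your WAN

# --- His pfSense (OpenVPN client) ---
# Policy-route ONLY that host into the tunnel. Everything else on his LAN
# is unaffected and keeps using his own WAN. This rule must sit above his
# default "LAN to any" rule, or the default rule wins and nothing changes.
pass in quick on $lan_if route-to ( $ovpn_cli $remote_tun ) \
    inet from $egress_host to any keep state

# --- Your pfSense (OpenVPN server) ---
# a) The tunnel interface needs a pass rule for that host; the usual
#    site-to-site rule only allows his LAN to reach your LAN, not "any".
#    Scoping the source to the single host keeps the rest of his site
#    from using your WAN for egress.
pass in quick on $ovpn_srv inet from $egress_host to any keep state

# b) Automatic outbound NAT only translates your own LAN networks, so the
#    tunnel host needs an explicit (hybrid/manual) outbound NAT entry on
#    WAN, or its packets leave with a 10.0.100.x source and never return.
nat on $wan_if inet from $egress_host to any -> ($wan_if)
```

The return path (a route to 10.0.100.0/24 via the tunnel on your side) is already in place once the site-to-site link works, so nothing extra is needed for replies to reach his LAN.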