Site to site VPN with one static IP possible in 2.1?



  • Hi, is it possible to run a site-to-site VPN where only one site has a static WAN IP?



  • Yes, put the VPN server at the static IP. Then the client can connect from any IP (as long as you make a rule on the server WAN to pass source any to destination WAN IP, port "VPN server port").
    For a bit of extra security, register for DynamicDNS with a dynamic DNS provider. Make the client register a dynamic DNS name so it translates to the current client end dynamic public IP.
    On the server, make an alias for that dynamic DNS FQDN. Put that in the WAN pass rule source.
    Then connections will only be allowed from the known client end IP. pfSense at the server end will check the name every 5 minutes and update the table/rule in pf. So it will take 5 minutes after the client gets a new dynamic IP from the ISP for the server end to realise and start allowing it access.



  • For the benefit of other readers, the server end can also be a dynamic IP, with a dynamic DNS name kept up-to-date automatically from the server end pfSense. The client connects to this name + VPN port.
    As long as the server end has a public IP, you should be in business. The client end can even be on a crappy ISP somewhere that gives private IPs or carrier-grade NAT IPs to its customers.



  • @phil.davis:

    Yes, put the VPN server at the static IP. Then the client can connect from any IP (as long as you make a rule on the server WAN to pass source any to destination WAN IP, port "VPN server port").
    For a bit of extra security, register for DynamicDNS with a dynamic DNS provider. Make the client register a dynamic DNS name so it translates to the current client end dynamic public IP.
    On the server, make an alias for that dynamic DNS FQDN. Put that in the WAN pass rule source.
    Then connections will only be allowed from the known client end IP. pfSense at the server end will check the name every 5 minutes and update the table/rule in pf. So it will take 5 minutes after the client gets a new dynamic IP from the ISP for the server end to realise and start allowing it access.

    OK, I have tested this with one SonicWall at the client site and pfSense at the office site; the problem was that I could set up site-to-site on pfSense at the office without pointing to a static IP on the client. But I will test this with two pfSense boxes, thanks.



  • Tested it; it's not possible to have a blank gateway on the IPsec at the home office site, so it is still not possible to make a site-to-site VPN (not client to office, but site to site) with two pfSense boxes where only one has a static IP, or?



  • All my comments above are specifically valid for OpenVPN. Not being an IPsec user, I can't comment on the flexibility or otherwise of IPsec configurations, so others can jump in now…
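For readers who want to see what the OpenVPN arrangement described in phil.davis's replies above looks like on disk, here is a peer-to-peer (shared static key) site-to-site pair. It is an added illustration, not configuration from this thread or generated by pfSense; the WAN address 203.0.113.10, the LAN prefixes, the DDNS name and the key path are placeholders.

```conf
# ---- Office end: has the static WAN IP, runs the OpenVPN "server" (placeholder 203.0.113.10) ----
# Only this end needs a fixed address and an inbound firewall rule (UDP/1194 to the WAN IP).
dev tun
proto udp
port 1194
local 203.0.113.10                # placeholder static WAN address
secret /etc/openvpn/site.key      # assumed path; the shared key is what authenticates the peer,
                                  # the source-IP firewall rule only narrows exposure
ifconfig 10.8.0.1 10.8.0.2        # tunnel endpoints: office, then home office
route 192.168.2.0 255.255.255.0   # placeholder home office LAN, reachable through the tunnel
float                             # keep the session when the peer shows up from a new source
                                  # address after its ISP hands it a new dynamic IP
cipher AES-256-CBC                # static key mode does not support AEAD ciphers
auth SHA256
keepalive 10 60
persist-key
persist-tun

# ---- Home office end: dynamic WAN IP (a private/CGNAT address is fine), runs the "client" ----
# No inbound port is needed here; this end always initiates, so NAT in front of it is no problem.
dev tun
proto udp
remote office.example-ddns.invalid 1194   # placeholder: office static IP or its dynamic DNS name
nobind                            # no fixed local port; let NAT pick one
resolv-retry infinite             # keep retrying name resolution when the link flaps
secret /etc/openvpn/site.key      # same shared key as the office end (assumed path)
ifconfig 10.8.0.2 10.8.0.1        # mirror of the office ifconfig line
route 192.168.1.0 255.255.255.0   # placeholder office LAN
cipher AES-256-CBC
auth SHA256
keepalive 10 60                   # the pings from this end keep the NAT mapping open, so the
                                  # office can reach the home office LAN between user traffic
persist-key
persist-tun
```

A routed tun tunnel does not forward DHCP broadcasts, so the PCs behind the home office box still need a local DHCP scope or a DHCP relay pointed at the office server over the tunnel.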



  • Is it possible to run site-to-site with OpenVPN? I need the pfSense box at the home office site to connect to the pfSense at the office, and the PCs behind the home office pfSense to get an IP from the DHCP server at the office site. I don't need to use IPsec; if it's possible with OpenVPN I could use that.



  • I'm running a Fortigate 80C @ work and have a site-to-site IPsec VPN connecting my home office to it. I've yet to try OpenVPN, as the IPsec config "just worked" for me. Office is static, home is dynamic. So yeah, totally doable with IPsec.



  • @mauirixxx:

    I'm running a Fortigate 80C @ work and have a site-to-site IPsec VPN connecting my home office to it. I've yet to try OpenVPN, as the IPsec config "just worked" for me. Office is static, home is dynamic. So yeah, totally doable with IPsec.

    Yes, I know it's doable, but not with pfSense at the work/office, since pfSense NEEDS a static IP on your home box. I have set up other solutions and many boxes don't need to have an IP for the home box. I think it is made this way so the office could connect to the home, but if home had a stay-alive checkbox there isn't any reason to use a static IP in both places.

