Site to Site with OpenVPN and one static IP?



  • Hi, is this possible with OpenVPN?

    Main Office:
    pfSense box with static IP on WAN, NAT and DHCP on LAN

    Home Office:
    pfSense box with dynamic IP on WAN, VPN connection in to the main office. Clients on the LAN at the Home Office get an IP from the DHCP server at the Main Office. Clients should NOT have any VPN software/clients; it's the two boxes that should have the site-to-site VPN connection. Stay alive on the VPN, since the home office has a dynamic IP on WAN, in case the main office needs access to something at the home office (printers).


  • Rebel Alliance Developer Netgate

    Sure that works fine. OpenVPN doesn't check the source IP of the traffic, only that the keys and/or certificates match. You can restrict access to the VPN process with firewall rules if you wish.

    Most limitations of dynamic IPs can be sidestepped with Dynamic DNS if you want to still be somewhat strict.



  • I have the "home office" pfSense register a Dynamic DNS name (e.g. homeoffice1.dyndns-ip.com)
    On the "main office" pfSense, add an alias "HomeOffices" that contains "homeoffice1.dyndns-ip.com" (and however many home office client-end pfSense boxes you need). Add a firewall rule on WAN that permits access only from "HomeOffices" to the WAN IP and the port you have the OpenVPN server listening on. (I chose a different port from the default.)
    When the dynamic IP of a home office changes, it takes a few minutes until the dynamic DNS name is updated and the main office end rechecks the name and loads the new IP address into the alias. Then the next home office client connect attempt is allowed in.
    This scheme means that random port scanners from other places do not get any response on the main office OpenVPN server listening port.
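
    The two replies above describe the pieces in pfSense GUI terms. Written out as plain OpenVPN and pf directives, the same setup looks like the block below. This is an added example, not configuration from the thread or from pfSense; every address, subnet, port, certificate name and file path in it is an assumption. It is a routed (tun) setup: the home-office clients keep getting addresses from a DHCP server on the home LAN, and the two LANs reach each other over the tunnel. A single DHCP server serving both sites across the tunnel would need bridged (tap) mode, which neither reply covers.

```conf
# Added example, not from the thread. Assumed values:
#   main office LAN 192.168.1.0/24, static WAN 203.0.113.10, OpenVPN UDP 1195
#   home office LAN 192.168.50.0/24, dynamic WAN, DDNS name homeoffice1.dyndns-ip.com
#   tunnel network 10.8.0.0/24, home office client certificate CN "homeoffice1"
#   file paths are placeholders; pfSense writes its own under /var/etc/openvpn

##### Main office (static IP): OpenVPN server, routed (tun) mode
dev tun
proto udp
port 1195                          # non-default port, as in the post above
server 10.8.0.0 255.255.255.0
topology subnet
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/mainoffice.crt
key  /etc/openvpn/mainoffice.key
dh   /etc/openvpn/dh2048.pem
tls-crypt /etc/openvpn/tls-crypt.key   # packets without the shared key are dropped before any TLS work
remote-cert-tls client             # peer must present a certificate issued for client use
# Kernel route back to the home-office LAN (printers) plus the route pushed to the peer.
route 192.168.50.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
keepalive 10 60                    # ping every 10 s; restart the link after 60 s without a reply
persist-key
persist-tun
verb 3

##### Main office: client-specific override, file /etc/openvpn/ccd/homeoffice1
# Tells OpenVPN which connected peer owns 192.168.50.0/24; without iroute the
# kernel route above points at the tun interface but OpenVPN drops the packets.
iroute 192.168.50.0 255.255.255.0

##### Main office: WAN rule in pf syntax, the equivalent of the GUI rule in the post
# The table is filled from the DDNS name; pfSense periodically re-resolves
# hostname aliases and reloads the table when the address changes.
table <HomeOffices> { homeoffice1.dyndns-ip.com }
pass in quick on em0 proto udp from <HomeOffices> to (em0) port 1195 keep state

##### Home office (dynamic IP): OpenVPN client, always initiates and stays up
client
dev tun
proto udp
remote 203.0.113.10 1195           # the one static address; nothing ever needs to reach the home WAN IP
nobind
resolv-retry infinite              # keep retrying through WAN address changes and outages
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/homeoffice1.crt  # CN = homeoffice1, matching the ccd file name on the server
key  /etc/openvpn/homeoffice1.key
tls-crypt /etc/openvpn/tls-crypt.key
remote-cert-tls server             # refuse a peer presenting a client certificate as the server
keepalive 10 60
persist-key
persist-tun
verb 3
```

    Two points worth checking after applying something like this: the "HomeOffices" rule only protects the listening port while the DDNS name is current, so during the minutes between an address change and the alias refresh the home office cannot reconnect (that is the delay the post above describes, not a fault); and `tls-crypt` plus `remote-cert-tls` are what make the "OpenVPN doesn't check the source IP" reply safe in practice, since an unauthenticated UDP packet from a scanner is discarded before any certificate or TLS processing.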



  • @jimp:

    Sure that works fine. OpenVPN doesn't check the source IP of the traffic, only that the keys and/or certificates match. You can restrict access to the VPN process with firewall rules if you wish.

    Most limitations of dynamic IPs can be sidestepped with Dynamic DNS if you want to still be somewhat strict.

    Any place to find some documentation on how to do this? I can't get the clients behind the home pfSense to get an IP from the DHCP server at the office.

