[SOLVED] OpenVPN Site-to-Site Incoming Port Forward

  • I am trying to port forward WAN from Site A to a client on Site B and wondering if it is possible.  I already have the interface assigned on both sites so they show up as gateways on the sites, but can't seem to figure out how to make this all work :(

    So, example would be…

    Site A:
        External IP: & & (Have 3 External WAN IP Addresses)
        Internal IP: 10.40.163.XXX
        Tunnel Network: (Currently setup as the Client VPN)

    Site B:
        External IP:
        Internal IP: 10.40.162.XXX
        Tunnel Network: (Currently setup as the Server VPN)

    If you go to I want it to point to
    If you go to I want it to point to

    Is this possible?


  • Perhaps I'm missing something, but I don't see where OpenVPN comes into play at all.

    Can't you just go to to "Firewall->NAT-Port Forward" and setup the forwarding you need?

  • divsys, my thoughts exactly.  Requests for and are going to go over the internet.  Just set up a simple NAT.

  • I tried this and it doesn't work for some reason.

    It won't open ports through the VPN…  I can only open ports to a client on the local side.  So in this case, only a client on 10.40.163.XXX side.

    If I put in a client on the VPN side (10.40.162.XXX), it fails.  So I figured there has to be something else that has to be done for this to work :(

    Also, if I look at Firewall Status, it shows it is blocking the following:

    If: WAN
    Proto: IGMP


  • I still think there's some basic confusion about what you're trying to accomplish here.

    Let me try a simple diagram of what I believe your setup looks like:

    10.40.163.x (LAN) -> SiteA 60.50.40.30 (WAN1) \                    / 10.40.162.x
                                           (WAN2)  >    Internet    <        |
                                           (WAN3)          \                 |
                                      (Client VPN) <--------------------> (OVPN)

    Your initial question was:

    If you go to I want it to point to
    If you go to I want it to point to

    From this I presume you have two webservers (or equivalent) running on devices at and at Site A.

    To enable the forwarding on (WAN1), you would typically go to "Firewall->NAT->PortForwarding", click on "+" to add a new rule and fill in:

    Destination->WAN address
    Destination port range from:->HTTP
    Destination port range to:->HTTP
    Redirect target IP->
    Redirect target port->HTTP

    Click "Save" and then "Apply Changes".

    After you've done this, any traffic to port 80 (HTTP) at will be redirected to port 80 on  This will work for anyone trying from the internet, it doesn't depend on the VPN connection at all.

    The one possible exception would be if some other device on the SiteA LAN (say were to try to reach WAN1.  Since that device is already inside the firewall the NAT translation will not work properly unless you enable the "NAT reflection" flag on the port forward rule.

    That's all that's typically required.

    Also, if I look at Firewall Status, it shows it is blocking the following:

    If: WAN
    Proto: IGMP

    This has nothing to do with your port forward attempts and is likely caused by some other device(s) associated with your setup.  For now they can safely be ignored.

    If you're still having trouble, post a screen shot of your PortForward rule(s).

  • You are close.  The only thing that looks off is you said I have two web servers at Site A…  The problem is, they are actually at Site B.  Site A is 10.40.163.XXX...  Site B is 10.40.162.XXX.  So you have the correct IP addresses, just the wrong site name.

    Below is my NAT forwarding as you requested.  This screenshot is taken from SiteA's pfSense Box.  I have no problems opening ports for local side.  Meaning (WAN) & Site A to 10.40.163.XX (Client at Site A).  The problem is, I want a WAN on Site A to point to a client at Site B.

    Thanks for your help!!!

  • Ah, I see what you're trying to accomplish now.  You're forwarding from outside one router back through the VPN connection into a box behind the 2nd router.

    This is doable (though I haven't set it up myself).  I tracked down a previous thread that may be helpful.

    Take a look at this one https://forum.pfsense.org/index.php?topic=57970.msg310044#msg310044

  • Thanks for your help.  I have looked at that forum and still unable to get it working :(

    I'm glad to hear it's doable, now if only I knew how :(


  • LAYER 8 Netgate

    The target servers at site B will have to know to forward ALL traffic back through the VPN and not out their default gateway/WAN at Site B.

  • Ok.  That worked.  I set my default gateway for the client to use the VPN.  Now all internet on that client though goes through the VPN :(.

    Is there anyway around this?  For example, I have an HTTP server on that machine.  So I have to do all port 80….  But I don't want all 80 traffic going through the VPN.

    Is there a way to tell it only if the request is coming from the VPN to return back through the VPN?


  • LAYER 8 Netgate

    That's going to be a trick since your web clients can be anywhere on the internet.

    I was thinking you could create a gateway pointing at the VPN interface at the other end, then use a firewall rule on the interface the web servers are on to direct traffic sourced from port 80 through the VPN but I don't think that'll work because it won't be a SYN packet and the states are already being established.  Big brains feel free to chime in.

    Maybe there's a way to mark the state on ingress and use the mark on egress to point the traffic in the right direction?  Just guessing here.

    Why not put the web server at the other site?  Or use site B's internet since the traffic's going over it anyway?

  • Ok.  I will play around with it.  Either way, it works and I got it doing what I wanted to!  Thanks again for your help!

  • LAYER 8 Netgate

    I just watched the recent gold hangout with jimp and this very topic was addressed.  I haven't done it and don't really understand it but there's a way to get reply-to working to put the return traffic back over the VPN and not out the default gateway.  The hangout is kind of a deep dive covering a lot so I'm not quite sure exactly what he's talking about…yet.
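To make the return-path problem from the last few posts concrete, here is an added Python model. It is not pfSense or pf code and is not from anyone in the thread; it walks one forwarded connection through Site B's egress decision under the three options discussed above: plain routing (the server's reply leaves by Site B's default gateway and never makes it back to the client), pointing the server's default route at the VPN as the OP did (works, but every packet the server sends now crosses the tunnel), and a pf-style reply-to that pins the reply to the interface the request arrived on (reply returns through the tunnel, unrelated traffic still uses Site B's WAN). All addresses, interface names (`lan`, `ovpns`, `wan`) and the helper names are assumptions for the illustration.

```python
"""
Return-path model for the thread's setup: a port forward on Site A's WAN is
redirected across the OpenVPN tunnel to a web server on Site B's LAN.

Constructed illustration only (not pfSense or pf code). Every address below is
made up: Site A WAN 203.0.113.10, tunnel network 10.8.0.0/24, server
10.40.162.10 on Site B's LAN, an Internet client 198.51.100.7.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SITE_A_WAN = "203.0.113.10"
SERVER = "10.40.162.10"
CLIENT = "198.51.100.7"
MODES = ("routing", "default_via_vpn", "reply_to")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def reply(self) -> "Packet":
        return Packet(self.dst, self.src, self.dport, self.sport)


class SiteBFirewall:
    """Minimal model of Site B's pfSense: a routing table, a state table and
    the egress decision for replies coming back from the LAN server."""

    def __init__(self, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(mode)
        self.mode = mode
        # Longest-prefix-match table. The default route normally points at Site
        # B's own WAN; "default_via_vpn" is the OP's fix of sending the server's
        # default traffic through the tunnel instead.
        self.routes = {
            ip_network("10.40.162.0/24"): "lan",
            ip_network("10.8.0.0/24"): "ovpns",  # tunnel network
            ip_network("0.0.0.0/0"): "ovpns" if mode == "default_via_vpn" else "wan",
        }
        # (src, dst, sport, dport) -> interface the packet arrived on
        self.states: dict = {}

    def route(self, dst: str) -> str:
        addr = ip_address(dst)
        best = max((n for n in self.routes if addr in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def inbound(self, pkt: Packet, ingress: str) -> str:
        """Forwarded packet arrives from the tunnel: create state, remembering the
        ingress interface (what pf's reply-to keyword would pin the reply to)."""
        self.states[(pkt.src, pkt.dst, pkt.sport, pkt.dport)] = ingress
        return self.route(pkt.dst)

    def outbound(self, pkt: Packet) -> str:
        """Egress interface for a packet sent by the LAN server."""
        key = (pkt.dst, pkt.src, pkt.dport, pkt.sport)  # matching stored state
        if self.mode == "reply_to" and key in self.states:
            return self.states[key]  # reply goes back the way the request came
        return self.route(pkt.dst)  # otherwise the routing table decides


def end_to_end(mode: str) -> dict:
    fw = SiteBFirewall(mode)
    # 1. Client connects to Site A WAN:80. Site A's port forward rewrites only
    #    the destination, so the packet crossing the tunnel still carries the
    #    client's source address.
    syn = Packet(CLIENT, SITE_A_WAN, 40000, 80)
    forwarded = Packet(syn.src, SERVER, syn.sport, syn.dport)
    delivered_via = fw.inbound(forwarded, ingress="ovpns")
    # 2. The server replies to the client's public address. Only a reply that
    #    re-enters the tunnel reaches Site A's NAT state and gets its source
    #    rewritten back to Site A's WAN address, which is what the client expects;
    #    a reply leaving Site B's WAN arrives from the wrong address and is dropped.
    reply_via = fw.outbound(forwarded.reply())
    # 3. Unrelated traffic from the same server, e.g. fetching updates from 192.0.2.50.
    unrelated_via = fw.outbound(Packet(SERVER, "192.0.2.50", 50000, 443))
    return {
        "delivered_via": delivered_via,
        "reply_via": reply_via,
        "client_gets_reply": reply_via == "ovpns",
        "unrelated_via": unrelated_via,
    }


if __name__ == "__main__":
    for m in MODES:
        print(f"{m:16s} {end_to_end(m)}")
```

The model only decides where Site B sends the reply; Site A's NAT state is represented by the single fact that the reply has to re-enter the tunnel to be un-NATed there. Running it shows the trade-off the thread ends on: the default-gateway fix and reply-to both get the reply home, but only reply-to leaves the server's other traffic on Site B's own WAN.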
