[SOLVED]: Route some traffic over site B gateway

  • Hi,

    I've successfully created a link between my virtualised pfSense firewall in Germany and my home router (dd-wrt) using a separate openvpn config. Germany = Site A, home = Site B

    WAN Site A:
    WAN Site B:
    LAN Site A:
    LAN Site B:

    Third party ip:

    Openvpn tunnel using: (Site A is using and Site B is using

    Both private lans are able to talk to each other :-).

    On a second openvpn config I am connecting from Denmark (lots of countries, I know ;-) ).
    It's a cert based config using as range. All traffic is routed through the Site A gateway (bypassing firewalls and stuff), which seems to work perfectly.

    I added the following iptables rule on Site B to allow traffic from to LAN site B

    route add -net netmask gw

    and pings from 10.0.1.x to 192.168.22.x are flowing like a charm.

    Now I want to achieve the following:

    route some traffic from through the gateway of Site B. ( only allows traffic from the ip At the moment all traffic from 10.0.1.x leaves through…

    I already found out that by adding to the "IPv4 Remote Network/s" the traffic gets routed to so traffic arrives at my DD-WRT router...

    But it seems to block there...

    Anyone any suggestions?

  • In principle, the DD-WRT home router (site B) has to:

    1. Allow incoming packets on the OpenVPN link from site A addresses (at least including too (or as big a range of destination IPs as you like)
    2. NAT those packets out on WAN (it should already route them out WAN by default, since the destination is an ordinary public IP)

    The NAT is necessary, otherwise the source IP will not be the home router (site B) and so reply traffic will not come back.

    Not being a DD-WRT guy, I leave it up to you or others as to how to implement the above.

  • Thank you so much, the final piece of the puzzle has been found ;-)

    The NAT table was something I completely forgot to check ;-).

    Rules that made my day:

    iptables -I FORWARD -i tun0 -o vlan2 -j ACCEPT
    iptables -t nat -A POSTROUTING -s -o vlan2 -j SNAT --to-source $(nvram get wan_ipaddr)

    The first one to allow packets from the tunnel to go to the wan interface and the second to activate the natting for those packets ;-)
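The two-step recipe in the reply above (allow the forwarded packets, then source-NAT them out WAN) and the rules posted as the solution both work, but the FORWARD rule as posted accepts everything arriving on tun0 towards vlan2, so any host reachable over the site-to-site tunnel can use site B's WAN for any destination. The script below is an added example, not code from the thread: it restricts the forward to one source range and one destination host, adds the stateful return-path rule, and keeps the SNAT. The thread's real addresses are not on the page, so the source range 10.0.1.0/24 (from "10.0.1.x"), the third-party address 203.0.113.10 and the fallback WAN address 198.51.100.2 are placeholders; tun0 and vlan2 are the interface names the poster used. By default it only prints the rules; set DRY_RUN=0 on the router to apply them.

```shell
#!/bin/sh
# Added example for DD-WRT (site B): let one client range reach one
# public host via this router's WAN, and SNAT it so replies come back.
# Defaults are placeholders, override them through the environment.

TUN_IF="${TUN_IF:-tun0}"            # site-to-site OpenVPN interface (as in the thread)
WAN_IF="${WAN_IF:-vlan2}"           # DD-WRT WAN interface (as in the thread)
SRC_NET="${SRC_NET:-10.0.1.0/24}"   # assumed road-warrior range behind site A ("10.0.1.x")
DST_IP="${DST_IP:-203.0.113.10}"    # placeholder for the third-party IP
# DD-WRT exposes the WAN address via nvram; fall back to a placeholder off-router.
WAN_IP="${WAN_IP:-$(nvram get wan_ipaddr 2>/dev/null || echo 198.51.100.2)}"

# Print the rules one per line so they can be reviewed before being applied.
build_rules() {
    # 1. Forward only SRC_NET -> DST_IP from the tunnel to WAN (the thread's
    #    rule had no -s/-d, so it forwarded everything from tun0 to vlan2).
    printf '%s\n' "iptables -I FORWARD -i $TUN_IF -o $WAN_IF -s $SRC_NET -d $DST_IP -j ACCEPT"
    # 2. Let replies flow back WAN -> tunnel, but only for connections
    #    already tracked by conntrack.
    printf '%s\n' "iptables -I FORWARD -i $WAN_IF -o $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. Rewrite the source to the WAN address; without this the third party
    #    would see 10.0.1.x as the source and its replies would never return.
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $SRC_NET -d $DST_IP -o $WAN_IF -j SNAT --to-source $WAN_IP"
}

# Number of rules the script manages (used for a quick sanity check).
rule_count() {
    build_rules | grep -c '^iptables '
}

# Apply the rules, or print them when iptables is unavailable or we are not root.
apply_rules() {
    if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        build_rules | sh -e
    else
        echo "# not root or no iptables here; rules that would be applied:" >&2
        build_rules >&2
        return 1
    fi
}

# Show whether packets are actually hitting the NAT rule (pkts/bytes counters).
check_nat() {
    iptables -t nat -vnL POSTROUTING | grep -F -- "$DST_IP"
}

if [ "${DRY_RUN:-1}" = "1" ]; then
    build_rules
else
    apply_rules && check_nat
fi
```

Rules entered this way on DD-WRT are lost on reboot; paste the same commands into the firewall script (Administration > Commands, "Save Firewall") so they are re-applied at boot. After a test ping from 10.0.1.x to the third-party host, the counters printed by check_nat should increase; if the FORWARD counters move but the POSTROUTING ones do not, the packet is leaving with the wrong source address.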
