Netgate Discussion Forum
Routing Between OpenVPN servers

OpenVPN
2 Posts 2 Posters 949 Views
  rckalex
    Apr 7, 2015, 12:37 AM

    I would like to set up the pfsense device as follows:

    pfSense hosts OpenVPN servers A, B, C

    pfSense server LAN subnet 10.0.1.0/24
    Client 1 with LAN subnet 10.0.2.0/24 connects to server B -- virtual OpenVPN subnet is 172.16.2.0/24 -- cannot interact with any subnets other than its local
    Client 2 with LAN subnet 10.0.3.0/24 connects to server C -- virtual OpenVPN subnet is 172.16.3.0/24 -- cannot interact with any subnets other than its local

    User connects to server A -- virtual OpenVPN subnet is 172.16.1.0/24 -- can interact with the subnet local to the pfSense, Client 1, and Client 2 (subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24)

    Is this possible?

    Derelict (LAYER 8, Netgate)
      Apr 7, 2015, 12:58 AM

      Yes.  The connections allowed into a pfSense node from the other end of an OpenVPN connection are on Firewall > Rules, OpenVPN tab.

      So on the pfSense server, you would simply not pass connections from 10.0.2.0/24 or 10.0.3.0/24.  On Clients 1 & 2 you would pass connections from 10.0.1.0/24.

      You can also assign interfaces to OpenVPN servers so you can have a firewall rule tab for each server, instead of all OpenVPN servers combined.  This gives you a little more granularity and lets you do things like NAT out a VPN tunnel, etc.

      It doesn't have to be three different servers either.  You could do it with one Remote Access (At least I think that's what you're describing as Server A) and one Site-to-Site (to go to Clients 1 & 2).

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)
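To make the policy in the reply concrete, here is an added example (not code from the original thread or from pfSense) that models the per-server rule tabs as a first-match, default-deny rule set and checks who may initiate connections to whom. It assumes, beyond what the post states, that each OpenVPN server is assigned its own interface (ovpns1 = server A, ovpns2 = server B, ovpns3 = server C), that User traffic keeps its tunnel address 172.16.1.0/24 (no outbound NAT on the tunnel), and that the client LANs are routed over the site-to-site tunnels so packets from 10.0.2.0/24 enter on ovpns2. The interface names, rule list and host addresses are constructed for the example.

```python
"""Model of the per-tab OpenVPN firewall policy from the reply above.

Added example, not pfSense code. Assumptions (not in the post): servers A/B/C are assigned
interfaces ovpns1/ovpns2/ovpns3, User traffic carries its tunnel address (no NAT), and the
client LANs are routed over their site-to-site tunnels.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

# Which pfSense interface (rule tab) a packet from each source network arrives on.
INGRESS = {
    Net("10.0.1.0/24"): "lan",       # pfSense LAN
    Net("172.16.1.0/24"): "ovpns1",  # User, remote-access server A
    Net("10.0.2.0/24"): "ovpns2",    # Client 1 LAN via site-to-site server B
    Net("10.0.3.0/24"): "ovpns3",    # Client 2 LAN via site-to-site server C
}


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str  # "pass" or "block"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"


# Constructed rule tabs. pfSense evaluates rules first-match per interface, and anything
# not matched by a pass rule is dropped by the default deny.
RULES = [
    # Server A tab (ovpns1): users may initiate to the hub LAN and both client LANs.
    Rule("ovpns1", "pass", "172.16.1.0/24", "10.0.1.0/24"),
    Rule("ovpns1", "pass", "172.16.1.0/24", "10.0.2.0/24"),
    Rule("ovpns1", "pass", "172.16.1.0/24", "10.0.3.0/24"),
    # Server B/C tabs: nothing is passed. An explicit block rule (log it in pfSense) makes
    # the policy visible in the firewall log instead of relying on the silent default deny.
    Rule("ovpns2", "block", "any", "any"),
    Rule("ovpns3", "block", "any", "any"),
    # LAN tab: the hub's own LAN may initiate to everything.
    Rule("lan", "pass", "10.0.1.0/24", "any"),
]


def _matches(cidr, ip):
    return cidr == "any" or ip in Net(cidr)


def ingress_iface(src_ip):
    for net, iface in INGRESS.items():
        if src_ip in net:
            return iface
    raise ValueError(f"unknown source {src_ip}")


def evaluate(src, dst):
    """Return 'pass' or 'block' for a new connection src -> dst entering pfSense."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_iface(src_ip)
    for r in RULES:
        if r.iface == iface and _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.action
    return "block"  # default deny


STATE = set()  # (src, dst) pairs of connections that were passed


def open_connection(src, dst):
    """Evaluate a new connection and record state for it if it is passed."""
    verdict = evaluate(src, dst)
    if verdict == "pass":
        STATE.add((src, dst))
    return verdict


def reply_allowed(src, dst):
    """Replies ride on the state entry; the replying side needs no pass rule of its own."""
    return (dst, src) in STATE


def reachability():
    """One representative host per network; True where that host may initiate a connection."""
    hosts = {"lan": "10.0.1.10", "user": "172.16.1.10",
             "client1": "10.0.2.10", "client2": "10.0.3.10"}
    return {a: {b: evaluate(ha, hb) == "pass" for b, hb in hosts.items() if b != a}
            for a, ha in hosts.items()}


if __name__ == "__main__":
    for a, row in reachability().items():
        print(a, {b: "pass" if ok else "block" for b, ok in row.items()})
```

The model only covers the hub. The firewall at each client site still has to pass whatever source addresses arrive over its tunnel; under the no-NAT assumption above that means 172.16.1.0/24 for User traffic as well as 10.0.1.0/24, whereas NATing out the tunnel (as the reply mentions) would make all of it appear from the hub's address.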

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.