Remote dial in and site to site at the same time



  • I have pfSense 2.2 both at home and at my office. Both are currently configured for remote dial-in OpenVPN users. I do keep different subnet assignments for all the work and home subnets. At home I use subnets of 192.168.0.*, 192.168.1.*, and 192.168.3.*. At the office I use 192.168.2.* and 192.168.6.*. I use OpenVPN subnets of 10.8.0.* at home for remote dial-in, and 10.8.1.* at the office for remote dial-in. I am wondering if it is also possible to maintain a site-to-site VPN so I can share resources back and forth. Will this conflict with the remote dial-in servers running in any way? Sorry if that's kind of a n00b question. I just don't want to mess with a working config if what I'm trying to do isn't possible. I can do remote dial-in to either no problem from anywhere. But it would be awesome to be able to connect to one, and hit resources on both. Or also to just be able to access home LAN from work LAN and vice versa. What's the best way to go about this?



  • The way I normally do this is to add a second OpenVPN instance in the "Main" or "Server" pfSense box (I'm guessing that's the office) and set it up as a Site-Site server.
    Just make sure to use a different port than the existing RoadWarrior server on the same box and add a new Firewall->Rule to allow incoming traffic on the new port.  The other pfSense box is setup as a Site-Site client.

    I run a number of these setups and they work very well, the two OpenVPN instances on each box coexist very nicely.
    You should be able to add the Site-Site configuration without touching the RoadWarrior setups at all.
    Just make sure when you do final testing that you don't have a RoadWarrior connection established from the same machine that you're using to test the Site-Site (or you won't be testing what you think you're testing).

    Let us know how it goes…..
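
The procedure above boils down to two checks (no overlapping subnets anywhere in the mesh, no two OpenVPN instances on the same box sharing a port/protocol) and one piece of configuration (each side of the site-to-site tunnel must be told the other side's LANs, which pfSense turns into OpenVPN `route` directives). The script below is an added example, not something posted in this thread or shipped with pfSense. The LAN and road-warrior tunnel subnets are the ones from the original question; the site-to-site tunnel subnet (10.8.2.0/30), the port numbers (1194 for the existing road-warrior servers, 1195 for the new site-to-site instance) and the use of a shared-key, peer-to-peer site-to-site instance are assumptions. It also goes one step beyond the thread: to let a road-warrior client that dials into home reach the office, the office side must learn the home road-warrior tunnel subnet over the site-to-site link, and the home road-warrior server must push the office LANs to its clients, so those routes are generated as well.

```python
"""Sanity-check a two-site pfSense/OpenVPN layout (one road-warrior server per
site plus a new site-to-site instance) and emit the route directives each side
needs.  Added example: subnets come from the forum post, everything marked
'assumed' is not from the thread."""
from ipaddress import ip_network
from itertools import combinations

# Subnets taken from the original question.
HOME_LANS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.3.0/24"]
OFFICE_LANS = ["192.168.2.0/24", "192.168.6.0/24"]
HOME_RW_TUNNEL = "10.8.0.0/24"      # home road-warrior tunnel
OFFICE_RW_TUNNEL = "10.8.1.0/24"    # office road-warrior tunnel

# Assumed values for the new site-to-site (shared key, peer-to-peer) instance.
SITE_TUNNEL = "10.8.2.0/30"         # assumed /30 for the point-to-point link
RW_PORT = 1194                      # assumed port of the existing RW servers
SITE_PORT = 1195                    # assumed; must differ from RW_PORT on the office box
PROTO = "udp"


def find_overlaps(cidrs):
    """Return every pair of networks that overlap.  Empty list == no conflict.
    Any overlap means a route would be ambiguous once the sites are joined."""
    nets = [ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def find_port_clashes(instances):
    """instances: iterable of (box, proto, port, name).  Two OpenVPN instances on
    the same box cannot bind the same proto/port; return the clashes found."""
    seen, clashes = {}, []
    for box, proto, port, name in instances:
        key = (box, proto, port)
        if key in seen:
            clashes.append((box, proto, port, seen[key], name))
        else:
            seen[key] = name
    return clashes


def _route_lines(cidrs, push=False):
    """OpenVPN 'route <net> <mask>' lines (optionally wrapped in push "...")."""
    lines = []
    for n in map(ip_network, cidrs):
        line = f"route {n.network_address} {n.netmask}"
        lines.append(f'push "{line}"' if push else line)
    return lines


def site_to_site_routes(server_lans, client_lans, tunnel):
    """Directives for a shared-key site-to-site pair.  The server side (office)
    needs 'route' entries for every network living behind the client (home),
    and the client side needs 'route' entries for the networks behind the
    server.  In the pfSense GUI these are the 'Remote Network(s)' fields."""
    return {
        "tunnel": str(ip_network(tunnel)),
        "server": _route_lines(client_lans),
        "client": _route_lines(server_lans),
    }


def rw_push_routes(local_lans, far_side_lans):
    """Routes a road-warrior server pushes so a dial-in client can reach both
    its own site and the far site over the site-to-site link.  For the return
    path the far site must also route the RW tunnel subnet back over the
    site-to-site tunnel (see the office 'server' routes below)."""
    return _route_lines(list(local_lans) + list(far_side_lans), push=True)


def plan_layout():
    """Run every check on the layout from the post and build the directives.
    Home RW clients are included in the office's remote networks so that office
    hosts can answer them through the site-to-site tunnel."""
    all_nets = HOME_LANS + OFFICE_LANS + [HOME_RW_TUNNEL, OFFICE_RW_TUNNEL, SITE_TUNNEL]
    instances = [
        ("home", PROTO, RW_PORT, "home-rw-server"),
        ("office", PROTO, RW_PORT, "office-rw-server"),
        ("office", PROTO, SITE_PORT, "office-site-server"),
        # the site-to-site client on the home box binds no listening port
    ]
    return {
        "overlaps": find_overlaps(all_nets),
        "port_clashes": find_port_clashes(instances),
        "site_to_site": site_to_site_routes(OFFICE_LANS,
                                            HOME_LANS + [HOME_RW_TUNNEL],
                                            SITE_TUNNEL),
        "home_rw_push": rw_push_routes(HOME_LANS, OFFICE_LANS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(plan_layout(), indent=2))
```

Two things the checks do not cover, and that the GUI will not do for you either: the firewall rule on the office WAN must allow the new proto/port (1195/udp in this example), and the OpenVPN interface rules on both boxes must permit the traffic between the LANs; `route` directives only make the kernel send packets down the tunnel.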



  • Just create a new OpenVPN instance for the site to site, as divsys described. That won't impact your existing setup.



  • Thanks! I think I understand exactly what you mean. And the way you described is exactly how I would try to do it. I wanted to run the server side of the site-to-site on the office pfSense box, as it's nicer hardware. So just run them on different ports, and create firewall rules to route between the subnets? It's really as simple as that? That's great to hear.



  • Agreed, that's the only way you could do that.

