Site to Site plus remote user

  • Hi

    I've built a network with the following:

    Main site:

    • LAN=
    • OpenVPN Server1 to backup site
    • OpenVPN Server2 for remote users

    Backup site:

    • LAN=
    • OpenVPN client connected to Main Site

    Remote User:

    • Linux machine using OpenVPN client

    Everything works, almost!  The two sites are essentially bridged; everything at MainSite can see everything at BackupSite, and vice versa.  Remote user connected to MainSite can see everything on the LAN.

    However, I would like to have the remote user see everything in the LAN as well.  I thought this was easy enough by adding that range into the "IPv4 Local Network/s" field under the tunnel settings, but no luck.

    I'm sure this is either a routing issue or a rule issue, but can't figure it out.  Any suggestions on where to look?

    I could set up a VPN server on the Remote Site, but would like to only have the user make one VPN connection.


  • You also need to tell the Backup Server how to reach the Remote User's network.
    When the Remote user connects to the Main site, they get a Tunnel IP address, NOT an IP from the Main site.

    Add the IP tunnel network of the Remote<->Main connection to the networks available to the Backup<->Main connection.
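    As an added illustration of the routing point in this reply (not code from the thread or from pfSense; the addresses are constructed placeholders because the post elides the real LANs), this Python model does longest-prefix route lookups on each hop and traces the packet from the remote user to the backup LAN and the reply back, with and without the tunnel network added to the Backup site's routes:

    ```python
    import ipaddress

    # Constructed addressing for the three endpoints in the thread (hypothetical values).
    MAIN_LAN = "192.168.1.0/24"
    BACKUP_LAN = "192.168.2.0/24"
    SITE_TUN = "10.0.0.0/30"   # Server1 <-> Backup site-to-site tunnel
    USER_TUN = "10.8.0.0/24"   # Server2 remote-user tunnel; the user gets 10.8.0.6
    USER_IP = "10.8.0.6"
    BACKUP_HOST = "192.168.2.10"

    def lookup(table, dst):
        """Longest-prefix match over (prefix, next_hop) pairs.
        Returns the next-hop node, 'local' for a directly attached network,
        or None when only the default route (WAN) would match, i.e. the reply is lost."""
        best = None
        for prefix, next_hop in table:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None

    def trace(tables, start, dst, max_hops=6):
        """Follow next-hops from `start` until the destination is local. Returns (path, delivered)."""
        path, node = [start], start
        for _ in range(max_hops):
            nh = lookup(tables[node], dst)
            if nh == "local":
                return path, True
            if nh is None:
                return path, False
            node = nh
            path.append(node)
        return path, False

    def simulate(backup_knows_user_tunnel):
        """Return (forward_delivered, reply_delivered) for user -> backup host and the reply."""
        tables = {
            # Remote user: its own tunnel is local; Main pushed both LAN routes to it.
            "user": [(USER_TUN, "local"), (MAIN_LAN, "main"), (BACKUP_LAN, "main")],
            # Main site pfSense: reaches the user via Server2, the backup LAN via Server1.
            "main": [(MAIN_LAN, "local"), (USER_TUN, "user"), (BACKUP_LAN, "backup"), (SITE_TUN, "local")],
            # Backup site pfSense: knows the main LAN over the tunnel, but not the user tunnel network
            # until it is added to the Backup<->Main connection's remote networks.
            "backup": [(BACKUP_LAN, "local"), (SITE_TUN, "local"), (MAIN_LAN, "main")],
        }
        if backup_knows_user_tunnel:
            tables["backup"].append((USER_TUN, "main"))  # the fix suggested in the reply
        _, forward_ok = trace(tables, "user", BACKUP_HOST)
        _, reply_ok = trace(tables, "backup", USER_IP)
        return forward_ok, reply_ok
    ```

    Without the extra route the forward packet still arrives, but the Backup site has no path back to 10.8.0.0/24 and the reply follows its default route to the WAN instead of the tunnel.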

  • That fixed it!

    Thanks a bunch for the help.  pfSense is a great product, with a great community!

  • OK, there's one tiny issue left…

    From a machine at BackupSite (client end of tun), I can ping a machine at MainSite (server end of tun).  But from MainSite, I can't ping anything at BackupSite.  Not a huge deal since other things I really need (ssh, nfs, http, smb, etc.) seem to work just fine.

    Is that how it is, or can I do something about it?

  • If everything else is working, then it's very possibly a firewall issue on the BackupSite PC you're trying to reach. Win machines are notorious for ignoring ping requests from "unknown" subnets.

  • Assuming the remote end is allowing ICMP thru and the Backup site machines are running Windows, it's because Windows denies ICMP echo replies to IPs outside of its local subnet by default.  You either have to disable the software firewall or add an exception to the firewall.
