Route single IP through Site-to-Site-VPN
Posted: Wed May 03, 2023 10:04 am
by dakapo
Hello everybody!
I have two locations (Home-Office, Main-Office) connected through a Site-to-Site-VPN between two pfSense-devices.
From my home-office I have several servers I want to connect to through the VPN and through the WAN-IP of the main-office.
It goes like this:
Home-Office (192.168.121.0/24) <---- OpenVPN (192.168.123.0/30) ----> Main-Office (192.168.122.0/24) <----> WAN
For building up the route to the different Destination-IPs (e.g. 1.1.1.1) I added the following command to my OpenVPN-Client on the pfSense in the Home-Office:
After that the packets are going out through the WAN of the pfSense in the Main-Office.
But no packets seem to come back to my client in my Home-Office.
I checked the Firewall and nothing seems to be blocked. I think I might have a routing-problem somewhere.
Normal connections between the two LANs of Home-Office and Main-Office are working fine.
Can anybody help me with this?
Thank you!
Daniel
Re: Route single IP through Site-to-Site-VPN
Posted: Wed May 03, 2023 12:28 pm
by dakapo
The routing-table of pfSense 1 (Home-Office, 192.168.121.1)
Internet:
Destination Gateway Flags Nhop# Mtu Netif Expire
default 109.205.200.1 UGS 7 1500 ix0
109.205.200.0/24 link#5 U 5 1500 ix0
109.205.200.1 link#5 UHS 4 1500 ix0
***.***.***.*** link#5 UHS 6 16384 lo0
127.0.0.1 link#9 UH 2 16384 lo0
192.168.120.0/24 192.168.120.2 UGS 10 1500 ovpns1
192.168.120.1 link#13 UHS 9 16384 lo0
192.168.120.2 link#13 UH 8 1500 ovpns1
192.168.121.0/24 link#1 U 1 1500 igc0
192.168.121.1 link#1 UHS 3 16384 lo0
192.168.122.0/24 192.168.123.1 UGS 13 1500 ovpnc3
192.168.123.1 link#14 UH 11 1500 ovpnc3
192.168.123.2 link#14 UHS 12 16384 lo0
1.1.1.1 192.168.123.1 UGHS 14 1500 ovpnc3
213.196.148.12 link#5 UHS 4 1500 ix0
213.196.149.12 link#5 UHS 4 1500 ix0
The routing-table of pfSense 2 (Main-Office, 192.168.122.1)
Internet:
Destination Gateway Flags Use Mtu Netif Expire
default 213.196.128.1 UGS 185021789 1500 igb0
127.0.0.1 link#5 UH 5659087 16384 lo0
192.168.121.0/24 192.168.123.2 UGS 842 1500 ovpns2
192.168.122.0/24 link#3 U 7353864632 1500 igb2
192.168.122.1 link#3 UHS 0 16384 lo0
192.168.123.1 link#8 UHS 0 16384 lo0
192.168.123.2 link#8 UH 16 1500 ovpns2
192.168.124.0/24 link#2 U 0 1500 igb1
192.168.124.1 link#2 UHS 0 16384 lo0
192.168.125.0/24 192.168.125.2 UGS 3276461 1500 ovpns1
192.168.125.1 link#9 UHS 0 16384 lo0
192.168.125.2 link#9 UH 0 1500 ovpns1
213.196.128.0/24 link#1 U 0 1500 igb0
213.196.128.1 **:**:**:**:**:** UHS 0 1500 igb0
***.***.***.*** link#1 UHS 0 16384 lo0
213.196.148.12 **:**:**:**:**:** UHS 3953 1500 igb0
213.196.149.11 **:**:**:**:**:** UHS 3953 1500 igb0
Re: Route single IP through Site-to-Site-VPN
Posted: Wed May 03, 2023 2:37 pm
by dakapo
Okay. A first problem has been solved. A friend of mine found out that an Outbound-NAT-Rule was missing for the 192.168.123.0/30-Tunnel on the Firewall in the Main Office.
Now I can reach the IP addresses from the pfSense in the Home-Office.
What's still not working is reaching the IP addresses from the Clients in the LAN of Home-Office.
> pfctl -s nat
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on igb0 inet from 192.168.122.0/24 to any -> ***.***.***.*** port 1024:65535
nat on igb0 inet from 192.168.125.0/24 to any -> ***.***.***.*** port 1024:65535
nat on igb0 inet from 192.168.123.0/30 to any -> ***.***.***.*** port 1024:65535
no rdr proto carp all
rdr-anchor "tftp-proxy/*" all
rdr-anchor "miniupnpd" all
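An added check, not part of this thread: it parses `pfctl -s nat` output in the shape posted above and reports which source subnets still have no outbound NAT rule on the WAN interface, which is exactly what was wrong here (first the tunnel net, then the Home-Office LAN). The sample output is constructed from the post, with the anonymised WAN address replaced by the documentation address 198.51.100.1.

```python
import ipaddress
import re

# Constructed sample mirroring the posted `pfctl -s nat` output of the
# Main-Office pfSense; 198.51.100.1 is a placeholder for the masked WAN IP.
PFCTL_NAT_OUTPUT = """\
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on igb0 inet from 192.168.122.0/24 to any -> 198.51.100.1 port 1024:65535
nat on igb0 inet from 192.168.125.0/24 to any -> 198.51.100.1 port 1024:65535
nat on igb0 inet from 192.168.123.0/30 to any -> 198.51.100.1 port 1024:65535
no rdr proto carp all
rdr-anchor "tftp-proxy/*" all
rdr-anchor "miniupnpd" all
"""

NAT_RULE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+) -> (?P<target>\S+)"
)

def parse_outbound_nat(text):
    """Return (iface, src_network, dst, target) for every active 'nat on' rule."""
    rules = []
    for line in text.splitlines():
        m = NAT_RULE.match(line.strip())
        if not m:
            continue  # anchors, 'no nat' and rdr lines are not outbound NAT rules
        src = m.group("src")
        src_net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
        rules.append((m.group("iface"), src_net, m.group("dst"), m.group("target")))
    return rules

def missing_outbound_nat(text, wan_iface, subnets):
    """Subnets (as strings) that no 'nat on <wan_iface>' rule translates."""
    rules = parse_outbound_nat(text)
    missing = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=False)
        covered = any(iface == wan_iface and net.subnet_of(src_net)
                      for iface, src_net, _dst, _target in rules)
        if not covered:
            missing.append(s)
    return missing

if __name__ == "__main__":
    # Every subnet whose traffic may leave via the Main-Office WAN: the local
    # LAN, the OpenVPN tunnel net and the remote Home-Office LAN.
    wanted = ["192.168.122.0/24", "192.168.123.0/30", "192.168.121.0/24"]
    for s in missing_outbound_nat(PFCTL_NAT_OUTPUT, "igb0", wanted):
        print("no outbound NAT on igb0 for", s)
```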
Re: Route single IP through Site-to-Site-VPN
Posted: Thu May 04, 2023 6:50 am
by dakapo
I solved the last part of the problem too. I had to add another Outbound-NAT-Rule for the LAN-Subnet (192.168.121.0/24) of Home-Office to the pfSense in Main-Office.
Re: Route single IP through Site-to-Site-VPN
Posted: Thu May 11, 2023 6:14 am
by Anasabdullah
You should be able to solve this problem by configuring a route on the pfSense in the Main-Office to the Home-Office. This route should tell the pfSense in the Main-Office to route any traffic from the Home-Office to the WAN.
To do this, you can use the following command:
route 192.168.121.0/24 192.168.123.2
Where 192.168.123.2 is the IP of the OpenVPN interface on the pfSense in the Home-Office.
Once you have set this routing rule in the Main-Office, your setup should be working as expected.