pfSense Forum

pfSense English Support => OpenVPN => Topic started by: buomque on December 06, 2017, 02:01:37 pm

Title: OpenVPN Routing Site-to-Site tunnel to Remote Access VPN tunnel
Post by: buomque on December 06, 2017, 02:01:37 pm
Main Office Configuration:
Local network: 192.168.10.1

Main Office Site-To-Site VPN server:
IPv4 Tunnel Network: 192.168.90.0/24
IPv4 Remote network(s): 192.168.110.0/24, 192.168.111.0/24

Main Office Remote Access VPN server:
IPv4 Tunnel Network: 192.168.80.0/24
IPv4 Local network(s): 192.168.10.0/24, 192.168.110.0/24, 192.168.111.0/24

Satellite Facility #1 Configuration:
Local network: 192.168.110.1

Satellite Facility Site-To-Site #1 VPN Client:
IPv4 Tunnel Network: 192.168.90.0/30
IPv4 Remote network(s): 192.168.10.0/24, 192.168.80.0/24

Satellite Facility #2 Configuration:
Local network: 192.168.111.1

Satellite Facility Site-To-Site #2 VPN Client:
IPv4 Tunnel Network: 192.168.90.0/30
IPv4 Remote network(s): 192.168.10.0/24, 192.168.80.0/24

I created a new interface for the 192.168.90.0/24 tunnel, called Site-To-Site.
I created a new interface for the 192.168.80.0/24 tunnel, called Remote Access.

From the Main Office Site-To-Site VPN server, I can access both 192.168.110.0/24 and 192.168.111.0/24.

My laptop is connecting to the Remote Access tunnel. How can I do routing so that my laptop can get to all LAN networks which are accessible from the Main Office Site-To-Site VPN server?



Title: Re: OpenVPN Routing Site-to-Site tunnel to Remote Access VPN tunnel
Post by: marvosa on December 07, 2017, 06:58:03 pm
At a high level, you would need to push each LAN you want to access out to your clients and then enter the remote access tunnel network in the config of each remote location.

You also don't need to create interfaces unless you're doing policy routing.
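
The two requirements in the reply above (each LAN pushed to the remote access clients, and the remote access tunnel network entered at each remote location) can be checked against the addresses from the first post. This is an added example, not part of the thread: the function names are hypothetical, and it assumes the "Local network(s)" entries are what the remote access server pushes and the "Remote network(s)" entries are each side's routes into the site-to-site tunnel.

```python
from ipaddress import ip_network

# Topology copied from the first post in the thread.
RA_TUNNEL = ip_network("192.168.80.0/24")
# Assumption: the RA server's "Local network(s)" are the routes pushed to clients.
RA_PUSHED = ["192.168.10.0/24", "192.168.110.0/24", "192.168.111.0/24"]
# Assumption: "Remote network(s)" are the routes sent into the site-to-site tunnel.
SITES = {
    "Main Office": {"lan": "192.168.10.0/24",
                    "remote": ["192.168.110.0/24", "192.168.111.0/24"]},
    "Satellite #1": {"lan": "192.168.110.0/24",
                     "remote": ["192.168.10.0/24", "192.168.80.0/24"]},
    "Satellite #2": {"lan": "192.168.111.0/24",
                     "remote": ["192.168.10.0/24", "192.168.80.0/24"]},
}

def covers(prefixes, target):
    """True if any prefix in the list contains the target network."""
    return any(target.subnet_of(ip_network(p)) for p in prefixes)

def check_remote_access(sites, ra_tunnel, ra_pushed, main="Main Office"):
    """Return a list of findings. An empty list means every LAN is routed
    from the remote access tunnel and has a route back to it."""
    findings = []
    for name, site in sites.items():
        lan = ip_network(site["lan"])
        # Forward path: a client only routes what the RA server pushes to it.
        if not covers(ra_pushed, lan):
            findings.append(f"{name}: {lan} not pushed to remote access clients")
        if name == main:
            continue  # main office LAN and RA tunnel live on the same firewall
        # Forward path: main office must send the LAN into the site-to-site tunnel.
        if not covers(sites[main]["remote"], lan):
            findings.append(f"{main}: no site-to-site route to {lan}")
        # Return path: the satellite must route replies for the RA tunnel back.
        if not covers(site["remote"], ra_tunnel):
            findings.append(f"{name}: no return route to {ra_tunnel}")
    return findings

if __name__ == "__main__":
    for line in check_remote_access(SITES, RA_TUNNEL, RA_PUSHED) or ["no findings"]:
        print(line)
```

A missing return route is the silent failure here: the laptop's packets reach the satellite LAN, but replies to 192.168.80.0/24 leave by the satellite's default gateway instead of the tunnel.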
Title: Re: OpenVPN Routing Site-to-Site tunnel to Remote Access VPN tunnel
Post by: buomque on December 07, 2017, 07:46:27 pm
Thanks for the info, Marvosa!

One more question: is there a way to route all available LANs from the site-to-site tunnel to the Remote Access tunnel? Or is pushing each LAN the more proper way to do it?