
Author Topic: Remote GW Routing


Offline landonc

Remote GW Routing
« on: December 06, 2017, 12:24:05 pm »
OpenVPN Remote GW Routing

Hello,

I've started working on creating a VPN setup that I can host at family homes, allowing me to avoid regional limitations. Luckily I have this option!

For ease of control, etc., my plan is to host a pfSense OpenVPN server at my home and pfSense OpenVPN clients at the family homes.

My desire is to control when to use the VPN as the default route, and through which client (remote home), via policy-based routing (source IP?)... Or some other (and better) (and easy to manage) method.

Host 1 ---> Home PF / OpenVPN Server <--[WAN]--> (Tunnel 1 or 2) <--[WAN]--> Remote Home / PF / OpenVPN Client

First, I'm trying to prove things out locally by leveraging VirtualBox, within which I have set up 4 virtual hosts.

1. My Home
- pfSense 2.4.2
- OpenVPN Server
- LAN: 10.0.1.0/24
- Tunnel:  10.0.0.0/24

2. Host 1 / Local Host on Home LAN
- Testing with Ubuntu 16.04 server
- IP: 10.0.1.3

3. Remote Home
- pfSense 2.4.2
- Client to Home OpenVPN
- LAN: 192.168.2.0/24
--- Or I can treat the addresses across all sites as a single /8 subnet, with a configured IP range of 10.0.2.0/24 here

4. Another Remote Home
- pfSense 2.4.2
- Client to Home OpenVPN
- LAN: 192.168.3.0/24 (or 10.0.3.0/24)

One of my thoughts was that non-overlapping IP address space is needed (as seen above!).

My desired final picture seems to be different than the examples I've found thus far, since I'm not wanting to route client traffic through the server, but all traffic from a host on the server's LAN through either client's WAN.

I think the preference is to do it in "tun" mode.  Easier to setup.  Less overhead. Etc.

But I'm not having any luck getting things to work based on source IP.  I've also thought some combination of NAT & IP Alias or ProxyARP may provide a working solution, but what that combination is I have not figured out.

Explicit routing works. I can ping each pfSense client's LAN IP (GW) from Host 1, but I cannot force/route Host 1's traffic to go down a specific tunnel on demand.

Suggestions?

Thanks!
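The following is an added illustration, not part of the original post and not anything landonc posted or tested. It is a hand-written pf ruleset showing what the source-IP policy route described above looks like underneath pfSense's GUI: on the home box, traffic from a listed LAN host is sent into the server's tun interface with a `route-to` gateway of the chosen remote client's tunnel address; on each remote box, traffic arriving from the home LAN is accepted on the client tun interface and NATed out the remote WAN so replies come back through the same tunnel. Interface names (`em0`, `em1`, `ovpns1`, `ovpnc1`), the tunnel addresses `10.0.0.2` / `10.0.0.3`, and the table names are assumptions; the LAN and tunnel subnets are the ones in the post.

```pf
###############################################################
# Home pfSense ("My Home", OpenVPN server side). Assumed names.
###############################################################
lan_if  = "em1"        # LAN 10.0.1.0/24
ovpn_if = "ovpns1"     # server tun interface, 10.0.0.1/24 (assumed)

# Tunnel IPs assigned to the two remote clients (assumed values)
remote2 = "10.0.0.2"   # Remote Home
remote3 = "10.0.0.3"   # Another Remote Home

# Which LAN hosts get which tunnel as their default route.
# Move a host between tables (pfctl -t via_remote2 -T add/delete)
# to switch its exit point "on demand" without reloading rules.
table <via_remote2> persist { 10.0.1.3 }
table <via_remote3> persist

# Site-to-site traffic stays on the normal routing table
# (no route-to), so the remote LANs remain reachable directly.
pass in quick on $lan_if from $lan_if:network \
    to { $lan_if:network, 10.0.0.0/24, 192.168.2.0/24, 192.168.3.0/24 } keep state

# Policy routes: the source host decides which tunnel is used.
pass in quick on $lan_if from <via_remote2> to any \
    route-to ($ovpn_if $remote2) keep state
pass in quick on $lan_if from <via_remote3> to any \
    route-to ($ovpn_if $remote3) keep state

# Everything else from the LAN leaves via the home WAN as usual.
pass in quick on $lan_if from $lan_if:network to any keep state

###############################################################
# Each remote pfSense (OpenVPN client side). Assumed names.
###############################################################
wan_if   = "em0"
ovpnc_if = "ovpnc1"    # client tun interface

# Masquerade home-LAN traffic that arrived over the tunnel
# onto the remote WAN address (nat must precede filter rules).
nat on $wan_if from 10.0.1.0/24 to any -> ($wan_if)

# Allow that traffic in from the tunnel; state handles replies.
pass in quick on $ovpnc_if from 10.0.1.0/24 to any keep state
```

Two caveats worth checking before blaming the rules. First, `route-to` only hands the packet to the tun interface; in OpenVPN server mode the daemon then forwards a packet to a particular client only if the destination matches that client's tunnel IP or an `iroute` assigned to it, so Internet-bound packets pointed at `10.0.0.2` are dropped unless that client is given a client-specific override covering 0.0.0.0/0 (and only one client can own it). The usual pfSense way around this is one peer-to-peer tunnel per remote site, where whatever enters the tun goes to the single peer. Second, the remote box must have the NAT rule above; without it the remote ISP sees packets sourced from 10.0.1.0/24 and the replies never return.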