Hairpinning setup from Client VPN to an S2S

Started by viquezjose, March 18, 2025, 06:28:01 PM

Hello,

I'm a little bit new to OPNsense. I'm trying to set up hairpinning between a VPN client and an endpoint in Site A.

The topology is

VPN client ---> C2S ----> OPNSENSE ---> Site to site --- 3rd Party Device --- ONPREM

I was able to bring the VPNs up, but it looks like some NAT configuration is missing, because I can see packets in on the client VPN but nothing out over the S2S; if I try to generate traffic from ONPREM I see packets out but not in.

Any help will be really appreciated.

Quote from: viquezjose on March 18, 2025, 06:28:01 PM: because I can see packets in on the CLIENT VPN but nothing out over the S2S
Which packets?

Quote from: viquezjose on March 18, 2025, 06:28:01 PM: if I try to generate from ONPREM I see packets out but not in.
What? Where?

Some more details are required. It's not clear how you have configured your network and what you are trying to achieve.

The goal is to allow a VPN client to communicate with an on-prem server: the client connects with a VPN client to the OPNsense, and the OPNsense establishes a site-to-site VPN to on-prem, where the server lives. When I say I'm able to see packets, I refer to bytes in (no bytes out) on the VPN client and bytes out (no bytes in) on the site-to-site; this makes me believe a NAT or FW rule is missing in the OPNsense.

If we stand up a server in a LAN segment connected to the OPNsense, we are able to communicate between the VPN client and the server in the LAN in both directions (this is using the VPN client) and also between the on-prem server and the LAN (using the site-to-site).

In Cisco there is a feature called inter- and intra-security-zone that allows hairpinning between the VPN client and the S2S, but I'm not sure if something similar needs to be done on the OPNsense.

Quote from: viquezjose on March 20, 2025, 07:13:16 PM: When I say I'm able to see packets, I refer to bytes in (no bytes out) on the VPN client and bytes out (no bytes in) on the site-to-site; this makes me believe a NAT or FW rule is missing in the OPNsense.
Yes, it can be done with NAT if a route on the remote site (on-prem here) is not an option.

I assume, you have already assigned an interface to the s2s VPN instance.

Then go to Firewall > NAT > Outbound and enable the hybrid mode. Then add a rule:
interface: s2s vpn
source: VPN access server tunnel network
destination: s2s remote network or a single IP with a /32 mask
translation: interface address
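The outbound NAT rule described above, written out in pf syntax as an added example (not from this thread; OPNsense renders its GUI NAT rules into pf, although the exact generated text differs). The addresses and interface names are constructed placeholders, to be replaced with your own.

```pf
# Added illustration, not from the thread. Constructed values:
#   ovpn_tun   = 10.8.0.0/24      tunnel network of the client-access VPN
#   onprem_net = 192.168.50.0/24  network behind the 3rd-party device
#   s2s_if     = interface assigned to the site-to-site VPN instance
#   ovpn_if    = interface of the client-access VPN server
ovpn_tun   = "10.8.0.0/24"
onprem_net = "192.168.50.0/24"
s2s_if     = "wg1"     # hypothetical name; use the interface you assigned
ovpn_if    = "ovpns1"  # hypothetical name

# Without the NAT rule, a client packet leaves the S2S tunnel with source
# 10.8.0.x. The remote site has no route back to 10.8.0.0/24, so replies
# never return: that is the "bytes out, no bytes in" seen on the S2S side.
#
# With it, the source is rewritten to the S2S interface address, which the
# remote side already reaches. This is the GUI rule from the reply above:
#   interface: s2s vpn, source: tunnel network,
#   destination: s2s remote network, translation: interface address.
# The parentheses make pf re-read the interface address if it changes.
nat on $s2s_if inet from $ovpn_tun to $onprem_net -> ($s2s_if)

# NAT alone does not permit the traffic; the client-VPN interface still
# needs a pass rule towards the on-prem network (Firewall > Rules).
pass in quick on $ovpn_if inet from $ovpn_tun to $onprem_net keep state
```

After applying the rule, the S2S interface counters should show bytes in as well as out, and the on-prem server sees the connection coming from the OPNsense S2S interface address rather than from the client's tunnel address.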