Forward traffic from one VPN to another
Topic: Forward traffic from one VPN to another (Read 912 times)
yurka
Newbie
Posts: 10
Karma: 0
Forward traffic from one VPN to another
«
on:
July 21, 2023, 07:59:52 pm »
Hi,
I have two sites with a WireGuard VPN between them (SiteA, SiteB). Users connect to SiteA with OpenVPN clients, but they need to communicate with PCs in SiteB too. Is it possible to do so? Route data from OpenVPN to WireGuard when the destination is SiteB?
Thanks
Logged
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Forward traffic from one VPN to another
«
Reply #1 on:
July 22, 2023, 09:42:04 am »
Yes, absolutely. You need everybody to agree on routing both ways, and you need to allow the protocol/port in your firewall policy.
Logged
yurka
Newbie
Posts: 10
Karma: 0
Re: Forward traffic from one VPN to another
«
Reply #2 on:
July 22, 2023, 12:20:16 pm »
Nice, now how to do so?
Let's assume:
SiteA - 10.0.1.0/24
SiteB - 10.0.2.0/24
WireGuard Tunnel - 10.200.0.0/24
OpenVPN Tunnel - 10.50.0.0/24
How and where can I set up routing?
I created allow rules for the following interfaces:
SiteB-WireGuard: Allow
Source: 10.50.0.0/24, 10.200.0.0/24, Dest: 10.0.2.0/24,
Source: 10.0.2.0/24 Dest:10.50.0.0/24, 10.200.0.0/24
SiteA-WireGuard: Allow
Source: 10.50.0.0/24, Dest: 10.0.2.0/24
Source: 10.0.2.0/24, Dest: 10.50.0.0/24
SiteA-OpenVPN: Allow
Source: 10.50.0.0/24, Dest: 10.0.2.0/24
Source: 10.0.2.0/24,10.200.0.0/24 Dest: 10.50.0.0/24
This is not working. In the logs I see on the OpenVPN interface that access is allowed. Then I see on SiteA-WireGuard that access is allowed, but on SiteB I do not see the packet at all, neither in Deny nor in Allow.
Logged
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Forward traffic from one VPN to another
«
Reply #3 on:
July 22, 2023, 03:26:03 pm »
OpenVPN clients need a route to Site A and B as well as the tunnel. Add these lines to your OpenVPN conf file (or set them manually on each client):
push "route 10.0.1.0 255.255.255.0"
push "route 10.0.2.0 255.255.255.0"
push "route 10.200.0.0 255.255.255.0"
If the WireGuard endpoints are default gateways for Sites A and B, you just need a static route on Site B for 10.50.0.0/24 to go via the WireGuard IP address of the firewall in Site A.
Logged
yurka
Newbie
Posts: 10
Karma: 0
Re: Forward traffic from one VPN to another
«
Reply #4 on:
July 22, 2023, 06:35:49 pm »
1. My gateways for WireGuard on SiteA and SiteB weren't properly configured. I needed to add the WireGuard's Local Tunnel Address for each Site.
2. Then I configured on SiteA a route for 10.0.2.0/24 to the WireGuard gateway.
3. On SiteB's WireGuard Endpoint I added the OpenVPN range (10.50.0.0/24) to Allowed IPs.
Now it's working as planned.
10x
Logged
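As an added example (not code from this thread or from OPNsense), the following Python model traces one packet across the two firewalls' routing tables and WireGuard AllowedIPs (cryptokey routing), showing why the packet left SiteA but never appeared in SiteB's logs until the OpenVPN range was added to the peer's AllowedIPs and SiteB got a static route back. The address ranges are the thread's; interface names and the peers' tunnel addresses (10.200.0.1 / 10.200.0.2) are assumptions.

```python
import copy
import ipaddress

def longest_match(routes, dst):
    """Longest-prefix lookup over (prefix, interface) pairs; None means no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), i) for p, i in routes if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def in_allowed(allowed_ips, ip):
    """WireGuard cryptokey routing: the peer's AllowedIPs must cover the destination
    of an outbound packet and the source of an inbound decrypted packet."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in allowed_ips)

def trace(src, dst, entry, sites):
    """Forward one packet that enters firewall `entry`; returns (delivered, hop log).
    'allowed' is the AllowedIPs a site configured for its single WireGuard peer."""
    node, log = entry, []
    for _ in range(4):                              # two firewalls, no loops
        iface = longest_match(sites[node]["routes"], dst)
        if iface is None:
            log.append(f"{node}: no route to {dst}"); return False, log
        if iface != "wg":
            log.append(f"{node}: delivered via {iface}"); return True, log
        if not in_allowed(sites[node]["allowed"], dst):
            log.append(f"{node}: wg drops outbound, {dst} not in AllowedIPs"); return False, log
        peer = sites[node]["peer"]
        if not in_allowed(sites[peer]["allowed"], src):
            log.append(f"{peer}: wg drops inbound, src {src} not in AllowedIPs"); return False, log
        log.append(f"{node} -> {peer} over WireGuard")
        node = peer
    return False, log

# Constructed topology using the thread's ranges; interface names and the
# peers' tunnel addresses (10.200.0.1 / 10.200.0.2) are assumptions.
BROKEN = {
    "siteA": {"peer": "siteB", "allowed": ["10.0.2.0/24", "10.200.0.2/32"],
              "routes": [("10.0.1.0/24", "lan"), ("10.50.0.0/24", "ovpn"),
                         ("10.200.0.0/24", "wg"), ("10.0.2.0/24", "wg")]},
    "siteB": {"peer": "siteA", "allowed": ["10.0.1.0/24", "10.200.0.1/32"],
              "routes": [("10.0.2.0/24", "lan"), ("10.200.0.0/24", "wg"),
                         ("10.0.1.0/24", "wg")]},   # no route back to 10.50.0.0/24
}
FIXED = copy.deepcopy(BROKEN)
FIXED["siteB"]["allowed"].append("10.50.0.0/24")         # Reply #4, step 3
FIXED["siteB"]["routes"].append(("10.50.0.0/24", "wg"))  # Reply #3 static route
```

With BROKEN, the forward packet passes SiteA's rules but SiteB's WireGuard peer silently drops it before any firewall rule logs it, which matches the "not in Deny, not in Allow" observation; with FIXED both directions deliver.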