pfSense OpenVPN client-specific subnet

Hi all,

Previously I posted about my site-to-site VPN connection. It is working perfectly now!
Now something has changed. The client has a new ISP and is behind IPv4 CG-NAT. That’s not a problem per se for the site-to-site connection, as they are the client and I am the server, but they can’t access their network anymore from their own VPN connection.

Now I want to give them access to my VPN server, so they can tunnel via my network, over the site-to-site VPN, to theirs.

The problem is that I don’t want them to be able to access my subnets. I only want them to tunnel via my network to theirs.

How do I set that up?

Thanks in advance!

What you can try is to create another VPN whose sole purpose is to allow those clients. Configure this VPN to only allow going to their network.

Thanks for your reply @reymond070605 ! It sounds like a good idea and I will consider it.

I only hope there is a way to do it with my existing VPN server, so I don’t have to open extra ports!

Well, in theory there is, by setting up a load balancer. I have not personally tried it, but you can give it a shot. As you know, pfSense has its own load balancer, or if you have your own you can use that.

Didn’t think of that… I use HAProxy for HTTP traffic. I wonder if there is a good tutorial for that.

There is a tutorial that Tom published about the HAProxy package with pfSense. You can try to follow that procedure as a reference:

That looks promising! I already have HAProxy working for my websites. I hope it tells how to make it work with other applications.

When I am home from work I will check it out. Thanks!

I am hoping that with IPv6 this CG-NAT stuff goes away, there are plenty of IP addresses available under IPv6!

I’m on T-Mobile at home now (CG-NAT), but so far my OpenVPN site-to-site is working fine and didn’t even glitch with the change. Server side is at work on an internet IP that we “own”.

It gets even more convoluted if you want the full pathway:

Public IP, port forward to my firewall which is behind local NAT, home through lab domain which is now CG-NAT. Before T-Mobile, home was under local NAT again through a consumer router and Spectrum cable internet.

All that said, isn’t there a setting when creating the site-to-site about which remote networks are allowed? It has been a bunch of years now and I can’t exactly remember, but I do recall having to type the networks into something. I have two LANs at work that I can reach (real cable-separated LANs on the back of my firewall).
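As an added illustration that is not from any participant in this thread, the fragment below shows the three pieces pfSense needs for this setup on the existing OpenVPN server: a Client Specific Override that pins site B's users to a known tunnel address and pushes only the route to their LAN, the "Local Networks" push on the site-to-site instance so site B learns the return route (the setting the previous post is thinking of), and firewall rules on the OpenVPN interface that actually enforce the restriction. All addresses, the certificate common name and the `ovpns1` interface name are assumptions; pfSense generates these directives from its GUI fields rather than from a hand-edited file.

```conf
# Added example, not from any poster in this thread. Assumed addressing:
#   10.8.0.0/24      tunnel network of the road-warrior OpenVPN server at site A
#   192.168.1.0/24   site A's own LAN (must stay unreachable for site B's users)
#   192.168.50.0/24  site B's LAN (the only destination those users may reach)
#
# --- Client Specific Override for site B's users ---------------------------
# (VPN > OpenVPN > Client Specific Overrides, keyed on the certificate CN)
# A static tunnel address gives the firewall rule something stable to match.
# Assumed CN: siteb-user; assumed address: 10.8.0.50
ifconfig-push 10.8.0.50 255.255.255.0
push "route 192.168.50.0 255.255.255.0"
# Leave the server's "Local Networks" empty for this override and do not
# enable "Redirect Gateway", so no site A subnet is pushed to this client.
#
# --- Site-to-site server instance (same pfSense box) -----------------------
# Site B's firewall must learn a route back to the road-warrior tunnel
# network or its replies are dropped. In pfSense this is the site-to-site
# server's "Local Networks" field, which becomes a pushed route:
push "route 10.8.0.0 255.255.255.0"
#
# --- Enforcement: Firewall > Rules > OpenVPN ------------------------------
# Pushed routes are only advisory; a client can add routes of its own.
# The pf rules pfSense generates from the GUI (shown here in pf syntax)
# are what stops 10.8.0.50 from reaching 192.168.1.0/24. Rule order
# matters: these must sit above any "allow all from OpenVPN" rule.
pass  in quick on ovpns1 inet from 10.8.0.50 to 192.168.50.0/24 keep state
block in quick on ovpns1 inet from 10.8.0.50 to any
```

The pass/block pair is the security boundary; the route pushes only make the path convenient. If the rules are placed on the shared "OpenVPN" rules tab rather than an assigned interface, they still apply only to the pinned source address, so the site-to-site instance on the same box is unaffected. A quick check after applying is to connect as that client and confirm that site B's LAN answers while a ping to a host on 192.168.1.0/24 shows as blocked in the firewall log.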