pfSense sends internet bound traffic to a VPN CLIENT’s gateway?

Hi all!

I’ve got 2 locations…A (my house) and B.

I would like select devices on my network A to access the internet via location B.

Solution – setup an OpenVPN server at location B, and my house A would be the client.

This would require port forwarding at location B…which is a no-go…no access to B’s router(s) config.

So…I’d like to set it up with location A being the server, and B the client. There are tons of guides online – I followed them – it works! Well…the OpenVPN connection works.

I cannot find any guides for what to click in pfsense to get select devices on A’s pfsense LAN to send their internet bound traffic to location B’s internet? Picture attached.

(I am not looking to give location B access to devices on my home network A.)

Thanks!

Might I suggest using an overlay network instead? Something like tailscale or netbird.

Just read about Tailscale. Looks like it might work? I’ve got some digging to do!

I was out of ideas. Thanks!

Using an overlay VPN can make it much easier to get two (or more) devices connected, especially when NAT is involved. If you install the overlay VPN software directly onto the devices in question, you can leverage the built-in features (e.g. “exit nodes” for Tailscale) to route that device’s traffic through another node in the VPN.

If you prefer to have pfSense handle the VPN connection, that’s no problem. The steps are the same regardless of how the tunnel is established.

  1. Create a new gateway under System → Routing → Gateways.
    – Set the interface to the VPN’s interface (create it if it doesn’t exist).
    – For the gateway IP address, use the tunnel address of the remote router (x.x.3.99).
  2. Add a Pass firewall rule to the appropriate network (x.x.2.x).
    – Set the source to the device(s) whose traffic you want to route through the VPN.
    – Set the destination according to what you need (e.g. * to route everything through the tunnel).
    – Enable “Display Advanced” and set the gateway to the one you created in step 1.
  3. Create an outbound NAT rule (set Outbound NAT mode to hybrid or manual).
    – Select the tunnel interface.
    – Select IPv4 protocol family.
    – Leave source and destination at any.
    – Set translation address to the tunnel interface’s address (x.x.3.1).

Note that if you’re going for security, you should put your devices onto a separate network instead of targeting specific ones with the firewall rule’s source setting. IP addresses are easily spoofed if you don’t take the proper measures.
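The three GUI steps above, written out as the underlying pf rule set so the gateway, the policy-routing pass rule and the outbound NAT can be read in one place. This is an added example, not pfSense’s generated rules and not from the thread; the interface names (igc1, vlan20) and addresses (100.64.3.1, 100.64.3.99, 192.168.195.0/24 and the two client hosts) are constructed placeholders for the x.x values in the reply. It also covers the alternative the note recommends (a dedicated network instead of listed source hosts) and ends with a block rule so the selected sources fail closed instead of following the default route out of the local WAN when the tunnel is not usable.

```shell
#!/bin/sh
# Added example (not pfSense's generated rules, not from the thread):
# the pf.conf equivalent of the three GUI steps, plus a fail-closed rule.
# Every interface name and address below is a constructed placeholder.
set -eu

LAN_IF="igc1"                   # assumed LAN interface name
LAN_NET="192.168.195.0/24"      # constructed stand-in for the poster's 195.x LAN
VPN_IF="tailscale0"             # tunnel interface named in the thread
VPN_LOCAL="100.64.3.1"          # constructed stand-in for x.x.3.1 (local tunnel address)
VPN_GW="100.64.3.99"            # constructed stand-in for x.x.3.99 (remote tunnel address)
VPN_HOSTS="192.168.195.50 192.168.195.51"   # constructed: devices to route via location B
VPN_LAN_IF="vlan20"             # assumed dedicated VLAN for the "separate network" option
VPN_LAN_NET="192.168.20.0/24"   # constructed

# pf_rules MODE
#   hosts : match listed source IPs on the main LAN (what step 2 does)
#   net   : match a whole dedicated network (the safer option from the note)
# Prints a pf.conf fragment in pf's required section order (tables, translation, filter).
pf_rules() {
    mode="${1:-hosts}"
    case "$mode" in
        hosts) in_if="$LAN_IF";     src="<vpn_clients>"; local_net="$LAN_NET" ;;
        net)   in_if="$VPN_LAN_IF"; src="$VPN_LAN_NET";  local_net="$VPN_LAN_NET" ;;
        *)     echo "pf_rules: unknown mode '$mode' (use hosts|net)" >&2; return 2 ;;
    esac

    printf '# --- policy routing to %s via %s (mode=%s) ---\n' "$VPN_GW" "$VPN_IF" "$mode"
    if [ "$mode" = hosts ]; then
        # A table is cheaper than one rule per host and is the one place to edit later.
        printf 'table <vpn_clients> { %s }\n' "$VPN_HOSTS"
    fi

    # Step 3: outbound NAT on the tunnel interface, translated to its own address.
    printf 'nat on %s inet from %s to any -> %s\n' "$VPN_IF" "$src" "$VPN_LOCAL"

    # Traffic for the local network (the firewall's own DNS, printers, ...) must not be
    # policy-routed, so it is passed before the route-to rule.
    printf 'pass in quick on %s inet from %s to %s keep state\n' "$in_if" "$src" "$local_net"

    # Steps 1+2: the gateway created in step 1 is the route-to target of the pass rule.
    printf 'pass in quick on %s inet from %s to ! %s route-to (%s %s) keep state\n' \
        "$in_if" "$src" "$local_net" "$VPN_IF" "$VPN_GW"

    # Fail closed: anything from these sources that did not match above is dropped
    # instead of following the default route out of the local WAN.
    printf 'block return in quick on %s inet from %s to any\n' "$in_if" "$src"
}

# Optional syntax check; only runs where pfctl exists (e.g. on the firewall itself).
pf_check() {
    if command -v pfctl >/dev/null 2>&1; then
        pf_rules "$1" | pfctl -nf -
    else
        echo "pfctl not found; skipping syntax check" >&2
    fi
}

pf_rules "${1:-hosts}"
```

Run it as `sh pf_policy_route.sh net` to get the dedicated-network variant. Two design points worth noting: the rule set assumes the tunnel interface exists when the rules are loaded (pfctl refuses a rule set that names a missing interface, the same condition the console warning later in this thread reports), and name resolution done by the firewall itself on behalf of the clients still leaves via the default WAN, so the clients’ DNS path needs the same attention as their packets.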

Thank you so so much for the detailed instructions!

I followed them exactly (for step 1, I used the VPN interface IP and remote router IP addresses that tailscale assigned?). I also enabled the exit node radio button in the tailscale web interface. I’m so close…

From a device on my LAN assigned to the tailscale gateway via IP in pfsense, I can ping the remote windows box (I started with a remote router…but switched to windows when I couldn’t get it working to make it easier).

…but I cannot reach the internet whatsoever from the device on my LAN when tailscale is running. :frowning:

If I stop tailscale (on pfsense or the windows box), then I can reach the internet via the local WAN…which is weird…I have a rule blocking that. (see pic of top LAN firewall rules…sorry….195.x is my LAN…the original diagram I posted I was trying to simplify and wrote .2.x)


Thoughts on how to debug?

I installed tailscale on another device just for kicks…it was able to use the exit node I setup…so the issue is somewhere in the pfsense config, not the exit node.

At this point – right before clicking post – I decided to click reboot in pfsense just to see if that would fix it. My brand new Netgate 4200 never came back. It gets stuck with quickly flashing blue lights – the diamond and the circle. I tried to connect to the console, but there appears to be no output and it is unresponsive. Factory reset will be my next search. I am disturbed that settings at this level could have any relevance to the device’s ability to boot. :frowning:

I got the console to come up:

driver bug: Unable to set devclass (class: uart devname: (unknown))
driver bug: Unable to set devclass (class: atkbdc devname: (unknown))

Loading configuration…done.
Updating configuration…done.
Warning: Configuration references interfaces that do not exist: tailscale0
Network interface mismatch – Running interface assignment option.

I went through the config…assigned WAN and LAN, but skipped TAIL.

I was then able to access the web interface. I could even reboot and still access the web interface.

On the interfaces page I then re-added the tailscale0 interface and tried to reboot.

No good. Right back to the network interface mismatch error.

Any idea what I’m missing?