Site to Site VPN pfsense port forwarding

I am attempting to create an OpenVPN site to site VPN. I followed the 2017 video on how to set up a site to site VPN using pfSense. My issue is with the port forwarding. I was already using port 1194 for a client VPN to one of the sites, so I used port 1195. When I set up the port forwarding I don't know which IP address to forward the port to. I have multiple VLANs on each of the two networks. Should the forward IP address be the tunnel IP address? I tried the IP address associated with each VLAN and my native VLAN, and when I check to see if the port is open using a port forward checking website, it lists the port as closed. I suspect this is because there is no service listening, as the forwarding IP address is incorrect. What IP address is associated with the OpenVPN server when multiple interfaces are assigned to pfSense? Any help would be greatly appreciated.

If you have a router between your pfsense box and the internet (common in UK / Europe for ADSL / VDSL) then you need to port forward on that router to the WAN ip of your pfSense box.

If your ISP device is in Bridged mode so your pfSense box has a public IP on the WAN then you need to add a firewall rule to allow 1195 in.

You could always look at the rules / forwards you created for your client vpn and re-create them with 1195

It's hard to follow after the first sentence, but I think I get you.

If 1195 is the port on your openVPN server then you need a rule on your WAN that allows traffic in on 1195. The rules for your openVPN can mirror what you have for your vlan rules, depending on what access you want to give it.

On my setup I haven’t port forwarded any openVPN ports that I use.

I then use static routes to define where the traffic goes.

You also need an outbound NAT rule for the subnet used by your openVPN server.

If you want that connection to then have access to the vlans you can add this in the openVPN server config I believe.

However, I have a site-to-site, but I’ve used a RAS and client on both sides so I kinda have two connections instead of one so it might be slightly different for peer to peer I can’t confirm. I use an alias for my subnets and add my tunnel subnets to it, I use the alias in my rules for allowing access to the vlans.

On a side note, if you use a peer to peer, if one side fails the connection fails. If you use two RAS servers then if one side fails the other side is still connected. OpenVPN is pretty stable but you never know, I had to take a tube, plane, bus to rectify my own balls up. Now I have three pairs of OpenVPN servers between my sites as it's cheaper than travelling.
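An added example (not from either poster) of checking the two things the replies above point at, locally on the pfSense box rather than with an external port checker: that OpenVPN is actually bound to 1195, and that a WAN pass rule for it exists. The `sockstat -l` and `pfctl -sr` output below is constructed sample text, with the WAN interface, address and the existing 1194 client rule assumed; OpenVPN is assumed to run over UDP, its default.

```shell
#!/bin/sh
# Constructed sample of `sockstat -l` output on a pfSense (FreeBSD) box, not real data.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    1234  6  udp4   *:1194                *:*
root     openvpn    2345  6  udp4   203.0.113.10:1195     *:*
root     sshd       999   4  tcp4   *:22                  *:*'

# Constructed sample of `pfctl -sr` (loaded ruleset). Only the old 1194 client rule is present,
# which is exactly the state a "closed" result for 1195 would suggest.
SAMPLE_PFCTL='pass in quick on em0 reuse proto udp from any to 203.0.113.10 port = 1194 keep state label "USER_RULE: OpenVPN client"
block drop in log quick on em0 from any to any label "Default deny rule IPv4"'

# listening_on_port PORT "<sockstat -l output>"
# Prints "COMMAND PROTO LOCAL" for each socket bound to PORT; returns 1 if nothing listens there.
# On a live box, replace the second argument with "$(sockstat -l)".
listening_on_port() {
  port=$1; out=$2
  printf '%s\n' "$out" | awk -v p="$port" 'NR>1 && $6 ~ (":" p "$") {found=1; print $2, $5, $6} END {exit !found}'
}

# wan_pass_rule_for_port PORT "<pfctl -sr output>"
# Returns 0 if a "pass in ... proto udp ... port = PORT" rule is loaded, 1 otherwise.
# On a live box, replace the second argument with "$(pfctl -sr)".
wan_pass_rule_for_port() {
  port=$1; out=$2
  printf '%s\n' "$out" | grep -E "^pass in .*proto udp .*port = ${port}( |$)" >/dev/null
}

# Walk through both checks for the new server port.
check_openvpn_port() {
  port=$1
  if listening_on_port "$port" "$SAMPLE_SOCKSTAT"; then echo "openvpn listens on $port"; else echo "nothing listens on $port"; fi
  if wan_pass_rule_for_port "$port" "$SAMPLE_PFCTL"; then echo "WAN pass rule for udp/$port present"; else echo "no WAN pass rule for udp/$port"; fi
}

check_openvpn_port 1195
```

A web-based port checker probes with TCP, so it cannot confirm a UDP OpenVPN listener either way; these local checks answer the question the poster was trying to settle.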

Thank you for the comments. I wanted to ensure a port forwarding rule was not required on the pfSense. My router is in bridge mode so my pfSense box is directly connected to the WAN. I did create a firewall rule allowing access to the port. I just wanted to ensure a forwarding rule wasn't also required.