I set up a few site-to-site tunnels between a main office and two branches using the instructions at OpenBSDsupport. It was relatively easy, with hosts in the main office able to ping hosts in either branch. Hosts in either branch office can ping hosts in the main office.
The problem comes into play where hosts in one branch office want to ping a host in the other branch office. Right now, the tunnels are from branch office to main office, but not between the branches (this is what I prefer). I updated pf.conf at the main office site, but I don't think this is the problem. If I do a traceroute from one branch to the other, it's going out directly through the Internet, not through the tunnel. I tried adding a route, but I'm only guessing at the syntax. The branch office subnets are 192.168.201.0/24 and 192.168.202.0/24, so I tried something like:
sudo route add -encap 192.168.201.0/24 -interface enc0
or variations on this theme. Can anyone point me in the right direction? As a last resort, I can always set up a tunnel between the branches, but I'd rather route everything through the main office for now, even though that's a single point of failure.
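Added example, not from the post above: on OpenBSD, traffic is steered into an IPsec tunnel by flows (the SPD) rather than by routing-table entries, so a route pointing at enc0 will not capture branch-to-branch traffic; each gateway needs a flow that covers the other branch's subnet, and the hub needs the mirrored flows plus IP forwarding. The public addresses and the main-office LAN below are constructed placeholders (the post gives neither), and the macro names are my own.

```conf
# --- /etc/ipsec.conf on the branch A gateway (192.168.201.0/24) ---
# Placeholder addresses: 203.0.113.1 is the hub, 192.168.0.0/24 is the
# assumed main-office LAN (not stated in the post).
hub_pub  = "203.0.113.1"
main_net = "192.168.0.0/24"
branch_a = "192.168.201.0/24"
branch_b = "192.168.202.0/24"

# Existing tunnel: branch A LAN <-> main-office LAN
ike esp from $branch_a to $main_net peer $hub_pub
# Extra flow needed for hub-and-spoke: traffic for branch B also goes to the hub
ike esp from $branch_a to $branch_b peer $hub_pub

# --- /etc/ipsec.conf on the branch B gateway (192.168.202.0/24) ---
# Same shape, with the subnets swapped
ike esp from $branch_b to $main_net peer $hub_pub
ike esp from $branch_b to $branch_a peer $hub_pub

# --- /etc/ipsec.conf on the main-office (hub) gateway ---
# Placeholder public addresses of the two branch gateways
branch_a_pub = "198.51.100.1"
branch_b_pub = "198.51.100.2"
# The hub must forward between the two tunnels:
#   sysctl net.inet.ip.forwarding=1
# and pf must pass the decrypted traffic on enc0 in both directions.
# Each tunnel's selectors are the mirror of the branch side, and the far
# branch's subnet is included so the hub's SPD matches forwarded packets.
ike passive esp from { $main_net, $branch_b } to $branch_a peer $branch_a_pub
ike passive esp from { $main_net, $branch_a } to $branch_b peer $branch_b_pub
```

After loading the file on each gateway, `ipsecctl -s flow` should list a flow pair for 192.168.201.0/24 <-> 192.168.202.0/24 on the branches and on the hub; if that pair is missing, the packets follow the default route, which is exactly the traceroute symptom described above.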