Netgate Discussion Forum
    Consolidating Site to Site VPNs from multiple Shared Key instances to SSL/TLS

    OpenVPN
    3 Posts 2 Posters 559 Views
    dlogan
    last edited by dlogan

      For the purposes of this discussion we will only talk about 2 sites (although we have several).

      Each site has 2 WAN connections (and soon to be 3).
      So I have a Peer to Peer (Shared Key) OpenVPN server instance listening on each WAN per remote site. (Well technically it's listening on localhost with ports forwarded from each WAN, but I digress). Both VPNs are active concurrently and I use the VPN gateways with gateway groups for failover and preferring different WANs for different traffic.

      This is all working fine, but for each remote site, I have to spin up 2 more (and soon to be 3 more) server instances. So what I was wanting to do was consolidate down to one server VPN instance per WAN connection at the main site. To do this I was going to set up the new VPN as SSL/TLS and create certificates for each OpenVPN client connection.

      Normally I choose some device on the other end of each VPN instance for gateway monitoring, and each client -> server gets a separate IPv4 tunnel network. But moving to SSL/TLS with multiple VPN clients connecting to one instance, now they're sharing an IPv4 tunnel network. There is only 1 gateway from the server side, so I don't see a way to mark one of the tunnels as down if one of the clients disconnects.

      Is it possible to do what I'm trying to do? If it is, I'm guessing I'm going about this the wrong way.

      dlogan @dlogan
      last edited by

        So, Big Gulps huh? Alright, well, see ya later!

        viragomann @dlogan
        last edited by

          @dlogan
          The client connections to a single instance happen within OpenVPN. pfSense gets no notice of whether a client is connected or not.

          Gateways can only be added to OpenVPN instances, and now your goal is to do all connections with a single instance for whatever reason. So naturally you can only have a single gateway for all of them.

          You can monitor the client connections in the OpenVPN dashboard widget or in Status > OpenVPN.
          You may also add additional gateways to the OpenVPN instance and monitor a remote IP, but there is no way for pfSense to do a gateway failover as you did before, since there is only a single gateway.

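Since pfSense gets no per-client notice, the per-client state of a shared SSL/TLS instance has to be read from OpenVPN's own status output (the same data behind Status > OpenVPN). As an added example that is not from this thread or from pfSense: a Python parser for OpenVPN's default "status-version 1" file that reports which expected client certificate CNs are connected, so a down site tunnel can be alerted on even though the instance has only one gateway. The client CNs, addresses and timestamps in the sample are constructed, and the status file path on a real firewall depends on the instance.

```python
"""Report which expected site clients are connected to one SSL/TLS server.
Parses OpenVPN's default "status-version 1" file. The client CNs, addresses
and timestamps in SAMPLE_STATUS are constructed for illustration.
"""

# Constructed sample of what OpenVPN writes to its --status file.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Tue Jan 14 10:05:01 2025
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
site-b-wan1,203.0.113.10:51820,10240,20480,Tue Jan 14 09:00:00 2025
site-c-wan1,198.51.100.7:40011,512,1024,Tue Jan 14 09:30:12 2025
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.200.0.2,site-b-wan1,203.0.113.10:51820,Tue Jan 14 10:04:58 2025
10.200.0.3,site-c-wan1,198.51.100.7:40011,Tue Jan 14 10:04:40 2025
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_status(text):
    """Return {cn: {"real": addr, "virtual": [tunnel IPs]}} from the status file."""
    clients, section = {}, None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
        elif line == "ROUTING TABLE":
            section = "routes"
        elif line in ("GLOBAL STATS", "END"):
            section = None
        elif section == "clients":
            f = line.split(",")
            if len(f) >= 5 and f[0] != "Common Name":  # skip header and Updated rows
                clients[f[0]] = {"real": f[1], "virtual": []}
        elif section == "routes":
            f = line.split(",")
            if len(f) >= 4 and f[1] in clients:  # skip header; tie tunnel IP to its CN
                clients[f[1]]["virtual"].append(f[0])
    return clients

def tunnel_report(text, expected_cns):
    """Map each expected client CN to 'up' or 'down'; an absent CN is a down tunnel."""
    connected = parse_status(text)
    return {cn: ("up" if cn in connected else "down") for cn in expected_cns}

if __name__ == "__main__":
    # On the firewall, read the instance's real status file instead of the sample.
    report = tunnel_report(SAMPLE_STATUS, ["site-b-wan1", "site-c-wan1", "site-d-wan1"])
    for cn, state in report.items():
        print(f"{cn}: {state}")  # site-d-wan1: down
```

Run it from cron or a monitoring agent and alert on any "down" entry; the virtual address per CN also tells you which tunnel IP a static route for that site should point at.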
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.