Best practice for site to site, hub and spoke setup
-
I'm a little unclear from the documentation how to go about this. I have an HQ and seven remote sites. I want HQ to be the hub, each remote site is a spoke. Is it best to
- Set up a separate OpenVPN server at the hub for each remote site's connection (i.e., in this case my HQ would have seven servers configured, one for each remote site)
- Set up a single OpenVPN server at the hub for all the remote sites to connect to
Couldn't find a direct answer to this, so thought I'd ask.
-
@bp81
I have no idea about best practice, but I have a Central and 7 remotes.
Using OpenVPN SSL/TLS /30 site-to-site connections. I run a server on the Central for each remote, each with its own root + client cert. I have 6 trusted sites, using certs generated with the same "trusted CA".
The 7th "not that trusted" has its own CA, and certs generated by that.
/Bingo
-
@bingo600 said in Best practice for site to site, hub and spoke setup:
@bp81
I have no idea about best practice, but I have a Central and 7 remotes.
Using OpenVPN SSL/TLS /30 site-to-site connections. I run a server on the Central for each remote, each with its own root + client cert. I have 6 trusted sites, using certs generated with the same "trusted CA".
The 7th "not that trusted" has its own CA, and certs generated by that.
/Bingo
I'm having issues getting it to work in this manner, and it definitely has something to do with tunnel network settings.
If I set my server and client to use a /31 subnet for the tunnel, everything works fine. Obviously, using a /31 on the server side won't work when I have more clients connecting.
Using a /24 network on the server side and client side doesn't function, however. No traffic passes between sites on the tunnel.
I am curious as to how your tunnel network is set up client and server side.
Edit to add: I can use the /24 tunnel network successfully if I use shared key authentication instead of SSL/TLS. It specifically does not work when using SSL/TLS authentication. SSL/TLS authentication works with a /31 tunnel network.
-
@bingo600 said in Best practice for site to site, hub and spoke setup:
@bp81
I have no idea about best practice, but I have a Central and 7 remotes.
Using OpenVPN SSL/TLS /30 site-to-site connections. I run a server on the Central for each remote, each with its own root + client cert. I have 6 trusted sites, using certs generated with the same "trusted CA".
The 7th "not that trusted" has its own CA, and certs generated by that.
/Bingo
I think I figured it out. I need to use the Client Specific Overrides section when using SSL/TLS. It is working now.
For posterity, on the server you need to add a Client Specific Override entry. Select the OpenVPN server you want it to apply to. Enter the CN of the certificate used by the remote site. Enter the LAN subnet of that remote site in the Remote Networks box. Repeat for all sites.
-
@bp81
Yeah, you need to configure a CSO when you have a site-to-multiple-sites setup. This way you tell the server which remote network is behind which client for proper routing.
-
@viragomann said in Best practice for site to site, hub and spoke setup:
@bp81
Yeah, you need to configure a CSO when you have a site-to-multiple-sites setup. This way you tell the server which remote network is behind which client for proper routing.
Took me a while to realize that the vanilla client/server setup specifies the remote networks to the server, but doesn't tell the server which gateway in the tunnel network to use for a particular LAN. Obvious in retrospect.
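To show what the CSO step in the posts above does underneath, here is an added example (not from the thread, and not pfSense's own generated config) of the hub-side files a plain OpenVPN install needs for one multi-client server serving several spokes: `client-config-dir` plus one `iroute` per client certificate CN. The site names, CNs, subnets, hub hostname and certificate file names are constructed placeholders. The `route` line in server.conf gets packets for a spoke LAN into the tun interface; the `iroute` in the per-CN ccd file is what tells OpenVPN's internal routing table which connected client that LAN sits behind. That second half is exactly what the single /24 server was missing, and pfSense writes it from the "IPv4 Remote Network(s)" box of a Client Specific Override.

```shell
#!/bin/sh
# Added example: hub-and-spoke OpenVPN with one server and per-client iroutes.
# Everything below (CNs, subnets, file names, hostname) is constructed for
# illustration; adjust to your own PKI and addressing.
set -eu

# Constructed inventory, one spoke per line: <cert CN>:<remote LAN>:<netmask>.
# The CN must equal the CN in that spoke's client certificate, because
# OpenVPN looks for the override file at ccd/<CN>.
SITES="site-a:192.168.1.0:255.255.255.0
site-b:192.168.2.0:255.255.255.0
site-c:192.168.3.0:255.255.255.0"

HUB_LAN="192.168.0.0 255.255.255.0"   # assumed HQ LAN
TUNNEL="10.8.0.0 255.255.255.0"       # one /24 tunnel shared by all spokes

# Writes $1/server.conf and one $1/ccd/<CN> override file per spoke.
gen_hub_config() {
    outdir="$1"
    mkdir -p "$outdir/ccd"
    {
        echo "dev tun"
        echo "server $TUNNEL"                  # multi-client mode, hub takes 10.8.0.1
        echo "topology subnet"
        echo "ca ca.crt"                       # assumed PKI file names
        echo "cert hub.crt"
        echo "key hub.key"
        echo "dh dh.pem"
        echo "tls-auth ta.key 0"
        echo "client-config-dir $outdir/ccd"   # enables the per-CN overrides
        echo "push \"route $HUB_LAN\""         # every spoke learns the HQ LAN
    } >"$outdir/server.conf"

    echo "$SITES" | while IFS=: read -r cn net mask; do
        # Kernel side: send traffic for this spoke's LAN into the tun interface.
        echo "route $net $mask" >>"$outdir/server.conf"
        # OpenVPN side: once in tun, deliver it to the client whose CN is $cn.
        echo "iroute $net $mask" >"$outdir/ccd/$cn"
    done
}

# Writes the matching client config for one spoke ($1 = CN, $2 = hub address,
# $3 = output file). The spoke needs no iroute; it only routes toward the hub.
gen_spoke_config() {
    cn="$1"; hub="$2"; out="$3"
    {
        echo "client"
        echo "dev tun"
        echo "remote $hub 1194 udp"
        echo "ca ca.crt"
        echo "cert $cn.crt"          # certificate whose subject CN is $cn
        echo "key $cn.key"
        echo "tls-auth ta.key 1"
        echo "remote-cert-tls server"
    } >"$out"
}

# Usage:
#   gen_hub_config ./hub
#   gen_spoke_config site-a hub.example.net ./site-a.ovpn
```

If spokes must also reach each other through the hub, add `client-to-client` and push each spoke LAN (`push "route 192.168.2.0 255.255.255.0"` and so on) from server.conf; the per-CN `iroute` entries above are still what makes the hub pick the right client for each destination.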