Netgate Discussion Forum

    Multiple Site-to-Site OpenVPN

    9 Posts 3 Posters 6.5k Views
    • mnsmani

      One more question from me (expecting an answer this time, which will solve my problem :(  :( )

      I have defined two Site-to-Site OpenVPN entries (different names, different ports, different locations). The problem is that only the first Site-to-Site entry is ever working. If I disable the first, then the second works… If both are enabled, there is no entry in the System Logs - OpenVPN at all.

      Why? Will pfSense OpenVPN not allow a second Site-to-Site entry? Please, please, someone please help.

      • sh_man

        I am running two site-to-site OpenVPNs and a road-warrior OpenVPN on the same server with no problems  ;) (well, there were a few, but most are sorted).

        Please post how you have configured it on the server and we will see what we can do to help. The best way is to back up the config and copy the relevant bits from the XML into a post.

        • mnsmani

          My config file looks like this:

          <openvpnserver>
          <config>
          <disable/>
          <protocol>UDP</protocol>
          <dynamic_ip>on</dynamic_ip>
          <local_port>11150</local_port>
          <addresspool>192.168.100.0/24</addresspool>
          <nopool/>
          <start_address>192.168.19.1</start_address>
          <end_address>192.168.19.254</end_address>
          <local_network>192.168.19.0/24</local_network>
          <remote_network/>
          <client2client>on</client2client>
          <crypto>BF-CBC</crypto>
          <auth_method>pki</auth_method>
          <shared_key/>
          <ca_cert>...</ca_cert>
          <server_cert>...</server_cert>
          <server_key>...</server_key>
          <dh_params>LS0tLS1CRUdJTiBESCBQQVJBTUVURVJTLS0tLS0KTUlHSEFvR0JBTDZpWnY4Y1c1NmczZjlEL2VVUUxwb3pqQlZ6akFmT25iVnJYaHJYdDNzVEtTb0pYeEx4MjYrQQpYRmNRNkhBNktTanBKT0gyRnJFN0pRVFA5b3djeUVJd0duVkk4Y3JZeHFPSEhtb2s4dnRsNDFDeFVJYkpoanUwClYyNUJMU2FSd2pFOFdSL3c3dDR3VlVDM1ZicjJkaW9LNlhxYU1KSXRYMnVzaWd6bUhTSExBZ0VDCi0tLS0tRU5EIERIIFBBUkFNRVRFUlMtLS0tLQo=</dh_params>
          <crl/>
          <use_lzo>on</use_lzo>
          <custom_options/>
          <description>creek tower vpn</description>
          </config>
          <config>
          <disable/>
          <protocol>TCP</protocol>
          <dynamic_ip>on</dynamic_ip>
          <local_port>1111</local_port>
          <addresspool>192.168.19.0/24</addresspool>
          <nopool/>
          <local_network/>
          <remote_network>192.168.1.0/24</remote_network>
          <client2client/>
          <crypto>BF-CBC</crypto>
          <auth_method>shared_key</auth_method>
          <shared_key>...</shared_key>
          <ca_cert/>
          <server_cert/>
          <server_key/>
          <dh_params/>
          <crl/>
          <use_lzo>on</use_lzo>
          <custom_options/>
          <description>DubaiandHyd</description>
          </config>
          <config>
          <disable/>
          <protocol>TCP</protocol>
          <dynamic_ip>on</dynamic_ip>
          <local_port>1114</local_port>
          <addresspool>192.168.19.0/24</addresspool>
          <nopool/>
          <local_network/>
          <remote_network>192.168.0.0/24</remote_network>
          <client2client/>
          <crypto>BF-CBC</crypto>
          <auth_method>shared_key</auth_method>
          <shared_key>...</shared_key>
          <ca_cert/>
          <server_cert/>
          <server_key/>
          <dh_params/>
          <crl/>
          <use_lzo>on</use_lzo>
          <custom_options/>
          <description>LahoretoDubai</description>
          </config>
          </openvpnserver>

          Let me explain something… I have my own interface from which you can set up Site-to-Site / Site-to-User. When you set up Site-to-Site, say between locations A and B, I add Server A and Client A; similarly in site B, I add Server B and Client B. Client B is for Server A and Client A is for Server B.

          Also, I am posting the client portion of Server A (both posts are from Server A):

          <openvpnclient>
          <config>
          <disable/>
          <protocol>TCP</protocol>
          <serveraddr>cust00004.hyd-v5-test.v5edgeserver.net</serveraddr>
          <serverport>1112</serverport>
          <interface_ip>192.168.19.0/24</interface_ip>
          <remote_network/>
          <proxy_hostname/>
          <proxy_port/>
          <crypto>BF-CBC</crypto>
          <auth_method>shared_key</auth_method>
          <shared_key>...</shared_key>
          <ca_cert/>
          <client_cert/>
          <client_key/>
          <use_lzo>on</use_lzo>
          <custom_options/>
          <description>DubaiandHyd</description>
          </config>
          <config>
          <disable/>
          <protocol>TCP</protocol>
          <serveraddr>121.247.124.90</serveraddr>
          <serverport>1113</serverport>
          <interface_ip>192.168.19.0/24</interface_ip>
          <remote_network/>
          <proxy_hostname/>
          <proxy_port/>
          <crypto>BF-CBC</crypto>
          <auth_method>shared_key</auth_method>
          <shared_key>...</shared_key>
          <ca_cert/>
          <client_cert/>
          <client_key/>
          <use_lzo>on</use_lzo>
          <custom_options/>
          <description>LahoretoDubai</description>
          </config>
          </openvpnclient>

          I tried protocol UDP, but for testing I changed it to TCP to see whether it works.

          Expecting your reply.

          • mnsmani

            1. Dubai and Hyd
            2. LahoretoDubai

            are the two site-to-site VPNs… only one is working.
            The server port in Dubai will be the client port in Hyderabad; the server port in Hyderabad will be the client port in Dubai.
            Of course, the first entry in openvpnserver is working fine for site-to-road-warrior use.

            Any more clarifications? Please...

            • sh_man

              The first thing that jumps out is that you have used the same address pool for all the VPNs; they need to be unique. Try changing them and see what happens.

              If you have routing problems from the far end, try adding

              push "route xx.xx.xx.xx 255.255.255.0 vpn_gateway"

              to the custom options box, where xx.xx.xx.xx is the server's local network.

              • mnsmani

                As far as I understood, addresspool is the server address / source address which the other site will be accessing… remote is the one which will be available at the destination. Since I defined two site-to-site VPNs, it is the same across both... It is like two branch offices wanting to see all the computers in the head office...

                • sh_man

                  It does not work like that - I think, anyway - I did not write this  :)

                  The addresses in that address pool need to be unique to that VPN.

                  It is used to create the server and client addresses, and they need to be unique to each tunnel on that server.

                  To get the two VPNs to talk you need to set up routes and push them.

                  I have two VPNs that can communicate with the server and its network, and with each other and their networks:

                  192.168.1.0/24 (server) -> VPN (192.168.189.0/24) -> 192.168.180.0/24 (client 1)

                  192.168.1.0/24 (server) -> VPN (192.168.179.0/24) -> 192.168.170.0/24 (client 2)

                  To enable machines on the client 1 network to access the client 2 network, add a static route on client 1 for 192.168.170.0/24 via gateway 192.168.189.1, which is the server end of its VPN.

                  To enable machines on the client 2 network to access the client 1 network, add a static route on client 2 for 192.168.180.0/24 via gateway 192.168.179.1, which is the server end of its VPN.

                  Hope this helps.

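The two points in the reply above (every tunnel's addresspool must be unique and separate from the LANs, and client-to-client traffic needs static routes via the server end of each tunnel) can be checked mechanically. The script below is an added example, not code from this thread or from pfSense: it parses a constructed, trimmed copy of the server config posted earlier (certificates omitted), reports overlapping address pools and duplicate listeners, and derives the static routes for the two-client topology in the reply. It assumes the server holds the first usable address of each tunnel network, as the reply's gateways 192.168.189.1 and 192.168.179.1 indicate.

```python
"""Address-pool and route checks for a pfSense 1.2-style <openvpnserver> config.

Added example, not code from the thread or from pfSense. SAMPLE_CONFIG is a
constructed, trimmed copy of the config posted above (certificates omitted).
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: three server entries, two of which reuse 192.168.19.0/24
# as their addresspool, and that prefix is also the first entry's LAN.
SAMPLE_CONFIG = """<openvpnserver>
  <config>
    <protocol>UDP</protocol><local_port>11150</local_port>
    <addresspool>192.168.100.0/24</addresspool>
    <local_network>192.168.19.0/24</local_network><remote_network/>
    <description>creek tower vpn</description>
  </config>
  <config>
    <protocol>TCP</protocol><local_port>1111</local_port>
    <addresspool>192.168.19.0/24</addresspool>
    <local_network/><remote_network>192.168.1.0/24</remote_network>
    <description>DubaiandHyd</description>
  </config>
  <config>
    <protocol>TCP</protocol><local_port>1114</local_port>
    <addresspool>192.168.19.0/24</addresspool>
    <local_network/><remote_network>192.168.0.0/24</remote_network>
    <description>LahoretoDubai</description>
  </config>
</openvpnserver>"""


def _net(text):
    """CIDR string -> ip_network; pfSense writes empty elements (<x/>) for unset fields."""
    return ipaddress.ip_network(text.strip(), strict=False) if text and text.strip() else None


def parse_servers(xml_text):
    """Return one dict per <config> entry with the fields the checks need."""
    servers = []
    for cfg in ET.fromstring(xml_text).findall("config"):
        servers.append({
            "description": cfg.findtext("description") or "(no description)",
            "protocol": (cfg.findtext("protocol") or "").upper(),
            "port": int(cfg.findtext("local_port") or 0),
            "pool": _net(cfg.findtext("addresspool")),       # tunnel network
            "local": _net(cfg.findtext("local_network")),    # LAN behind the server
            "remote": _net(cfg.findtext("remote_network")),  # LAN behind the client
        })
    return servers


def find_conflicts(servers):
    """Tunnel networks must be unique per server and must not overlap any LAN."""
    problems = []
    for i, a in enumerate(servers):
        for field in ("local", "remote"):
            if a["pool"] and a[field] and a["pool"].overlaps(a[field]):
                problems.append(f"{a['description']}: addresspool {a['pool']} "
                                f"overlaps its own {field}_network {a[field]}")
        for b in servers[i + 1:]:
            if a["pool"] and b["pool"] and a["pool"].overlaps(b["pool"]):
                problems.append(f"{a['description']} / {b['description']}: "
                                f"addresspool overlap ({a['pool']} vs {b['pool']})")
            for x, y in ((a, b), (b, a)):
                if x["pool"] and y["local"] and x["pool"].overlaps(y["local"]):
                    problems.append(f"{x['description']}: addresspool {x['pool']} overlaps "
                                    f"local_network {y['local']} of {y['description']}")
            if a["protocol"] == b["protocol"] and a["port"] == b["port"]:
                problems.append(f"{a['description']} / {b['description']}: "
                                f"both listen on {a['protocol']}/{a['port']}")
    return problems


# Topology from the reply above: (client name, tunnel network, LAN behind that client).
EXAMPLE_TUNNELS = [
    ("client 1", ipaddress.ip_network("192.168.189.0/24"), ipaddress.ip_network("192.168.180.0/24")),
    ("client 2", ipaddress.ip_network("192.168.179.0/24"), ipaddress.ip_network("192.168.170.0/24")),
]


def client_to_client_routes(tunnels):
    """For each client, the static routes it needs to reach every other client's LAN.

    Assumes (as in the reply) that the server takes the first host of each tunnel
    network; returns {client: [(destination LAN, gateway), ...]}.
    """
    routes = {}
    for name, tunnel, _lan in tunnels:
        gateway = next(tunnel.hosts())
        routes[name] = [(other_lan, gateway) for other, _t, other_lan in tunnels if other != name]
    return routes


if __name__ == "__main__":
    for p in find_conflicts(parse_servers(SAMPLE_CONFIG)):
        print("PROBLEM:", p)
    for client, rts in client_to_client_routes(EXAMPLE_TUNNELS).items():
        for dest, gw in rts:
            print(f"{client}: route {dest.network_address} {dest.netmask} via {gw}")
```

Run against the sample, the checker reports the overlap between the two site-to-site pools and the overlap of that same prefix with the first entry's LAN, which is exactly the situation the reply describes; the route output is the pair of static routes given in the reply. Point `parse_servers` at the `<openvpnserver>` section of a real config backup to check a live box.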
                  • agismaniax

                    I want to implement multiple site-to-site OpenVPN in the future.
                    Right now I'm testing with a single site-to-site using 1.2-RC1.
                    Office 1 is using dedicated wireless at 128Kbps and Office 2 is using ADSL at 64/384Kbps.
                    The connection is successful, but when I test with ping, I get a lot of RTOs from both sites.

                    Is there any workaround to fix this?

                    • agismaniax

                      After resetting the firewall config and resetting the modem, the site-to-site VPN now works smoothly.
                      Thanks…

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.