Multiple OpenVPN
-
Hi Guys,
I have questions regarding OpenVPN. We are going to set up OpenVPN on 4 sites, each using pfSense as firewall. What we want is for the four sites to be connected via OpenVPN, sharing files as if they're in a LAN. Is this setup possible? What I have in mind is that each site will be configured as a server and as a client, some sort of multiple trust domain.
TIA,
Jan
-
If you want to use pfSense to firewall the OpenVPN then it's a no-go.
You cannot filter the traffic coming in/going out through the OpenVPN tunnel. But it is no problem to have multiple servers or clients running at the same time.
-
Hi Gruens,
I didn't quite understand what you said, so you're saying that if I use pfSense as firewall in all of the sites, I can't use OpenVPN? Isn't it the same as running OpenVPN that comes with pfSense?
Actually the filtering thing never crossed my mind. Do I really need to have that?
Jan
-
@jan:
Hi Gruens,
I didn't quite understand what you said, so you're saying that if I use pfSense as firewall in all of the sites, I can't use OpenVPN? Isn't it the same as running OpenVPN that comes with pfSense?

You can use OpenVPN.
I meant you cannot create a firewall rule on pfSense for the pfSense-internal OpenVPN client/server.

@jan:
Actually the filtering thing never crossed my mind. Do I really need to have that?

Depends on your setup.
If your OpenVPN subnet is a "trusted" subnet this should not be a problem.
I thought more that you want to firewall the VPN connection. Maybe diagrams are more clear:
//-----------------------
Client - vpnclient
|
|
pfSense
WAN
|
|
Server - vpnserver
The client will always be able to establish a VPN connection to the server (if it's the client running the OpenVPN client instance).
pfSense only does firewalling for the traffic from WAN to LAN and vice versa.
//-----------------------
Client
|
|
pfSense - vpnclient
WAN
|
|
Server - vpnserver
Now the vpnclient is on the pfSense itself. One might think you could firewall the VPN connection too.
--> having rules for who can access the VPN tunnel or who is accessible from the VPN.
But since you cannot create a rule for the virtual VPN interface this is not possible.
This is what I meant in my first post.
-
Hi Gruens,
Thanks for your input. Here is what I'm planning to set up: install pfSense as firewall in all of the sites and configure the OpenVPN client/server setup. The subnet is a trusted subnet, and the scenario would be, e.g., clients on site 1 will be able to see/share files on the Head Office subnet and vice versa.
LAN subnet
|
|
pfsense HeadOffice
OpenVPN server
|
|
pfsense remote site 1
|
|
Remote LAN
Regards,
Jan