Netgate Discussion Forum
    Client to Client using shared key (Help me with a very simple siteA-siteB-siteC)

    OpenVPN
    15 Posts 5 Posters 5.7k Views
    • tehryan

      Follow this how-to and set up the server for 2 clients - make sure the site-to-site is clicked and make sure you have the right custom options - I think that'll give you what you want.

      http://forum.pfsense.org/index.php/topic,12888.0.html

      • franklookyou

        tehryan's suggestion seems possible, although quite a lot of work given your current setup.  It would also require a few custom OVPN settings involving routes and iroutes (that aren't covered in the linked howto).

        Why not just create a new shared-key OVPN connection running from Site-C to Site-B?  Are there some limitations of the DD-WRT box preventing this?

        • benutne

          Our PKI clients currently have the ability to connect to site B through a VPN to site A via static routes and push options.  I know what I want to do can be done this way, I just don't know how with SKI.  It's commonly called a "wheel" or "spoke" model for VPN.  One big VPN server in the middle with several branch offices out of the middle like spokes on a bike tire.  I just want those spokes to be able to talk to each other too.

          • focalguy

            I have done what you are asking about with multiple sites using IPSEC connections. I'm not sure how your DDWRT with OpenVPN firmware is set up but if it's possible to use IPSEC for all 3 then it's quite simple to set up.

            Assume the following:

            Site A: 192.168.1.0/24
            Site B: 192.168.2.0/24
            Site C: 192.168.3.0/24

            VPN Settings:

            Site A:
            Local Subnet: 192.168.0.0/16
            Remote Subnet: 192.168.2.0/24
            Remote Subnet: 192.168.3.0/24

            Site B:
            Local Subnet: 192.168.2.0/24
            Remote Subnet: 192.168.0.0/16

            Site C:
            Local Subnet: 192.168.2.0/24
            Remote Subnet: 192.168.0.0/16

            Hope that helps. If you need more details let me know.

            • benutne

              The DD-WRT firmware doesn't allow for an IPSEC connection, but in all honesty, it's just my home office so I can live with a road warrior like connection on my desktop using OpenVPN.  Is there someplace I can kind of view the pros and cons of each VPN type?  I like OpenVPN due to its relative ease of setup, but honestly, if it's secure and works, I could care less what type of VPN I use.

              • benutne

                Here is something else:  Why can't I check the client to client option when using shared key?  Everyone says that for site to site communication, use shared key, but I cannot implement a proper hub-spoke topology without the clients being able to talk to each other.  I don't want to switch to PKI, but if that gets me what I want, I might have to.  Also, I've edited the title to reflect what this thread is turning into.

                • focalguy

                  @benutne:

                  Here is something else:  Why can't I check the client to client option when using shared key?

                  I haven't set up OpenVPN on my box so I'm not sure how the client to client works. Sorry I can't be of more help. I do use a shared key for each site-to-site for IPSEC connections so maybe that's what people mean when they say to use it?

                  • franklookyou

                    I think I can answer that last question for you.

                    As stated in the Static Key Disadvantages section of the OpenVPN FAQ http://openvpn.net/index.php/documentation/howto.html, use of SKI under OpenVPN implies no more than one client per server instance.  Given your setup, then, I assume that you are running 2 separate OpenVPN instances (each with its own port) on your server.

                    The "client to client" option only applies within an instance (not across all instances that happen to be running on a machine).  It really doesn't have much meaning outside of a PKI context.

                    Perhaps one of the other posters here has actually routed between two distinct OpenVPN interfaces on the same machine, but I have not.

                    • benutne
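                    Two posts above describe the same requirement from different angles: focalguy's IPsec phase-2 listing, where each site's remote subnets must cover the other sites' LANs, and franklookyou's point that a static-key OpenVPN tunnel is point-to-point, so the hub runs one instance per spoke and spoke-to-spoke traffic only works if each spoke routes the other spoke's LAN into its own tunnel and the hub forwards between the two. The checker below is an added example, not code from this thread or from pfSense; it uses the three constructed subnets focalguy assumed and reports, for a given set of per-site local/remote network settings, which site LANs are unreachable and whether a site's declared local network even contains its own LAN. Run over the IPsec settings exactly as posted, it flags that Site C's local subnet as written (192.168.2.0/24) does not contain Site C's LAN (192.168.3.0/24).

```python
"""Route-coverage checker for a hub-and-spoke site-to-site VPN.

Added example; not code from the thread or from Netgate/pfSense.  Models the
three-site addressing assumed in the thread (constructed values) and checks:

  1. each site's configured remote networks cover every other site's LAN
     (IPsec phase-2 remote subnets, or the route / Remote Network entries
     on an OpenVPN static-key tunnel);
  2. each site's declared local network contains its own LAN.
"""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List

# Constructed topology matching the subnets assumed in the thread.
SITES: Dict[str, IPv4Network] = {
    "A": ip_network("192.168.1.0/24"),  # hub
    "B": ip_network("192.168.2.0/24"),  # spoke
    "C": ip_network("192.168.3.0/24"),  # spoke
}


def covered(lan: IPv4Network, nets: List[IPv4Network]) -> bool:
    """True if some configured network contains the whole LAN."""
    return any(lan.subnet_of(n) for n in nets)


def check_site(site: str, local: str, remotes: List[str]) -> List[str]:
    """Return the problems found in one site's local/remote network settings."""
    problems: List[str] = []
    local_net = ip_network(local)
    remote_nets = [ip_network(r) for r in remotes]

    # The local network must contain the site's own LAN, otherwise local
    # hosts never match the tunnel's selectors or routes.
    if not SITES[site].subnet_of(local_net):
        problems.append(f"{site}: local {local} does not contain LAN {SITES[site]}")

    # Every other site's LAN must be covered by some remote network.
    for other, lan in SITES.items():
        if other != site and not covered(lan, remote_nets):
            problems.append(f"{site}: no route to {other} ({lan})")
    return problems


def check_topology(config: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Run check_site over every site; an empty list means full reachability."""
    problems: List[str] = []
    for site, settings in config.items():
        problems.extend(check_site(site, settings["local"], settings["remote"]))
    return problems


# focalguy's IPsec settings, transcribed as posted (Site C local subnet as written).
IPSEC_AS_POSTED = {
    "A": {"local": "192.168.0.0/16", "remote": ["192.168.2.0/24", "192.168.3.0/24"]},
    "B": {"local": "192.168.2.0/24", "remote": ["192.168.0.0/16"]},
    "C": {"local": "192.168.2.0/24", "remote": ["192.168.0.0/16"]},
}

# Constructed OpenVPN static-key hub-and-spoke: the hub's two instances each
# carry one spoke, but each spoke only routes the hub LAN, so spoke-to-spoke
# traffic has no path.
OPENVPN_SPOKES_HUB_ONLY = {
    "A": {"local": "192.168.1.0/24", "remote": ["192.168.2.0/24", "192.168.3.0/24"]},
    "B": {"local": "192.168.2.0/24", "remote": ["192.168.1.0/24"]},
    "C": {"local": "192.168.3.0/24", "remote": ["192.168.1.0/24"]},
}

# Same topology with each spoke also routing the other spoke's LAN through
# its tunnel to the hub.
OPENVPN_SPOKES_FULL = {
    "A": {"local": "192.168.1.0/24", "remote": ["192.168.2.0/24", "192.168.3.0/24"]},
    "B": {"local": "192.168.2.0/24", "remote": ["192.168.1.0/24", "192.168.3.0/24"]},
    "C": {"local": "192.168.3.0/24", "remote": ["192.168.1.0/24", "192.168.2.0/24"]},
}

if __name__ == "__main__":
    for name, cfg in [("ipsec as posted", IPSEC_AS_POSTED),
                      ("openvpn hub-only", OPENVPN_SPOKES_HUB_ONLY),
                      ("openvpn full", OPENVPN_SPOKES_FULL)]:
        print(name, check_topology(cfg) or "OK")
```

                    The checker only reasons about address coverage; it does not model which of the hub's two tun interfaces a route points at, nor the hub's IP forwarding and firewall rules, both of which must also permit traffic from one tunnel interface to the other for the spoke-to-spoke case to work.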

                      You pretty much hit the nail on the head franklookyou.  I'm running two instances of OpenVPN for each of the branches on different ports (three if you count my PKI setup for road warriors).  I guess I'm back to needing help setting up the routing between the branches.  Either that or I should switch to IPSEC like focalguy suggested, but I'm not very familiar with that type of setup.

                      • franklookyou

                        You might also try browsing the OpenVPN users mailing-list (http://news.gmane.org/gmane.network.openvpn.user).  A quick look over the past month turned up a couple of people asking about similar-ish problems.

                        • benutne

                          @franklookyou:

                          You might also try browsing the OpenVPN users mailing-list (http://news.gmane.org/gmane.network.openvpn.user).  A quick look over the past month turned up a couple of people asking about similar-ish problems.

                          Ah.  Excellent.  I'll take a look there.  Thanks for the link.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.