One server profile for each remote location, 1:1 ratio
-
Can anyone confirm this? You can ONLY have one OpenVPN server profile for each remote site? I have been racking my brain for the last 24 hours getting a hub-and-spoke setup with one server profile to several remote sites, and it does not seem to work. It seems to somewhat work: Remote Site A would connect, and at random Remote Site B would connect, causing Remote Site A to disconnect, and vice versa. This is using PKI with and without TLS authentication.
-
It works fine with SSL/TLS for one server and multiple remotes. Easier to accomplish on 2.0. Covered on the doc wiki.
-
Thanks Jimp. I tried and can't seem to get it to work. Ended up doing a 1:1 setup.
----------------------------------------
On the server side, I have:
Server mode: Peer to Peer SSL/TLS
Protocol: UDP
Device Mode: tun
Interface: WAN
Local Port: 1194
TLS Authentication: Enabled
TLS key: auto generate
Peer CA: Local CA using Cert Manager
Server Cert: Local Cert using Cert Manager
DH Parameter: 1024
Encryption: BF-CBC
Tunnel Network: 10.10.10.0/24
Local Network: 192.168.96.0/22
Remote Network: Blank
Advanced Options:
route 192.168.1.0 255.255.255.0 (remote A)
route 192.168.2.0 255.255.255.0 (remote B)

Client Specific Override for remote A
common name: remotea.testsdomain.com (same as CN on local certificate on remote A pfSense)
Advanced Options:
push "route 192.168.96.0 255.255.252.0";
push "route 192.168.2.0 255.255.255.0";

Client Specific Override for remote B
common name: remoteb.testsdomain.com (same as CN on local certificate on remote B pfSense)
Advanced Options:
push "route 192.168.96.0 255.255.252.0";
push "route 192.168.1.0 255.255.255.0";
Remote A pfSense side:
Server mode: Peer to Peer SSL/TLS
Protocol: UDP
Device Mode: tun
Interface: WAN
Server host: IP of server side
Server port: 1194
TLS Authentication: Enabled
TLS key: use key generated from server side
Peer CA: CA from the server
Server Cert: Local Cert using Cert Manager
DH Parameter: 1024
Encryption: BF-CBC
Tunnel Network: 10.10.10.0/24
Local Network: 192.168.1.0/24
Remote Network: Blank
Remote B pfSense side:
Server mode: Peer to Peer SSL/TLS
Protocol: UDP
Device Mode: tun
Interface: WAN
Server host: IP of server side
Server port: 1194
TLS Authentication: Enabled
TLS key: use key generated from server side
Peer CA: CA from the server
Server Cert: Local Cert using Cert Manager
DH Parameter: 1024
Encryption: BF-CBC
Tunnel Network: 10.10.10.0/24
Local Network: 192.168.2.0/24
Remote Network: Blank
Please advise where I am going wrong. What I notice is that both Remote A and Remote B have the same virtual tunnel IP address of 10.10.10.2. I know that couldn't be right. So on the server side, in the Client Specific Override for remote A, I changed the tunnel network to 10.10.10.0/30 for remote A and 10.10.10.4/30 for remote B, and it still does not work.
Any insight would be greatly appreciated.
-
Read the doc wiki article. You are missing iroutes; there may be other errors, but it's all covered on the wiki.
-
I am assuming the wiki link is http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL). If not, please correct me.
So, to be clear, I need to add the iroute on the server side in the "Client Specific Override" section.
Please correct me if I am wrong.

Client Specific Override for remote A
common name: remotea.testsdomain.com (same as CN on local certificate on remote A pfSense)
Advanced Options:
iroute 192.168.96.0 255.255.252.0
push "route 192.168.96.0 255.255.252.0"; remove this one?
push "route 192.168.2.0 255.255.255.0";

Client Specific Override for remote B
common name: remoteb.testsdomain.com (same as CN on local certificate on remote B pfSense)
Advanced Options:
iroute 192.168.96.0 255.255.252.0
push "route 192.168.96.0 255.255.252.0"; remove this one?
push "route 192.168.1.0 255.255.255.0";
-
You don't need to push routes in the override.
Add the pushes and route statements for all subnets in the main server config
Only add iroutes in the override.
-
I see, got it. Thanks again Jimp. Will try it tonight.
One other question: since both Remote A and Remote B are getting the same virtual tunnel IP, should I still leave the tunnel network as /30 in the "Client Specific Override"? I.e. 10.10.10.0/30 for the Remote A override and 10.10.10.4/30 for the Remote B override.
-
Jimp, the iroute command worked in the client override. I left /30 in the tunnel network in the client override. Thank you so much.
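Jimp's answer above, written out as raw OpenVPN files instead of pfSense GUI fields, plus a check for the two easy mistakes in this thread. This is an added editorial example, not code from the thread, from pfSense or from the doc wiki. It assumes the thread's addressing (hub LAN 192.168.96.0/22, remote A LAN 192.168.1.0/24 behind CN remotea.testsdomain.com, remote B LAN 192.168.2.0/24 behind CN remoteb.testsdomain.com, tunnel 10.10.10.0/24); the file names, key/cert paths and target directory are assumptions, and the cipher and DH lines from the thread are left out because they play no part in the routing problem. The points it shows: every `route` and `push "route"` for every site goes in the main server config; each override file (named after the client's certificate CN) carries only an `iroute`, and that `iroute` names the LAN behind that client, not the hub's own LAN as in the draft override earlier in the thread; and OpenVPN needs a matching kernel `route` on the hub for every `iroute`, because `route` moves the packet from the kernel into OpenVPN and `iroute` then picks the client. Address assignment is left to the `server` directive's pool rather than pinned per client.

```shell
#!/bin/sh
# Hub-and-spoke OpenVPN layout from the thread, as raw OpenVPN files rather
# than pfSense GUI fields. Hub LAN 192.168.96.0/22, remote A LAN 192.168.1.0/24
# (CN remotea.testsdomain.com), remote B LAN 192.168.2.0/24
# (CN remoteb.testsdomain.com), tunnel 10.10.10.0/24. File names, key/cert
# paths and the target directory are assumptions made for this example.

write_hub_config() {  # $1 = directory in which to create server.conf and ccd/
  dir=$1
  mkdir -p "$dir/ccd"
  cat >"$dir/server.conf" <<'EOF'
dev tun
proto udp
port 1194
ca ca.crt
cert hub.crt
key hub.key
dh dh.pem
tls-auth ta.key 0
server 10.10.10.0 255.255.255.0
# Kernel routes on the hub: hand spoke-LAN traffic from the kernel to OpenVPN.
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
# Pushed to every spoke: the hub LAN and every spoke LAN.
push "route 192.168.96.0 255.255.252.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
# Per-client overrides live here, one file per certificate CN.
client-config-dir ccd
EOF
  # Only iroute goes in the override: it tells OpenVPN which connected client
  # owns which LAN once the kernel route has delivered the packet to the tunnel.
  printf 'iroute 192.168.1.0 255.255.255.0\n' >"$dir/ccd/remotea.testsdomain.com"
  printf 'iroute 192.168.2.0 255.255.255.0\n' >"$dir/ccd/remoteb.testsdomain.com"
}

# Check for the two mistakes seen in the thread: an iroute naming the hub's own
# LAN, and an iroute with no matching "route" line in server.conf.
# Prints "ok" and returns 0 when clean; otherwise one problem per line, returns 1.
check_iroutes() {  # $1 = config directory, $2 = hub LAN as "network netmask"
  dir=$1
  hub_lan=$2
  problems=0
  for f in "$dir"/ccd/*; do
    cn=${f##*/}
    # Emit "network/netmask" per iroute; a missing netmask means a host route.
    for pair in $(awk '$1=="iroute"{m=($3!="")?$3:"255.255.255.255"; print $2"/"m}' "$f"); do
      net=${pair%/*}
      mask=${pair#*/}
      if [ "$net $mask" = "$hub_lan" ]; then
        echo "$cn: iroute $net $mask is the hub LAN, not a network behind this client"
        problems=$((problems + 1))
      fi
      # Escape the dots so grep matches the literal address, not any character.
      pat=$(printf '%s %s' "$net" "$mask" | sed 's/\./\\./g; s/ /[[:space:]]+/')
      if ! grep -qE "^[[:space:]]*route[[:space:]]+${pat}([[:space:]]|\$)" "$dir/server.conf"; then
        echo "$cn: iroute $net $mask has no matching 'route' line in server.conf"
        problems=$((problems + 1))
      fi
    done
  done
  if [ "$problems" -eq 0 ]; then
    echo ok
    return 0
  fi
  return 1
}

# Usage: sh hubcheck.sh /tmp/ovpn-hub   (writes the files, then checks them)
if [ -n "${1:-}" ]; then
  write_hub_config "$1"
  check_iroutes "$1" "192.168.96.0 255.255.252.0"
fi
```

A spoke also receives the push for its own LAN; its directly connected route already covers that prefix, so the route add fails and OpenVPN logs it and carries on. Confirm that in each spoke's OpenVPN log rather than assuming it, and check the hub's log for the "iroute" line it prints when the override file is read, which is the quickest sign that the file name matched the client's CN.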