    Site2site VPN newbie question

cosmin.batica:

      I have three sites. Internet connection is available on each site by using a VDSL router. So:

      Site 1 - HQ:
      VDSL 1: Public IP: a.a.a.a, LAN class: 192.168.1.0/24
      pfSense: two NICs: WAN IP: 192.168.1.100; LAN: 192.168.151.0/24

      Site 2:
      VDSL 2: Public IP: b.b.b.b, LAN class: 192.168.2.0/24
      pfSense: two NICs: WAN IP: 192.168.2.100; LAN: 192.168.152.0/24

      Site 3:
      VDSL 3: Public IP: c.c.c.c, LAN class: 192.168.3.0/24
      pfSense: two NICs: WAN IP: 192.168.3.100; LAN: 192.168.153.0/24

I want computers on the pfSense LAN for Sites 2 and 3 to communicate with computers on the pfSense LAN in HQ and vice versa.
Is it ok to do this using OpenVPN or using IPsec?

Is it necessary to do some settings on the VDSL routers? (like port forwardings, NAT, and so on)

      Thank you

phil.davis:

        I would use OpenVPN.
        Put a server at HQ. You will need to forward a port on VDSL 1 from a.a.a.a to 192.168.1.100 - then the pfSense OpenVPN server can listen on that port. If you use Peer to Peer (SSL/TLS) then you can have both clients connect to 1 server. With client-specific overrides you tell it which remote network is at the other end on which client.
        The clients from site 2 and site 3 can get out fine to the server at public IP a.a.a.a - so no port forwards or mods to VDSL 2 and VDSL 3 settings needed.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

cosmin.batica:

Thank you phil.davis. So, I don't need to change any settings on VDSL 2 and 3.
Btw, if I extend the number of locations to maybe 10 or 12, do you think one HQ VPN server is enough? I will use the VPN especially for RDP connections from the locations to some LAN machines at HQ.

phil.davis:

            It should be fine having 12 clients connect to 1 server at HQ. I have 8 client offices connecting at my HQ.
            The OpenVPN server hands out a little /30 subnet of the tunnel network to each client - e.g. if server tunnel network is 192.168.42.0/24 then the server does stuff with 192.168.42.0-3, then gives 4-7 to the first client, 8-11 to the next client… The client tunnel end points will end up being 192.168.42.6 192.168.42.10 etc. Make the tunnel network a full /24 and there is room for the server and 63 clients.


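The /30-per-client bookkeeping phil.davis describes (OpenVPN's "net30" topology: the first /30 of the tunnel network for the server, one /30 per connected client, the client's endpoint on the higher host address) can be worked out in a few lines. This is an added example, not pfSense or OpenVPN code; it takes the thread's 192.168.42.0/24 tunnel network as sample input and also answers the capacity question for any other tunnel prefix, refusing a client count the network cannot hold.

```python
"""Tunnel-address bookkeeping for an OpenVPN server that hands each
site-to-site client a /30 out of the tunnel network ("net30" topology).
Added example, not pfSense's or OpenVPN's own code."""
import ipaddress


def tunnel_allocation(tunnel_network, n_clients):
    """Split tunnel_network into /30 blocks: the first block belongs to the
    server, each further block to one client (in connection order).

    Returns (server_block, capacity, clients): capacity is how many clients
    the network can hold, clients is a list of dicts with each client's /30,
    the server-side address and the client's tunnel endpoint.
    Raises ValueError if n_clients does not fit.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("tunnel network must be an IPv4 network of /30 or larger")
    blocks = list(net.subnets(new_prefix=30))
    capacity = len(blocks) - 1          # the first /30 is reserved for the server
    if n_clients > capacity:
        raise ValueError(f"{tunnel_network} holds at most {capacity} clients, "
                         f"{n_clients} requested")
    clients = []
    for block in blocks[1:n_clients + 1]:
        low, high = block.hosts()       # a /30 has exactly two usable hosts
        clients.append({
            "block": str(block),
            "server_side": str(low),    # address the server uses on this link
            "client_end": str(high),    # address the client sees on its tun
        })
    return str(blocks[0]), capacity, clients


def max_clients(tunnel_network):
    """Number of site-to-site clients a tunnel network can accommodate."""
    return tunnel_allocation(tunnel_network, 0)[1]


if __name__ == "__main__":
    # Sample input: the tunnel network used as an example in the thread.
    server_block, capacity, clients = tunnel_allocation("192.168.42.0/24", 3)
    print(f"server block {server_block}, room for {capacity} clients")
    for i, c in enumerate(clients, 1):
        print(f"client {i}: {c['block']} -> endpoint {c['client_end']}")
```

For 192.168.42.0/24 this yields 192.168.42.0/30 for the server, endpoints .6, .10, .14 for the first three clients, and room for 63 clients in total; a /26 tunnel network would hold only 15, which is the number to check before adding the tenth or twelfth site.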
cosmin.batica:

One more question, and I hope it will be ok (talk to you tomorrow, after the tests, if not ;D).
Is the tutorial from here the right one for this purpose?
              http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

phil.davis:

                Yes, that tutorial looks good - all the bits for pfSense 2.0 seem reasonable.


cosmin.batica:

                  phil.davis, can you be more specific for client specific overrides for HQ Server?

                  Should I put on section Client Settings -> Advanced a line like this for site 2?
                  iroute 192.168.152.0 255.255.255.0

                  or something else?

                  thanks

phil.davis:

                    On my server, Client Specific Override, I have:

                    • Common Name - must be the exact match of the client certificate
                    • Description - whatever you like
                    • Advanced:
iroute 10.49.104.0 255.255.255.0

10.49.104.0/24 is the LAN network at the client end of the link.

iroute 192.168.152.0 255.255.255.0

I think you meant:

iroute 192.168.2.0 255.255.255.0

                    That should work.
                    Remember that the server itself must have a list of route statements covering all the networks at the various remote clients.


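The two halves of the routing setup phil.davis describes for Peer to Peer (SSL/TLS) mode are easy to get out of step once there are a dozen sites: the server needs a `route` statement for every remote LAN so the kernel sends those packets into the tunnel, and each Client Specific Override needs an `iroute` for the same LAN so OpenVPN knows which connected client owns it. The following added example (not pfSense's own code) generates both from one site table and flags any LAN that is routed but claimed by no override. The LANs are the thread's example topology; the certificate Common Names are assumed placeholders.

```python
"""Generate the server-side 'route' statements and the per-client 'iroute'
Client Specific Overrides for an OpenVPN hub-and-spoke in Peer to Peer
(SSL/TLS) mode, and check that the two lists agree.
Added example, not pfSense's own code."""
import ipaddress

HQ_LAN = "192.168.151.0/24"

# Constructed site table: certificate Common Name of each remote pfSense
# client (placeholder names) -> the pfSense LAN behind it (from the thread).
REMOTE_SITES = {
    "site2.example.invalid": "192.168.152.0/24",
    "site3.example.invalid": "192.168.153.0/24",
}


def _as_network(cidr):
    """Parse a CIDR and reject host bits (a typo like 192.168.152.1/24)."""
    return ipaddress.ip_network(cidr, strict=True)


def _net_mask(net):
    """OpenVPN route/iroute lines take 'network netmask', not CIDR."""
    return f"{net.network_address} {net.netmask}"


def validate_sites(hq_lan, sites):
    """Reject overlapping LANs: two sites sharing address space cannot be
    told apart by routing over the tunnel."""
    nets = {"HQ": _as_network(hq_lan)}
    nets.update({cn: _as_network(lan) for cn, lan in sites.items()})
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return nets


def server_routes(sites):
    """Custom-option lines for the server: one kernel route per remote LAN,
    pointing into the tunnel interface."""
    return [f"route {_net_mask(_as_network(lan))}" for lan in sites.values()]


def client_overrides(sites):
    """Client Specific Override advanced lines, keyed by certificate CN,
    telling OpenVPN which connected client owns each remote LAN."""
    return {cn: [f"iroute {_net_mask(_as_network(lan))}"]
            for cn, lan in sites.items()}


def unassigned_routes(route_lines, overrides):
    """Networks the server routes into the tunnel but no override claims
    with an iroute: OpenVPN has no client to hand those packets to."""
    def parse(keyword, lines):
        found = set()
        for line in lines:
            parts = line.split()
            if len(parts) == 3 and parts[0] == keyword:
                found.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}",
                                               strict=False))
        return found

    routed = parse("route", route_lines)
    claimed = set()
    for lines in overrides.values():
        claimed |= parse("iroute", lines)
    return sorted(str(n) for n in routed - claimed)


if __name__ == "__main__":
    validate_sites(HQ_LAN, REMOTE_SITES)
    routes = server_routes(REMOTE_SITES)
    csos = client_overrides(REMOTE_SITES)
    print("server custom options:")
    for line in routes:
        print("  " + line)
    for cn, lines in csos.items():
        print(f"CSO for common name {cn}:")
        for line in lines:
            print("  " + line)
    print("routed but unclaimed:", unassigned_routes(routes, csos) or "none")
```

Running the check after adding a site catches the common slip of putting the `route` line on the server and forgetting the matching override (or the reverse): the site stays unreachable even though the tunnel is up. The same site table also gives the per-site `iroute` line for the Client Settings -> Advanced box that was asked about above.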
cosmin.batica:

                      @phil.davis:

                      I would use OpenVPN.
                      Put a server at HQ. You will need to forward a port on VDSL 1 from a.a.a.a to 192.168.1.100 - then the pfSense OpenVPN server can listen on that port. If you use Peer to Peer (SSL/TLS) then you can have both clients connect to 1 server. With client-specific overrides you tell it which remote network is at the other end on which client.
                      The clients from site 2 and site 3 can get out fine to the server at public IP a.a.a.a - so no port forwards or mods to VDSL 2 and VDSL 3 settings needed.

Ok, finally it's working in a site-to-site Shared Key version of OpenVPN. I have two more questions:
1. When I ping from the Site 2 LAN to the Site 1 LAN, everything is ok, but when I ping from Site 1 (HQ LAN) to Site 2, nothing happens.
2. I have built only one OpenVPN pfSense client so far - Site 2. For the next pfSense OpenVPN client - Site 3, should I use the route command in the custom options field on the server side, e.g.:
route 192.168.3.0 255.255.255.0, or something else? I think the client override section on HQ - pfSense Site 1 is useless, because for peer-to-peer shared key server mode I don't need certificates…
