Multiple Openvpn sites which all need to see each other
-
Does the Server Mode need to be changed from Peer to Peer (Shared Key), to something else for this to work?
-
Peer to Peer mode only allows communication between the server and a client. If you need communication between the clients, the easiest option is to use 'Remote Access' mode. For the 'Client Specific Overrides' you want to use SSL/TLS as well.
-
Setup a new server in Remote Access (SSL/TLS) mode. Followed the instructions in the previous posts and did the two clients. Status showed up for server and clients. However, no traffic flowed in any direction.
Been staring at this for awhile, so taking a break.
 -
Tick the "Provide a virtual adapter IP address to clients (see Tunnel Network)" checkbox. You should not enter the tunnel network in the client overrides if it is the same network.
-
I'll give the Tinc package a try,because this isn't working for me as a vpn mesh. At some point I will figure out what the correct settings are.
-
OpenVPN works fine for that, if you get all of the routes and such right.
Here is a multi-site howto for SSL/TLS
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29
Or you could do it with shared key tunnels you'd just need one server instance per side instead of one common server instance.
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29
If the traffic doesn't go the way you want, it's down to a few things:
- routes (AND iroutes if you use ssl/tls)
- firewall rules
- whether or not the VPNs actually connect and are up
- whether or not you have policy routing rules forcing the LAN traffic out a WAN bypassing the VPN
- If you used IPsec previously, make sure there are no overlapping p2's (and if you removed them, also check the SPD tab on IPsec status to make sure they really are gone)
Checking the routing table, traceroute, and packet captures should lead to a fairly straightforward answer about where the traffic is or isn't going.
-
Sorry to bump a dead topic, but I've been running into this exact same issue!
I'm able to get any clients connecting to the main site via site-to-site, but I'm unable to have the clients see each other. I've tried to switch to Remote Access (SSL) but I'm never able to pass traffic after that change. When I tracert to the main site it stops at the client firewall.
Also, does anybody know if you need to reboot after any of these changes? I only ask because I'm unable to restart the main site's firewall very often as it links 15 sites to the head office via ipsec. We just need to get off ipsec and onto OpenVPN, we also want to be able to connect to any of the external sites while we're at one of them.
Please help me out, as this is driving me insane!
-
I would try restarting the OpenVPN service to the corresponding site instead of restarting PfSense. Also make sure you create the rules allowing traffic to pass to each site. I ran into that mistake thinking that the rules where auto generated. They are only auto generated when you use the wizard.
-
Shouldn't I just have a rule accepting all OpenVPN traffic on every client + the host, and also a rule accepting the port on the WAN?
After restarting the openvpn service I'm passing traffic. Now I just need to get client to client working! :)
So, I'm unable to get client to client working. I have the inter-client box checked, but they're unable to get anywhere. I've tried with push settings and without. Is there anything I'm missing?
-
Good news. It's working! It's just our one site that's not connecting properly, and of course that was the one I was using for testing.
Great guides posted by everybody.