Routing problems when using two or more OpenVPN servers
-
Hi
The first site-to-site vpn connection works like a charm.
If I add a similar OpenVPN server with a new certificate+key for the new client site, the connection is established, but...
pfSense uses 10.0.9.5-6 as tunneling addresses!! NOT 10.0.9.1-2 as I would expect.
In the routing list of the pfSense I can see the 10.0.9.1-2, NOT 10.0.9.5-6, so obviously the routing goes wrong. I think this is a bug, but I need others to confirm this issue. Or at least an explanation on why pfSense uses the .5-6 IP addresses on the other servers and not the .1-2 IP addresses.
-
I should mention that I need several OpenVPN servers, because each site2site connection is between different sites and LANs.
E.g. one site connects to one LAN behind pfSense...
-
That's just how OpenVPN works, the first /30 isn't assigned to clients. The routing is handled automatically internally by OpenVPN, just needs to be configured accordingly for the scenario you have.
-
Hi cmb
Well, it's not the client IP addresses, but the tunneling IP addresses, which are wrong...
The first 'setup' works like a charm, but the next doesn't...
The next OpenVPN servers get the 'top' IP addresses, but in the routing table in pfSense you can see the 'bottom' IP addresses. So, obviously the routing doesn't work for this second OpenVPN 'setup'.
I'll try to get some images...
-
Using certificates, you can have a single OpenVPN site-to-site server with multiple client ends connecting in. At each client end is a router with a LAN on the end. You can add client-specific overrides to tell the server which remote LAN is behind which client. I have a couple like this, with 6 small offices connecting in to 1 OpenVPN at a main office.
Or you can make a separate server for every client.
-
Hi Phil
Your last suggestion is exactly what I try to achieve.
I've got some pictures which might help me to explain what my problem is...
Br Lars
-
...and here's the other end...
Where it shows that DD-WRT is told to use 10.0.8.5-6 for the tunnel, which is wrong...
-
That is correct for an SSL-based tunnel with a tunnel network larger than /30.
Here is a how-to for doing a multi-site OpenVPN + certificate setup where you have one server process and multiple clients:
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29
Pay particular attention to the notes about client-specific overrides and iroutes.
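As an added illustration (not code from this thread, from pfSense or from OpenVPN) of the net30 address plan the replies describe, and of the iroute/route pair that a client-specific override produces, the following works out which /30 the server keeps and which /30 each connecting client receives. It assumes a /24 tunnel network and constructed client names and LANs.

```python
import ipaddress


def net30_allocation(tunnel_network: str, client_count: int):
    """Reproduce OpenVPN's net30 topology address plan for one server process.

    Returns (server_pair, client_pairs). The server owns the first /30 of the
    tunnel network (its own address .1, point-to-point peer .2), which is what
    shows up in the pfSense routing table. Each connecting client is handed the
    next free /30: .5 is the server-side endpoint the client routes through and
    .6 is the client's own tunnel address, hence "10.0.8.5-6" on the DD-WRT end.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.prefixlen > 30:
        raise ValueError("net30 topology needs a tunnel network of /30 or larger")
    blocks = list(net.subnets(new_prefix=30))
    # One block is reserved for the server itself, so a /24 serves 63 clients.
    if client_count + 1 > len(blocks):
        raise ValueError("not enough /30 blocks for the requested clients")
    first = blocks[0]
    server_pair = (str(first[1]), str(first[2]))
    client_pairs = []
    for block in blocks[1:client_count + 1]:
        # (client address, server-side endpoint) for this client's /30
        client_pairs.append((str(block[2]), str(block[1])))
    return server_pair, client_pairs


def client_override(common_name: str, remote_lan: str) -> dict:
    """OpenVPN directives behind a client-specific override for a site-to-site client.

    The iroute goes in the client's ccd entry (keyed by certificate CN) so the
    server's internal routing knows which client sits in front of which LAN;
    the matching route on the server pushes that LAN into the kernel table.
    Hypothetical CN and LAN values are supplied by the caller.
    """
    lan = ipaddress.ip_network(remote_lan, strict=True)
    return {
        "ccd_file": common_name,
        "ccd_line": f"iroute {lan.network_address} {lan.netmask}",
        "server_line": f"route {lan.network_address} {lan.netmask}",
    }


if __name__ == "__main__":
    # Constructed scenario: one server, two remote sites on the 10.0.8.0/24 tunnel.
    server, clients = net30_allocation("10.0.8.0/24", 2)
    print("server tun:", server)
    for cn, (client_ip, endpoint) in zip(("site-b", "site-c"), clients):
        print(cn, "gets", client_ip, "via", endpoint)
    print(client_override("site-b", "192.168.20.0/24"))
```

Running it shows why the routing table lists the server's own .1-.2 pair while the client tunnel uses .5-.6; the LAN behind the client only becomes reachable once the iroute and route lines are in place.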