Can PFSense handle multiple VPN's? (more details inside)
-
Say I have my pfsense box, and I have a bunch of other pfsense boxes at other locations. Say I want to make my main pfsense box a vpn server, and I want to have all my other pfsense boxes connect to my main pfsense box via vpn tunnel.
Can this be done with pfsense? If so, which one? Open VPN? IPsec? I've been googling and I cannot seem to come up with the right searches if it is possible.
-
Yes it can. For OpenVPN, start here: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29
-
Sure. Either IPsec or OpenVPN fits the bill there.
-
I can attest to the fact that it works well, I run about 24 continuous OpenVPN connections to my main router currently.
The hardware required is not spectacular, I use an AMD 4600 X2 w/3GB of RAM and a 10GB HD, Realtek and Intel NIC's, no serious packages. Not particularly high bandwidth (25/5Mb) but very effective. I haven't done any serious analysis of the loads, but the CPU feels like serious overkill for my needs. I routinely run other boxes with processors as light as 800Mhz that still handle 1 or two OpenVPN connections reasonably well.
The worst problem I encountered were all self made (finger troubles) :)
-
Yes it can. For OpenVPN, start here: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29
Thats what I did to get my setup going with my main pfsense and 1 other box. I tried to add a 2nd pfsense box using the same settings as the first client, except of course all 3 networks are on different local subnets (ie: 192.168.99.0/24, 192.168.0.0/24, 192.168.1.0/24) and for some reason that 2nd box just would not work.
I have my pfsense running via hyper-v using a 2.1 beta build I found in these forums a while ago. Running on a 15TB 2012 server with the best Xeon processor I could find and 32GB of memory. The OS drives are running 2 SSD mirror'd. My internet connection is a 80MB down, 5MB up. So hopefully judging from the post above, I should be good there :)
In order to make this work, do I have to add additional openvpn servers to my main pfsense box?
edit
I added additional openvpn servers to my main box. I now have 1 main, and 2 client boxes that say the vpn is up. I can ping the pfsense at client 1, but I cannot ping the pfsense at client 2. Any idea what could cause this?
This showed up in the system logs for openvpn tab of the client I can't ping: openvpn[43894]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.10.2 10.0.10.1', remote='ifconfig 10.0.10.0 10.0.10.2
-
Thats what I did to get my setup going with my main pfsense and 1 other box. I tried to add a 2nd pfsense box using the same settings as the first client, except of course all 3 networks are on different local subnets (ie: 192.168.99.0/24, 192.168.0.0/24, 192.168.1.0/24) and for some reason that 2nd box just would not work.
If you followed the same instructions for the 2nd box, then it's probably just a typo in the configuration. Double check all your IP adresses and netmasks. If it still doesn't work, then post up your configurations and we can take a look at why it's failing.
In order to make this work, do I have to add additional openvpn servers to my main pfsense box?
That is the cleanest way IMO.
I added additional openvpn servers to my main box. I now have 1 main, and 2 client boxes that say the vpn is up. I can ping the pfsense at client 1, but I cannot ping the pfsense at client 2. Any idea what could cause this?
Any number of things, but usually a typo or a firewall rule. As above, double check all your settings, check the firewall logs for blocked packets, and feel free to post the configuration for us to look at.
This showed up in the system logs for openvpn tab of the client I can't ping: openvpn[43894]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.10.2 10.0.10.1', remote='ifconfig 10.0.10.0 10.0.10.2
That's probably due to a typo in your configuration. Is there a similar error on the server side with the local and remote IPs reversed? 10.0.10.0 is generally going to be a network address, so that's the one I would start looking for.
-
Whats weird is I completely deleted the entire VPN setup, and recreated it all from scratch and now the 2 client pfsense boxes are working perfectly.
Here is a odd question
say I have a setup like this:
Home (192.168.99.252)
| |
Client 1 (192.168.0.252) Client 2 (192.168.16.252)I can get the clients to ping the home and the home to ping the clients, however I cannot get the clients to ping each other. I'm sure this would be very laggy, but I still want to try it to see how well it works, can I get the clients to ping each other thru this setup?
-
I can get the clients to ping the home and the home to ping the clients, however I cannot get the clients to ping each other. I'm sure this would be very laggy, but I still want to try it to see how well it works, can I get the clients to ping each other thru this setup?
Your clients probably don't have routes to each other. If you don't see the destination network in the routing table (Diagnostics: Routes), try adding a static route in each client (System: Routing: Static Routes).
-
I can get the clients to ping the home and the home to ping the clients, however I cannot get the clients to ping each other. I'm sure this would be very laggy, but I still want to try it to see how well it works, can I get the clients to ping each other thru this setup?
Your clients probably don't have routes to each other. If you don't see the destination network in the routing table (Diagnostics: Routes), try adding a static route in each client (System: Routing: Static Routes).
what about adding a line in the advanced section of the openvpn -> client "route 192.168.16.0/24" on the opposite client pfsense box? and vice versa on the other opposite one? (or according to documentation "route 192.168.16.0 255.255.255.0"
-
what about adding a line in the advanced section of the openvpn -> client "route 192.168.16.0/24" on the opposite client pfsense box? and vice versa on the other opposite one? (or according to documentation "route 192.168.16.0 255.255.255.0"
Yes, that is the preferred solution over a static route.
Edit: If that doesn't work as expected, the book mentions some caveats to pushing routes.