Netgate Discussion Forum

OpenVPN Multiple Site-to-multiSites routing

OpenVPN
23 Posts 7 Posters 27.2k Views
    karimwassim
    last edited by May 5, 2015, 3:54 PM

    Hello,

    I have 4 sites and I'm trying to make a VPN connection for them.

    This is my scenario:

    Site A : Server with public ip and LAN = 172.20.0.0/22

    Site B : dynamic ip and LAN = 172.16.0.0/22

    Site C : dynamic ip and LAN = 172.31.0.0/22

    Site D : dynamic ip and LAN = 172.19.0.0/22

    I've already set up the site-to-site VPNs successfully, where

    This is the setup I have made so far:

    OpenVPN Server 1 Config : (VPN peer2peer SSL/TLS) with Site B

    OpenVPN Server Config:

    Server Mode: Peer to Peer ( SSL/TLS )
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local port: 1194
    IPv4 Tunnel Network: 10.0.8.0/24
    IPv6 Tunnel Network: blank
    Redirect Gateway: blank
    IPv4 Local Network/s: 172.20.0.0/22
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: 172.16.0.0/22
    IPv6 Remote Network/s: blank
    Compression: enabled
    Type-of-Service: blank
    Duplicate Connections: blank
    Disable IPv6: blank
    Certificate Depth : one (client/server)
    Advanced configuration:

    push "route 172.20.0.0 255.255.252.0";
    push "route 172.31.0.0 255.255.252.0";
    push "route 172.19.0.0 255.255.252.0";

    Client Specific Override is one in the server for all sites

    Common name: (matching with certificate name)
    Tunnel Network: blank
    IPv4 Local Network/s: blank
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: blank
    IPv6 Remote Network/s: blank
    Redirect Gateway: blank
    Advanced:

    iroute 172.16.0.0 255.255.252.0;
    iroute 172.31.0.0 255.255.252.0;
    iroute 172.19.0.0 255.255.252.0;

    OpenVPN Server 2 Config : (VPN peer2peer SSL/TLS) with Site C

    OpenVPN Server Config:

    Server Mode: Peer to Peer ( SSL/TLS )
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local port: 1195
    IPv4 Tunnel Network: 10.0.9.0/24
    IPv6 Tunnel Network: blank
    Redirect Gateway: blank
    IPv4 Local Network/s: 172.20.0.0/22
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: 172.31.0.0/22
    IPv6 Remote Network/s: blank
    Compression: enabled
    Type-of-Service: blank
    Duplicate Connections: blank
    Disable IPv6: blank
    Certificate Depth : one (client+server)
    Advanced configuration:

    push "route 172.20.0.0 255.255.252.0";
    push "route 172.16.0.0 255.255.252.0";
    push "route 172.19.0.0 255.255.252.0";

    OpenVPN Server 3 Config : (VPN peer2peer SSL/TLS) with Site D

    OpenVPN Server Config:

    Server Mode: Peer to Peer ( SSL/TLS )
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local port: 1196
    IPv4 Tunnel Network: 10.0.10.0/24
    IPv6 Tunnel Network: blank
    Redirect Gateway: blank
    IPv4 Local Network/s: 172.20.0.0/22
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: 172.19.0.0/22
    IPv6 Remote Network/s: blank
    Compression: enabled
    Type-of-Service: blank
    Duplicate Connections: blank
    Disable IPv6: blank
    Certificate Depth : one (client+server)
    Advanced configuration:

    push "route 172.20.0.0 255.255.252.0";
    push "route 172.31.0.0 255.255.252.0";
    push "route 172.16.0.0 255.255.252.0";

    Now this is my problem:

    I set up on the server an OpenVPN (remote access SSL/TLS + user auth) and generated the file, and from outside the sites I can only access the server, not sites B, C, D.

    This is the configuration:

    IPv4 Tunnel Network: 10.0.11.0/24
    IPv6 Tunnel Network: blank
    Redirect Gateway: blank
    IPv4 Local Network/s: 172.20.0.0/22,172.16.0.0/22,172.31.0.0/22,172.19.0.0/22
    Compression: enabled
    Dynamic IP: Allow connected clients to retain their connections if their IP address changes (checked).
    Address Pool :Provide a virtual adapter IP address to clients (checked).
    Disable IPv6: blank
    Certificate Depth : one (client+server)
    Advanced configuration: blank

    Thanks for any help.

      jdp0418
      last edited by May 5, 2015, 4:29 PM

      So site A is the main site, with tunnels to B, C, and D?  And local A can reach everything at B,C and D?  But on another OpenVPN connection into A, you can access local A, but NOT in B,C or D?

      If my understanding is correct, then it very well could be a rules issue.  Make sure you have rules allowing the diverse networks to and from one another on LAN and OpenVPN interfaces alike.

        karimwassim
        last edited by May 5, 2015, 4:41 PM

        Hi,

        Yes, Site A is the main site,

        with different tunnels:

        10.0.8.0/24 10.0.9.0/24 10.0.10.0/24

        Site A can see all sites B C D
        Site B can see all sites A C D
        Site C can see all sites A B C

        But I set up an OpenVPN connection 10.0.11.0/24 to see the sites from external (remote access SSL/TLS + user auth) and exported the file to the OpenVPN client GUI, and I can only see the main server, not B C D.

        Is there any option wrong in my setup?

          jdp0418
          last edited by May 5, 2015, 4:51 PM

          Well your OpenVPN client is now likely getting an address from the network 10.0.11.0/24, so that would need to be added to the tunnels to B,C, and D so they know where to send back traffic for 10.0.11.0/24.  Also, I'll reiterate that rules should be checked to ensure that 10.0.11.0/24 can reach 172.x.x.x networks and vice versa.

            karimwassim
            last edited by May 5, 2015, 9:31 PM May 5, 2015, 6:57 PM

            I did not understand well how to get the client working. Can I get more information? I'm a newbie.

            Thanks

              jdp0418
              last edited by May 6, 2015, 2:39 PM May 6, 2015, 2:27 PM

              No problem.  I think you are almost there, you just need to go one extra step in your configuration.

              Let's break it down first.  Since there is no reason to repeat everything, I'm probably going to abbreviate a lot of your config.

              Site A Server for site B
              Tunnel network AB
              Push routes destination networks A,C,D

              Site A Server for site C
              Tunnel network AC
              Push routes destination networks A,B,D

              Site A server for site D
              Tunnel network AD
              Push routes destination networks A,B,C

              Site A server Clients
              Tunnel network CLIENT
              Push routes destination networks A,B,C,D

              Ok, so above I've summed up your config, just substituting the networks with character labels to make this easier to write.  Each site to site VPN connection you build will route over the Tunnel networks to get to the destination networks.  Each of the site to site links knows about the destination networks over the tunnels, and that's good.  But they DON'T know about the additional TUNNEL networks themselves since you don't push those networks out.

              Your CLIENT server hands out addressing from the Tunnel network pool.  But since your clients are not routers/firewalls like your other sites that pass the traffic to another network interface, the clients source all traffic from the assigned TUNNEL network IP.  Therefore you have tunnel network CLIENT trying to reach destination networks B,C,D but B,C,D do not know how to get back.  Connections to A work because it is all on the same firewall so it is sharing the route table.

              Basically, your remote CLIENT isn't routing from a 172.x.x.x address, it is using a 10.x.x.x address.  Your site to site networks know nothing of where any 10.x.x.x network lives except the OpenVPN network they have on their own tunnels.

              All I think you need to do is add the Tunnel Client network to the route push destination networks for the site to site connections to B,C and D.

              Site A Server for site B
              Tunnel network AB
              Push routes destination networks A,C,D,Tunnel network CLIENT

              Site A Server for site C
              Tunnel network AC
              Push routes destination networks A,B,D,Tunnel network CLIENT

              Site A server for site D
              Tunnel network AD
              Push routes destination networks A,B,C,Tunnel network CLIENT

              Site A server Clients
              Tunnel network CLIENT
              Push routes destination networks A,B,C,D

              Hopefully this makes sense and helps.  Let me know if I can explain further.

                jdp0418
                last edited by May 6, 2015, 2:30 PM

                Oh, and don't forget to adjust your Rules table if necessary.  :)

                  karimwassim
                  last edited by May 7, 2015, 12:25 PM

                  Hi,

                  Thank you for your help. I did everything you said but it's still not working:

                  Site A Server for site B
                  Tunnel network AB Advanced configuration  OK
                  Push routes destination networks A,C,D,Tunnel network CLIENT

                  Site A Server for site C
                  Tunnel network AC Advanced configuration OK
                  Push routes destination networks A,B,D,Tunnel network CLIENT

                  Site A server for site D
                  Tunnel network AD Advanced configuration OK
                  Push routes destination networks A,B,C,Tunnel network CLIENT

                  Site A server Clients
                  Tunnel network CLIENT Advanced configuration OK
                  Push routes destination networks A,B,C,D

                  In Site B, in the OpenVPN tab / Client / Advanced configuration,
                  I added routes A, C, D and the client network 10.0.11.0/24.

                  In Site C, in the OpenVPN tab / Client / Advanced configuration,
                  I added routes A, B, D and the client network 10.0.11.0/24.

                  In Site D, in the OpenVPN tab / Client / Advanced configuration,
                  I added routes A, B, C and the client network 10.0.11.0/24.

                  But I did not understand: "don't forget to adjust your Rules table if necessary".

                  Very sorry to every person who reads this, but I have no experience in routing VPN setup.

                  Thanks for the help.

                    jdp0418
                    last edited by May 7, 2015, 6:19 PM May 7, 2015, 5:55 PM

                    Well aside from properly setting the routes in the OpenVPN setup, you should have an OpenVPN interface under your firewall rules table that requires rules to allow traffic over the VPN.  If you have working VPNs, then you have some kind of rules in place already.  However, most times those rules are limited to specific source/destination networks, depending how you set them up.  So, all I am saying is to be sure that your rules tables on all firewalls include permissions for the tunnel network to reach the LAN networks and vice versa.  I've seen many a setup troubled by simple issues like that, where a rule was only in place on one side of the VPN tunnel but not the other.

                    For example, on the A firewall, your OpenVPN rules should be something like this:

                    Firewall-> rules->  OpenVPN tab:
                    Permit IP (any protocol)-> (source) Remote Net -> any source port -> (destination) LAN net -> any destination port
                    Permit IP (any protocol)-> (source) LAN Net -> any source port -> (destination) Remote net -> any destination port

                    And so for the OpenVPN remote client network, you would have to add a rule to each firewall's OpenVPN interface
                    Firewall A
                    Firewall-> rules->  OpenVPN tab:
                    Permit IP (any protocol)-> (source) Client VPN Net -> any source port -> (destination) LAN net -> any destination port

                    Firewalls B,C,D
                    Firewall-> rules-> OpenVPN tab:
                    Permit IP (any protocol)-> (source) LAN Net -> any source port -> (destination) Client VPN net -> any destination port

                      jdp0418
                      last edited by May 7, 2015, 6:14 PM

                      Now that I think more about it, it is likely the Client VPN network needs to be added not as a route but as a local network in the OpenVPN setup.  Sorry, I didn't catch that the first time.

                      OpenVPN Server 1 Config : (VPN peer2peer SSL/TLS) with Site B
                      Server Mode: Peer to Peer ( SSL/TLS )
                      IPv4 Tunnel Network: 10.0.8.0/24
                      IPv4 Local Network/s: 172.20.0.0/22**,10.0.11.0/24**
                      IPv4 Remote Network/s: 172.16.0.0/22

                      push "route 172.20.0.0 255.255.252.0";
                      push "route 172.31.0.0 255.255.252.0";
                      push "route 172.19.0.0 255.255.252.0";

                      Client Specific Override is one in the server for all site

                      OpenVPN Server 2 Config : (VPN peer2peer SSL/TLS) with Site C
                      Server Mode: Peer to Peer ( SSL/TLS )
                      IPv4 Tunnel Network: 10.0.9.0/24
                      IPv4 Local Network/s: 172.20.0.0/22**,10.0.11.0/24**
                      IPv4 Remote Network/s: 172.31.0.0/22

                      push "route 172.20.0.0 255.255.252.0";
                      push "route 172.16.0.0 255.255.252.0";
                      push "route 172.19.0.0 255.255.252.0";

                      OpenVPN Server 3 Config : (VPN peer2peer SSL/TLS) with Site D
                      Server Mode: Peer to Peer ( SSL/TLS )
                      IPv4 Tunnel Network: 10.0.10.0/24
                      IPv4 Local Network/s: 172.20.0.0/22**,10.0.11.0/24**
                      IPv4 Remote Network/s: 172.19.0.0/22

                      push "route 172.20.0.0 255.255.252.0";
                      push "route 172.31.0.0 255.255.252.0";
                      push "route 172.16.0.0 255.255.252.0";

                      This is probably good as is.

                      IPv4 Tunnel Network: 10.0.11.0/24
                      IPv4 Local Network/s: 172.20.0.0/22,172.16.0.0/22,172.31.0.0/22,172.19.0.0/22
                      Compression: enabled
                      Dynamic IP: Allow connected clients to retain their connections if their IP address changes (checked).
                      Address Pool :Provide a virtual adapter IP address to clients (checked).
                      Disable IPv6: blank
                      Certificate Depth : one (client+server)
                      Advanced configuration: blank

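A routing model of the topology in this thread, added here as an illustration and not code from the thread or from pfSense: it reproduces jdp0418's reasoning that the road-warrior client's packets reach site B but the replies have no route back, and shows that advertising 10.0.11.0/24 to the spokes (the Local Network/s fix above) closes the gap. The prefixes are the thread's; the hub/spoke next-hop model and the helper names `build_tables`, `trace` and `round_trip_ok` are assumptions made for this example.

```python
# Added example (not code from the thread or pfSense): a routing model of the
# hub-and-spoke topology in this thread, used to show why the road-warrior
# client can reach site A but not B, C, D, and why advertising the client
# tunnel network to the spokes fixes the return path.
from ipaddress import ip_address, ip_network

# Networks exactly as given in the thread
LAN = {"A": "172.20.0.0/22", "B": "172.16.0.0/22",
       "C": "172.31.0.0/22", "D": "172.19.0.0/22"}
TUNNEL = {"B": "10.0.8.0/24", "C": "10.0.9.0/24", "D": "10.0.10.0/24"}
CLIENT_NET = "10.0.11.0/24"   # remote-access (road warrior) tunnel network on A


def build_tables(advertised_to_spokes):
    """Return {node: [(prefix, next_hop)]} for hub A, the spokes and the client.

    advertised_to_spokes: networks hub A pushes to each spoke, i.e. what is in
    'IPv4 Local Network/s' (or an explicit push "route") on the peer-to-peer
    servers. A spoke's own LAN is never pushed back to it.
    next_hop None means directly connected.
    """
    tables = {}
    # Hub A: own LAN, the client pool and every tunnel are connected; each
    # spoke LAN is reachable through that spoke (iroute / Remote Network/s).
    hub = [(ip_network(LAN["A"]), None), (ip_network(CLIENT_NET), None)]
    for site, tun in TUNNEL.items():
        hub.append((ip_network(tun), None))
        hub.append((ip_network(LAN[site]), site))
    tables["A"] = hub
    # Spokes know only what is connected plus what A pushes to them.
    for site, tun in TUNNEL.items():
        own = ip_network(LAN[site])
        spoke = [(own, None), (ip_network(tun), None)]
        spoke += [(ip_network(n), "A") for n in advertised_to_spokes
                  if ip_network(n) != own]
        tables[site] = spoke
    # Road-warrior client: the remote-access server pushes all four LANs via A.
    tables["client"] = [(ip_network(CLIENT_NET), None)]
    tables["client"] += [(ip_network(n), "A") for n in LAN.values()]
    return tables


def next_hop(tables, node, dst):
    """Longest-prefix match; returns 'connected', a next-hop node, or None."""
    best = None
    for prefix, hop in tables[node]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    if best is None:
        return None
    return "connected" if best[1] is None else best[1]


def trace(tables, src_node, dst_ip, max_hops=5):
    """Nodes traversed from src_node until dst_ip is directly connected,
    or None if some node along the way has no route (packet dropped)."""
    dst = ip_address(dst_ip)
    path, node = [src_node], src_node
    for _ in range(max_hops):
        hop = next_hop(tables, node, dst)
        if hop is None:
            return None
        if hop == "connected":
            return path
        path.append(hop)
        node = hop
    return None


def round_trip_ok(tables, src_node, src_ip, dst_node, dst_ip):
    """A session only works if the request AND the reply both route."""
    return (trace(tables, src_node, dst_ip) is not None
            and trace(tables, dst_node, src_ip) is not None)


# Thread's original setup: A advertises only the four LANs to the spokes.
BEFORE = build_tables(list(LAN.values()))
# jdp0418's fix: also advertise the client tunnel network to the spokes.
AFTER = build_tables(list(LAN.values()) + [CLIENT_NET])

if __name__ == "__main__":
    for label, tables in (("before", BEFORE), ("after", AFTER)):
        fwd = trace(tables, "client", "172.16.0.10")   # client -> site B host
        back = trace(tables, "B", "10.0.11.5")         # site B host -> client
        ok = round_trip_ok(tables, "client", "10.0.11.5", "B", "172.16.0.10")
        print(f"{label}: forward={fwd} reply={back} ok={ok}")
```

Site-to-site traffic between B and C succeeds in both tables, which matches what the thread reports: only the client network, which nobody but A had a route for, was the missing piece.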
                        divsys
                        last edited by May 7, 2015, 7:03 PM

                        Unless I'm misunderstanding your setup, I think this can be vastly simplified.
                        There's no need for separate server setups on Site A for each of B, C, and D.

                        You set up Server A with (very similar to your first post):

                        OpenVPN Server Config:

                        Server Mode: Peer to Peer ( SSL/TLS )
                        Protocol: UDP
                        Device Mode: tun
                        Interface: WAN
                        Local port: 1194
                        IPv4 Tunnel Network: 10.0.8.0/24
                        IPv6 Tunnel Network: blank
                        Redirect Gateway: blank
                        IPv4 Local Network/s: 172.20.0.0/22
                        IPv6 Local Network/s: blank
                        IPv4 Remote Network/s: 172.16.0.0/22,172.19.0.0/22,172.31.0.0/22
                        IPv6 Remote Network/s: blank
                        Compression: enabled
                        Type-of-Service: blank
                        Duplicate Connections: blank
                        Disable IPv6: blank
                        Certificate Depth : one (client/server)

                        Then in "VPN->OpenVPN->Client Specific Overrides" section you create one new entry for each of the client sites (three in total) with:

                        Common name->The "CN" field from the client's certificate EXACTLY as it appears in the certificate (watch out for extra spaces if you cut and paste)
                        Tunnel Network->10.0.8.0/24
                        IPv4 Remote Network/s->172.16.0.0/22  You only need the particular remote network for this client (each one of the three entries will be different).

                        The client setups are even simpler:

                        Server Mode: Peer to Peer ( SSL/TLS )
                        Protocol: UDP
                        Device Mode: tun
                        Interface: WAN
                        Local port: blank
                        Server host or address:

                        [address of OpenVPN server]
                        Server port: 1194
                        [cryptographic settings as they were, since you could connect before]
                        IPv4 Tunnel Network: 10.0.8.0/24
                        IPv6 Tunnel Network: blank

                        Make sure you have one rule in the "Firewall->Rules->OpenVPN" tab that allows all traffic on both the Server and each of the Clients.
                        Restart the OpenVPN Server and then each of the clients.  In the Server's OpenVPN log you should see each of the clients attempting to connect.

                        When they do, the server will use the ClientSpecificConfiguration settings for each client to generate an "iroute command" specifying which of the remote networks (you previously listed 3 in the server) applies to which connected client.

                        This should be much simpler to enter and maintain.

                        One thing you haven't mentioned: which version of pfSense are you using for the Server and Clients?

                        -jfp

                          karimwassim
                          last edited by May 7, 2015, 10:33 PM

                          Hi and thanks for your reply,

                          I started before with the simple setup of 1 OpenVPN server for all clients, but I was surprised to get the same tunnel IP for all clients and to lose the OpenVPN connection for those sites, and for this reason I separated and set up many server-to-client OpenVPN connections.
                          I'm using for the server and all clients the latest version of pfSense, 2.2.2.

                            Derelict LAYER 8 Netgate
                            last edited by May 7, 2015, 10:50 PM

                            Why are you making your subnetting so complicated?

                            If you want 4 /24 networks (a /22) at each site, why not just do this:

                            Site A 172.19.0.0/22
                            Site B 172.19.8.0/22
                            Site C 172.19.16.0/22
                            Site D 172.19.24.0/22

                            That leaves you room to double the number of addresses at each site if you need to.

                            Then, in the server, define 172.19.0.0/16 as the remote network

                            push route 172.19.0.0 255.255.0.0 to each site

                            iroute 172.19.8.0 255.255.252.0 to Site B

                            iroute 172.19.16.0 255.255.252.0 to Site C

                            iroute 172.19.24.0 255.255.252.0 to Site D

                            And don't forget firewall rules.  Traffic has to be passed where it is ENTERING a site, so traffic from Site B to Site C has to be passed on OpenVPN on Site A and Site C.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                              karimwassim
                              last edited by May 7, 2015, 11:20 PM

                              Yes sure,
                              But my topology was to have 4 networks /22 and it must be like that  :)
                              And my answer to divsys' question about 1 server for all clients (sites) was the issue of the same tunnel IP in the clients; this is my reason for changing to 1 server for each client. But thanks to every person who contributed to this subject.
                              I will try the new parameters and report the result.

                                Derelict LAYER 8 Netgate
                                last edited by May 7, 2015, 11:26 PM

                                That gives you four networks - a /22 - at each site.

                                You're just making it hard on yourself.

                                Unless you're telling me you are unwilling or unable to renumber the end sites.


                                  divsys
                                  last edited by May 8, 2015, 6:53 AM

                                  Why does it matter that the sites have the same tunnel addresses?

                                  The tunnel is used by the OpenVPN server and clients to encapsulate the traffic you want routed.

                                  In general they don't participate in your network traffic, just make sure the tunnel doesn't overlap any of your LAN subnets (the numbers I gave previously are fine).

                                  In general a simpler design is a superior one IMHO.

                                  -jfp

                                    karimwassim
                                    last edited by May 10, 2015, 6:29 PM May 10, 2015, 4:12 PM

                                    Hi,
                                    I tried many times without success.

                                    This is my configuration.

                                    I just uploaded some screenshots of my config:

                                    You will see the rules of WAN/OPENVPN in site A (server) and the rule in site B.

                                    You will see my setup in the server for OpenVPN to site B.
                                    You will also see the Client Specific Override in the server.
                                    And you will see the external client setup; I just changed the tunnel address from 10.0.11.0/24 to 10.0.10.0/24 because I removed site D from my topology.

                                    Hope these screenshots help to resolve my problem.

                                    ![OpenVpn Rule Site A Server.png](/public/imported_attachments/1/OpenVpn Rule Site A Server.png)
                                    ![Openvpn Client Site B.png](/public/imported_attachments/1/Openvpn Client Site B.png)
                                    ![OpenVpn Rule Site B.png](/public/imported_attachments/1/OpenVpn Rule Site B.png)
                                    ![Openvpn server to sites.png](/public/imported_attachments/1/Openvpn server to sites.png)
                                    ![Openvpn Server2externalclient.png](/public/imported_attachments/1/Openvpn Server2externalclient.png)
                                    ![Openvpn Server2siteB.png](/public/imported_attachments/1/Openvpn Server2siteB.png)
                                    ![Wan Rule Site A Server.png](/public/imported_attachments/1/Wan Rule Site A Server.png)
                                    ![wan Rule Site B.png](/public/imported_attachments/1/wan Rule Site B.png)

                                      Derelict LAYER 8 Netgate
                                      last edited by May 10, 2015, 6:31 PM May 10, 2015, 6:26 PM

                                      You obviously don't understand how the firewall rules work yet.  Until you do you are going to have a rough go of things.

                                      https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

                                      On your server's OpenVPN tab (OpenVpn Rule Site A Server.png) you have a rule passing traffic with a source of LAN net.  You should NEVER see traffic coming INTO your pfSense node from OpenVPN clients with a source address of LAN net.  If you do, you probably want it to be blocked, not passed.

                                      None of the rules after the pass IPv4 any any any rules on your OpenVPN tabs will ever be hit, because the first match, top down, stops rule processing.  I would just delete them.

                                      OMG you're trying to configure a Remote Access (road warrior) VPN as a site-to-site/peer-to-peer.  That will never work.


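As an added illustration of the two rule problems Derelict points out (a pass any/any that shadows every rule below it, and a rule with a LAN-net source on the OpenVPN tab), here is a first-match evaluator with two static checks. This is constructed example code, not pfSense's rule engine; the rule list, the prefixes reused from the thread and the helper names `first_match`, `shadowed` and `local_source_rules` are assumptions.

```python
# Added example (not pfSense code): first-match evaluation of a rule list like
# the one on the OpenVPN tab in this thread, plus two static checks for the
# problems Derelict points out: rules shadowed by an earlier pass any/any,
# and a rule on the OpenVPN tab whose source is the firewall's own LAN net.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LAN_NET = ip_network("172.20.0.0/22")        # site A LAN from the thread
CLIENT_VPN_NET = ip_network("10.0.11.0/24")  # road-warrior tunnel network

# Constructed rule list in top-down order (pfSense evaluates top down,
# first match wins, and an unmatched packet hits the default deny).
OPENVPN_TAB_RULES = [
    {"name": "pass any any",      "action": "pass", "src": ANY,            "dst": ANY},
    {"name": "client vpn to LAN", "action": "pass", "src": CLIENT_VPN_NET, "dst": LAN_NET},
    {"name": "LAN net source",    "action": "pass", "src": LAN_NET,        "dst": ANY},
]


def first_match(rules, src_ip, dst_ip):
    """(name, action) of the first rule matching the packet, or None
    (default deny) when nothing matches."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if src in rule["src"] and dst in rule["dst"]:
            return rule["name"], rule["action"]
    return None


def shadowed(rules):
    """Rules whose source and destination are both covered by an earlier
    rule: first-match processing can never reach them, so they are dead."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (rule["src"].subnet_of(earlier["src"])
                    and rule["dst"].subnet_of(earlier["dst"])):
                out.append(rule["name"])
                break
    return out


def local_source_rules(rules, local_nets):
    """Rules on a tunnel interface whose source is one of the firewall's own
    local networks. Traffic entering from VPN peers should never carry a
    LAN-net source, so such a rule is either dead or passes spoofed packets."""
    return [r["name"] for r in rules
            if any(r["src"].subnet_of(n) for n in local_nets)]


if __name__ == "__main__":
    print("packet client->LAN hits:", first_match(OPENVPN_TAB_RULES, "10.0.11.5", "172.20.0.10"))
    print("never reached:", shadowed(OPENVPN_TAB_RULES))
    print("LAN-net source on tunnel tab:", local_source_rules(OPENVPN_TAB_RULES, [LAN_NET]))
```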
                                        jdp0418
                                        last edited by May 12, 2015, 6:52 PM

                                        Some good points about the setup here, but he has explained he is getting connected to his remote server without an issue and even talking to the local network of the firewall he is connected into.  It's the remote worker to site to site network routing that isn't working.

                                        I think it is an issue with telling the Client PC to actually route over the tunnel.  I noticed in the remote server setup screenshot that the "Redirect Gateway" option isn't checked.

                                        I just tested in my lab successfully.  I used the "Redirect Gateway" option to force all client generated traffic through the tunnel.

                                        My remote worker VPN server was setup with network 10.1.1.0/24.

                                        My site to site VPN server on the Firewall A was setup like:
                                        IPv4 Tunnel Network: 10.10.10.0/30
                                        IPV4 Local Networks: 192.168.1.0/24,10.1.1.0/24
                                        IPV4 Remote networks: 192.168.230.0/24

                                        My site to site VPN Client on Firewall B was setup like:
                                        IPv4 Tunnel Network: 10.10.10.0/30
                                        IPV4 Remote networks: 192.168.1.0/24,10.1.1.0/24

                                        I am not pushing any routes over my tunnels.

                                        Rules for OpenVPN were set to a simple "IPV4 Allow Any Any" on both A and B (to make things easier for testing).

                                        I was able to successfully ping from my client PC to the LAN Gateway on A, the LAN Gateway on B, and a LAN device on B.  Here is a traceroute screenshot.

                                        ![remote vpn routing.PNG](/public/imported_attachments/1/remote vpn routing.PNG)

                                          karimwassim
                                          last edited by May 12, 2015, 9:20 PM

                                          Thank you jdp0418

                                          Problem resolved, all is working.
