OpenVPN Multiple Site-to-Site routing
-
Hello.
I'm trying to set up the following scenario with OpenVPN and pfSense, but I got stuck on the routing part.
What I'm trying to do is connect two clients with different subnets to a pfSense OpenVPN server (hub and spoke topology), and have Client A able to talk to Client B and vice versa.
Client A
   ||
   ||
OpenVPN Server
   ||
   ||
Client B

I've already set up the site-to-site VPNs successfully: Clients A and B talk to the OpenVPN server and vice versa, but those clients can't talk to each other.
This is the setup I made so far:
OpenVPN Server:
LAN: 192.168.248.0/24
WAN: 192.168.0.2/24
Tunnel: 172.16.0.0/24
Client A: 192.168.246.0/24
Client B: 192.168.249.0/24

OpenVPN Server Config:
Server Mode: Peer to Peer ( SSL/TLS )
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
IPv4 Tunnel Network: 172.16.0.0/24
IPv6 Tunnel Network: blank
Redirect Gateway: blank
IPv4 Local Network/s: 192.168.248.0/24
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Compression: No preference
Type-of-Service: blank
Duplicate Connections: blank
Disable IPv6: blank

Advanced configuration:
route 192.168.246.0 255.255.255.0 172.16.0.2;
route 192.168.249.0 255.255.255.0 172.16.0.2;
push "route 192.168.246.0 255.255.255.0";
push "route 192.168.249.0 255.255.255.0";

Client Specific Override
Client A:
Common name: (matching with certificate name)
Tunnel Network: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: iroute 192.168.246.0 255.255.255.0;

Client B:
Common name: (matching with certificate name)
Tunnel Network: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: iroute 192.168.249.0 255.255.255.0;

Any help is appreciated.
-
What's on the OpenVPN tabs in firewall rules in each of the three locations?
Are we looking at the tunnels not coming up at all or they're coming up and both can route to the hub or what?
-
If you're building this out from scratch and can change the remote networks at will, I would consider putting all the remote sites on subnet boundaries.
For instance in order to encompass both 192.168.246.0/24 and 192.168.249.0/24 in one route, you have to go all the way to a /20 (192.168.240.0 - 192.168.255.255). And you're covering your local LAN in the same subnet.
I would probably pick a brand new random subnet for the spokes. Say you select 172.19.224.0/19. That gives you 172.19.224.0 - 172.19.255.0 as /24s.
You could then just do this (changes in red):
OpenVPN Server:
LAN: 192.168.248.0/24
WAN: 192.168.0.2/24
Tunnel: 172.16.0.0/24
Client A: 172.19.224.0/24
Client B: 172.19.225.0/24

OpenVPN Server Config:
Server Mode: Peer to Peer ( SSL/TLS )
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
IPv4 Tunnel Network: 172.16.0.0/24
IPv6 Tunnel Network: blank
Redirect Gateway: blank
IPv4 Local Network/s: 192.168.248.0/24
IPv6 Local Network/s: blank
IPv4 Remote Network/s: 172.19.224.0/19
IPv6 Remote Network/s: blank
Compression: No preference
Type-of-Service: blank
Duplicate Connections: blank
Disable IPv6: blank

Advanced configuration:
route 192.168.246.0 255.255.255.0 172.16.0.2;
route 192.168.249.0 255.255.255.0 172.16.0.2;
push "route 172.19.224.0 255.255.224.0";
push "route 192.168.249.0 255.255.255.0";

Client Specific Override
Client A:
Common name: (matching with certificate name)
Tunnel Network: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: iroute 172.19.224.0 255.255.255.0;

Client B:
Common name: (matching with certificate name)
Tunnel Network: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: iroute 172.19.225.0 255.255.255.0;

Then if you want a fully-open hub and spoke, all sites need firewall rules on the appropriate OpenVPN tabs or interface tabs passing traffic from 172.19.224.0/19 and 192.168.248.0/24 to either any or to the local network or whatever assets you want them to have access to.
I think that'd do what you want. It's not absolutely necessary, but I like to supernet to OpenVPN and then use iroutes for the individual sites. The main reason I do so is so I don't have to bounce your OpenVPN server to change the IPv4 Remote Network/s: 172.19.224.0/19 or the advanced settings. If you add a site, doing it the way I described, you don't have to touch the server. All you have to add is the client-specific override, which is hitless to everyone else.
I also like to be able to refer to all remote OpenVPN sites in one network statement.
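An added example (mine, not code from this thread or from pfSense) that works through the supernet arithmetic above with Python's ipaddress module: it finds the smallest single CIDR that covers the OP's two spoke LANs, checks whether a chosen spoke block collides with the hub LAN or the tunnel network, and lists the /24s still free for new sites. The function names and the checks are my own.

```python
from ipaddress import IPv4Network

def smallest_supernet(subnets):
    """Smallest single CIDR that contains every subnet in the list."""
    nets = [IPv4Network(s) for s in subnets]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()  # widen by one bit until everything fits
    return agg

def check_spoke_supernet(supernet, spokes, hub_lan, tunnel):
    """Problems with using `supernet` as the one route covering all spokes.
    An empty list means the block is usable for a single route statement."""
    sn = IPv4Network(supernet)
    problems = [f"spoke {s} is outside {sn}"
                for s in spokes if not IPv4Network(s).subnet_of(sn)]
    # A summary route that also contains the hub's own LAN or the tunnel
    # network overlaps networks the hub already has routes for.
    for label, other in (("hub LAN", hub_lan), ("tunnel", tunnel)):
        if IPv4Network(other).overlaps(sn):
            problems.append(f"{label} {other} overlaps {sn}")
    return problems

def free_slash24s(supernet, spokes):
    """/24s inside the supernet not yet assigned to a spoke."""
    used = {IPv4Network(s) for s in spokes}
    return [str(n) for n in IPv4Network(supernet).subnets(new_prefix=24)
            if n not in used]

if __name__ == "__main__":
    # The OP's original spoke LANs: the covering block is a /20, and that /20
    # also contains the hub LAN 192.168.248.0/24.
    spokes = ["192.168.246.0/24", "192.168.249.0/24"]
    agg = smallest_supernet(spokes)
    print(agg, check_spoke_supernet(str(agg), spokes, "192.168.248.0/24", "172.16.0.0/24"))
    # The suggested fresh block: two spokes used, thirty /24s left for new sites.
    print(len(free_slash24s("172.19.224.0/19", ["172.19.224.0/24", "172.19.225.0/24"])))
```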
-
Oh great, that's all I needed :D
Yeah, I'm building this from scratch in a test lab.
I'm going to try this setup tomorrow and keep you updated.
Thanks for the help.
-
Thanks for the help, Derelict. After a week this configuration is working flawlessly.
This topic can be closed, and marked as solved.
:D
-
This topic can be closed, and marked as solved. :D
;D I'm afraid you will have to do it by yourself, editing first post title ;)
-
I know this is an old post but it is directly relevant to my needs.
I've had a hub and spoke pfSense/OpenVPN setup for years, but only using the basic config fields with no advanced 'push' or 'iroute' commands. For the most part routing works, but sometimes there are issues and I'm wondering if this is a better way.
For reference my current setup is detailed in a recent post:
OpenVPN hub and spoke with AD/DNS on spoke
I'd like to try the configuration suggested in this thread but I don't have the luxury of changing to contiguous subnets - I have 5 spokes and their subnets are all over the place (mix of 192.168.x.x, 172.x.x.x & 10.x.x.x).
Therefore I'd like to understand if I have the config right in this case. Looking at the OP's original subnets, I'm wondering if the following config would have worked. I've added a third spoke for completeness. The only tweaks are in the server's IPv4 Remote Network/s field, the server's advanced 'push' commands, and the CSO 'iroute' commands.
OpenVPN Server:
LAN: 192.168.248.0/24
Tunnel: 172.16.0.0/24
Client A: 192.168.246.0/24
Client B: 192.168.249.0/24
Client C: 172.27.30.0/24

OpenVPN Server Config:
Server Mode: Peer to Peer ( SSL/TLS )
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
IPv4 Tunnel Network: 172.16.0.0/24
IPv6 Tunnel Network: blank
Redirect Gateway: blank
IPv4 Local Network/s: 192.168.248.0/24
IPv6 Local Network/s: blank
IPv4 Remote Network/s: 192.168.246.0/24,192.168.249.0/24,172.27.30.1
IPv6 Remote Network/s: blank
Compression: No preference
Type-of-Service: blank
Duplicate Connections: blank
Disable IPv6: blank

Advanced configuration:
push "192.168.246.0 255.255.255.0";
push "192.168.249.0 255.255.255.0";
push "172.27.30.1 255.255.255.0";

Client Specific Override
Client A:
Common name: (matching with certificate name)
Tunnel Network: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: iroute 192.168.249.0 255.255.255.0;
iroute 172.27.30.1.0 255.255.255.0;

Client B:
Common name: (matching with certificate name)
Tunnel Network: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: iroute 192.168.246.0 255.255.255.0;
iroute 172.27.30.0 255.255.255.0;

Client C:
Common name: (matching with certificate name)
Tunnel Network: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: iroute 192.168.246.0 255.255.255.0;
iroute 192.168.249.0 255.255.255.0;

Any comments or advice is very much appreciated.
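An added example (my own code, not the poster's or pfSense's) that checks a hub-and-spoke routing plan written in the form used throughout this thread: the server's IPv4 Remote Network/s entries plus advanced `route` and `push "route ..."` lines, and per-client CSO `iroute` lines. It verifies that each spoke iroutes its own LAN, that every iroute lies inside a server-side route, that no two clients claim the same network, and that every spoke LAN is covered by a pushed route. The sample plan at the bottom is constructed.

```python
import re
from ipaddress import IPv4Network

def parse_nets(text, keyword):
    """Collect 'keyword a.b.c.d m.m.m.m' entries from a pfSense advanced-options
    string; a trailing gateway (route ... 172.16.0.2) is ignored."""
    pat = r'(?<![\w"])' + re.escape(keyword) + r'\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)'
    return {IPv4Network((addr, mask)) for addr, mask in re.findall(pat, text)}

def check_hub_and_spoke(remote_networks, server_advanced, clients):
    """remote_networks: CIDRs from the server's 'IPv4 Remote Network/s' field.
    clients: {common_name: {"lan": cidr, "advanced": "iroute ...;"}}.
    Returns a list of problems; an empty list means the plan is consistent."""
    problems = []
    # Routes the server kernel has towards the tun interface: the remote-networks
    # field plus any explicit 'route' lines in the advanced box.
    server_routes = {IPv4Network(n) for n in remote_networks} | parse_nets(server_advanced, "route")
    pushed = parse_nets(server_advanced, 'push "route')
    owner = {}
    for name, cfg in clients.items():
        lan = IPv4Network(cfg["lan"])
        iroutes = parse_nets(cfg["advanced"], "iroute")
        # The CSO iroute tells OpenVPN which connected client owns the LAN;
        # the kernel route alone only gets packets as far as the tun interface.
        if lan not in iroutes:
            problems.append(f"{name}: no iroute for its own LAN {lan}")
        for ir in iroutes:
            if ir != lan:
                problems.append(f"{name}: iroute {ir} is not this spoke's LAN")
            # OpenVPN only honours an iroute that lies inside an existing server route.
            if not any(ir.subnet_of(r) for r in server_routes):
                problems.append(f"{name}: iroute {ir} is not covered by any server route")
            if ir in owner:
                problems.append(f"{name}: iroute {ir} already claimed by {owner[ir]}")
            owner.setdefault(ir, name)
        # Other spokes only learn this LAN if the server pushes a route covering it.
        if not any(lan.subnet_of(p) for p in pushed):
            problems.append(f"{name}: LAN {lan} is not covered by any pushed route")
    return problems

# Constructed plan in the supernet-plus-iroute layout suggested earlier in the thread.
SERVER_REMOTE = ["172.19.224.0/19"]
SERVER_ADV = 'push "route 172.19.224.0 255.255.224.0";'
CLIENTS = {
    "clientA": {"lan": "172.19.224.0/24", "advanced": "iroute 172.19.224.0 255.255.255.0;"},
    "clientB": {"lan": "172.19.225.0/24", "advanced": "iroute 172.19.225.0 255.255.255.0;"},
}

if __name__ == "__main__":
    print(check_hub_and_spoke(SERVER_REMOTE, SERVER_ADV, CLIENTS) or "plan is consistent")
```

Feeding it a plan where a CSO iroutes another spoke's LAN instead of its own produces one problem line per violated rule, which is quicker than reading the routing table on three boxes.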