Help with Remote Access OpenVPN with multiple satellite offices
-
This is likely a very basic question, so I appreciate any help I can get here.
My organization has three locations, with each office connected through OpenVPN Site-to-Site VPN connections. Workstations in each office can access devices in any other office.
Each office has an identical PFSense firewalls, and on each firewall I have set up a Remote Access VPN that grants specific users access to that office from outside the office.
My question is about allowing remote users access to all offices. At the moment, users who connect to an office using the Remote Access VPN can only access resources in the office that they connect to. Is there a way to allow remote users to access all three offices through a single Remote Access VPN connection? If not, why not? And if not, is there a way to connect to multiple OpenVPN Remote Access VPNs at the same time?
Forgive me if this is extremely simple stuff. Thank you for the help.
-
You need to configure the vpn routing. Different access server tunnel network ranges are required.
Add all office networks to the "Local Network/s" in the access server settings.
And in each site-to-site setting add the tunnel network of the respective remote sites access server to the "Remote Network/s".If needed edit your firewall rules to permit the access.
-
Ah, of course. Makes perfect sense. Thank you. I'll give it a try and see if it works.
I knew it'd be something obvious that I was overlooking.
-
You need to configure the vpn routing. Different access server tunnel network ranges are required.
Add all office networks to the "Local Network/s" in the access server settings.
And in each site-to-site setting add the tunnel network of the respective remote sites access server to the "Remote Network/s".If needed edit your firewall rules to permit the access.
I added the office networks to the "Local Network(s)" field in the Remote Access VPN settings. I am still unable to access anything on any of the remote networks. It's not clear to me what sort of firewall rule I would need to create to permit access to the other offices; there is already an OpenVPN "allow all" rule.
I don't believe I included this in my initial post, but I believe you intuited it: each office is in its own separate subnet.
-
Have you also added the vpn tunnel networks to the site-to-site settings as suggested?
For trouble shooting there will be more details necessary like local networks of each office, tunnel networks of the access servers and the routing table of the client and all routers between the client and the destination device.
It will be best to make a drawing for clarity. -
Have you also added the vpn tunnel networks to the site-to-site settings as suggested?
Nope…somehow I misunderstood that part the first time through.
I'll try it and report back. Thanks very much for the help with this!
-
Have you also added the vpn tunnel networks to the site-to-site settings as suggested?
This was the key. Users are able to access all branch offices now through the Remote Access VPN.
Thank you for the help!