Netgate Discussion Forum
    OpenVPN site to site + multiple clients

    8 Posts 3 Posters 754 Views
    • mstojanovic

      Hi to all,

      I have configured OpenVPN Remote Access SSL/TLS + User Auth, works fine :)
      Now I have a request to connect one more location and keep the existing users who connect via the VPN client from Windows.

      Task: site to multiple client sites, and keep the possibility to connect via a Windows/Linux client.

      What is the best choice for this configuration?

      Thank you all!

      Marko Stojanovic

      • Rico

        You can have as many OpenVPN site-to-site instances mixed with as many OpenVPN Remote Access instances as you want.
        There is no limitation in pfSense. :-)

        -Rico

        • mstojanovic

          Hi Rico :)

          Thank you for your answer! Can I use the existing server configuration and only add client sites? For Remote Access SSL/TLS + User Auth I cannot find proper documentation.

          Best regards

          Marko Stojanovic

          • Rico

            Server mode Remote Access (SSL/TLS + User Auth) is for, let's say, "End User" connections only.
            For Site to Site you create another instance with Server mode Peer to Peer (SSL/TLS) or Peer to Peer (Shared Key).
            There is a LOT of great documentation:
            https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/index.html
            https://docs.netgate.com/pfsense/en/latest/book/openvpn/index.html
            https://www.netgate.com/resources/videos/site-to-site-vpns-on-pfsense.html
            https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html

            -Rico

            • mstojanovic

              Rico,
              Thank you so much!

              I need a site-to-site connection (location A server site and location B client site + client PCs in many locations (commercial managers)). What is the best config?

              Of course I will read the documentation :)

              • NogBadTheBad

                I'd be tempted to use routed IPsec, have a look at:

                https://www.netgate.com/resources/videos/routed-ipsec-on-pfsense-244.html

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                • mstojanovic

                  I would rather use OpenVPN. Thank you!

                  • Rico

                    Personally I always use Certificates (SSL/TLS): https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html
                    My options are:

                    • TLS Configuration: Use a TLS Key
                    • TLS Key usage mode: TLS Encryption and Authentication
                    • DH Parameter Length: 2048 bit
                    • Encryption Algorithm: AES-256-GCM
                    • Enable NCP: OFF
                    • Auth digest algorithm: SHA256
                    • Certificate Depth: One (Client + Server)
                    • Compression: LZ4-v2
                    • Topology: Subnet

                    Maybe you want to disable compression because of the VORACLE attack: https://forum.netgate.com/topic/133930/new-openvpn-attack-demo-d-at-defcon

                    -Rico

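As an added example (not code from this thread, and not pfSense's own code), the following Python audit reads an OpenVPN configuration and reports where it departs from the options Rico lists above, with compression flagged per the VORACLE link. The mapping from pfSense GUI labels to OpenVPN directives (for example "TLS Encryption and Authentication" to `tls-crypt`, "Enable NCP: OFF" to `ncp-disable`, "Compression: LZ4-v2" to `compress lz4-v2`) and the file paths in the constructed sample config are this example's assumptions.

```python
"""Audit an OpenVPN site-to-site config against the options discussed in the thread.

Added example, not pfSense code. The GUI-label to directive mapping used here
(TLS Encryption and Authentication -> tls-crypt, Enable NCP OFF -> ncp-disable,
Compression LZ4-v2 -> compress lz4-v2) and the file paths below are assumptions.
"""
from __future__ import annotations

import shlex
from collections import defaultdict

# Constructed sample: server side of a Peer to Peer (SSL/TLS) instance with the
# options from the post, compression still enabled. Paths are made up.
SITE_TO_SITE_AS_POSTED = """
dev-type tun
tls-server
proto udp4
port 1194
server 10.8.0.0 255.255.255.0   # tunnel network
topology subnet
cipher AES-256-GCM
ncp-disable
auth SHA256
tls-crypt /var/etc/openvpn/server1.tls-crypt
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
compress lz4-v2
route 192.168.20.0 255.255.255.0
"""

# The same instance with compression removed, as the VORACLE note suggests.
SITE_TO_SITE_HARDENED = SITE_TO_SITE_AS_POSTED.replace("compress lz4-v2\n", "")


def parse_openvpn_config(text: str) -> dict[str, list[list[str]]]:
    """Parse OpenVPN config text into {directive: [args, ...]}.

    Handles '#'/';' comment lines, inline '#' comments, and <tag>...</tag>
    inline blocks (stored under the tag name with the body lines as args).
    """
    directives: dict[str, list[list[str]]] = defaultdict(list)
    block_tag: str | None = None
    block_body: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if block_tag is not None:
            if line == f"</{block_tag}>":
                directives[block_tag].append(block_body)
                block_tag, block_body = None, []
            else:
                block_body.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block_tag = line[1:-1]
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives[parts[0]].append(parts[1:])
    return dict(directives)


def first_arg(cfg: dict[str, list[list[str]]], name: str) -> str | None:
    """Return the first argument of the first occurrence of a directive, if any."""
    for args in cfg.get(name, []):
        if args:
            return args[0]
    return None


def audit(cfg: dict[str, list[list[str]]]) -> list[str]:
    """Return findings; an empty list means the post's settings are met."""
    findings: list[str] = []

    # Compression: any active algorithm is what the linked VORACLE post is about.
    # "compress" with no algorithm and "comp-lzo no" only add framing, so they pass.
    for args in cfg.get("compress", []):
        if args:
            findings.append(f"compress {args[0]}: disable compression (VORACLE)")
    for args in cfg.get("comp-lzo", []):
        if not args or args[0] != "no":
            findings.append("comp-lzo: disable compression (VORACLE)")

    # Control channel key ("Use a TLS Key"): tls-crypt encrypts and authenticates,
    # tls-auth only authenticates, no key means neither.
    if not any(k in cfg for k in ("tls-crypt", "tls-crypt-v2")):
        if "tls-auth" in cfg:
            findings.append("tls-auth: control channel authenticated only; prefer tls-crypt")
        else:
            findings.append("no tls-crypt/tls-auth: add a TLS key")

    # Data channel cipher: an AEAD (GCM) cipher as in the post.
    cipher = first_arg(cfg, "cipher")
    if cipher is None or not cipher.upper().endswith("-GCM"):
        findings.append(f"cipher {cipher}: use an AEAD cipher such as AES-256-GCM")

    # HMAC digest (used by tls-auth and by non-AEAD data ciphers; ignored for GCM data).
    auth = first_arg(cfg, "auth")
    if auth is None or auth.upper() not in {"SHA256", "SHA384", "SHA512"}:
        findings.append(f"auth {auth}: use SHA256 or stronger")

    # Topology: subnet is the current choice; net30 is legacy.
    if first_arg(cfg, "topology") != "subnet":
        findings.append("topology: use subnet")

    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SITE_TO_SITE_AS_POSTED), ("hardened", SITE_TO_SITE_HARDENED)):
        print(label, audit(parse_openvpn_config(text)) or ["OK"])
```

Run against the two constructed configs, the first reports only the `compress lz4-v2` line and the second reports nothing; point it at an exported client or server config to see which of the listed options it already meets.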
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.