Netgate Discussion Forum
    Setting up OpenVPN for new remote office

    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by Derelict

      Based on the information given, no.

      There is no problem having multiple OpenVPN servers running on different ports.

      If traffic enters an OpenVPN interface, there must be a rule allowing it.

      If traffic is to be sent out an OpenVPN interface, there must be a route. You do not set the remote networks the same on both sides of a tunnel. You set the remote networks to the networks on the other side you want to route to. (aka the remote networks).

      You will probably want to include the current configurations and a specific example (including source and destination addresses, etc) that cannot communicate.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • B
        BlazeStar @Derelict
        last edited by

        Hey @Derelict, thank you so much for your help.

        So I'm trying to figure out what you're saying, sorry for being a n00b.

        Based on the information given, no.

        There is no problem having multiple OpenVPN servers running on different ports.

        If traffic enters an OpenVPN interface, there must be a rule allowing it.

        On the server side, there are two firewall rules:

        • PASS / IPv4 UDP / WAN / 1194
        • PASS / IPv4 UDP / WAN / 1195

        No rules on the client side (SG-1100).

        I think on the firewall side everything seems correct?

        If traffic is to be sent out an OpenVPN interface, there must be a route. You do not set the remote networks the same on both sides of a tunnel. You set the remote networks to the networks on the other side you want to route to. (aka the remote networks).

        On my "road warrior" set up (Remote Access (SSL/TLS + User Auth)), I set up IPv4 Local network(s) to:

        10.0.3.0/24,10.0.4.0/24
        

        Everything works perfectly: I can connect to a host on 10.0.3.XXX using the OpenVPN client on Windows and Viscosity on Mac. We've been using it for years successfully.

        As soon as I fire up the second OpenVPN service (openvpn_2), nothing works anymore.

        You will probably want to include the current configurations and a specific example (including source and destination addresses, etc) that cannot communicate.

        The current configuration is up there:
        https://forum.netgate.com/topic/146151/setting-up-openvpn-for-new-remote-office/3

        With the exception that now on both sides of the Peer to Peer (Shared Key) OpenVPN configuration, the IPv4 Remote network(s) are set to:

        10.0.3.0/24,10.0.4.0/24
        

        So for example, I have a NAS server on 10.0.3.20

        I want to connect to it with SMB.

        Normally, I would fire up my OpenVPN client, connect through 1194 to my OpenVPN server with Remote Access (SSL/TLS + User Auth) and I can easily connect to my shares, no problem.

        Now as soon as the second OpenVPN server on 1195 with the Peer to Peer (Shared Key) configuration is running on the server side: I will still be able to connect like I usually do to my 1194 OpenVPN server, but I will not be able to connect with SMB to my 10.0.3.20 host.

        I'm not sure if that's the info you wanted? If not, let me know and I'll be happy to provide more.

        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          Why are you setting the remote networks on both sides of a p2p connection to the same networks? Set each side to list the networks on the other side.


          • B
            BlazeStar @Derelict
            last edited by

            @Derelict that's because of that:

            @chpalmer said in Setting up OpenVPN for new remote office:

            Get rid of the custom options. You do not need that there.

            Use " 10.0.3.0/25,10.0.4.0/28" on the IPv4 Remote Networks line at the office opposite of those. Do the same for the office where those are with the subnet of the opposite office on the other end. Yes you have to.

            So I set it up on both sides.

            Now I'm assuming I need to get rid of it on the client side, right?

            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              The networks that are on the other side of the tunnel go in the remote networks setting on each side. Consult your network diagram to determine which networks are where.


              • B
                BlazeStar @Derelict
                last edited by

                On the client side, I don't want to make anything available.

                On the server side, I just want to make 10.0.3.0/24,10.0.4.0/24 available.

                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  You have to put the networks you are sourcing from in the remote networks on the other side in order to route traffic. Else you have to assign an interface and perform outbound NAT to the tunnel address.

                  You can determine what connections can be made into that side using firewall rules on the OpenVPN tab.


                  • B
                    BlazeStar @Derelict
                    last edited by

                    So basically, on the CLIENT side I should put 10.0.3.0/24,10.0.4.0/24 in IPv4 Remote network(s)

                    and on the SERVER side I should leave blank.

                    Right?

                    • RicoR
                      Rico LAYER 8 Rebel Alliance
                      last edited by

                      Check out
                      https://www.netgate.com/resources/videos/site-to-site-vpns-on-pfsense.html
                      to get a basic understanding of how it works. :-)

                      -Rico

                      • DerelictD
                        Derelict LAYER 8 Netgate @BlazeStar
                        last edited by

                        @BlazeStar said in Setting up OpenVPN for new remote office:

                        So basically, on the CLIENT side I should put 10.0.3.0/24,10.0.4.0/24 in IPv4 Remote network(s)

                        and on the SERVER side I should leave blank.

                        Right?

                        No. You have to put the remote networks on each side to be able to route traffic (or implement tunnel address NAT). You control who can connect to what using firewall rules.

                        Yeah, some study into exactly what is going on is likely in order.


                        • B
                          BlazeStar @Rico
                          last edited by

                          @Rico said in Setting up OpenVPN for new remote office:

                          Check out
                          https://www.netgate.com/resources/videos/site-to-site-vpns-on-pfsense.html

                          That's the video I watched to set up my stuff.

                          Yet I'm still very puzzled why it doesn't work.

                          Around the end of the video, a few tests are recommended, and when I try them they fail.

                          For example, I try to ping host 10.0.3.20 which is a server I have on the server-side.

                          On the client-side, from pfSense, it works:

                          [screenshot: ping to 10.0.3.20 from the client-side pfSense, succeeding]

                          On the client-side, from LAN, it fails!!

                          [screenshot: ping to 10.0.3.20 from a client-side LAN host, failing]

                          And in the routing tables I see this:

                          [screenshot: client-side routing table]

                          Which appears to me like, once again, this should work!

                          Anything I'm not seeing here??

                          • DerelictD
                            Derelict LAYER 8 Netgate
                            last edited by

                            Does the server side have a route back to 192.168.1.1?


                            • B
                              BlazeStar @Derelict
                              last edited by

                              @Derelict on the server-side I can see this entry in my routing table:

                              [screenshot: server-side routing table entry]

                              So I would say yes there's a route back.

                              Is that what you meant?

                              • B
                                BlazeStar @BlazeStar
                                last edited by

                                And both sides have this firewall rule in the OpenVPN tab:

                                [screenshot: firewall rule on the OpenVPN tab]

                                • DerelictD
                                  Derelict LAYER 8 Netgate
                                  last edited by

                                  That doesn't look like a route back to me. How does the server side firewall know to route traffic back to 192.168.1.1 over the VPN?

                                  Add 192.168.1.0/24 to the remote networks in the OpenVPN instance on the server side.


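As an added illustration (not from the thread or from pfSense itself) of the rule Derelict states above, that each side's Remote network(s) must list the networks on the other side so traffic is routable in both directions, here is a small Python model of both tunnel ends that reports what blocks a flow from the remote-office LAN to the NAS. The 192.168.1.50 client host and the mistyped server entry are constructed; the thread only says that a typo existed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Site:
    """One pfSense end of a Peer-to-Peer (Shared Key) OpenVPN tunnel."""
    name: str
    local_networks: list                                  # LANs behind this firewall
    remote_networks: list = field(default_factory=list)   # "IPv4 Remote network(s)"

    def routes_via_tunnel(self, host):
        # pfSense installs one route per Remote network(s) entry, so a host is
        # sent into the tunnel only if some entry covers it.
        return any(ip_address(host) in ip_network(n) for n in self.remote_networks)

    def misconfigured_entries(self):
        # Entries that are really this site's own LANs (the "same list on both
        # sides" mistake from the thread) are never useful as remote networks.
        return [n for n in self.remote_networks
                if any(ip_network(n).overlaps(ip_network(l)) for l in self.local_networks)]

def check_flow(src_site, dst_site, src_host, dst_host):
    """List what stops src_host (behind src_site) reaching dst_host (behind dst_site).
    Both directions are checked: the reply has to find its way back too."""
    problems = []
    for site in (src_site, dst_site):
        for bad in site.misconfigured_entries():
            problems.append(f"{site.name}: {bad} is a local network, not a remote one")
    if not src_site.routes_via_tunnel(dst_host):
        problems.append(f"{src_site.name}: no route to {dst_host} over the tunnel")
    if not dst_site.routes_via_tunnel(src_host):
        problems.append(f"{dst_site.name}: no route back to {src_host} over the tunnel")
    return problems

# Constructed sample following the thread: office (server) LANs 10.0.3.0/24 and
# 10.0.4.0/24 with the NAS at 10.0.3.20; remote office (SG-1100 client) LAN 192.168.1.0/24.
OFFICE_LANS = ["10.0.3.0/24", "10.0.4.0/24"]
REMOTE_LAN = ["192.168.1.0/24"]

def thread_scenarios():
    """Problems found for each state the thread went through, keyed by scenario."""
    client = Site("client", REMOTE_LAN, OFFICE_LANS)
    servers = {
        "same-both-sides": Site("server", OFFICE_LANS, OFFICE_LANS),   # first attempt
        "typo": Site("server", OFFICE_LANS, ["192.168.10.0/24"]),      # constructed typo
        "fixed": Site("server", OFFICE_LANS, REMOTE_LAN),              # each side lists the other
    }
    return {name: check_flow(client, srv, "192.168.1.50", "10.0.3.20")
            for name, srv in servers.items()}
```

Only the "fixed" scenario comes back empty; the other two reproduce the missing route back to the client LAN that kept the LAN-side ping from succeeding.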
                                  • B
                                    BlazeStar
                                    last edited by

                                    Damn.

                                    So I made a typo in the IPv4 Remote network(s) on the server-side.

                                    Now everything works.

                                    Thank you so much for your help @Derelict

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.