Recommended Configuration - Site-To-Site Question



  • So I've got 3 sites.

    A - Running pfSense going to be the server.
    B - Running pfSense as a client
    C - Running Ubiquiti EdgeRouter PoE as a client

    My question boils down to when doing site to site what's the recommended way as far as deploying OpenVPN Servers under pfSense.  Is it better to have one and connect all your clients to that or to do one each for site so if you ever need to disconnect a site or change a config you don't take everything down?

    Reason for the question, is originally I had A and B connected and data was flowing back and forth just fine.  Then C came into the picture and the Ubiquiti EdgeMax isn't quite as friendly as pfSense in my opinion.  I finally got it connected and have the following issue.

    A < - > B works great

    A < - > C Works great

    B <-> A <-> C - Doesn't work

    When I do a traceroute I see the path goto the virtual IP for the OpenVPN tunnel it never comes back.  Is it because I have two openvpn servers running on the box or?

    Any suggestions would be great!

    Thanks!

    Wes



  • im new to open vpn so sorry if this is no help.

    on pfsense can you ping the ip address of the connect EdgeMax router?

    also from what i found is check logs as they give a good indication sometime to whats wrong.



  • Yeah, the EdgeMax to PfSense is done and working.  It's going from EdgeMax to PfSense to Pfsense that isn't working.

    Thanks though,

    Wes



  • Very probably a routing issue.
    "A" should provide routing info about "B" to "C" as well as about "C" to "B".

    If this is a PKI Site to Site setup it's very straightforward in the Server's setup screen and the Client Specific Options tab.
    98% of the routing setup is done with the server config.

    Post your server's OpenVPN screenshot.



  • Well to further clarify my issue I'm trying to get routing between an OpenVPN Site-to-Site PKI SSL instance and an OpenVPN Site-to-Site Shared Key instance.

    Which config do you want?



  • So, A<->B is SSL and A<->C is shared key, you're running two separate instances of OpenVPN on A?

    While there's nothing inherently wrong with that (I run many instances of servers and clients on my boxes) is there any reason not to consolidate the connections into a single server on "A"?

    If you've already "bit the bullet" and setup an SSL instance, I would suggest making both your connections SSL.
    Even if you need two separate instances, it'd be worth making both SSL IMHO.
    While getting the routing options to work with Shared Key is possible, I've always found the options more limiting compared to SSL.

    Pretty much fill in the network lists you need on the Server side, add the CSO's and you're up and running.

    The other plus would be we don't have to debug two types of connection (that's just me being greedy  ;D  )