OpenVPN Scenario

  • We have a number of clients we monitor & assist.

    I would like to have an open VPN connection from our LAN to each client.

    Is a site-to-site OpenVPN the best way to implement this?

    I was looking to configure each client as a server and at our end have multiple clients.

    I need to be able to access each client's LAN without them having any access via the VPN to our LAN or another client's LAN.


  • Netgate

    What kind of number is "a number?" A few? Several? Dozens? Hundreds? Thousands?



  • 6

    Edit:
    I understand that 5+ would be better to use PKI however for the time being I wish to start with just 1 and potentially move to 6 at a later date so the shared key method is what I wish to implement if it is suitable.


  • Netgate

    Do you need these nailed up all the time or do you want them on-demand? Are all of the end user sites static IP or dynamic?

    It really makes sense to use a certificate-based approach with the end users being the clients I think. Mostly so you can push configs to them and if they're dynamic IP you don't have to worry about dyndns so you can connect to them.

    Kind of a tough call. Sort of depends on the details.



  • I'd ideally like to have them up 24/7.

    The remote sites have static IPs and I have a semi-static IP (dynamic, but I've been advised it will not be changed).

    To allow me to access the remote LANs and not the other way round, should the VPN be set up so the remote sites act as servers, or can it be done either way?


  • Netgate

    Who can access what depends on firewall rules not who is the server/client. If you have no pass rules on OpenVPN they cannot initiate connections into your network whether server or client.

    Again, I would probably have them as clients connecting to my server. And I would probably use certificates so configs can be pushed. It's not as hard as it sounds.

    You can probably even get away with running one server at your end instead of multiple client configs. Especially if you can control it so they are all in one supernet, like 172.29.129.0/24, 172.29.130.0/24, 172.29.131.0/24, etc
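As an added illustration of the single-server layout described above (constructed for this thread, not Netgate's or the poster's own config): an OpenVPN server config at the monitoring end with one client-config-dir entry per remote site. The tunnel network 10.8.0.0/24, the supernet 172.29.128.0/21 and the site names are assumptions.

```conf
# server.conf at the monitoring end (constructed example, not from the thread)
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0      # one tunnel network for every site (assumed range)

# Certificate-based (PKI) auth: one CA, one client cert per remote site
ca   ca.crt
cert monitoring-server.crt
key  monitoring-server.key
dh   dh2048.pem
tls-auth ta.key 0

# Nothing is pushed about the monitoring LAN, so the remote sites learn no
# route to it. Who may initiate what is still decided by the firewall rules
# on the OpenVPN interface, not by which side is the server.

# Kernel route for the whole supernet the remote LANs sit in
# (assumed 172.29.128.0/21 covers .129, .130, .131 ... /24s)
route 172.29.128.0 255.255.248.0

# Per-site LAN mapping; each file is named after that site's cert common name
client-config-dir ccd

# Deliberately NOT set: without client-to-client OpenVPN itself will not
# forward between sites, so site A cannot reach site B through the tunnel.
# client-to-client

keepalive 10 60
persist-key
persist-tun
verb 3

# ---- contents of ccd/site-a (common name "site-a", assumed) ----
# iroute 172.29.129.0 255.255.255.0
# ---- contents of ccd/site-b (common name "site-b", assumed) ----
# iroute 172.29.130.0 255.255.255.0
# ---- contents of ccd/site-c (common name "site-c", assumed) ----
# iroute 172.29.131.0 255.255.255.0
```

Return traffic from a remote LAN still needs a path back: either push the monitoring LAN route and rely on the OpenVPN-interface firewall rules to block anything initiated from the remote side, or NAT outbound on the tunnel at the monitoring end so the remote site only ever sees the tunnel address 10.8.0.1.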



  • Excellent and thank you for all the help.

    Can you point me towards a certificate config as you mentioned, is this what is referred to as a PKI setup?
    https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

    Regarding the supernet, is this IP addressing for the remote LAN or tunnel? I understand that I can control the tunnel IP addressing in the VPN setup however each LAN already has its own setup being:
    192.168.16.X
    192.1.1.X
    192.168.2.X


  • Netgate

    Remote LAN. The tunnel will all be one network.



  • OK, so with all my remote LANs being on different subnets can I run a single server and a client at each end?

    Then block access to the LAN from the remote using rules.

    Would that work?