OpenVPN 3-4 sites



  • Hi,
    What is the recommended way to link 3-4 sites with OpenVPN ?

    The docs seem to recommend Peer to Peer with PKI (public infrastructure) beyond half a dozen; and Peer to Peer PSK (pre-shared key) when it is a small number.

    I had no trouble getting 2 sites linked with a VPN server and client using Pre Shared Keys; but when I tried to add a 2nd client using the same pre-shared key, connecting to the server, it just conflicted with the first site and only one site would be able to pass traffic at a time, then it would drop after a few seconds or minutes and the other site would work. Back and forth.

    I have not been able to sort out the issue. I tried enabling the option allowing duplicate certificates, but that threw an error that 'mode server' was required (and adding 'mode server' just threw another error…).

    Do I just need to set up a 2nd OpenVPN server on a 2nd port, dedicated to the 3rd site? Or is there a proper way of having 2 pre-shared-key client sites connected to one server that I've just missed?


  • Netgate

    PSK relationships are completely independent of each other. They do need to have unique tunnel and remote networks, of course. And the servers need to listen on different addresses or at least ports if they are on the same system. They can all use the same PSK if you like, not that it would be recommended.



  • I still prefer PKI over PSK.
    Perhaps slightly more difficult to set up, but definitely more "predictable", especially once you've done one or two.

    Part of that may well be that you have to understand more about the link and what goes where.
    I still say it's well worth the initial learning curve in the long run.

    Just my $.02



  • @Derelict:

    PSK relationships are completely independent of each other. They do need to have unique tunnel and remote networks, of course. And the servers need to listen on different addresses or at least ports if they are on the same system. They can all use the same PSK if you like, not that it would be recommended.

    So then each client site absolutely does need to be pointed at a separate OpenVPN server entry.
    Thank you for that clarification.


  • Netgate

    If you want to do multiple sites on the same server there are additional considerations that usually require CSOs.

    And you must use SSL/TLS mode with a tunnel network larger than /30.
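The two answers above, written out as raw OpenVPN hub-side configuration (an added example, not from the thread or from Netgate): option A is one independent PSK instance per remote site, each on its own port with its own tunnel and remote network; option B is one SSL/TLS instance with a /24 tunnel network and per-client files, which is what pfSense's Client Specific Overrides generate. All addresses, ports, file names and certificate CNs are constructed for the example.

```conf
# --- Option A: independent PSK tunnels, one hub instance per remote site ---

# /etc/openvpn/site2.conf  (hub side, link to site 2)
dev tun
proto udp
port 1194
secret site2-static.key            # a key per link; one shared key works but is not recommended
ifconfig 10.0.2.1 10.0.2.2         # tunnel endpoints unique to this link
route 192.168.2.0 255.255.255.0    # site 2 LAN, reached only through this tunnel
keepalive 10 60
persist-key
persist-tun

# /etc/openvpn/site3.conf  (hub side, link to site 3)
dev tun
proto udp
port 1195                          # a second PSK instance cannot share 1194 on the same address
secret site3-static.key
ifconfig 10.0.3.1 10.0.3.2         # different tunnel network from site2.conf
route 192.168.3.0 255.255.255.0    # site 3 LAN, distinct from site 2's
keepalive 10 60
persist-key
persist-tun

# --- Option B: every site on one SSL/TLS instance ---

# /etc/openvpn/hub.conf
dev tun
proto udp
port 1194
server 10.0.10.0 255.255.255.0     # expands to 'mode server' + 'tls-server'; /24 gives each site its own address
topology subnet
ca ca.crt
cert hub.crt
key hub.key
dh dh.pem
client-config-dir ccd              # per-client override files, keyed by certificate CN
route 192.168.2.0 255.255.255.0    # kernel routes send the remote LANs into the tunnel...
route 192.168.3.0 255.255.255.0
keepalive 10 60

# /etc/openvpn/ccd/site2   (file name = CN of site 2's certificate)
iroute 192.168.2.0 255.255.255.0   # ...and iroute tells OpenVPN which client owns that LAN

# /etc/openvpn/ccd/site3
iroute 192.168.3.0 255.255.255.0
```

Each site in option B presents its own certificate, so duplicate-cn is never needed; without the matching iroute, traffic for a remote LAN enters the tunnel interface but OpenVPN has no client to deliver it to.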