OpenVPN between single pfSense and >1000+ DD-WRT remote sites



  • I have a project where we want to link more than 1000 remote sites (possibly up to 10000 in the future) to a pfSense box using OpenVPN.  To keep costs down we plan on using DD-WRT routers as the endpoints at the remote sites.  The purpose of this build is to allow access to 3 remote devices behind the endpoints.

    My questions are:

    1 - Is this possible (ie does anyone know of any limitations)?

    2 - What kind of hardware would we need (i am assuming that the requirements aren't significantly high since there will not be a lot of data passing over the VPN, probably less than 1M per day per site).  A lot of RAM?  Fast processor?

    3 - What design would you use for routing?  Right now we have been testing with road warrior setups where the PC's at the other end of the connection run the OpenVPN client which gives us access to the PC but we also have a couple of other non-pc devices that we would like access to also, hence using a site to site instead of roadwarrior.  The clients now pull an address based on the address pool of 10.8.0.0/16.  We are also currently using PKI instead of shared key and BF-CBC (I guess this is Blowfish; we don't need tight security since there is no confidential data on the network).  What I don't understand now is how to set up the routing for this configuration in anticipation of potential number of remote networks.

    4 - Is there anything I am missing here - any thoughts on design, any experience with a similar implementation, anything?

    Any guidance is greatly appreciated!

    Kevin



  • For your first 2 questions you're probably better off asking the OpenVPN mailing list.

    For 3: If you want that many connecting clients i would do a very very very clean documented IP-planning since if you mess somewhere up you will have lots of problems on all ends.
    This might interrest you:
    http://forum.pfsense.org/index.php/topic,12888.0.html
    Also my reply in this thread:
    http://forum.pfsense.org/index.php/topic,13405.0.html



  • Thanks for the reply.

    I want to add that I am willing to pay someone familiar with the technology involved to develop this for me as I am finding myself inundated with other tasks.  I would be willing to do it as a bounty and share the developed strategies, or if you want to work 1 on 1 I would be open to that as well.  If you are interested in helping then please either reply or PM me.

    If this is an inappropriate way of requesting paid support then, moderators, please let me know.

    Thanks in advance,
    Kevin



  • The OpenVPN list archive is a good source of information ;)  In particular, this thread talks about a hard limit of 1024 tunnels at a time.  There are also discussions about hardward sizing if you search further.

    Don't forget their documentation as another source of information.


Locked