Netgate Discussion Forum
    OpenVPN between single pfSense and >1000+ DD-WRT remote sites

    callinectes

      I have a project where we want to link more than 1000 remote sites (possibly up to 10000 in the future) to a pfSense box using OpenVPN.  To keep costs down we plan on using DD-WRT routers as the endpoints at the remote sites.  The purpose of this build is to allow access to 3 remote devices behind the endpoints.

      My questions are:

      1 - Is this possible (ie does anyone know of any limitations)?

      2 - What kind of hardware would we need (I am assuming that the requirements aren't significantly high since there will not be a lot of data passing over the VPN, probably less than 1M per day per site)? A lot of RAM? Fast processor?

      3 - What design would you use for routing? Right now we have been testing with road warrior setups where the PCs at the other end of the connection run the OpenVPN client, which gives us access to the PC, but we also have a couple of other non-PC devices that we would like access to, hence using site-to-site instead of road warrior. The clients now pull an address based on the address pool of 10.8.0.0/16. We are also currently using PKI instead of shared key, and BF-CBC (I guess this is Blowfish; we don't need tight security since there is no confidential data on the network). What I don't understand now is how to set up the routing for this configuration in anticipation of the potential number of remote networks.

      4 - Is there anything I am missing here? Any thoughts on design, any experience with a similar implementation, anything?

      Any guidance is greatly appreciated!

      Kevin

      GruensFroeschli

        For your first 2 questions you're probably better off asking the OpenVPN mailing list.

        For 3: If you want that many connecting clients I would do very, very, very clean, documented IP planning, since if you mess up somewhere you will have lots of problems on all ends.
        This might interest you:
        http://forum.pfsense.org/index.php/topic,12888.0.html
        Also my reply in this thread:
        http://forum.pfsense.org/index.php/topic,13405.0.html

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        callinectes
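        The "clean, documented IP planning" the reply recommends is easy to do mechanically, and doing it in code also answers the original question 3 (how routing scales with the number of remote networks). The following is an added example, not code from this thread or from pfSense/OpenVPN; it assumes the asker's 10.8.0.0/16 as the tunnel pool, a hypothetical 10.16.0.0/12 block for the remote-site LANs (chosen only for illustration), one /30 tunnel pair per site in OpenVPN's net30 addressing, and a /29 LAN per site for the 3 devices behind each DD-WRT router. It generates the per-site client-config-dir entries (`ifconfig-push` and `iroute`, both real OpenVPN directives) and a single summarised `route` for the server, and it refuses to allocate past what the pool can actually hold rather than silently wrapping around.

```python
import ipaddress
from itertools import islice

# Constructed assumptions (not from the thread): tunnel /30s come out of the
# asker's 10.8.0.0/16 pool; each remote LAN is a /29 carved from a hypothetical
# 10.16.0.0/12 placeholder block so one summarised route covers every site.
TUNNEL_POOL = ipaddress.ip_network("10.8.0.0/16")
LAN_POOL = ipaddress.ip_network("10.16.0.0/12")   # hypothetical placeholder block
TUNNEL_PREFIX = 30   # net30 topology: one /30 (two usable addresses) per site
LAN_PREFIX = 29      # six usable addresses per site, enough for 3 devices + router


def capacity(pool, prefix):
    """How many subnets of the given prefix length fit inside pool."""
    return 2 ** (prefix - pool.prefixlen)


def fits(n_sites, pool=TUNNEL_POOL, prefix=TUNNEL_PREFIX):
    """True when the pool can address n_sites subnets of the given prefix."""
    return n_sites <= capacity(pool, prefix)


def plan_sites(n_sites, tunnel_pool=TUNNEL_POOL, lan_pool=LAN_POOL):
    """Allocate one tunnel /30 and one LAN /29 per site, in a fixed, documented order.

    Raises ValueError instead of wrapping when a pool is too small, which is
    the 'mess up somewhere' case the reply warns about.
    """
    for name, pool, prefix in (("tunnel", tunnel_pool, TUNNEL_PREFIX),
                               ("LAN", lan_pool, LAN_PREFIX)):
        if not fits(n_sites, pool, prefix):
            raise ValueError(f"{name} pool {pool} holds only "
                             f"{capacity(pool, prefix)} /{prefix} subnets, need {n_sites}")
    tunnels = tunnel_pool.subnets(new_prefix=TUNNEL_PREFIX)
    lans = lan_pool.subnets(new_prefix=LAN_PREFIX)
    sites = []
    for idx, (tun, lan) in enumerate(islice(zip(tunnels, lans), n_sites)):
        server_ip, client_ip = list(tun.hosts())   # a /30 has exactly two hosts
        sites.append({
            "cn": f"site{idx:05d}",   # certificate CN, which names the ccd file
            "tunnel": tun,
            "server_ip": server_ip,
            "client_ip": client_ip,
            "lan": lan,
        })
    return sites


def ccd_entry(site):
    """Contents of the client-config-dir file for one site (file name = its CN)."""
    return "\n".join([
        f"# {site['cn']}: tunnel {site['tunnel']}, LAN {site['lan']}",
        # net30: client's own tunnel address first, then the server-side endpoint
        f"ifconfig-push {site['client_ip']} {site['server_ip']}",
        # tell the OpenVPN server which client owns this LAN
        f"iroute {site['lan'].network_address} {site['lan'].netmask}",
    ])


def server_route(lan_pool=LAN_POOL):
    """One kernel route for the whole LAN block, instead of one line per site."""
    return f"route {lan_pool.network_address} {lan_pool.netmask}"


if __name__ == "__main__":
    print(f"tunnel pool holds {capacity(TUNNEL_POOL, TUNNEL_PREFIX)} sites, "
          f"LAN pool holds {capacity(LAN_POOL, LAN_PREFIX)} sites")
    print(server_route())
    for site in plan_sites(3):
        print(ccd_entry(site))
        print()
```

The numbers fall out directly: a /16 of /30s addresses 16384 tunnels, so it comfortably covers the 1000 sites now and the 10000 later, while per-site LANs need their own block (a /12 of /29s holds 131072). The separate 1024-tunnel figure raised later in the thread is a server-side concurrency limit, not an addressing one, and this planner does nothing about it. Keeping the generated `ccd` files and the summarised `route` under version control is what makes the plan "documented" in the sense the reply means.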

          Thanks for the reply.

          I want to add that I am willing to pay someone familiar with the technology involved to develop this for me, as I am finding myself inundated with other tasks. I would be willing to do it as a bounty and share the developed strategies, or if you want to work 1 on 1 I would be open to that as well. If you are interested in helping then please either reply or PM me.

          If this is an inappropriate way of requesting paid support then, moderators, please let me know.

          Thanks in advance,
          Kevin

          Cry Havok

            The OpenVPN list archive is a good source of information ;) In particular, this thread talks about a hard limit of 1024 tunnels at a time. There are also discussions about hardware sizing if you search further.

            Don't forget their documentation as another source of information.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.