Site-to-site OpenVPN multiple subnets



  • My head office has two subnets that we would like to tunnel out to remote offices. These subnets are in two different security zones and segmentation must be maintained.

    Should I be using dedicated OpenVPN servers for each subnet or can one server with routing maintain the segmentation?

    Can someone explain how best to go about this, or point me to a link?

    Thanks


  • Netgate

    You can control access to those from all clients on the OpenVPN tab.

    Multiple OpenVPN servers with multiple assigned interfaces can give you a bit more granularity regarding the source addresses/locations.

    You didn't really give much to go on like what are the locations (site-to-site, remote access, etc), which direction are the connections flowing, etc.



  • Sorry. Basically it's a Head office as the hub and branch office as spokes. It would be a site-to-site config.

    Are you referring to the Firewall tab for the OpenVPN interface?


  • Netgate

    Yes. The firewall rules on OpenVPN govern which connections are passed from OpenVPN endpoints.

    The firewall rules on the local interfaces govern what connections are passed from those networks into wherever - including OpenVPN endpoints.



  • Would I use any custom entries for routes on the OpenVPN server? Would I be correct in saying that the head office should be set up under OpenVPN - Servers and the branch offices set up under OpenVPN - Clients?


  • Netgate

    Probably.

    These days you rarely need to use any custom options.

    Just enter the right things in the Local and Remote Networks (and CSOs if you are using an SSL/TLS Server) and pass the desired traffic in the firewall rules.
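The following is an added example, not code from the thread or from pfSense, that models a hub-and-spoke SSL/TLS server with two segmented head-office zones as the replies above describe. It renders the OpenVPN directives that the Local Networks, Remote Networks and client-specific override (CSO) fields correspond to (`route`, `push "route"`, `iroute`), plus pf-style rules for the OpenVPN interface, and lets you check which spoke-to-zone paths the rules actually permit. All zone names, addresses, spoke names, the `ccd` directory and the rule syntax are constructed for illustration; pfSense generates its own ruleset and file paths.

```python
"""Hub-and-spoke OpenVPN (SSL/TLS server mode) with two segmented hub zones.

Added example: the addresses, spoke names and zone assignments below are
constructed, and the rules are pf-style illustrations, not a pfSense ruleset.
"""
from ipaddress import ip_address, ip_network

# The two head-office security zones ("Local Networks" on the server).
ZONES = {
    "corp": ip_network("10.10.0.0/24"),
    "ot": ip_network("10.20.0.0/24"),
}
TUNNEL = ip_network("10.99.0.0/24")  # OpenVPN tunnel network

# Each branch: its LAN ("Remote Network" in its CSO) and the zones it may reach.
SPOKES = [
    {"cn": "branch-a", "lan": ip_network("192.168.10.0/24"), "zones": ["corp"]},
    {"cn": "branch-b", "lan": ip_network("192.168.20.0/24"), "zones": ["corp", "ot"]},
]


def validate_addressing():
    """Overlapping subnets silently break routing; refuse them up front."""
    nets = [TUNNEL, *ZONES.values(), *(s["lan"] for s in SPOKES)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping networks: {a} and {b}")
    return True


def mask(net):
    """OpenVPN wants 'network netmask' rather than CIDR."""
    return f"{net.network_address} {net.netmask}"


def server_config():
    """Server side: a kernel route for every spoke LAN (so the hub sends that
    traffic into the tunnel) and client-config-dir so per-client CSOs apply."""
    lines = [
        "dev tun",
        "tls-server",
        f"server {mask(TUNNEL)}",
        "client-config-dir ccd",  # hypothetical directory holding one file per CN
        "ccd-exclusive",          # clients without a CSO are refused
    ]
    for s in SPOKES:
        lines.append(f"route {mask(s['lan'])}")
    return "\n".join(lines)


def client_overrides():
    """One CSO per spoke CN. iroute tells OpenVPN which client owns which remote
    subnet (the server needs this once it has more than one site-to-site client);
    the pushed routes tell that spoke which hub zones exist for it."""
    ccd = {}
    for s in SPOKES:
        lines = [f"iroute {mask(s['lan'])}"]
        for z in s["zones"]:
            lines.append(f'push "route {mask(ZONES[z])}"')
        ccd[s["cn"]] = "\n".join(lines)
    return ccd


def openvpn_rules():
    """Rules for the OpenVPN interface: pass spoke LAN -> allowed zone, block the
    rest. Routes only make a zone reachable; these rules enforce segmentation."""
    rules = [("pass", s["lan"], ZONES[z]) for s in SPOKES for z in s["zones"]]
    rules.append(("block", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0")))
    return rules


def render_rules():
    def fmt(net):
        return "any" if net.prefixlen == 0 else str(net)
    return "\n".join(f"{a} in quick on openvpn from {fmt(s)} to {fmt(d)}"
                     for a, s, d in openvpn_rules())


def permitted(src, dst):
    """First-match evaluation of the rules: may host src reach host dst?"""
    s, d = ip_address(src), ip_address(dst)
    for action, srcnet, dstnet in openvpn_rules():
        if s in srcnet and d in dstnet:
            return action == "pass"
    return False


if __name__ == "__main__":
    validate_addressing()
    print(server_config(), "\n")
    for cn, body in client_overrides().items():
        print(f"# ccd/{cn}\n{body}\n")
    print(render_rules())
    print("branch-a -> ot:", permitted("192.168.10.5", "10.20.0.7"))
```

Running it shows that branch-a never receives a pushed route for the OT zone and, more importantly, that the block rule stops it even if an administrator at the branch adds the route by hand. With a shared-key server there is only one client per server instance, so the server knows where the single remote subnet lives; it is the SSL/TLS server with several site-to-site clients that needs the per-client `iroute` to map each remote network to the right peer.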



  • Can you expand on why CSOs are used and why they are needed with SSL/TLS servers?

    Thanks.