Netgate Discussion Forum
    Client to Client using shared key (Help me with a very simple siteA-siteB-siteC)

    Category: OpenVPN
    15 Posts 5 Posters 5.5k Views
    benutne

      I have three offices.  SiteA is the server for siteB and siteC using shared secret VPNs.  While at site A, I can connect to both sites B and C easily.  I'd like sites B and C to be able to connect as well.  I'm sure this is well documented someplace, but I'm unsure how to word my search, and so far have come up with nothing.  For reference's sake, siteA and siteB are pfSense.  SiteC is a DD-WRT router running the OpenVPN firmware.  Thanks in advance for helping with what I'm sure is a very trivial matter.

    Daakutenshi

        Without thinking I'm the best, you can have 2 solutions IMO.

        1 would be to make a V connection.

        Like, choose between A and B whichever has the best connection (for the example I will take B):

        A connects to B using IPSec (pfSense to pfSense)
        C connects to B using OpenVPN (or IPSec)

        Then the person who connects to site B will be able to connect to BOTH A and C without problem, and the sites will be inter-connected too. You only need to add 4 routes (inbound and outbound of A and C).

        On the other hand, if you want sites B and C to connect directly, well, you will make more of a triangular one:

        A connects to B
        B connects to C
        C connects to A

        But in that way, you need to make 2 routes in EACH pfSense, and at Site C (since it is not a pfSense) you need to make another OpenVPN connection (one to connect to B and another one to connect to A).

        Either way it will work… with a little bit of work.

        Hope it helps you.

    tehryan

          I have a VPN setup similar to what you want. I don't think it can be done with shared key; if you set it to PKI the client-to-client VPN button becomes available. I have it set up this way and can ping computers in all 3 locations.

          I'm not that advanced, so maybe try it out first, but I think that'll fix your trouble.

    Daakutenshi

            I might be a total noob too but…

            Isn't shared key for an IPSec tunnel and
            certificate for an OpenVPN tunnel???

    tehryan

              Follow this how-to and set up the server for 2 clients. Make sure the site-to-site option is checked and make sure you have the right custom options. I think that'll give you what you want:

              http://forum.pfsense.org/index.php/topic,12888.0.html

    franklookyou

                tehryan's suggestion seems possible, although quite a lot of work given your current setup.  It would also require a few custom OVPN settings involving routes and iroutes (that aren't covered in the linked howto).

                Why not just create a new shared-key OVPN connection running from Site-C to Site-B?  Are there some limitations of the DD-WRT box preventing this?

    benutne

                  Our PKI clients currently have the ability to connect to site B through a VPN to site A via static routes and push options.  I know what I want to do can be done this way, I just don't know how with SKI.  It's commonly called a "wheel" or "spoke" model for VPN.  One big VPN server in the middle with several branch offices out of the middle like spokes on a bike tire.  I just want those spokes to be able to talk to each other too.

    focalguy

                    I have done what you are asking about with multiple sites using IPSEC connections. I'm not sure how your DD-WRT with OpenVPN firmware is set up, but if it's possible to use IPSEC for all 3 then it's quite simple to set up.

                    Assume the following:

                    Site A: 192.168.1.0/24
                    Site B: 192.168.2.0/24
                    Site C: 192.168.3.0/24

                    VPN Settings:

                    Site A:
                      Local Subnet:  192.168.0.0/16
                      Remote Subnet: 192.168.2.0/24
                      Remote Subnet: 192.168.3.0/24

                    Site B:
                      Local Subnet:  192.168.2.0/24
                      Remote Subnet: 192.168.0.0/16

                    Site C:
                      Local Subnet:  192.168.2.0/24
                      Remote Subnet: 192.168.0.0/16

                    Hope that helps. If you need more details let me know.

    benutne

                      The DD-WRT firmware doesn't allow for an IPSEC connection, but in all honesty, it's just my home office so I can live with a road warrior like connection on my desktop using OpenVPN.  Is there someplace I can kind of view the pros and cons of each VPN type?  I like OpenVPN due to its relative ease of setup, but honestly, if it's secure and works, I could care less what type of VPN I use.

    benutne

                        Here is something else:  Why can't I check the client to client option when using shared key?  Everyone says that for site to site communication, use shared key, but I cannot implement a proper hub-spoke topology without the clients being able to talk to each other.  I don't want to switch to PKI, but if that gets me what I want, I might have to.  Also, I've edited the title to reflect what this thread is turning into.

    focalguy

                          @benutne:

                          Here is something else:  Why can't I check the client to client option when using shared key?

                          I haven't set up OpenVPN on my box so I'm not sure how the client to client works. Sorry I can't be of more help. I do use a shared key for each site-to-site for IPSEC connections, so maybe that's what people mean when they say to use it?

    franklookyou

                            I think I can answer that last question for you.

                            As stated in the Static Key Disadvantages section of the OpenVPN FAQ http://openvpn.net/index.php/documentation/howto.html, use of SKI under OpenVPN implies no more than one client per server instance.  Given your setup, then, I assume that you are running 2 separate OpenVPN instances (each with its own port) on your server.

                            The "client to client" option only applies within an instance (not across all instances that happen to be running on a machine).  It really doesn't have much meaning outside of a PKI context.

                            Perhaps one of the other posters here has actually routed between two distinct OpenVPN interfaces on the same machine, but I have not.

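As an added example (not from this thread, and not pfSense's or OpenVPN's own documentation), here is what franklookyou's "one static-key instance per spoke, then route between them" setup looks like in plain OpenVPN config files, reusing focalguy's subnet layout (A 192.168.1.0/24, B 192.168.2.0/24, C 192.168.3.0/24). Ports 1194/1195, the 10.8.x.x tunnel endpoints, the key file names and the hub hostname are assumptions.

```openvpn
# ---- Hub, Site A, instance for Site B (assumed UDP 1194) ----
dev tun0
proto udp
port 1194
ifconfig 10.8.1.1 10.8.1.2            # assumed A<->B tunnel endpoints
secret /etc/openvpn/keys/siteB.key    # static key shared only with B
route 192.168.2.0 255.255.255.0       # B's LAN lives behind tun0
cipher AES-256-CBC
auth SHA256
keepalive 10 60

# ---- Hub, Site A, second instance for Site C (assumed UDP 1195) ----
dev tun1
proto udp
port 1195
ifconfig 10.8.2.1 10.8.2.2            # assumed A<->C tunnel endpoints
secret /etc/openvpn/keys/siteC.key    # a different key per spoke
route 192.168.3.0 255.255.255.0       # C's LAN lives behind tun1
cipher AES-256-CBC
auth SHA256
keepalive 10 60

# ---- Spoke, Site B ----
dev tun0
proto udp
remote hub.example.invalid 1194       # placeholder hub address
ifconfig 10.8.1.2 10.8.1.1
secret /etc/openvpn/keys/siteB.key
route 192.168.1.0 255.255.255.0       # hub LAN
route 192.168.3.0 255.255.255.0       # Site C, reached via the hub's tun0/tun1 forwarding
cipher AES-256-CBC
auth SHA256
keepalive 10 60

# ---- Spoke, Site C ----
dev tun0
proto udp
remote hub.example.invalid 1195
ifconfig 10.8.2.2 10.8.2.1
secret /etc/openvpn/keys/siteC.key
route 192.168.1.0 255.255.255.0       # hub LAN
route 192.168.2.0 255.255.255.0       # Site B, reached via the hub
cipher AES-256-CBC
auth SHA256
keepalive 10 60
```

The spoke-to-spoke path only works if the hub actually forwards between tun0 and tun1: IP forwarding must be on and the firewall must pass 192.168.2.0/24 <-> 192.168.3.0/24 on the tunnel interfaces (on pfSense, rules on the OpenVPN interface tab), which is the per-instance routing the "client to client" option would otherwise have handled inside a single PKI instance.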
    benutne

                              You pretty much hit the nail on the head, franklookyou.  I'm running two instances of OpenVPN for each of the branches on different ports (three if you count my PKI setup for road warriors).  I guess I'm back to needing help setting up the routing between the branches.  Either that or I should switch to IPSEC like focalguy suggested, but I'm not very familiar with that type of setup.

    franklookyou

                                You might also try browsing the OpenVPN users mailing-list (http://news.gmane.org/gmane.network.openvpn.user).  A quick look over the past month turned up a couple of people asking about similar-ish problems.

    benutne

                                  @franklookyou:

                                  You might also try browsing the OpenVPN users mailing-list (http://news.gmane.org/gmane.network.openvpn.user).  A quick look over the past month turned up a couple of people asking about similar-ish problems.

                                  Ah.  Excellent.  I'll take a look there.  Thanks for the link.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.