Client to Client using shared key (Help me with a very simple siteA-siteB-siteC)

  • I have three offices.  SiteA is the server for siteB and siteC using shared secret VPNs.  While at site A, I can connect to both sites B and C easily.  I'd like site B and C to be able to connect as well.  I'm sure this is well documented someplace, but I'm unsure how to word my search, and so far have come up with nothing.  For references sake, siteA and siteB are pfsense.  SiteC is a DD-WRT router running the OpenVPN firmware.  Thanks in advance for helping with what I'm sure is a very trivial matter.

  • whitout thinking im the best you can have 2 solution IMO.

    1 would be to make a V connection

    like chose between A and B who got the best connection then (as for the example i will take B)

    A connect to B using IPSec (PFSense to PFSense)
    C connect to B using OpenVPN (or IPSec)

    then. the person who connect to site B will be able to connect to BOTH A and C whitout probleme. and the site will be inter-connecter too. you only need to add 4 route (inbound and outbound of A and C)

    on a other hand, if you want site B and C to connect directly. well you will make more a triangular one

    A connect to B
    B connect to C
    C connect to A

    but in that way, you need to make 2 route in EACH PFsense and at Site C (since it not a PFSense) you need to make a other OpenVPN connection (one to connect to B and a other one to connect to A)

    in ether way it will work…. whit a little bit of work.

    hope it help you

  • i have a vpn setup similar to what you want–- i dont think it can be done with shared key - if you set it to PKI the client-to-client vpn button becomes available - i have it setup this way and can ping computers in all 3 locations

    i'm not that advanced so maybe try it out first but i think that'll fix your trouble

  • i might be a total noob too but…

    shared key is not like for a IPSec tunnel and
    certificate a openVPN tunnel ???

  • follow this how-to and setup the server for 2 clients - make sure the site-to-site is clicked and make sure you have the right custom options - i think that'll give you what you want,12888.0.html

  • tehryan's suggestion seems possible, although quite a lot of work given your current setup.  It would also require a few custom OVPN settings involving routes and iroutes (that aren't covered in the linked howto).

    Why not just create a new shared-key OVPN connection running from Site-C to Site-B?  Are there some limitations of the DD-WRT box preventing this?

  • Our PKI clients currently have the ability to connect to site B through a VPN to site A via static routes and push options.  I know what I want to do can be done this way, I just don't know how with SKI.  It's commonly called a "wheel" or "spoke" model for VPN.  One big VPN server in the middle with several branch offices out of the middle like spokes on a bike tire.  I just want those spokes to be able to talk to each other too.

  • I have done what you are asking about with multiple sites using IPSEC connections. I'm not sure how your DDWRT with OpenVPN firmware is set up but if it's possible to use IPSEC for all 3 then it's quite simple to set up.

    Assume the following:

    Site A:
    Site B:
    Site C:

    VPN Settings:

    Site A:
    Local Subnet:
    Remote Subnet:
    Remote Subnet:
    Site B:
    Local Subnet:
    Remote Subnet:
    Site C:
    Local Subnet:
    Remote Subnet:

    Hope that helps. If you need more details let me know.

  • The DD-WRT firmware doesn't allow for an IPSEC connection, but in all honesty, it's just my home office so I can live with a road warrior like connection on my desktop using OpenVPN.  Is there someplace I can kind of view the pros and cons of each VPN type?  I like OpenVPN due to it's relative ease of setup, but honestly, if it's secure and works, I could care less what type of VPN I use.

  • Here is something else:  Why can't I check the client to client option when using shared key?  Eveyone says that for site to site communication, use shared key, but I cannot implement a proper hub-spoke topology without the clients being able to talk to each other.  I don't want to switch to PKI, but if that gets me what I want, I might have to.  Also, I've edited the title to reflect what this tread is turning into.

  • @benutne:

    Here is something else:  Why can't I check the client to client option when using shared key?

    I'm haven't set up OpenVPN on my box so I'm not sure how the client to client works. Sorry I can't be of more help. I do use a shared key for each site-to-site for IPSEC connections so maybe that's what people mean when they say to use it?

  • I think I can answer that last question for you.

    As stated in the Static Key Disadvantages section of the OpenVPN FAQ, use of SKI under OpenVPN implies no more than one client per server instance.  Given your setup, then, I assume that you are running 2 separate OpenVPN instances (each with its own port) on your server.

    The "client to client" option only applies within an instance (not across all instances that happen to be running on a machine).  It really doesn't have much meaning outside of a PKI context.

    Perhaps one of the other posters here has actually routed between two distinct OpenVPN interfaces on the same machine, but I have not.

  • You pretty much hit the nail on the head franklookyou.  I 'm running two instances of OpenVPN for each of the branches on different ports (three if you count my PKI setup for road warriors).  I guess I'm back to needing help setting up the routing between the branches.  Either that or I should switch to IPSEC like focalguy suggested, but I'm not very familiar with that type of setup.

  • You might also try browsing the OpenVPN users mailing-list (  A quick look over the past month turned up a couple of people asking about similar-ish problems.

  • @franklookyou:

    You might also try browsing the OpenVPN users mailing-list (  A quick look over the past month turned up a couple of people asking about similar-ish problems.

    Ah.  Excellent.  I'll take a look there.  Thanks for the link.

Log in to reply