Client to Client using shared key (Help me with a very simple siteA-siteB-siteC)
-
tehryan's suggestion seems possible, although quite a lot of work given your current setup. It would also require a few custom OVPN settings involving routes and iroutes (that aren't covered in the linked howto).
Why not just create a new shared-key OVPN connection running from Site-C to Site-B? Are there some limitations of the DD-WRT box preventing this?
-
Our PKI clients currently have the ability to connect to site B through a VPN to site A via static routes and push options. I know what I want to do can be done this way, I just don't know how with SKI. It's commonly called a "wheel" or "spoke" model for VPN. One big VPN server in the middle with several branch offices out of the middle like spokes on a bike tire. I just want those spokes to be able to talk to each other too.
-
I have done what you are asking about with multiple sites using IPSEC connections. I'm not sure how your DDWRT with OpenVPN firmware is set up but if it's possible to use IPSEC for all 3 then it's quite simple to set up.
Assume the following:
Site A: 192.168.1.0/24
Site B: 192.168.2.0/24
Site C: 192.168.3.0/24
VPN Settings:
Site A:
  Local Subnet: 192.168.0.0/16
  Remote Subnet: 192.168.2.0/24
  Remote Subnet: 192.168.3.0/24
Site B:
  Local Subnet: 192.168.2.0/24
  Remote Subnet: 192.168.0.0/16
Site C:
  Local Subnet: 192.168.2.0/24
  Remote Subnet: 192.168.0.0/16
Hope that helps. If you need more details let me know.
-
The DD-WRT firmware doesn't allow for an IPSEC connection, but in all honesty, it's just my home office so I can live with a road warrior like connection on my desktop using OpenVPN. Is there someplace I can kind of view the pros and cons of each VPN type? I like OpenVPN due to its relative ease of setup, but honestly, if it's secure and works, I could care less what type of VPN I use.
-
Here is something else: Why can't I check the client to client option when using shared key? Everyone says that for site to site communication, use shared key, but I cannot implement a proper hub-spoke topology without the clients being able to talk to each other. I don't want to switch to PKI, but if that gets me what I want, I might have to. Also, I've edited the title to reflect what this thread is turning into.
-
Here is something else: Why can't I check the client to client option when using shared key?
I haven't set up OpenVPN on my box so I'm not sure how the client to client works. Sorry I can't be of more help. I do use a shared key for each site-to-site for IPSEC connections so maybe that's what people mean when they say to use it?
-
I think I can answer that last question for you.
As stated in the Static Key Disadvantages section of the OpenVPN FAQ http://openvpn.net/index.php/documentation/howto.html, use of SKI under OpenVPN implies no more than one client per server instance. Given your setup, then, I assume that you are running 2 separate OpenVPN instances (each with its own port) on your server.
The "client to client" option only applies within an instance (not across all instances that happen to be running on a machine). It really doesn't have much meaning outside of a PKI context.
Perhaps one of the other posters here has actually routed between two distinct OpenVPN interfaces on the same machine, but I have not.
-
You pretty much hit the nail on the head franklookyou. I'm running two instances of OpenVPN for each of the branches on different ports (three if you count my PKI setup for road warriors). I guess I'm back to needing help setting up the routing between the branches. Either that or I should switch to IPSEC like focalguy suggested, but I'm not very familiar with that type of setup.
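An added example of the branch-to-branch routing this thread keeps circling around (my own config, not posted by anyone above): one static-key OpenVPN instance per spoke on the hub, each spoke routing the other spoke's LAN into its tunnel, and the hub forwarding between the two tun interfaces. It uses the subnets from focalguy's post; the hub hostname, ports, tunnel addresses and key file names are placeholders.

```conf
# --- Hub (Site A, 192.168.1.0/24): one static-key instance per spoke ---
# hub-to-siteB.conf (listens on 1195)
dev tun
port 1195
proto udp
secret static-siteB.key
ifconfig 10.8.1.1 10.8.1.2
route 192.168.2.0 255.255.255.0   # Site B LAN lives behind this tunnel
keepalive 10 60
persist-key
persist-tun

# hub-to-siteC.conf (listens on 1196)
dev tun
port 1196
proto udp
secret static-siteC.key
ifconfig 10.8.2.1 10.8.2.2
route 192.168.3.0 255.255.255.0   # Site C LAN lives behind this tunnel
keepalive 10 60
persist-key
persist-tun

# --- Spoke (Site B, 192.168.2.0/24) ---
# siteB.conf
dev tun
proto udp
remote hub.example.com 1195       # placeholder hub address
secret static-siteB.key
ifconfig 10.8.1.2 10.8.1.1
route 192.168.1.0 255.255.255.0   # Site A LAN
route 192.168.3.0 255.255.255.0   # Site C LAN: sent into the same tunnel, hub forwards it
keepalive 10 60
persist-key
persist-tun

# Site C mirrors siteB.conf with ifconfig 10.8.2.2 10.8.2.1, port 1196,
# static-siteC.key, and routes for 192.168.1.0/24 and 192.168.2.0/24.

# The hub must actually forward between its two tun interfaces (Linux):
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -A FORWARD -i tun+ -o tun+ -j ACCEPT   # narrow to specific subnets if you prefer
# Each LAN's default gateway also needs routes for the remote subnets pointing
# at its OpenVPN box, unless that box is already the gateway.
```

No client-to-client or iroute directive is involved: with a static key there is exactly one peer per instance, so plain kernel routing on the hub is what joins the spokes.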
-
You might also try browsing the OpenVPN users mailing-list (http://news.gmane.org/gmane.network.openvpn.user). A quick look over the past month turned up a couple of people asking about similar-ish problems.
-
You might also try browsing the OpenVPN users mailing-list (http://news.gmane.org/gmane.network.openvpn.user). A quick look over the past month turned up a couple of people asking about similar-ish problems.
Ah. Excellent. I'll take a look there. Thanks for the link.