VPN Star topology



  • Hi

I am in need of some assistance on how best to set up a star topology VPN network on a pfSense box.

    We have a pfSense box as our HQ router.
Our satellite offices connect to the HQ through an IPsec site-to-site VPN, and when our employees are traveling they connect via an OpenVPN connection.
    All of this is working fine; however, employees from one satellite office need to be able to contact devices in the other satellite offices.
    Likewise, the employees on an OpenVPN connection need to be able to contact devices in all of the satellite offices.

    What is the best way to set this up?

    Best regards
    Esben

(attached diagram: Drawing1.png)


  • Galactic Empire



  • Thanks a lot, this will make things a lot easier :D

Do you know if OpenVPN clients will be able to take advantage of this as well?


  • Galactic Empire

    Not sure.

    Maybe @jimp knows.


  • Rebel Alliance Developer Netgate

As long as you have routes set up for what you want at each point, you can route between OpenVPN and IPsec that way.

    You don't need routed IPsec to do what you want though. You just need to have proper P2s in IPsec and routes in OpenVPN.



  • Thanks a lot.

    That solved the IPsec issue.

This is probably a really dumb question: but how do I go about routing the OpenVPN traffic?


  • Rebel Alliance Developer Netgate

In the OpenVPN server, you declare all of your local site subnets as IPv4 Local Networks.

    So, for example, in your first diagram this would be 10.0.40.0/24, 192.168.70.0/24, 192.168.71.0/24.

    And then on each IPsec tunnel you need P2s to carry traffic between 10.0.41.0/24 and the remote site LAN subnets.

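The two answers above describe the same hub-and-spoke plan: the OpenVPN server lists every site subnet as an IPv4 Local Network (so clients get a route for each), and each IPsec tunnel carries Phase 2 selectors for every subnet that must be reachable through it, not just the HQ LAN. The script below is an added example, not code from the thread or from pfSense; it builds that plan for the subnets shown in the diagram (the site names "SiteA" and "SiteB" and all function names are assumptions) and checks, by outbound-selector matching, whether a given source/destination pair would be carried into a tunnel or fall through to the routing table, which is what happens when a Phase 2 is missing.

```python
"""Hub-and-spoke VPN plan for a pfSense hub: which IPsec Phase 2 selectors and
which OpenVPN "IPv4 Local Networks" entries are needed so that spokes can reach
each other and OpenVPN road-warrior clients can reach every spoke.

Added example; site names and the helper functions are assumptions, not part
of pfSense.  The subnets are the ones shown in the thread.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

HQ_LAN = ip_network("10.0.40.0/24")        # HQ LAN behind the pfSense hub
OVPN_TUNNEL = ip_network("10.0.41.0/24")   # OpenVPN server tunnel network
SPOKES = {                                 # spoke site LANs (site names assumed)
    "SiteA": ip_network("192.168.70.0/24"),
    "SiteB": ip_network("192.168.71.0/24"),
}


def check_no_overlap(*networks):
    """Overlapping subnets make selectors ambiguous; refuse to plan with them."""
    for a, b in combinations(networks, 2):
        if a.overlaps(b):
            raise ValueError(f"{a} overlaps {b}")


def openvpn_local_networks(hq_lan, spokes):
    """Entries for the OpenVPN server's 'IPv4 Local Networks' field.

    pfSense pushes a route for each entry, so clients send traffic for the HQ
    LAN and every spoke LAN into the tunnel instead of their default gateway.
    """
    return [str(hq_lan)] + [str(lan) for lan in spokes.values()]


def ipsec_phase2_entries(hq_lan, ovpn_tunnel, spokes):
    """Hub-side Phase 2 (local, remote) pairs for each spoke tunnel.

    Each spoke needs: HQ LAN <-> spoke LAN, OpenVPN tunnel <-> spoke LAN, and
    every other spoke LAN <-> spoke LAN.  The spoke configures the mirror image.
    """
    plan = {}
    for name, lan in spokes.items():
        pairs = [(hq_lan, lan), (ovpn_tunnel, lan)]
        pairs += [(other, lan) for n, other in spokes.items() if n != name]
        plan[name] = pairs
    return plan


def spoke_side_entries(hub_pairs):
    """The same P2 list as the spoke must enter it (local/remote swapped)."""
    return [(remote, local) for local, remote in hub_pairs]


def minimal_plan(hq_lan, spokes):
    """Only HQ LAN <-> spoke LAN P2s, i.e. the usual starting configuration."""
    return {name: [(hq_lan, lan)] for name, lan in spokes.items()}


def has_selector(plan, src, dst):
    """Does any hub-side P2 carry a packet src -> dst into a tunnel?

    Matching is on the outbound selector: local must contain src and remote
    must contain dst.  Without a match the packet is handled by the routing
    table, which on a hub normally means the default route to the ISP.
    """
    src, dst = ip_address(src), ip_address(dst)
    return any(src in local and dst in remote
               for pairs in plan.values() for local, remote in pairs)


if __name__ == "__main__":
    check_no_overlap(HQ_LAN, OVPN_TUNNEL, *SPOKES.values())
    print("OpenVPN IPv4 Local Networks:",
          ", ".join(openvpn_local_networks(HQ_LAN, SPOKES)))
    full = ipsec_phase2_entries(HQ_LAN, OVPN_TUNNEL, SPOKES)
    for site, pairs in full.items():
        print(f"{site} tunnel, hub side:")
        for local, remote in pairs:
            print(f"  P2 local {local} <-> remote {remote}")
    # An OpenVPN client (10.0.41.x) reaching a SiteA host, and SiteA reaching SiteB
    minimal = minimal_plan(HQ_LAN, SPOKES)
    print("client -> SiteA, HQ-only P2s:", has_selector(minimal, "10.0.41.5", "192.168.70.8"))
    print("client -> SiteA, full P2s:   ", has_selector(full, "10.0.41.5", "192.168.70.8"))
    print("SiteA -> SiteB, full P2s:    ", has_selector(full, "192.168.70.8", "192.168.71.152"))
```

With only the default HQ-LAN-to-spoke Phase 2s, `has_selector` reports no match for 10.0.41.5 to 192.168.70.8; the hub then forwards the packet by its routing table, so an RFC 1918 destination leaves via the WAN gateway. Adding the OpenVPN tunnel network and the other spoke LANs as Phase 2s on each tunnel (and the mirrored entries on the spokes) makes both the client-to-spoke and spoke-to-spoke pairs match.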


  • I have already tried that, but it doesn't work.
    When I do a traceroute while connected through the OpenVPN client, it doesn't seem like the pfSense box routes the traffic through the IPsec VPN.

    Traceroute from the 10.0.40.0/24 network:

    Tracing route to 192.168.70.8 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  10.0.40.1
      2     *        *        *     Request timed out.
      3     4 ms     4 ms     4 ms  192.168.70.8
    
    Trace complete.
    

Traceroute when connected via OpenVPN:

    Tracing route to 192.168.70.8 over a maximum of 30 hops
    
      1    45 ms    47 ms    47 ms  10.0.41.1
      2    66 ms    52 ms    48 ms  78.156.100.129
      3    44 ms    45 ms    79 ms  10.10.3.133
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
      7     *        *        *     Request timed out.
      8     *        *        *     Request timed out.
      9     *        *        *     Request timed out.
     10     *        *        *     Request timed out.
    

    Traceroute from one remote site to the other:

    
    Tracing route to 192.168.71.152 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  192.168.70.1
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     6 ms     6 ms     5 ms  192.168.71.152
    
    Trace complete.
    

(attached screenshot: Udklip.PNG)


  • Rebel Alliance Developer Netgate

    What do the rules on your OpenVPN interface look like? Maybe you have a gateway set on the rule(s) when you shouldn't. The first hop looked like it was going over the VPN.



  • Thanks for your input.

I think I might have encountered some kind of software bug.
    After I deleted all phase 2 settings, redid them and rebooted the pfSense box, it started working.

