Netgate Discussion Forum

    VPN Star topology

    Routing and Multi WAN
    • Glacier

      Hi

      I am in need of some assistance on how best to set up a star topology VPN network on a pfSense box.

      We have a pfSense box as our HQ router.
      Our satellite offices connect to the HQ through an IPsec site-to-site VPN, and when our employees are traveling they connect via an OpenVPN connection.
      All of this is working fine; however, employees from one satellite office need to be able to contact devices in the other satellite offices.
      Likewise, the employees on an OpenVPN connection need to be able to contact devices in all of the satellite offices.

      What is the best way to set this up?

      Best regards
      Esben

      [Attachment: Drawing1.png (network diagram)]

      • NogBadTheBad

        pfSense 2.4.4 routed IPsec, IMO. It won't be too long now.

        https://www.netgate.com/blog/pfsense-software-version-2-4-4-release-highlights.html

        https://www.youtube.com/watch?v=AKMZ9rNQx7Y&frags=pl%2Cwn

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • Glacier

          Thanks a lot, this will make things a lot easier :D

          Do you know if OpenVPN clients will be able to take advantage of this as well?

          • NogBadTheBad

            Not sure.

            Maybe @jimp knows.

            • jimp (Rebel Alliance Developer, Netgate)

              As long as you have routes set up for what you want at each point, you can route between OpenVPN and IPsec that way.

              You don't need routed IPsec to do what you want though. You just need to have proper P2s in IPsec and routes in OpenVPN.

              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              • Glacier

                Thanks a lot.

                That solved the IPsec issue.

                This is probably a really dumb question, but how do I go about routing the OpenVPN traffic?

                • jimp (Rebel Alliance Developer, Netgate)

                  In the OpenVPN server, you declare all of your local site subnets as IPv4 Local Networks.

                  So, for example, in your first diagram this would be 10.0.40.0/24, 192.168.70.0/24, 192.168.71.0/24.

                  And then on each IPsec tunnel you need P2s to carry traffic between 10.0.41.0/24 and the remote site LAN subnets.

                    • Glacier
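The two answers above describe one configuration: every spoke LAN listed as an OpenVPN IPv4 Local Network, and on each IPsec tunnel a Phase 2 for the OpenVPN tunnel network and for every other spoke LAN. The script below is an added example (not from the thread or from pfSense) that checks a star configuration for those gaps; the subnets are the ones named in the thread, the spoke names, the (local, remote) pair representation of a Phase 2 and the "first attempt" config are constructed.

```python
import ipaddress


def net(s):
    """Normalise a CIDR string so '192.168.70.1/24' and '192.168.70.0/24' compare equal."""
    return str(ipaddress.ip_network(s, strict=False))


def required_hq_p2s(hq_lan, ovpn_tunnel, spokes):
    """Phase 2 entries needed on the HQ side of each spoke tunnel, as (local, remote) pairs.

    A spoke needs a P2 to the HQ LAN, to the OpenVPN tunnel network (road warriors), and to
    every other spoke LAN: spoke-to-spoke traffic hairpins through HQ, so HQ must carry it."""
    spokes = {name: net(lan) for name, lan in spokes.items()}
    required = {}
    for name, lan in spokes.items():
        pairs = {(net(hq_lan), lan), (net(ovpn_tunnel), lan)}
        pairs |= {(other_lan, lan) for other, other_lan in spokes.items() if other != name}
        required[name] = pairs
    return required


def missing_p2s(configured, hq_lan, ovpn_tunnel, spokes):
    """Return {spoke: sorted (local, remote) P2 pairs that `configured` does not contain}."""
    required = required_hq_p2s(hq_lan, ovpn_tunnel, spokes)
    have = {n: {(net(l), net(r)) for l, r in pairs} for n, pairs in configured.items()}
    return {n: sorted(req - have.get(n, set())) for n, req in required.items()}


def missing_ovpn_local_networks(local_networks, hq_lan, spokes):
    """Clients only receive routes for subnets in IPv4 Local Networks; list LANs not pushed."""
    pushed = {net(n) for n in local_networks}
    wanted = [net(hq_lan)] + [net(lan) for lan in spokes.values()]
    return sorted(n for n in wanted if n not in pushed)


# Constructed sample using the subnets named in the thread.
HQ_LAN = "10.0.40.0/24"
OVPN_TUNNEL = "10.0.41.0/24"
SPOKES = {"site70": "192.168.70.0/24", "site71": "192.168.71.0/24"}
# A typical first attempt: only HQ LAN <-> spoke LAN P2s, and only the HQ LAN pushed to OpenVPN.
CONFIGURED_P2S = {"site70": [("10.0.40.0/24", "192.168.70.0/24")],
                  "site71": [("10.0.40.0/24", "192.168.71.0/24")]}
OVPN_LOCAL = ["10.0.40.0/24"]

if __name__ == "__main__":
    for spoke, gaps in missing_p2s(CONFIGURED_P2S, HQ_LAN, OVPN_TUNNEL, SPOKES).items():
        for local, remote in gaps:
            print(f"{spoke}: add Phase 2 local={local} remote={remote}")
    for n in missing_ovpn_local_networks(OVPN_LOCAL, HQ_LAN, SPOKES):
        print(f"OpenVPN server: add {n} to IPv4 Local Networks")
```

Each reported P2 also needs its mirror image on the spoke side of that tunnel, and as jimp notes later, firewall rules on the OpenVPN interface must not force a gateway or the traffic never reaches the IPsec selectors.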

                    I have already tried that, but it doesn't work.
                    When I do a traceroute while connected through the OpenVPN client, it doesn't seem like the pfSense box routes the traffic through the IPsec VPN.

                    Traceroute from the 10.0.40.0/24 network:

                    Tracing route to 192.168.70.8 over a maximum of 30 hops
                    
                      1    <1 ms    <1 ms    <1 ms  10.0.40.1
                      2     *        *        *     Request timed out.
                      3     4 ms     4 ms     4 ms  192.168.70.8
                    
                    Trace complete.
                    

                    Traceroute when connected via OpenVPN:

                    Tracing route to 192.168.70.8 over a maximum of 30 hops
                    
                      1    45 ms    47 ms    47 ms  10.0.41.1
                      2    66 ms    52 ms    48 ms  78.156.100.129
                      3    44 ms    45 ms    79 ms  10.10.3.133
                      4     *        *        *     Request timed out.
                      5     *        *        *     Request timed out.
                      6     *        *        *     Request timed out.
                      7     *        *        *     Request timed out.
                      8     *        *        *     Request timed out.
                      9     *        *        *     Request timed out.
                     10     *        *        *     Request timed out.
                    

                    Traceroute from one remote site to the other:

                    
                    Tracing route to 192.168.71.152 over a maximum of 30 hops
                    
                      1    <1 ms    <1 ms    <1 ms  192.168.70.1
                      2     *        *        *     Request timed out.
                      3     *        *        *     Request timed out.
                      4     6 ms     6 ms     5 ms  192.168.71.152
                    
                    Trace complete.
                    

                    [Attachment: Udklip.PNG]

                    • jimp (Rebel Alliance Developer, Netgate)

                      What do the rules on your OpenVPN interface look like? Maybe you have a gateway set on the rule(s) when you shouldn't. The first hop looked like it was going over the VPN.

                        • Glacier

                        Thanks for your input.

                        I think I might have encountered some kind of software bug.
                        After I deleted all phase 2 settings, redid them and rebooted the pfSense box, it started working.
