Hi Franklookyou need your help to configure OVPN

  • Hi Franklookyou i need your help what i am trying to reach is to make 5 sites to see each other with your configuration, i have a test enviroment where i already have configured 3 pfsense and with your excellent tutorial i already make site A to see site B and C, but i cant make site C connect and see site B, here is the server configuration i have, what left is (B) i need to get connected and reach segment in both sides.

    writepid /var/run/openvpn_server3.pid
    #user nobody
    #group nobody
    keepalive 10 60
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    client-config-dir /var/etc/openvpn_csc
    lport 1198
    push "dhcp-option DISABLE-NBT"
    ca /var/etc/openvpn_server3.ca
    cert /var/etc/openvpn_server3.cert
    key /var/etc/openvpn_server3.key
    dh /var/etc/openvpn_server3.dh
    push "route"

    thanks in advance


  • So, the hub can see everything, the spokes can see the hub, but the spokes can't see each other.

    I'm pretty sure that this can be corrected … but I've never actually done it.  It wasn't necessary for our setup, and I don't have anything as nice as the howto to help you with.

    You'll certainly need to add some additional "custom options" to the client-specific configuration for the spokes -- for C, routing B traffic back to the hub.  If I understand OVPN correctly, doing so will require both a route and iroute statement (see http://openvpn.net/index.php/documentation/howto.html / Including multiple machines on the client side …) for an overview.

    That may not be all that's required, though.  When I tried to set that up (months ago, and I only played with it for a few hours), I didn't make much progress.

    I've been vaguely interested in seeing this work for a while now – I'm happy to help you out here.  But for the short term, I don't really have enough spare machines to set up this kind of network, so I'm not going to have all the answers.


    An interesting tidbit: you'll find that the B and C routers have been given addresses on your 10.8 network.  If you have "Client-to-client VPN" checked on the home router, you'll find that B and C can ping each other using their 10.8 addresses.

  • thanks again Franklookyou i did it i add a custom option in client B route and in client C route and works right now i can see all segments from every where

  • Great!  I'll be sure to add that fact next time I update the howto.

Log in to reply