OpenVPN site to site + multiple clients
-
Hi to all,
I have configured OpenVPN Remote Access SSL/TLS + User Auth, works fine :)
Now I have a request to connect one more location and keep the existing users who connect via the VPN client from Windows. Task: make site to multiple client sites, and keep the possibility to connect via a Windows/Linux client.
What is the best choice for this configuration?
Thank you all!
Marko Stojanovic
-
You can have as many OpenVPN site to site instances mixed with as many OpenVPN Remote Access instances as you want.
There is no limitation in pfSense. :-)
-Rico
-
Hi Rico :)
Thank you for your answer! Can I use the existing server configuration and only add client sites? For Remote Access SSL/TLS + User Auth I cannot find proper documentation.
Best regards
Marko Stojanovic
-
Server mode Remote Access (SSL/TLS + User Auth) is for, let's say, "End User" connections only.
For Site to Site you create another instance with Server mode Peer to Peer (SSL/TLS) or Peer to Peer (Shared Key).
There is a LOT of great documentation:
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/index.html
https://docs.netgate.com/pfsense/en/latest/book/openvpn/index.html
https://www.netgate.com/resources/videos/site-to-site-vpns-on-pfsense.html
https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html
-Rico
-
Rico,
Thank you so much! I need a site to site connection (location A server site and location B client site) + client PCs in many locations (commercial managers). What is the best config?
Of course i will read documentation :)
-
I'd be tempted to use routed IPsec, have a look at:
https://www.netgate.com/resources/videos/routed-ipsec-on-pfsense-244.html
-
I would rather use OpenVPN. Thank you!
-
Personally I always use Certificates (SSL/TLS): https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html
My Options are:
- TLS Configuration: Use a TLS Key
- TLS Key usage mode: TLS Encryption and Authentication
- DH Parameter Length: 2048 bit
- Encryption Algorithm: AES-256-GCM
- Enable NCP: OFF
- Auth digest algorithm: SHA256
- Certificate Depth: One (Client + Server)
- Compression: LZ4-v2
- Topology: Subnet
Maybe you want to disable compression because of the VORACLE attack: https://forum.netgate.com/topic/133930/new-openvpn-attack-demo-d-at-defcon
-Rico
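Rico's option list maps onto a handful of directives in the openvpn.conf that pfSense writes out for the instance (tls-crypt for "TLS Encryption and Authentication", dh for the DH length, cipher plus ncp-disable, auth, compress, topology). The following audit script is an added example, not code from the thread, pfSense or the OpenVPN project: it parses an exported config and flags each place where one of those settings is missing or weak, including the compression caveat. The two embedded configs are constructed samples; their paths, the 10.0.8.0/24 tunnel and 192.168.2.0/24 remote LAN, the host name vpn.example.test, and the assumption that pfSense names DH files dh-parameters.<bits> are all mine, not from the page. ncp-disable is the OpenVPN 2.4-era directive; on newer releases the equivalent control is data-ciphers, which the script also accepts.

```python
"""Audit an exported OpenVPN config against the hardening options in the post
(tls-crypt, DH >= 2048, AES-256-GCM, NCP off, SHA256, no compression, subnet
topology). Added example, not pfSense or OpenVPN project code."""
import re

# Constructed sample: roughly what the GUI options in the post become in the
# openvpn.conf pfSense generates for a Peer to Peer (SSL/TLS) server. Paths
# and the remote LAN 192.168.2.0/24 are assumptions; ca/cert/key lines omitted.
SITE_TO_SITE_SERVER = """\
tls-server
server 10.0.8.0 255.255.255.0
topology subnet
cipher AES-256-GCM
ncp-disable
auth SHA256
dh /etc/dh-parameters.2048
tls-crypt /var/etc/openvpn/server2.tls-crypt
route 192.168.2.0 255.255.255.0
compress lz4-v2
"""

# Constructed sample of an older client that keeps every OpenVPN 2.4 default.
LEGACY_CLIENT = """\
client
remote vpn.example.test 1194
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
"""

AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
STRONG_DIGESTS = {"SHA256", "SHA384", "SHA512"}


def parse_config(text):
    """Map each directive to the argument lists it appears with. Comments and
    blank lines are skipped; inline <ca>..</ca> blobs are not handled."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        out.setdefault(name, []).append(args)
    return out


def first_arg(d, name, default=""):
    """First argument of a directive, or default when absent or bare."""
    args = d.get(name)
    return args[0][0] if args and args[0] else default


def audit(text, role):
    """role is 'server' or 'client'; returns (severity, message) pairs in check order."""
    d = parse_config(text)
    f = []
    # tls-crypt encrypts and authenticates the control channel (the post's
    # "TLS Encryption and Authentication"); tls-auth only authenticates it.
    if "tls-crypt" not in d:
        if "tls-auth" in d:
            f.append(("info", "tls-auth only authenticates the control channel; prefer tls-crypt"))
        else:
            f.append(("high", "no tls-auth/tls-crypt: handshake reachable by any unauthenticated peer"))
    if role == "server":
        dh = first_arg(d, "dh", None)
        if dh is None:
            f.append(("high", "no dh directive"))
        elif dh != "none":  # 'dh none' means ECDH only, which is fine
            m = re.search(r"(\d+)$", dh)  # pfSense names the file dh-parameters.<bits> (assumed)
            bits = int(m.group(1)) if m else 0
            if bits < 2048:
                f.append(("high", f"DH parameters {bits or 'unknown'} bits; use at least 2048"))
    cipher = first_arg(d, "cipher", "BF-CBC")  # OpenVPN 2.4 default when unset
    if cipher.upper() not in AEAD_CIPHERS:
        f.append(("high", f"cipher {cipher} is not AEAD; use AES-256-GCM"))
    if not (d.keys() & {"ncp-disable", "ncp-ciphers", "data-ciphers"}):
        f.append(("info", "NCP on with the default list; negotiated cipher may differ from 'cipher'"))
    digest = first_arg(d, "auth", "SHA1")  # OpenVPN default when unset
    if digest.upper() not in STRONG_DIGESTS:
        f.append(("medium", f"auth digest {digest}; use SHA256 or stronger"))
    # Any real compression algorithm makes the tunnel a VORACLE target.
    comp = "lzo" if "comp-lzo" in d and first_arg(d, "comp-lzo", "adaptive") != "no" else None
    alg = first_arg(d, "compress", None)
    if alg in ("lzo", "lz4", "lz4-v2"):
        comp = alg
    if comp:
        f.append(("high", f"compression {comp} enabled: VORACLE can recover secrets; remove it"))
    if role == "server" and first_arg(d, "topology", "net30") != "subnet":
        f.append(("info", "topology is not 'subnet'"))
    # Without this, any client cert issued by the same CA could pose as the server.
    if role == "client" and first_arg(d, "remote-cert-tls") != "server":
        f.append(("high", "client lacks 'remote-cert-tls server'"))
    return f
```

Calling audit(SITE_TO_SITE_SERVER, "server") returns a single finding, the lz4-v2 compression line, which is exactly the VORACLE point; drop that line and the config comes back clean. audit(LEGACY_CLIENT, "client") shows what the 2.4 defaults cost: tls-auth instead of tls-crypt, a CBC cipher with NCP still on, SHA1, lzo compression, and no remote-cert-tls server, the last of which is what stops another certificate from the same CA (for instance a stolen road-warrior client cert) from impersonating the server to the site-to-site peer.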