Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN Site to Site with 3 locations

    Scheduled Pinned Locked Moved OpenVPN
    8 Posts 4 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tehmischi
      last edited by

      Hi,

      I've been trying to figure this out by myself but I just can't find the (probably easy) solution for this.

      I basically have to connect 3 locations which all need to communicate with each other.

      I've attached the layout as a paint drawing.

      The thing I haven't been able to make work is the connection between location B-C.
      From A->B, B->A, A->C, C->A everything works fine, i just can't reach anything from B->C or C->B.

      I have 2 OpenVPN Servers running on location A with two different ports and shared keys and different tunnel networks and location B has a client running connecting to UDP 1196 and location C a client connecting to UDP 1197.

      Basically everything is set up as described in the documentation with A as server and B+C as clients:
      https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-shared-key.html

      Can anybody help me out to get this working?

      Thanks already

      Cheers
      MichaelOpenVPN Layout.png

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @tehmischi
        last edited by

        In the client settings at B add the LAN network of C 192.168.5.0/24 to the "IPv4 Remote Network/s". At C add 192.168.2.0/24 to the "IPv4 Remote Network/s", comma-separated.
        So at B the box should look like "192.168.1.0/24,192.168.5.0/24", at C "192.168.1.0/24,192.168.2.0/24".
        This adds routes to the respective other site when the connection is established.

        1 Reply Last reply Reply Quote 0
        • T
          tehmischi
          last edited by

          This is actually one of the things I've already tried, but the behaviour didn't change with those settings.

          I just put this in again and restarted all OpenVPN services but it still doesn't work unfortunately.

          I've also tried adding push "route 192.168.5.0 255.255.255.0" and push "route 192.168.2.0 255.255.255.0" at the VPN Server settings with no luck.

          1 Reply Last reply Reply Quote 0
          • V
            viragomann
            last edited by

            The "push route" option is for pushing routes from a OpenVPN server to a client. You have to add routes for the remote networks to the clients, so you will rather use a "route" command on the client here. However, the "IPv4 Remote Network/s" does the same and is the recommended way on pfSense.

            So if your routes work, maybe you need to add firewall rules on one of the involved pfSense boxes or on the destination devices to allow the access.
            Without knowing more details it's hard to say what's wrong.

            1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              You can't push routes with shared-key. You have to use TLS/Certs if you want to push routes. Else you have to put the proper remote networks at B (192.168.1.0/24,192.168.5.0/24) and C (192.168.1.0/24,192.168.2.0/24).

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • chpalmerC
                chpalmer
                last edited by chpalmer

                edit - deleted this line.

                OpenVPN Firewall rule at site "A" has to also allow B and C ips through.

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                DerelictD 1 Reply Last reply Reply Quote 0
                • DerelictD
                  Derelict LAYER 8 Netgate @chpalmer
                  last edited by

                  @chpalmer said in OpenVPN Site to Site with 3 locations:

                  Remote Networks on "A" would need to be (192.168.2.0/24,192.168.5.0/24).

                  Sort of. They would need to each be on the proper server going to that site.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  chpalmerC 1 Reply Last reply Reply Quote 0
                  • chpalmerC
                    chpalmer @Derelict
                    last edited by chpalmer

                    @Derelict said in OpenVPN Site to Site with 3 locations:

                    Sort of. They would need to each be on the proper server going to that site.

                    I did misspeak that...

                    The A-B link would be "remote networks" 192.168.2.0/24 on the A side

                    and

                    The A-C link would be "remote networks" 192.168.5.0/24 on the A side.

                    But since I apparently need new glasses I missed the part where the OP said he had those links working... DOH!

                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.