Netgate Discussion Forum

    Site to MultiSite Open VPN (Single VS Multi Server configuration)

    Category: OpenVPN
    6 Posts 2 Posters 701 Views
    • Bambos

      Merry Christmas to everyone,

      I'm testing a site-to-multisite (1 central, many clients) OpenVPN configuration using a shared key.

      I followed this video, which gave me the idea that I could set up site-to-multisite having configured a single VPN server, so I did. (7:26 on the video)
      https://www.youtube.com/watch?v=-8xt7LUtYH4&t=52s

      Even though the OpenVPN setup has an option to limit the number of clients, it seems that is not working OK on a single port in a single-server configuration. The server is on 1194 and all clients are configured with the same shared key and the same tunnel 172.16.62.0/24, so the server gets the 172.16.62.1 tunnel IP. The first client connects OK and pings OK from/to the LAN using the 172.16.62.2 tunnel IP; the second client comes in and then all kinds of gateway issues and packet loss occur. I expected the 2nd client to get tunnel IP 172.16.62.3; instead it gets 172.16.62.2 again. I have tried to add the interface of the OpenVPN server and add DHCP, but it is not available under the menu. (I thought DHCP on OpenVPN might correct the client IP issue.)

      So I tried something else. This is all solved if I configure a separate server on a separate port with a separate tunnel for each client. The reason is we can't add a server on the same port, and we can't use the same tunnel if it is in use. So I went all separated and it seems stable with 2 clients at the same time.

      What is recommended for this kind of setup? Am I missing something?

      • viragomann @Bambos

        @bambos
        That video describes a site-2-site connection, so this is meant for two sites only.
        What you're trying to achieve may be a sort of Single Multi-Purpose OpenVPN like it's described here: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-multi-purpose.html
        Possibly it's better to use TLS/SSL authentication for that.

        • Bambos

          I have followed the guide with no success. Something is missing for the client side. I feel that the certificate import directions are not OK.

          • viragomann @Bambos

            @bambos
            What do you get?
            Something in the server or client logs?

            • Bambos @viragomann

              @viragomann

              I have followed this guide:
              https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html

              The certificate creation and export are not described well; also, the guide assumes that it has already been done in previous steps, something that is not clear.

              Nevertheless, I created a CA and a certificate, exported the keys and used them for the client configuration using the import methods. I needed to open them with Notepad and copy and paste the keys.

              Also this hangout: https://www.youtube.com/watch?v=ku-fNfJJV7w
              is not clear. For example, for client-specific overrides something is written in the documentation, but not enough to get the tunnel established. The guy in the hangout says that you can use upper case "DEFAULT" to override everything, or the certificate name. The documentation says to use the host name 🙏

              I will try again if I find another method described better.

              • viragomann @Bambos

                @bambos
                You can either use the certificate's common name (CN) or the user name, but not both!

                And you have to tell the server what should be used by checking the Username as Common Name option or not in the server's advanced configuration.

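The two points raised in this thread (a static shared key is point-to-point, so a second client on the same key and tunnel collides, and a client-specific override is matched on exactly one identifier, the certificate CN or the username when "Username as Common Name" is set) can be checked mechanically. The script below is an added example written for this thread; it is not pfSense or OpenVPN project code. It parses an OpenVPN server configuration, the list of clients and the set of override names, and reports inconsistencies. The sample configurations, client names and file paths are constructed; `secret`, `server`, `client-config-dir`, `username-as-common-name` and the `DEFAULT` fallback file are standard OpenVPN directives, and the `Username as Common Name` checkbox in pfSense corresponds to `username-as-common-name` (stated here as an assumption).

```python
"""Consistency check for a hub-and-spoke (one server, many site clients)
OpenVPN deployment. Constructed example for this forum thread, not pfSense
or OpenVPN project code.

Encodes two facts from the discussion:
  1. A static shared key ('secret') is point-to-point: one peer, one tunnel
     pair. Every additional client would be handed the same peer address.
  2. In TLS mode a client-specific override is matched on ONE identifier:
     the certificate CN, or the username when 'username-as-common-name'
     is set. A file named DEFAULT is the fallback if no name matches.
"""

# Constructed sample: what the first post describes (shared key, one tunnel).
SAMPLE_SHARED_KEY_SERVER = """\
dev tun
proto udp
port 1194
secret /path/to/shared.key        # placeholder path
ifconfig 172.16.62.1 172.16.62.2
"""

# Constructed sample: multi-client TLS server with a per-client override dir.
SAMPLE_TLS_SERVER = """\
dev tun
proto udp
port 1194
server 172.16.62.0 255.255.255.0
ca /path/to/ca.crt                # placeholder paths
cert /path/to/server.crt
key /path/to/server.key
client-config-dir /path/to/ccd
"""


def parse_directives(config_text):
    """Return [(directive, [args...])] with blank lines and comments removed."""
    directives = []
    for raw in config_text.splitlines():
        # OpenVPN treats '#' and ';' as comment markers.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def check_hub_config(config_text, clients, overrides):
    """clients: list of {'cn': ..., 'username': ...} (constructed inputs).
    overrides: set of client-specific override names present on the server.
    Returns a list of findings; an empty list means the setup is consistent."""
    names = {name for name, _ in parse_directives(config_text)}
    findings = []

    if "secret" in names:
        # Static-key mode: exactly one peer. More clients means the
        # 'ifconfig' peer address is reused, as seen in the first post.
        if len(clients) != 1:
            findings.append(
                f"'secret' (static shared key) is point-to-point: one peer only, "
                f"but {len(clients)} clients are configured; use TLS mode with "
                f"a 'server' pool for multiple sites")
        return findings

    if "server" not in names:
        findings.append("TLS multi-client mode needs a 'server <net> <mask>' "
                        "pool directive so each client gets its own tunnel IP")
    if overrides and "client-config-dir" not in names:
        findings.append("overrides are defined but 'client-config-dir' is not "
                        "set on the server, so they will never be read")

    # Pick the single identifier the server matches overrides against.
    key = "username" if "username-as-common-name" in names else "cn"
    for client in clients:
        ident = client[key]
        if ident not in overrides and "DEFAULT" not in overrides:
            findings.append(
                f"client CN={client['cn']}: no override named '{ident}' "
                f"(server matches on {key}); create it or a DEFAULT entry")
    return findings


if __name__ == "__main__":
    sites = [{"cn": "branch-a", "username": "branch-a-user"},
             {"cn": "branch-b", "username": "branch-b-user"}]
    for label, cfg, ovr in [
        ("shared key, two clients", SAMPLE_SHARED_KEY_SERVER, set()),
        ("TLS, overrides named by CN", SAMPLE_TLS_SERVER, {"branch-a", "branch-b"}),
        ("TLS, overrides named by username", SAMPLE_TLS_SERVER,
         {"branch-a-user", "branch-b-user"}),
    ]:
        print(label, "->", check_hub_config(cfg, sites, ovr) or "OK")
```

Running the script shows the three situations from the thread side by side: the shared-key server is flagged as soon as a second client exists, a TLS server with overrides named after the certificate CNs passes, and the same overrides named after usernames fail unless `username-as-common-name` is added to the server (or a `DEFAULT` override exists).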
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.