OpenVPN Site-to-site multiple clients unreliable
-
Hi All,
I have an SG-1100 set up as a peer-to-peer (shared key) OpenVPN server on port 1195.
This is positioned behind a watchguard firewall and has a static IPv4 assigned to it. Ports 1194-1196 are forwarded to this static IP for all traffic.
I have two other pfSense instances (one another SG-1100, and the other a home-built) which connect to this server as clients.
The server has its own LAN & Wifi, from which both remote clients should always be reachable.
All instances are on fiber connections at different locations, and don't have any reliability issues.
Clients successfully connect to the Server on boot, and this part seems very reliable; however I have noticed some flaky connections.
I've started using a Raspberry pi and NEMS to periodically ping each host from the Server.
Tunnel IP: 10.100.254.0/24
Server IP: 10.100.1.1
Cli 1: 10.0.1.1
Cli 2: 10.10.10.1
The server has the Cli 1 & Cli 2 CIDRs in the 'remote IPv4 networks' box, and each client has the server's CIDR.
About half the time the clients don't respond at all to the ping and return 100% packet loss, only to work fine again moments later.
When accessing the WebUI on the above IP addresses, the page for the clients will often timeout multiple times, only to connect immediately (as expected) once refreshed.
Does anyone have any idea why the connections might be so flaky? Is it a case of multiple clients connecting to one server?
Thanks in advance,
Tom.
-
@tomhbp said in OpenVPN Site-to-site multiple clients unreliable:
> I have two other pfSense instances (one another SG-1100, and the other a home-built) which connect to this server as clients.
Both to a single OpenVPN instance?
> Server IP: 10.100.1.1
> Cli 1: 10.0.1.1
> Cli 2: 10.10.10.1
> The server has the Cli 1 & Cli 2 CIDRs in the 'remote IPv4 networks' box, and each client has the server's CIDR.
When you're talking about CIDR, you should also use CIDR notation. I assume all are /24s?
-
Hello,
Yes, both to a single OpenVPN server instance, same port, same tunnel network.
Apologies, yes the server has "10.0.10.0/24, 10.10.10.0/24" as remote IPv4 networks (as well as some others to allow access via remote access VPN into the server box).
Thank you,
Tom.
-
@tomhbp
So you have to set up a VPN > OpenVPN > Client Specific Override for each of these clients you want to access the LANs behind.
Set all options you need for the respective client in the CSO, like "Local Networks" (server side) and "Remote Networks" (client side).
This overrides the server settings for the respective clients and sets the routes properly inside OpenVPN.
-
@viragomann thanks for your help. One problem, however: once I go to add a client specific override, I am only provided with my remote access VPN servers in the Server list. My peer-to-peer VPN doesn't appear, so I am unable to set overrides for this.
Should I have a peer-to-peer server for each individual remote site?
-
Aah, so. For the sake of completeness, a search on 'Client Specific Overrides' led me here:
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure.html.
Specifically:
> Peer to Peer (Shared Key)
> A connection between local and remote networks that is secured by a single Shared Key configured on both nodes. This choice is easier to setup, but is less secure. If a shared key is compromised, a new key must be generated and then copied to any router or client using the old shared key. In this mode, a separate server instance is needed for each client.
This is what I am doing, and apparently I do need a server per client.
The page also says:
> Peer to Peer (SSL/TLS)
> A connection between local and remote networks that is secured by SSL/TLS. This choice offers increased security as well as the ability for the server to push configuration commands to the remote peer router when using a 1:many style setup. Remote peer routers can also have certificates revoked to remove access if they become compromised.
So in the interest of keeping a single server, and gaining more security, I will give this option a try first.
Thanks again!
-
@tomhbp
I'm running an SSL/TLS peer to peer and this is selectable in the CSO.
However, basically I'd use a separate server for each site2site connection. But it's also possible with an access server as described here: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-multi-purpose.html
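As an added illustration, not taken from this thread, the pfSense GUI or the Netgate docs, this is what a single SSL/TLS peer-to-peer instance with two Client Specific Overrides comes down to in plain OpenVPN configuration: the server instance carries a `route` for each remote subnet, and a per-client file (selected by the client's certificate CN) adds an `iroute` telling OpenVPN which peer owns that subnet. A shared-key instance has no such per-peer mapping, it has exactly one peer, which is why the docs quoted above require a server per client. The file paths, the certificate CNs `site1` and `site2`, and the /24 for the server LAN are assumptions; the subnets and port are the ones from the thread.

```conf
##### /etc/openvpn/server.conf  (assumed path; hand-written, not a pfSense-generated file) #####
dev tun
proto udp
port 1195                             # port from the thread, forwarded by the upstream firewall

# SSL/TLS peer-to-peer: each remote router authenticates with its own certificate,
# so a compromised site can be cut off by revoking one cert instead of re-keying everyone.
ca       /etc/openvpn/ca.crt
cert     /etc/openvpn/server.crt
key      /etc/openvpn/server.key
dh       /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0        # HMAC on the control channel; unsigned packets are dropped early
remote-cert-tls client                # refuse a peer presenting a server-usage certificate

# Tunnel network from the thread; 'server' puts the instance in multi-client TLS mode
# and hands each remote router its own tunnel address.
server 10.100.254.0 255.255.255.0

# Server-side LAN the remote routers should reach ("Local Networks"; /24 assumed).
push "route 10.100.1.0 255.255.255.0"

# Kernel routes on the server box: send these subnets into the tun interface.
route 10.0.10.0  255.255.255.0
route 10.10.10.0 255.255.255.0

# Per-client files, named after the certificate CN, supply the internal routing
# (this is what a CSO's "Remote Networks" field generates).
client-config-dir /etc/openvpn/ccd

##### /etc/openvpn/ccd/site1  (CN of the first remote router; assumed name) #####
iroute 10.0.10.0 255.255.255.0

##### /etc/openvpn/ccd/site2  (CN of the second remote router; assumed name) #####
iroute 10.10.10.0 255.255.255.0
```

Without the matching `iroute`, the server still has a kernel route into the tunnel but does not know which of the two peers owns the subnet, so it drops the packet and logs a routing error; checking the OpenVPN log for such messages is the quickest way to confirm the routes are set.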