How to make local networks of OpenVPN clients available to other clients?
-
Hi,
this is my first contact with pfSense as well as OpenVPN.
I tried to google my problem but have not found a solution yet.
I have set up an OpenVPN server with pfSense using certificates.
With the client-specific overrides, I managed to assign each client a "static" VPN IP.
I have one OpenVPN server and multiple clients of two types.
The first client type is an OpenVPN-capable router. All devices in the LAN of each router shall be made available to all other connected clients. Each router has its LAN in a different subnet (Router1: 192.168.6.0/24, Router2: 192.168.7.0/24).
The second client type is a user, directly connecting via a computer. The user shall get access to all devices behind the connected routers. Other devices in the LAN the user might connect from shall be ignored.
This shows the architecture of the network (names and IPs are exemplary):
I guess I need to route something, but how is that done?
Thank you very much!
-
@rol
I'd rather recommend setting up separate servers for the site-to-site connections to the routers. This enhances clarity and is easier to configure, in my opinion.
However, you will need to add an additional CA with server and client certs for each.
But it should also be doable with a single server if you want this.
However, what your graphic shows would not work anyway. According to it, router 1 and user 1 use equal or overlapping local subnets. Hence routing between the two won't be possible at all.
-
@viragomann
Thank you very much for your suggestions.
I prefer to use the proposed structure, as I do not have many users, traffic is low, and I do not need to administrate multiple pfSense servers.
Regarding the CA, I use self-signed certificates.
The routing issue with overlapping local subnets is something I am now aware of. I will use 10.x.x.x networks for the LANs of the routers. In this case, it is unlikely that a connecting user is in an identical subnet.
I found this explanation regarding OpenVPN routing:
https://community.openvpn.net/openvpn/wiki/RoutedLans
This seems to be exactly what I would like to do.
I will try it tomorrow.
Thanks!
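For readers following the same path, here is an added example (not from the original thread, not pfSense's own code) that generates the server-side OpenVPN directives the RoutedLans page describes for exactly this layout: `route` on the server for each router LAN, a per-client `iroute` for the router that owns a LAN, and `push "route"` entries so the other routers and the plain users learn the way back. It also carries out the overlap check viragomann raised, since a client whose local LAN collides with a router LAN (or with the tunnel network) cannot be routed. The certificate common names (router1, router2, user1, user2), the LAN subnets, the tunnel network 10.8.0.0/24 and the `ccd` directory name are all assumptions for illustration. In pfSense terms the ccd files correspond to Client Specific Overrides ("IPv4 Remote Networks" yields the iroute, "IPv4 Local Networks" yields the pushed routes) and the server `route` lines to the server's "IPv4 Remote Networks".

```python
"""Generate OpenVPN routing directives for one server, several router
clients (each with a LAN behind it) and plain user clients that should
reach every router LAN.  Constructed example: names and subnets are
assumptions, not values from the thread."""
import ipaddress

# Constructed inventory.  Keys are the certificate common names, which
# OpenVPN uses to pick the matching client-config-dir (ccd) file.
ROUTER_LANS = {
    "router1": "10.10.6.0/24",   # assumed LAN behind router1
    "router2": "10.10.7.0/24",   # assumed LAN behind router2
}
USERS = ["user1", "user2"]       # assumed plain user clients
TUNNEL_NET = "10.8.0.0/24"       # assumed VPN tunnel network


def _net_mask(cidr):
    """'10.10.6.0/24' -> '10.10.6.0 255.255.255.0' (OpenVPN's route syntax)."""
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"


def check_no_overlap(router_lans, tunnel_net, client_local_lans=()):
    """Return every pair of subnets that overlap.  Routing needs every
    LAN to be distinct from the tunnel and from each other; a user whose
    home LAN overlaps a router LAN (the user1/router1 case in the thread)
    will never reach that router's devices, so refuse such layouts."""
    nets = [ipaddress.ip_network(tunnel_net)]
    nets += [ipaddress.ip_network(n) for n in router_lans.values()]
    nets += [ipaddress.ip_network(n) for n in client_local_lans]
    conflicts = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                conflicts.append((str(a), str(b)))
    return conflicts


def server_directives(router_lans, tunnel_net, client_to_client=False):
    """Server config fragment.  'route' installs a kernel route on the
    server host for each router LAN pointing into the tun device; the
    'iroute' in the ccd file then tells OpenVPN which client owns it.
    'ccd-exclusive' refuses any certificate that has no ccd entry, so an
    unknown but validly signed client gets no access at all.
    'client-to-client' lets OpenVPN forward between clients internally;
    left off, inter-client traffic passes through the server's kernel
    and is therefore subject to the pfSense firewall rules on the
    OpenVPN interface, which is what you want if users must reach the
    router LANs but not each other."""
    n = ipaddress.ip_network(tunnel_net)
    lines = [
        f"server {n.network_address} {n.netmask}",
        "client-config-dir ccd",
        "ccd-exclusive",
    ]
    if client_to_client:
        lines.append("client-to-client")
    for lan in router_lans.values():
        lines.append(f"route {_net_mask(lan)}")
    return "\n".join(lines)


def ccd_files(router_lans, users):
    """One ccd file per client, keyed by common name.
    Router clients get an iroute for their own LAN plus a pushed route
    for every *other* router LAN (never their own, which would collide
    with the directly connected route on that router).
    User clients get a pushed route for every router LAN."""
    files = {}
    for name, lan in router_lans.items():
        body = [f"iroute {_net_mask(lan)}"]
        for other_name, other_lan in router_lans.items():
            if other_name != name:
                body.append(f'push "route {_net_mask(other_lan)}"')
        files[name] = "\n".join(body)
    for user in users:
        files[user] = "\n".join(
            f'push "route {_net_mask(lan)}"' for lan in router_lans.values()
        )
    return files


if __name__ == "__main__":
    conflicts = check_no_overlap(ROUTER_LANS, TUNNEL_NET)
    if conflicts:
        raise SystemExit(f"overlapping subnets, fix before routing: {conflicts}")
    print("# server.conf fragment")
    print(server_directives(ROUTER_LANS, TUNNEL_NET))
    for name, body in ccd_files(ROUTER_LANS, USERS).items():
        print(f"\n# ccd/{name}")
        print(body)
```

The check only covers subnets you know about; a user's local LAN is whatever network they happen to connect from, which is why rol's move to 10.x.x.x router LANs reduces, but does not eliminate, the chance of a collision. Each router still needs a firewall rule allowing traffic from the tunnel network into its LAN, and the pfSense OpenVPN interface needs rules permitting the tunnel network to reach the router LANs.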