3 Sites VPN doesn't work correctly

hispeed

I have 3 Sites which I want to connect.

Site 1: My Home 192.168.100.X / 24
Site 2: Brother Home 192.168.1.X / 24
Site 3: Parent Home 192.168.20.X / 24

I have a working connection from: Site 1 to Site 2 and Site 3.

Now I want to connect Site 2 and 3 together and if there are traffic between them I don't want to route that traffic over my VPN.
I found this online:

This is excactly what i'm tryint to do. All Sites are using a Pfsense Plus and all are on the latest update.

Here is the configuration of Site 3 which should be the server for Site 2 who is the client:

Before I send more images and make a mess, can someone have look at it and tell me if this is correct?

Thank you for your help.

elvisimprsntr

Have you considered Tailscale MESH VPN? Simple to set up and works automagically!

https://www.netgate.com/blog/tailscale-on-pfsense-software

hispeed

Hi @elvisimprsntr

I have never heard about that but I would prefer to do it the classic way.

Jarhead

@hispeed
I would suggest Wireguard. You'll get much faster speeds with it over OpenVPN. Not a fan of using other company servers like Tailscale but they use Wireguard also, so better speeds there too.

What you have looks good, but the key is gonna be the routes. After you set it all up, go to Diagnostics/Routes and make sure each site is routing over the correct link.

hispeed

@Jarhead

Thank you for this hint. Yes Wireguard could also be an option the speed is not so important it's enough for our usage.

Here is the routes entry on Site 2:

I can't only ping from the OpenVPN Interface the Site 3. I can't ping site 3 from the lan interface. I have checked all rules but i don't find the problem.

So here is the site 2 configuration which is the client:

Jarhead

@hispeed You're best bet is to start using the packet capture tool in Diagnostics.
Do a constant ping from a pc on one of the sites to the other. Do a packet capture on the OpenVPN interfaces on both ends and check to see if the pings are getting to the far end, and if the replies are getting back to the local.
Go from there.

hispeed

@Jarhead

I forgot Client Specific Overrides, now it's working.

Jarhead

@hispeed A ha, yeah, you're using a /24 for the tunnel. No need for that. If you used a /30 or /31 you wouldn't need CSO at all.