How to configure 3 tunnels on 3 different sites with 3 pfsense
-
I would like the site to take a direct way if possible - I have it working with three sites, but it is a pain to configure :)
So I was looking for an alternative way - can OpenVPN do it? (I am trying to mimic a setup based on Cisco RemoteVPN, and I am quite sure it is using something more clever - 10 sites with multiple DMZs)
Thanks
-
There is probably no easy way to pull that off with all sites interconnected.
No matter what you do it's messy: You could do static key site-to-site, which is just as ugly as site-to-site IPsec, or every site is an SSL PKI server and a client to all others, which would be a nightmare to manage, key-wise. (not to mention a pill to setup…)
-
Damn :(
So if each site has an OpenVPN server, and each site also has OpenVPN clients to all the other sites, I could then push out the routing for the DMZ/Optional networks on each site?
Thanks
-
If you do a PKI setup, you can push routes. If you do a site-to-site, the routes must be set manually on both ends.
-
Hi
I am trying to make a multiple site-2-site setup based on 3 sites so that all connect to each other, and have been looking at some guides on site-2-site, but I don't understand the "Remote Network" when I create the server part.
1. I thought that my site A should have an OpenVPN server running
2. My two other sites - site B and site C - would connect to site A as OpenVPN clients
3. And my two other sites also should have an OpenVPN server (and clients on the other sites)
So what should the "Remote network" be on site A?
Thanks again
-
Or should I use "Remote Access" when connecting multiple sites - instead of a "peer-2-peer"?
Thanks
-
So what should the "Remote network" be on site A?
You can leave that blank, or put in either site B or site C. You'll need a route for both sites in the custom options, and the Remote Network just does a route statement behind the scenes for you. If you fill in B, then you'll still need a custom route statement for C, and vice versa.
If you are doing a PKI (remote access) setup, you'll also need to make a CSC entry for the CN of both site B and C, with an iroute statement in its custom options.
That is probably the better way to handle setting up a multi-site "star" layout. Peer-to-peer would be better for making individual tunnels between each site that only have one connection per tunnel.
-
Got it - will try both options :)
And thanks for a FAST reply :)
-
One more thing "Inter-client communication" - would that allow site B and site C to talk to each other? - but routed through site A I guess?
-
Correct. With a PKI setup you need that option ticked so that B can reach C via A.
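The following is an added example (not from this thread or from the pfSense project) showing what the "star" PKI layout described in the two answers above looks like in raw OpenVPN directives: the server-side route statements for sites B and C, the client-specific (CSC/ccd) entries with iroute for each client CN, the per-client pushed routes, and client-to-client (pfSense's "Inter-client communication") so that B reaches C via A. All subnets, the tunnel network, the hostname, the CNs "siteB" and "siteC", and the ccd path are constructed placeholders, and comments mark the pfSense GUI field each directive corresponds to.

```conf
# ---- Site A: OpenVPN server (hub), Remote Access / PKI mode ----
# Constructed subnets: A LAN 10.1.0.0/24, B LAN 10.2.0.0/24, C LAN 10.3.0.0/24,
# tunnel 10.8.0.0/24. Replace with your own.
server 10.8.0.0 255.255.255.0            # pfSense "Tunnel Network"
push "route 10.1.0.0 255.255.255.0"      # pfSense "Local Network": every client gets A's LAN

# "Remote Network" on the server only produces one of these; the other must
# go in Custom options. Both tell A's kernel that B's and C's LANs live
# behind the tunnel interface.
route 10.2.0.0 255.255.255.0
route 10.3.0.0 255.255.255.0

client-to-client                         # pfSense "Inter-client communication":
                                         # lets B talk to C, routed through A
client-config-dir /PATH/TO/ccd           # placeholder; pfSense writes CSC entries here

# ---- ccd/siteB  (pfSense CSC entry whose Common Name is "siteB") ----
# iroute tells OpenVPN *which client* owns 10.2.0.0/24 (the kernel route above
# only says "the tunnel"). Without it, A cannot forward packets to B's LAN.
iroute 10.2.0.0 255.255.255.0
# Per-client push: B gets the route to C, but NOT to its own LAN.
push "route 10.3.0.0 255.255.255.0"

# ---- ccd/siteC  (pfSense CSC entry whose Common Name is "siteC") ----
iroute 10.3.0.0 255.255.255.0
push "route 10.2.0.0 255.255.255.0"

# ---- Site B / Site C: OpenVPN client (spoke) ----
# Certificate CN must be exactly "siteB" / "siteC" so the matching ccd file
# (and therefore the right iroute and pushed routes) is applied.
client
dev tun
remote vpn-a.example.invalid 1194 udp  # placeholder hostname for site A
# No "Remote Network" needed here in PKI mode: routes to A's LAN and to the
# other spoke arrive via push from the server.
```

With this layout there are two tunnels, not three; B-to-C traffic crosses A twice (in over B's tunnel, out over C's tunnel), which is the trade-off the thread notes against per-pair peer-to-peer tunnels. The most common misconfiguration is a kernel `route` without the matching `iroute` (or a CN that does not match the ccd filename): the server then has a route to the spoke's LAN but no client to deliver it to, and drops the traffic.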