Netgate Discussion Forum

My first OpenVPN network need help installing tonight

OpenVPN
6 Posts 2 Posters 2.9k Views
    01pfsensefan
    last edited by Jul 12, 2010, 1:58 PM

    Hi,

    I have a new client and they have three locations all in the same town. I have ordered three Netgate boxes. Each has three interfaces and pfSense already installed. The main location has the DC and Mail server. I will be removing some older Cisco PIX boxes and replacing them with these that will have the same IP addresses as the Ciscos had. I want to make a secure OpenVPN shared key VPN from headquarters to the other two branches. Branches only need to talk to headquarters, but if they can reach each other that will not hurt anything.

    Headquarters: 192.168.0. (I have to keep the existing subnets for now)
    Location 1: 192.168.1.
    Location 2: 192.168.2.

    I have the pfSense book here which details it out. My question is, do I simply make the OpenVPN active at headquarters and open port 1194? Or do I need a new port, one for each branch?

    What do I need to do for routing? They get to file and print shares at corporate and Exchange as well as remote desktop. Thanks

      jimp Rebel Alliance Developer Netgate
      last edited by Jul 12, 2010, 2:59 PM

      You can do this one of two ways.

      1. You can make a whole PKI setup and use the main office as the server (just one instance) and have each remote site be a client.

      2. You can generate two shared keys, and set up two server instances on the main office, one for each site, on different ports. Then each site would connect to a separate instance.

      The PKI method scales better with many sites, but the PKI setup can be tricky to get going (though with EasyRSA it's not too bad). Both ways can route however you want, including between the remote sites.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        01pfsensefan
        last edited by Jul 12, 2010, 3:07 PM

        Thanks for the fast reply! Since they only have three locations total I am going to stick with the key method. You answered my question about the ports though. Because when it is made you have to define the network and you can't have two. I don't know much about routing, so after I make the rules to allow traffic I hope it works.

          jimp Rebel Alliance Developer Netgate
          last edited by Jul 12, 2010, 5:29 PM

          If you specify the local and remote networks properly in all of the instances, it should "just work".

          If you have three sites:

          A: Main Office
          B: Remote 1
          C: Remote 2

          Then you can route between B and C through A, or set up another OpenVPN instance between them. To route through A, do this:

          In the custom options box for the client on B, add:

          route c.c.c.c 255.255.255.0;
          

          Where c.c.c.c is the subnet behind the C router.

          Then in the custom options box for the router on C, add:

          route b.b.b.b 255.255.255.0;
          

          Where b.b.b.b is the subnet behind the B router.

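The layout jimp describes (two shared-key server instances on A on separate ports, one client instance on each of B and C, and a `route` custom option on each spoke so B and C reach each other through A) can be planned and sanity-checked mechanically. The script below is an added example and not code from the thread or from pfSense. The site subnets follow the thread (192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24); the tunnel networks, the UDP ports and the field names used for each instance are assumptions. It refuses overlapping subnets and duplicate ports (the two most common reasons a tunnel comes up but nothing routes), emits the per-spoke `route` lines in the form jimp gives, and traces a packet site by site to show why B-to-C traffic flows through A.

```python
"""Plan a hub-and-spoke OpenVPN shared-key layout (added example, not pfSense code).

Site subnets follow the thread; tunnel networks, ports and field names are assumed.
"""
import ipaddress
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Site:
    name: str
    lan: IPv4Network


@dataclass(frozen=True)
class Tunnel:
    """One shared-key pair: a server instance on the hub, a client instance on the spoke."""
    spoke: Site
    port: int                 # must be distinct per hub instance (assumed values below)
    tunnel_net: IPv4Network   # the tunnel/ifconfig network for this pair (assumed values)


def check_no_overlap(networks):
    """Raise ValueError if any two networks overlap (LAN or tunnel)."""
    nets = list(networks)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def plan(hub, tunnels):
    """Return the fields for every OpenVPN instance, keyed by site name.

    Hub: one server instance per spoke on its own port; 'remote_network' is the spoke
    LAN, which becomes a kernel route on the hub through that tunnel.
    Spoke: one client instance whose remote network is the hub LAN, plus a 'route'
    custom option for every other spoke so that traffic is sent via the hub.
    """
    check_no_overlap([hub.lan] + [t.spoke.lan for t in tunnels]
                     + [t.tunnel_net for t in tunnels])
    ports = [t.port for t in tunnels]
    if len(set(ports)) != len(ports):
        raise ValueError("each server instance on the hub needs its own port")
    out = {hub.name: [], **{t.spoke.name: [] for t in tunnels}}
    for t in tunnels:
        others = [u.spoke.lan for u in tunnels if u is not t]
        out[hub.name].append({
            "role": "server", "peer": t.spoke.name, "port": t.port,
            "tunnel_network": str(t.tunnel_net),
            "local_network": str(hub.lan), "remote_network": str(t.spoke.lan),
            "custom_options": [],   # hub already routes every spoke LAN
        })
        out[t.spoke.name].append({
            "role": "client", "peer": hub.name, "port": t.port,
            "tunnel_network": str(t.tunnel_net),
            "local_network": str(t.spoke.lan), "remote_network": str(hub.lan),
            # the 'route c.c.c.c 255.255.255.0;' lines from the post, one per other spoke
            "custom_options": [f"route {o.network_address} {o.netmask};" for o in others],
        })
    return out


def routes_for(site_name, layout):
    """Kernel routes a site ends up with: (network, peer reached through the tunnel)."""
    routes = []
    for inst in layout[site_name]:
        routes.append((IPv4Network(inst["remote_network"]), inst["peer"]))
        for opt in inst["custom_options"]:
            _, addr, mask = opt.rstrip(";").split()
            routes.append((IPv4Network(f"{addr}/{mask}"), inst["peer"]))
    return routes


def trace(src_site, dst_ip, layout):
    """Follow a packet site by site using longest-prefix match; return the path."""
    dst = ipaddress.IPv4Address(dst_ip)
    path, cur = [src_site], src_site
    for _ in range(len(layout)):   # bounded walk: a longer path means a routing loop
        if any(dst in IPv4Network(i["local_network"]) for i in layout[cur]):
            return path
        matches = [(n, p) for n, p in routes_for(cur, layout) if dst in n]
        if not matches:
            return path + ["<no route>"]
        _, cur = max(matches, key=lambda m: m[0].prefixlen)
        path.append(cur)
    return path + ["<loop>"]


# Constructed sample data: LANs from the thread, tunnel networks and ports assumed.
HUB = Site("A", IPv4Network("192.168.0.0/24"))
B = Site("B", IPv4Network("192.168.1.0/24"))
C = Site("C", IPv4Network("192.168.2.0/24"))
TUNNELS = [Tunnel(B, 1194, IPv4Network("10.0.8.0/30")),
           Tunnel(C, 1195, IPv4Network("10.0.9.0/30"))]

if __name__ == "__main__":
    layout = plan(HUB, TUNNELS)
    for site, instances in layout.items():
        for inst in instances:
            print(site, inst)
    print(trace("B", "192.168.2.10", layout))   # ['B', 'A', 'C']
```

Running it prints the two hub server instances (ports 1194 and 1195), the client instance for each spoke with its `route` line, and the B to A to C path. Dropping the custom option from B makes the same trace end in `<no route>`, which is exactly the symptom of forgetting jimp's extra line.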
            01pfsensefan
            last edited by Jul 13, 2010, 2:23 AM

            Ok, I am onsite now. They are talking and I can ping each gateway and the server by IP. However, if I ping from the client site to the server at the main location by DNS name it will time out. But if I ping by IP (in this case the server's IP is 192.168.0.5) and then ping by name, it works fine.

            On the client side I went in under DHCP and added the main resolver to be 192.168.0.5 then 192.168.1.1 which is the client side main gateway. So I need other routes, we seem really close!

              01pfsensefan
              last edited by Jul 13, 2010, 4:25 AM

              It seems to all be working now. I didn't change anything else so I am unsure what the cause was. Tomorrow I am bringing the 3rd branch online.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.