Configuration Help



  • I'm looking for some help on how to best structure my OpenVPN setup.
    Let me explain my setup first.

    Main office has two primary subnets, this could even become three or more as time goes on.
    The subnets are
    192.168.1.0/24 - Primary LAN for general data usage
    192.168.100.0/24 - Voice/Phone system usage
    192.168.xxx.0/24 - Future security/video network or other.

    I have OVPN connections to 6 other locations soon to be 7 or 8 (and growing)
    and each location varies on the local subnets it needs to be able to communicate with.
    For instance, we have a branch office that needs the voice and data subnets but another customer with a remote phone that only needs the voice subnet, etc.

    Also, one of my soon-to-be-added VPNs has multiple networks at its location and I will want to specify which networks I have access to (I suppose with multiple iroute statements?) and vice versa.

    Currently in my OVPN (server) config using PKI at the main office, I'm using the address pool 192.168.0.0/24, I have the client to client option checked and in my custom options I have: "route 192.168.0.0 255.255.0.0;push "route 192.168.1.0 255.255.255.0";push "route 192.168.100.0 255.255.255.0";management 127.0.0.1 1194;"

    In the main site under client specific configuration I have the "iroute 192.168.xxx.0 255.255.255.0" statement.

    I have the client to client box checked but I'm not really sure I need it. It would be nice to allow a few of my sites with remote phones the ability to intercom each other without having to keep a tunnel up between each of them. With the Client to Client it wants to route traffic through my main site (server); is there any way around this?

    With the above obviously all connections get access to my data and voice networks. Do I just build firewall rules on my LAN interface to deny those VPNs' networks access to my networks or should I be doing something more fancy with each OVPN config? I was hoping not to have to do multiple servers for each connection. (pretty much why I switched from IPSec).
    Which BTW for the last two weeks using OpenVPN has made my life much more enjoyable.
    I had a couple of my VPNs on dynamic WANs that I always had trouble with using IPSec.

    Thanks,
    Adair


  • Rebel Alliance Developer Netgate

    @drummer_adair:

    I have the client to client box checked but I'm not really sure I need it. It would be nice to allow a few of my sites with remote phones the ability to intercom each other without having to keep a tunnel up between each of them. With the Client to Client it wants to route traffic through my main site (server); is there any way around this?

    You do need client-to-client in order for the remote networks to reach each other. Otherwise they could only reach the main site. There is no alternative way to have them communicate directly unless you build a web of interconnecting tunnels rather than routing centrally. Depending on the bandwidth available, having each node interconnected to the others may be a more complex setup but work the smoothest.

    @drummer_adair:

    With the above obviously all connections get access to my data and voice networks. Do I just build firewall rules on my LAN interface to deny those VPNs' networks access to my networks or should I be doing something more fancy with each OVPN config? I was hoping not to have to do multiple servers for each connection. (pretty much why I switched from IPSec).
    Which BTW for the last two weeks using OpenVPN has made my life much more enjoyable.
    I had a couple of my VPNs on dynamic WANs that I always had trouble with using IPSec.

    Yes, just put rules on LAN to deny access to the networks that they should not see. In 2.0 you can also put filters on the OpenVPN interface (You can do this on 1.2.3 with some fiddling also: http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3 )



  • I must have something wrong.
    From a connected client I can't ping any other client's pool address (the 192.168.0.0/24 network).
    I can however ping them all from the server and the clients can ping the server.
    I think I read somewhere that it takes some static routes for me to be able to ping from one client's LAN to another, right?
    Or is my server config options wrong?


  • Rebel Alliance Developer Netgate

    Double check your route/csc iroute setup, as mentioned here:
    http://doc.pfsense.org/index.php/OpenVPN_iroute_in_CSC_seems_to_have_no_effect



  • Ok, getting further now.

    I re-created my custom options on my OVPN server to include each remote subnet in its own "route" statement.
    Before I had "route 192.168.0.0 255.255.0.0".

    Now I have "route 192.168.2.0 255.255.255.0; route 192.168.3.0 255.255.255.0;" etc. One for each remote network.
    And am still pushing my two local subnets.

    I know technically the /16 was encompassing all of the above but I didn't like the broadness and I don't know what subnets I will be connecting to in the future. I'd rather add a new statement each time I add a tunnel and know for sure what's routed where. Any thoughts on this other than my tunnel restarts anytime I add a route?

    I also found that putting a static route on any two client routers for another remote subnet allowed me to route traffic through the server to the remote network. Nice.

    I can see where something like OSPF, RIP or OLSRD would make life easier as the network grows.
    Any comments on which of the above routing protocols would be the best to use in my OVPN setup and what it would take to configure it? Or is there a way to have the server tell all connected clients about the other subnets?

    Lastly, there is no way other than to set up a client-server connection with each peer in the network to route traffic between sites directly instead of via the server connection, correct?


  • Rebel Alliance Developer Netgate

    @drummer_adair:

    Any thoughts on this other than my tunnel restarts anytime I add a route?

    Doing them separately may be needed internally for OpenVPN, but I haven't tried to be certain. I know the route and iroute have to match up, but I don't know if a more general route statement works for certain. Doing them separately is probably safer. Even if the server does restart, the clients will reconnect in about a minute.

    @drummer_adair:

    I can see where something like OSPF, RIP or OLSRD would make life easier as the network grows.
    Any comments on which of the above routing protocols would be the best to use in my OVPN setup and what it would take to configure it? Or is there a way to have the server tell all connected clients about the other subnets?

    Personally, I use OSPF, but I use it with shared key site-to-site tunnels. It might work with a PKI setup, but I've never tried it. Since OpenVPN doesn't present real interfaces for clients to the server in PKI mode, I'm not sure if OSPF (or any routing protocol) would work since OpenVPN usually needs the internal route (iroute) statements.

    @drummer_adair:

    Lastly, there is no way other than to set up a client-server connection with each peer in the network to route traffic between sites directly instead of via the server connection, correct?

    Correct.
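The two pieces of advice in this thread (the server-side "route" and the per-client CSC "iroute" must match, and one "route" per remote subnet is clearer than a /16 catch-all) can be checked mechanically. The script below is an added example and is not pfSense or OpenVPN code; it parses pfSense-style semicolon-separated custom options, and the option strings and client names in it are constructed samples modelled on the subnets mentioned above.

```python
"""Check that an OpenVPN server's route statements and the per-client (CSC) iroute
statements agree, as advised above.  Added example, not pfSense/OpenVPN code."""
import ipaddress
import re

ROUTE_RE = re.compile(r"^(iroute|route)\s+(\S+)\s+(\S+)$")

def parse_routes(options, keyword):
    """Networks named by 'route' or 'iroute' in a pfSense-style ';'-separated option
    string.  push "route ..." entries go to clients and are deliberately skipped."""
    nets = []
    for stmt in options.split(";"):
        m = ROUTE_RE.match(stmt.strip())
        if m and m.group(1) == keyword:
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets

def check_setup(server_options, csc):
    """csc maps client common name -> its CSC custom options.
    Returns a list of findings; an empty list means route and iroute agree."""
    findings = []
    routes = parse_routes(server_options, "route")
    iroutes = {cn: parse_routes(opts, "iroute") for cn, opts in csc.items()}
    for cn, nets in iroutes.items():
        if not nets:
            findings.append(f"{cn}: no iroute, server cannot reach its LAN")
        for n in nets:
            if not any(n.subnet_of(r) for r in routes):  # the classic 'iroute has no effect' symptom
                findings.append(f"{cn}: iroute {n} has no matching server route")
    covered = [n for nets in iroutes.values() for n in nets]
    for r in routes:
        inside = [n for n in covered if n.subnet_of(r)]
        if not inside:
            findings.append(f"route {r} matches no client iroute (stale or typo)")
        elif r.num_addresses > sum(n.num_addresses for n in inside):
            findings.append(f"route {r} is broader than its iroutes; use one route per remote subnet")
    return findings

# Constructed samples mirroring the thread: the /16 catch-all, then one route per site.
BROAD_OPTS = ('route 192.168.0.0 255.255.0.0;push "route 192.168.1.0 255.255.255.0";'
              'push "route 192.168.100.0 255.255.255.0";management 127.0.0.1 1194;')
PER_SITE_OPTS = ("route 192.168.2.0 255.255.255.0;route 192.168.3.0 255.255.255.0;"
                 "route 192.168.4.0 255.255.255.0;route 192.168.5.0 255.255.255.0;")
CSC = {"branch": "iroute 192.168.2.0 255.255.255.0;",
       "remote-phone": "iroute 192.168.3.0 255.255.255.0;",
       "multi-lan": "iroute 192.168.4.0 255.255.255.0;iroute 192.168.5.0 255.255.255.0;"}

if __name__ == "__main__":
    for label, opts in (("broad", BROAD_OPTS), ("per-site", PER_SITE_OPTS)):
        print(label, check_setup(opts, CSC) or "consistent")
```

The "multi-lan" client shows the multiple-iroute case asked about earlier: each of its LANs needs its own iroute and a matching server route.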



  • Thanks for all the info.
    Just trying to make sure I understand how everything works and squeeze the most out of it.

