Netgate Discussion Forum
    OpenVPN
    7 Posts 2 Posters 3.8k Views
    • drummer_adair

      I'm looking for some help on how to best structure my OpenVPN setup.
      Let me explain my setup first.

      Main office has two primary subnets, this could even become three or more as time goes on.
      The subnets are
      192.168.1.0/24 - Primary LAN for general data usage
      192.168.100.0/24 - Voice/Phone system usage
      192.168.xxx.0/24 - Future security/video network or other.

      I have OVPN connections to 6 other locations soon to be 7 or 8 (and growing)
      and each location varies on the local subnets it needs to be able to communicate with.
      For instance, we have a branch office that needs the voice and data subnets but another customer with a remote phone that only needs the voice subnet, etc.

      Also, one of my soon to be added VPNs has multiple networks at its location and I will want to specify which networks I have access to (I suppose with multiple iroute statements?) and vice versa.

      Currently in my OVPN (server) config using PKI at the main office, I'm using the address pool 192.168.0.0/24, I have the client to client option checked and in my custom options I have: "route 192.168.0.0 255.255.0.0;push "route 192.168.1.0 255.255.255.0";push "route 192.168.100.0 255.255.255.0";management 127.0.0.1 1194;"

      In the main site under client specific configuration I have the "iroute 192.168.xxx.0 255.255.255.0" statement.

      I have the client to client box checked but I'm not really sure I need it. It would be nice to allow a few of my sites with remote phones the ability to intercom each other without having to keep a tunnel up between each of them. With the Client to Client it wants to route traffic thru my main site (server); is there any way around this?

      With the above obviously all connections get access to my data and voice networks. Do I just build firewall rules on my LAN interface to deny those VPNs' networks access to my networks, or should I be doing something more fancy with each OVPN config? I was hoping not to have to do multiple servers for each connection (pretty much why I switched from IPSec).
      Which BTW for the last two weeks using OpenVPN has made my life much more enjoyable.
      I had a couple of my VPNs on dynamic WANs that I always had trouble with using IPSec.

      Thanks,
      Adair

      • jimp (Rebel Alliance Developer, Netgate)

        @drummer_adair:

        I have the client to client box checked but I'm not really sure I need it. It would be nice to allow a few of my sites with remote phones the ability to intercom each other without having to keep a tunnel up between each of them. With the Client to Client it wants to route traffic thru my main site (server); is there any way around this?

        You do need client-to-client in order for the remote networks to reach each other. Otherwise they could only reach the main site. There is no alternative way to have them communicate directly unless you build a web of interconnecting tunnels rather than routing centrally. Depending on the bandwidth available, having each node interconnected to the others may be a more complex setup but work the smoothest.

        @drummer_adair:

        With the above obviously all connections get access to my data and voice networks. Do I just build firewall rules on my LAN interface to deny those VPNs' networks access to my networks, or should I be doing something more fancy with each OVPN config? I was hoping not to have to do multiple servers for each connection (pretty much why I switched from IPSec).
        Which BTW for the last two weeks using OpenVPN has made my life much more enjoyable.
        I had a couple of my VPNs on dynamic WANs that I always had trouble with using IPSec.

        Yes, just put rules on LAN to deny access to the networks that they should not see. In 2.0 you can also put filters on the OpenVPN interface (You can do this on 1.2.3 with some fiddling also: http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3 )

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • drummer_adair

          I must have something wrong.
          From a connected client I can't ping any other client's pool address (the 192.168.0.0/24 network).
          I can however ping them all from the server, and the clients can ping the server.
          I think I read somewhere that it takes some static routes for me to be able to ping from one client's LAN to another, right?
          Or are my server config options wrong?

          • jimp (Rebel Alliance Developer, Netgate)

            Double check your route/csc iroute setup, as mentioned here:
            http://doc.pfsense.org/index.php/OpenVPN_iroute_in_CSC_seems_to_have_no_effect


            • drummer_adair

              Ok, getting further now.

              I re-created my custom options on my OVPN server to include each remote subnet in its own "route" statement.
              Before I had "route 192.168.0.0 255.255.0.0".

              Now I have "route 192.168.2.0 255.255.255.0; route 192.168.3.0 255.255.255.0;" etc. One for each remote network.
              And am still pushing my two local subnets.

              I know technically the /16 was encompassing all of the above but I didn't like the broadness and I don't know what subnets I will be connecting to in the future. I'd rather add a new statement each time I add a tunnel and know for sure what's routed where. Any thoughts on this other than my tunnel restarts anytime I add a route?

              I also found that putting a static route on any two client routers for another remote subnet allowed me to route traffic thru the server to the remote network. Nice.

              I can see where something like OSPF, RIP or OLSRD would make life easier as the network grows.
              Any comments on which of the above routing protocols would be the best to use in my OVPN setup and what it would take to configure it? Or is there a way to have the server tell all connected clients about the other subnets?

              Lastly, there is no way other than to set up a client-server connection with each peer in the network to route traffic between sites directly instead of via the server connection, correct?

              • jimp (Rebel Alliance Developer, Netgate)

                @drummer_adair:

                Any thoughts on this other than my tunnel restarts anytime I add a route?

                Doing them separately may be needed internally for OpenVPN, but I haven't tried to be certain. I know the route and iroute have to match up, but I don't know if a more general route statement works for certain. Doing them separately is probably safer. Even if the server does restart, the clients will reconnect in about a minute.

                @drummer_adair:

                I can see where something like OSPF, RIP or OLSRD would make life easier as the network grows.
                Any comments on which of the above routing protocols would be the best to use in my OVPN setup and what it would take to configure it? Or is there a way to have the server tell all connected clients about the other subnets?

                Personally, I use OSPF, but I use it with shared key site-to-site tunnels. It might work with a PKI setup, but I've never tried it. Since OpenVPN doesn't present real interfaces for clients to the server in PKI mode, I'm not sure if OSPF (or any routing protocol) would work since OpenVPN usually needs the internal route (iroute) statements.

                @drummer_adair:

                Lastly, there is no way other than to set up a client-server connection with each peer in the network to route traffic between sites directly instead of via the server connection, correct?

                Correct.

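As an added example (not from this thread, pfSense or OpenVPN itself), a small checker for the point jimp makes above: every CSC iroute needs a matching server-side route and vice versa, and one broad route covering many remote subnets hides which client owns what. The server options mirror the first post; the client names and the 192.168.2.0/24, 192.168.3.0/24, 172.16.5.0/24 and 10.9.0.0/24 subnets are constructed for illustration.

```python
import ipaddress
# Constructed sample modelled on the thread (client names and the 192.168.2/3,
# 172.16.5 and 10.9.0 subnets are hypothetical): the server "custom options" as
# pfSense shows them, semicolon-separated, plus one Client Specific Override per client.
SERVER_OPTIONS = ('route 192.168.0.0 255.255.0.0;push "route 192.168.1.0 255.255.255.0";'
                  'push "route 192.168.100.0 255.255.255.0";route 10.9.0.0 255.255.255.0')
CSC_OPTIONS = {
    "branch1": "iroute 192.168.2.0 255.255.255.0;iroute 192.168.3.0 255.255.255.0",
    "phone1": "iroute 192.168.3.0 255.255.255.0",  # also claimed by branch1
    "camera1": "iroute 172.16.5.0 255.255.255.0",  # no server route covers it
}

def parse_directives(text):
    """Split a semicolon-separated options string into (directive, args) pairs, unwrapping push "..."."""
    pairs = []
    for raw in (s.strip() for s in text.split(";")):
        if raw.startswith("push"):
            pairs.append(("push", raw[4:].strip().strip('"')))
        elif raw:
            name, _, rest = raw.partition(" ")
            pairs.append((name, rest.strip()))
    return pairs

def to_network(args):
    """'192.168.2.0 255.255.255.0' -> IPv4Network('192.168.2.0/24')."""
    addr, mask = args.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(server_options, csc_options):
    """Return (code, detail) findings for server route / CSC iroute mismatches."""
    findings = []
    routes = [to_network(a) for d, a in parse_directives(server_options) if d == "route"]
    iroutes = [(c, to_network(a)) for c, body in csc_options.items()
               for d, a in parse_directives(body) if d == "iroute"]
    for client, net in iroutes:
        # the server kernel needs a route into the tunnel before the iroute can matter
        if not any(net.subnet_of(r) for r in routes):
            findings.append(("IROUTE_WITHOUT_ROUTE", f"{client}: {net} has no covering route"))
        for other, onet in iroutes:  # two clients claiming one subnet: no unambiguous owner
            if client < other and net.overlaps(onet):
                findings.append(("IROUTE_OVERLAP", f"{client} and {other} both claim {net}"))
    for r in routes:
        claimed = [net for _, net in iroutes if net.subnet_of(r)]
        if not claimed:  # routed into the tunnel, but no client will accept it
            findings.append(("ROUTE_WITHOUT_IROUTE", f"{r}: no client iroute claims it"))
        elif len(claimed) > 1:  # e.g. the original /16 covering every remote /24
            findings.append(("BROAD_ROUTE", f"{r} covers {len(claimed)} iroutes"))
    return findings
```

Running `audit(SERVER_OPTIONS, CSC_OPTIONS)` on the sample flags the shared 192.168.3.0/24, the uncovered camera subnet, the unclaimed 10.9.0.0/24 route and the broad /16; a one-route-per-subnet layout like the one adopted later in the thread returns no findings.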
                • drummer_adair

                  Thanks for all the info.
                  Just trying to make sure I understand how everything works and squeeze the most out of it.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.