Netgate Discussion Forum

    One server profile for each remote location, 1:1 ratio

    OpenVPN
    8 Posts 2 Posters 3.0k Views
    probie

      Can anyone confirm this?  You can ONLY have one OpenVPN server profile for each remote site?  I have been racking my brain for the last 24 hours getting a hub and spoke set up with one server profile to several remote sites and it does not seem to work.  It seems to somewhat work.  Remote Site A would connect and at random Remote Site B would connect, causing Remote Site A to disconnect, and vice versa.  This is using PKI with and w/o TLS authentication.

      jimp (Rebel Alliance Developer, Netgate)

        It works fine with SSL/TLS for one server and multiple remotes. Easier to accomplish on 2.0. Covered on the doc wiki.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        probie

          Thanks Jimp.  I tried and can't seem to get it to work.  Ended up doing a 1:1 setup.

          ----------------------------------------
          On the server side, I have :

          Server mode: Peer to Peer SSL/TLS
          Protocol: UDP
          Direct Mode: tun
          Interface: WAN
          Local Port: 1194

          TLS Authentication: Enabled
          TLS key: auto generate
          Per CA: Local CA using Cert Manager
          Server Cer:  Local Cert Using Cert Manager
          DH Parameter: 1024
          Encryption: BF-CBC

          Tunnel Network: 10.10.10.0/24

          Local Network: 192.168.96.0/22
          Remote Network: Blank

          Advance Option:
          route 192.168.1.1 255.255.255.0 (remote A)
          route 192.168.2.0 255.255.255.0 (remote B)

          Client Specific Override for remote A
          common name: remotea.testsdomain.com (same as CN on local certificate on remote A PFSense)
          Advance Option:
          push "route 192.168.96.0 255.255.252.0";
          push "route 192.168.2.0 255.255.255.0";

          Client Specific Override for remote B
          common name: remoteb.testsdomain.com (same as CN on local certificate on remote B PFSense)
          Advance Option:
          push "route 192.168.96.0 255.255.252.0";
          push "route 192.168.1.0 255.255.255.0";


          Remote A PFS side:

          Server mode: Peer to Peer SSL/TLS
          Protocol: UDP
          Direct Mode: tun
          Interface: WAN

          Server host: ip of server side
          Server port: 1194

          TLS Authentication: Enabled
          TLS key: use key generated from server side
          Per CA: CA Server from the server
          Server Cer:  Local Cert Using Cert Manager
          DH Parameter: 1024
          Encryption: BF-CBC

          Tunnel Network: 10.10.10.0/24

          Local Network: 192.168.1.0/24
          Remote Network: Blank


          Remote B PFS side:

          Server mode: Peer to Peer SSL/TLS
          Protocol: UDP
          Direct Mode: tun
          Interface: WAN

          Server host: ip of server side
          Server port: 1194

          TLS Authentication: Enabled
          TLS key: use key generated from server side
          Per CA: CA Server from the server
          Server Cer:  Local Cert Using Cert Manager
          DH Parameter: 1024
          Encryption: BF-CBC

          Tunnel Network: 10.10.10.0/24

          Local Network: 192.168.2.0/24
          Remote Network: Blank


          Please advise where I am going wrong.  What I notice is that both Remote A and Remote B have the same virtual tunnel IP address of 10.10.10.2.  I know that couldn't be right.  So on the server side, in the client specific override, I changed the tunnel to 10.10.10.0/30 for Remote A and 10.10.10.4/30 for Remote B and it still does not work.

          Any insight would be greatly appreciated.

            jimp (Rebel Alliance Developer, Netgate)

            Read the doc wiki article. You are missing iroutes, may have other errors but it's all covered on the wiki.


              probie

              I am assuming the wiki link is http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL).  If not please correct me.

              So, to be clear.  I need to add the iroute on the server side in the "Client Specific Override" section.
              Please correct me if I am wrong.

              Client Specific Override for remote A
              common name: remotea.testsdomain.com (same as CN on local certificate on remote A PFSense)
              Advance Option:
              iroute 192.168.96.0  255.255.252.0
              push "route 192.168.96.0 255.255.252.0"; remove this one?
              push "route 192.168.2.0 255.255.255.0";

              Client Specific Override for remote B
              common name: remoteb.testsdomain.com (same as CN on local certificate on remote B PFSense)
              Advance Option:
              iroute 192.168.96.0  255.255.252.0
              push "route 192.168.96.0 255.255.252.0"; remove this one?
              push "route 192.168.1.0 255.255.255.0";

                jimp (Rebel Alliance Developer, Netgate)

                You don't need to push routes in the override.

                Add the pushes and route statements for all subnets in the main server config

                Only add iroutes in the override.


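The split jimp describes (route and push "route" for every subnet in the main server config, only the iroute in each client override) is easy to get backwards, as the overrides posted earlier in this thread show. The script below is an added example, not pfSense or OpenVPN project code: it parses a hub config and a set of client overrides and reports where the layout breaks that rule, including an iroute that has no matching server-side route, an iroute claimed by two clients, and a route line whose address has host bits set (192.168.1.1 with a /24 mask instead of 192.168.1.0). The server config, the two override variants and the client-config-dir path are constructed to mirror the subnets and common names in this thread; they are not the poster's real files.

```python
"""Sanity-check the route / push / iroute split of an OpenVPN hub-and-spoke
server.  Added example, not pfSense or OpenVPN project code.

Rule being checked (from jimp's reply above):
  * 'route' and 'push "route ..."' for every subnet live in the main
    server config;
  * each client override (CCD entry) carries only the iroute for that
    client's own LAN, and nothing else.
All sample configs below are constructed; the ccd path is hypothetical.
"""
import ipaddress
import re

ROUTE_RE = re.compile(r'^\s*(iroute|route)\s+(\S+)\s+(\S+)', re.M)
PUSH_RE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"', re.M)

# Constructed hub config mirroring the thread's subnets (not the poster's file).
SERVER_CONF = """\
dev tun
proto udp
port 1194
server 10.10.10.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/ccd
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
push "route 192.168.96.0 255.255.252.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
"""

# Overrides as first posted in the thread: iroute points at the hub LAN and
# pushes are inside the override.  Keyed by the client certificate CN.
CCD_FIRST_TRY = {
    "remotea.testsdomain.com": 'iroute 192.168.96.0 255.255.252.0\n'
                               'push "route 192.168.2.0 255.255.255.0"\n',
    "remoteb.testsdomain.com": 'iroute 192.168.96.0 255.255.252.0\n'
                               'push "route 192.168.1.0 255.255.255.0"\n',
}

# Overrides following jimp's advice: one iroute each, for the client's own LAN.
CCD_FIXED = {
    "remotea.testsdomain.com": "iroute 192.168.1.0 255.255.255.0\n",
    "remoteb.testsdomain.com": "iroute 192.168.2.0 255.255.255.0\n",
}


def to_network(net, mask):
    """Return (network, host_bits_set) for an OpenVPN 'address netmask' pair."""
    iface = ipaddress.ip_interface(f"{net}/{mask}")
    return iface.network, iface.ip != iface.network.network_address


def parse_directives(text):
    """Collect route, iroute and push "route" directives from one config text."""
    routes, iroutes, pushes, sloppy = set(), set(), set(), []
    for kind, net, mask in ROUTE_RE.findall(text):
        network, host_bits = to_network(net, mask)
        if host_bits:  # e.g. 'route 192.168.1.1 255.255.255.0'
            sloppy.append(f"{kind} {net} {mask}")
        (iroutes if kind == "iroute" else routes).add(network)
    for net, mask in PUSH_RE.findall(text):
        pushes.add(to_network(net, mask)[0])
    return routes, iroutes, pushes, sloppy


def check_hub(server_conf, ccd):
    """Return a list of problems; an empty list means the layout follows the rule."""
    problems = []
    s_routes, s_iroutes, s_pushes, s_sloppy = parse_directives(server_conf)
    problems += [f"server: host bits set in '{d}'" for d in s_sloppy]
    problems += [f"server: iroute {n} belongs in a client override" for n in s_iroutes]
    owner = {}  # network -> CN that claimed it with an iroute
    for cn, text in ccd.items():
        c_routes, c_iroutes, c_pushes, c_sloppy = parse_directives(text)
        problems += [f"{cn}: host bits set in '{d}'" for d in c_sloppy]
        if c_pushes or c_routes:
            problems.append(f"{cn}: route/push in the override; move it to the server config")
        if not c_iroutes:
            problems.append(f"{cn}: no iroute, so the hub cannot map this client's LAN to its tunnel")
        for n in c_iroutes:
            if n not in s_routes:
                problems.append(f"{cn}: iroute {n} has no matching 'route' in the server config")
            if n not in s_pushes:
                problems.append(f"{cn}: {n} is not pushed, so the other spokes will not route to it")
            if n in owner:
                problems.append(f"{cn}: iroute {n} is already claimed by {owner[n]}")
            owner.setdefault(n, cn)
    return problems


if __name__ == "__main__":
    for label, ccd in (("first try", CCD_FIRST_TRY), ("fixed", CCD_FIXED)):
        print(f"== {label} ==")
        for line in check_hub(SERVER_CONF, ccd) or ["ok"]:
            print(" ", line)
```

Run it as-is and the "first try" overrides produce five findings (pushes inside both overrides, an iroute with no matching server-side route, and the second client claiming a subnet the first already owns) while the "fixed" set is clean. To use it against a real pfSense box, read the generated server config and the files in its client-config-dir into `SERVER_CONF` and the `ccd` dict; the checker only looks at route, iroute and push "route" lines, so other directives are ignored.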
                  probie

                  I see, got it.  Thanks again Jimp.  Will try it tonight.

                  One other question, since both Remote A and Remote B are getting the same virtual tunnel IP, should I still leave the tunnel network as /30 in the "Client Specific Override"?  i.e. 10.10.10.0/30 for the Remote A override and 10.10.10.4 for the Remote B override

                    probie

                    Jimp.  The iroute command worked in the client override.  I left /30 in the tunnel network in the client override.  Thank you so much.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.