Netgate Discussion Forum

Multiple Site-to-Site OpenVPN

OpenVPN
9 Posts 3 Posters 6.5k Views
    mnsmani
    last edited by Apr 1, 2007, 12:32 PM Apr 1, 2007, 7:37 AM

    One more question from me (expecting an answer this time, one that will solve my problem :(  :( )

    I have defined two Site-to-Site OpenVPN entries (different names, different ports, different locations). The problem is that only the first Site-to-Site entry ever works. If I disable the first, then the second works. If both are enabled, there is no entry in System Logs - OpenVPN at all.

    Why? Will pfSense OpenVPN not allow a second Site-to-Site entry? Please, someone help.

      sh_man
      last edited by Apr 1, 2007, 3:12 PM

      I am running two site-to-site OpenVPNs and a road warrior OpenVPN on the same server with no problems  ;) (well, there were a few, but most are sorted).

      Please post how you have configured it on the server and we will see what we can do to help. The best way is to back up the config and copy the relevant bits from the XML into a post.

        mnsmani
        last edited by Apr 1, 2007, 3:20 PM

        My config file looks like this:

        <openvpnserver>
          <config>
            <disable/>
            <protocol>UDP</protocol>
            <dynamic_ip>on</dynamic_ip>
            <local_port>11150</local_port>
            <addresspool>192.168.100.0/24</addresspool>
            <nopool/>
            <start_address>192.168.19.1</start_address>
            <end_address>192.168.19.254</end_address>
            <local_network>192.168.19.0/24</local_network>
            <remote_network/>
            <client2client>on</client2client>
            <crypto>BF-CBC</crypto>
            <auth_method>pki</auth_method>
            <shared_key/>
            <ca_cert>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</ca_cert>
            <server_cert>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</server_cert>
            <server_key>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</server_key>
            <dh_params>LS0tLS1CRUdJTiBESCBQQVJBTUVURVJTLS0tLS0KTUlHSEFvR0JBTDZpWnY4Y1c1NmczZjlEL2VVUUxwb3pqQlZ6akFmT25iVnJYaHJYdDNzVEtTb0pYeEx4MjYrQQpYRmNRNkhBNktTanBKT0gyRnJFN0pRVFA5b3djeUVJd0duVkk4Y3JZeHFPSEhtb2s4dnRsNDFDeFVJYkpoanUwClYyNUJMU2FSd2pFOFdSL3c3dDR3VlVDM1ZicjJkaW9LNlhxYU1KSXRYMnVzaWd6bUhTSExBZ0VDCi0tLS0tRU5EIERIIFBBUkFNRVRFUlMtLS0tLQo=</dh_params>
            <crl/>
            <use_lzo>on</use_lzo>
            <custom_options/>
            <description>creek tower vpn</description>
          </config>
          <config>
            <disable/>
            <protocol>TCP</protocol>
            <dynamic_ip>on</dynamic_ip>
            <local_port>1111</local_port>
            <addresspool>192.168.19.0/24</addresspool>
            <nopool/>
            <local_network/>
            <remote_network>192.168.1.0/24</remote_network>
            <client2client/>
            <crypto>BF-CBC</crypto>
            <auth_method>shared_key</auth_method>
            <shared_key>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</shared_key>
            <ca_cert/>
            <server_cert/>
            <server_key/>
            <dh_params/>
            <crl/>
            <use_lzo>on</use_lzo>
            <custom_options/>
            <description>DubaiandHyd</description>
          </config>
          <config>
            <disable/>
            <protocol>TCP</protocol>
            <dynamic_ip>on</dynamic_ip>
            <local_port>1114</local_port>
            <addresspool>192.168.19.0/24</addresspool>
            <nopool/>
            <local_network/>
            <remote_network>192.168.0.0/24</remote_network>
            <client2client/>
            <crypto>BF-CBC</crypto>
            <auth_method>shared_key</auth_method>
            <shared_key>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</shared_key>
            <ca_cert/>
            <server_cert/>
            <server_key/>
            <dh_params/>
            <crl/>
            <use_lzo>on</use_lzo>
            <custom_options/>
            <description>LahoretoDubai</description>
          </config>
        </openvpnserver>

        Let me explain something. I have my own interface from which you can set up Site to Site / Site to User. When you set up Site to Site, say between locations A and B, I add Server A and Client A; similarly, in site B, I add Server B and Client B. Client B is for Server A and Client A is for Server B.

        Also, I am posting the Client portion of Server A (both posts are from Server A):

        <openvpnclient>
          <config>
            <disable/>
            <protocol>TCP</protocol>
            <serveraddr>cust00004.hyd-v5-test.v5edgeserver.net</serveraddr>
            <serverport>1112</serverport>
            <interface_ip>192.168.19.0/24</interface_ip>
            <remote_network/>
            <proxy_hostname/>
            <proxy_port/>
            <crypto>BF-CBC</crypto>
            <auth_method>shared_key</auth_method>
            <shared_key>LS0tLS1CRUdJTiBPcGVuVlBOIFN0YXRpYyBrZXkgVjEtLS0tLQ0KYWJjZGVmMTIzNDU2Nzg5YWJjZGVmMTIzNDU2Nzg5YWJjZGVmMTIzNDU2Nzg5DQphYmNkZWYxMjM0NTY3ODlhYmNkZWYxMjM0NTY3ODlhYmNkZWYxMjM0NTY3ODkNCmFiY2RlZjEyMzQ1Njc4OWFiY2RlZjEyMzQ1Njc4OWFiY2RlZjEyMzQ1Njc4OQ0KYWJjZGVmMTIzNDU2Nzg5YWJjZGVmMTIzNDU2Nzg5YWJjZGVmMTIzNDU2Nzg5DQphYmNkZWYxMjM0NTY3ODlhYmNkZWYxMjM0NTY3ODlhYmNkZWYxMjM0NTY3ODkNCmFiY2RlZjEyMzQ1Njc4OWFiY2RlZjEyMzQ1Njc4OWFiY2RlZjEyMzQ1Njc4OQ0KYWJjZGVmMTIzNDU2Nzg5YWJjZGVmMTIzNDU2Nzg5YWJjZGVmMTIzNDU2Nzg5DQotLS0tLUVORCBPcGVuVlBOIFN0YXRpYyBrZXkgVjEtLS0tLQ==</shared_key>
            <ca_cert/>
            <client_cert/>
            <client_key/>
            <use_lzo>on</use_lzo>
            <custom_options/>
            <description>DubaiandHyd</description>
          </config>
          <config>
            <disable/>
            <protocol>TCP</protocol>
            <serveraddr>121.247.124.90</serveraddr>
            <serverport>1113</serverport>
            <interface_ip>192.168.19.0/24</interface_ip>
            <remote_network/>
            <proxy_hostname/>
            <proxy_port/>
            <crypto>BF-CBC</crypto>
            <auth_method>shared_key</auth_method>
            <shared_key>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</shared_key>
            <ca_cert/>
            <client_cert/>
            <client_key/>
            <use_lzo>on</use_lzo>
            <custom_options/>
            <description>LahoretoDubai</description>
          </config>
        </openvpnclient>

        I tried protocol UDP, but for testing I changed it to TCP to find out whether it works.

        Expecting your reply.

          mnsmani
          last edited by Apr 1, 2007, 3:25 PM

          1. Dubai and Hyd
          2. LahoretoDubai

          are the two site-to-site tunnels; only one is working.
          The server port in Dubai will be the client port in Hyderabad. The server port in Hyderabad will be the client port in Dubai.
          Of course, the first entry in openvpnserver is working fine for site-to-road-warrior.

          Any more clarifications... please...

            sh_man
            last edited by Apr 1, 2007, 3:43 PM

            The first thing that jumps out is that you have used the same address pool for all the VPNs; they need to be unique. Try changing them and see what happens.

            If you have routing problems from the far end try adding

            push "route xx.xx.xx.xx 255.255.255.0 vpn_gateway"

            to the custom options box, where xx.xx.xx.xx is the server's local network.

              mnsmani
              last edited by Apr 1, 2007, 3:58 PM

              As far as I understand, addresspool is the server address / source address which the other site will be accessing; remote is the one which will be available at the destination. Since I defined two site-to-site tunnels, it is the same across both. It is like two branch offices wanting to see all the computers in the head office.

                sh_man
                last edited by Apr 1, 2007, 4:13 PM

                It does not work like that - I think, anyway - I did not write this  :)

                The addresses in that address pool need to be unique to that VPN.

                It is used to create the server and client addresses and they need to be unique to each tunnel on that server.

                To get the two VPNs to talk you need to set up routes and push them.

                I have two VPNs that can communicate with the server and its network, and with each other and their networks:

                192.168.1.0/24 (server) -> VPN (192.168.189.0/24) -> 192.168.180.0/24 (client 1)

                192.168.1.0/24 (server) -> VPN (192.168.179.0/24) -> 192.168.170.0/24 (client 2)

                To enable machines on the client 1 network to access the client 2 network, add a static route on client 1 for 192.168.170.0/24 via gateway 192.168.189.1, which is the server end of its VPN.

                To enable machines on the client 2 network to access the client 1 network, add a static route on client 2 for 192.168.180.0/24 via gateway 192.168.179.1, which is the server end of its VPN.

                Hope this helps.

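As an added example (not code from the thread, from mnsmani's interface, or from pfSense itself), here is a small Python script that applies the checks sh_man's two replies above call for: it parses `<openvpnserver>` entries of the shape posted earlier, flags address pools that overlap another tunnel's pool or the firewall's own LAN, flags two entries bound to the same protocol and port, proposes non-overlapping replacement pools, and builds the `push "route ... vpn_gateway"` line for the custom options box. The sample XML is constructed from the posted values with the certificates and keys left out; the LAN 192.168.19.0/24 (taken from the first entry's local_network) and the spare range 10.8.0.0/22 used for replacement pools are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's full config.xml: the same three
# <openvpnserver><config> entries as in the thread, trimmed to the tags the
# checks read, with certificates and keys omitted. <disable/> is kept as an
# empty element, which is how it appears in the posted XML.
SAMPLE_CONFIG = """<pfsense>
  <openvpnserver>
    <config><disable/><protocol>UDP</protocol><local_port>11150</local_port>
      <addresspool>192.168.100.0/24</addresspool><local_network>192.168.19.0/24</local_network>
      <auth_method>pki</auth_method><description>creek tower vpn</description></config>
    <config><disable/><protocol>TCP</protocol><local_port>1111</local_port>
      <addresspool>192.168.19.0/24</addresspool><remote_network>192.168.1.0/24</remote_network>
      <auth_method>shared_key</auth_method><description>DubaiandHyd</description></config>
    <config><disable/><protocol>TCP</protocol><local_port>1114</local_port>
      <addresspool>192.168.19.0/24</addresspool><remote_network>192.168.0.0/24</remote_network>
      <auth_method>shared_key</auth_method><description>LahoretoDubai</description></config>
  </openvpnserver>
</pfsense>
"""


def load_servers(xml_text):
    """Return one dict per <openvpnserver><config> entry with the fields checked below."""
    servers = []
    for entry in ET.fromstring(xml_text).iterfind("openvpnserver/config"):
        servers.append({
            "description": entry.findtext("description", "").strip(),
            "protocol": entry.findtext("protocol", "").strip().upper(),
            "port": int(entry.findtext("local_port", "0")),
            "pool": ipaddress.ip_network(entry.findtext("addresspool", "").strip(), strict=False),
        })
    return servers


def find_pool_conflicts(servers, lan=None):
    """Pools must be unique per tunnel: report every pair of entries whose pools
    overlap, and every pool that overlaps the firewall's own LAN (`lan`)."""
    lan_net = ipaddress.ip_network(lan, strict=False) if lan else None
    findings = []
    for i, a in enumerate(servers):
        if lan_net is not None and a["pool"].overlaps(lan_net):
            findings.append((a["description"], "LAN", str(a["pool"]), str(lan_net)))
        for b in servers[i + 1:]:
            if a["pool"].overlaps(b["pool"]):
                findings.append((a["description"], b["description"], str(a["pool"]), str(b["pool"])))
    return findings


def find_listener_conflicts(servers):
    """Two entries that bind the same protocol and port cannot both start."""
    seen, dupes = {}, []
    for s in servers:
        key = (s["protocol"], s["port"])
        if key in seen:
            dupes.append((seen[key], s["description"], key))
        else:
            seen[key] = s["description"]
    return dupes


def assign_unique_pools(servers, candidate, lan=None):
    """Keep pools that are already unique; give each conflicting entry the next
    free /24 carved from `candidate` (an assumed spare range), never reusing
    space already taken by the LAN or by a pool kept earlier in the list."""
    used = [ipaddress.ip_network(lan, strict=False)] if lan else []
    free = iter(ipaddress.ip_network(candidate).subnets(new_prefix=24))
    result = {}
    for s in servers:
        pool = s["pool"]
        if any(pool.overlaps(u) for u in used):
            pool = next(n for n in free if not any(n.overlaps(u) for u in used))
        used.append(pool)
        result[s["description"]] = str(pool)
    return result


def push_route_option(network):
    """Build the custom-options line sh_man suggests, so the far end learns the
    route to the server's local network through the tunnel."""
    net = ipaddress.ip_network(network, strict=False)
    return f'push "route {net.network_address} {net.netmask} vpn_gateway"'


if __name__ == "__main__":
    lan = "192.168.19.0/24"  # assumed: the LAN behind the server, from the first posted entry
    servers = load_servers(SAMPLE_CONFIG)
    for f in find_pool_conflicts(servers, lan=lan):
        print("pool conflict:", f)
    for d in find_listener_conflicts(servers):
        print("listener conflict:", d)
    print("proposed pools:", assign_unique_pools(servers, "10.8.0.0/22", lan=lan))
    print("custom option:", push_route_option(lan))
```

Run against a real config.xml backup, the `lan` argument should be the firewall's actual LAN subnet; the script reports the two shared-key entries as colliding with each other and with the LAN, keeps the PKI entry's 192.168.100.0/24 because it is already unique, and leaves the client-side `<openvpnclient>` entries alone since the pool is chosen on the server end.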
                  agismaniax
                  last edited by Aug 23, 2007, 6:44 AM

                  I want to implement multiple site-to-site OpenVPN tunnels in the future.
                  Right now I'm testing a single site-to-site tunnel using 1.2-RC1.
                  Office 1 is using dedicated wireless at 128Kbps and Office 2 is using ADSL at 64/384Kbps.
                  The connection is successful, but when I test with ping, I get a lot of RTOs from both sites.

                  Is there any workaround to fix this?

                    agismaniax
                    last edited by Aug 23, 2007, 8:56 AM

                    After resetting the firewall config and resetting the modem, the site-to-site VPN now works smoothly.
                    Thanks...

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.