Netgate Discussion Forum
    Road-Warrior-VPN + Peer to Peer-VPN: Connection to only one OpenVPN server?

    • N
      Nachtfalke
      last edited by

      Hi,

      I have got one pfsense running an OpenVPN Server as Road-Warrior with SSL/TLS. I use this server to connect mobile clients with their OpenVPN client. This is working.

      Now I want to install on another location a pfsense as an OpenVPN client. It should use SSL/TLS, too (Peer-to-Peer SSL).

      Now my question is, can I connect this pfsense OpenVPN Client with Peer to Peer SSL to the same OpenVPN Server as the Road-Warrior clients?
      Peer to Peer SSL <--> RoadWarrior SSL?

      Can someone explain to me the difference between the OpenVPN Server RoadWarrior and OpenVPN Server Peer-to-Peer functionality?

      Thanks in advance!

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        If you don't require a username and password, then you could run the site-to-site on it as well (you'd need to set up a Client Specific Override with an iroute back to the client subnet). Usually though it's best to keep those on two completely separate VPN instances. There's not a whole lot of advantages to combining the two into one OpenVPN instance.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • N
          Nachtfalke
          last edited by

          @jimp:

          If you don't require a username and password, then you could run the site-to-site on it as well (you'd need to set up a Client Specific Override with an iroute back to the client subnet). Usually though it's best to keep those on two completely separate VPN instances. There's not a whole lot of advantages to combining the two into one OpenVPN instance.

          Ok, thank you for that.

          I'm running three instances of OpenVPN servers at the moment with three different CAs, so there is not the possibility to cross connect. Could I realize this easier with the CAs, or do I need three different ones?

          Thanks a lot!

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            You could run them on the same CA, but they could connect to the other instances as you mention. If you want to micromanage things you could set up a CRL for each VPN and list the certs there you don't want to connect to a specific VPN, but that's tough to maintain. Much easier to just keep a separate CA for each.

            • DonnyD
              Donny
              last edited by

              @jimp:

              You could run them on the same CA, but they could connect to the other instances as you mention. If you want to micromanage things you could set up a CRL for each VPN and list the certs there you don't want to connect to a specific VPN, but that's tough to maintain. Much easier to just keep a separate CA for each.

              Hello Jimp,

              I understood your explanation above. I have some questions about the OpenVPN road warrior CA.
              To explain:
              1. I have 1 OpenVPN Server site and 4 OpenVPN client sites, and all of the client sites use the same CA that I created on the OpenVPN server site.
              2. I also created a separate CA for OpenVPN road warriors on the OpenVPN server site. Is this the best way, to use a separate CA for road warriors?
                 Or can I use the same CA that the 4 OpenVPN client sites have used?

              I just would like to learn how to use OpenVPN "CA" in the correct way.

              Thank u

              Donny

              • N
                Nachtfalke
                last edited by

                Hi Donny,

                you are asking the same question as me. :)

                If you have two different CAs, one for site-to-site VPN and another CA for Road-Warrior VPN, then the site-to-site clients cannot connect to the RoadWarrior VPN but only to the site-to-site VPN.
                The Road-Warrior clients can only connect to the Road-Warrior VPN but not to the site-to-site VPN.

                But it would technically be no problem to use just one CA for both VPNs (site-to-site and RoadWarrior). But if you choose just one CA, then the RoadWarrior client can connect to the RoadWarrior VPN and the site-to-site VPN, and of course the site-to-site client can connect to the RoadWarrior VPN.

                So what you use is up to you. A reason could be the firewall rules:
                Example: If the site-to-site VPN has full access firewall rules but the RoadWarriors should only have access to some IPs, then it could be a problem, because a RoadWarrior could connect to the site-to-site VPN and gain full access to the network.

                So in your case I would think about what is easier to configure and easier to maintain in the future.

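The trade-off jimp and Nachtfalke describe above (separate CA per VPN instance versus one shared CA with a per-instance CRL), as an added shell demo using the openssl CLI; this is not code from the thread or from pfSense. It assumes openssl is installed, and all CA, client and file names are constructed for the example.

```shell
#!/bin/sh
# Constructed demo: two independent CAs versus one shared CA plus a per-VPN CRL.
# Assumes the openssl CLI; everything is written to a throwaway temp directory.
set -e
WORK="$(mktemp -d)"; cd "$WORK"
make_ca() {   # $1 = CA name -> self-signed $1.key / $1.crt
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -days 30 -subj "/CN=$1" >/dev/null 2>&1
}
issue_cert() {   # $1 = issuing CA, $2 = client name -> $2.crt signed by $1
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -out "$2.crt" -days 30 >/dev/null 2>&1
}
# Returns 0 when a VPN instance trusting CA $1 would accept client cert $2
# (the TLS verification step); $3 is an optional CRL the instance checks.
accepts() {
  if [ -n "$3" ]; then
    openssl verify -crl_check -CAfile "$1.crt" -CRLfile "$3" "$2.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1
  fi
}
# Design 1: separate CAs. A road-warrior cert can never pass the site-to-site
# instance (and vice versa) with nothing further to maintain.
make_ca s2s-ca;  make_ca rw-ca
issue_cert s2s-ca site-b;  issue_cert rw-ca laptop
# Design 2: one shared CA. Both certs chain to it, so cross-connecting is only
# blocked by a CRL on each instance listing the certs it must reject.
make_ca shared-ca
issue_cert shared-ca site-c;  issue_cert shared-ca phone
cat > shared.cnf <<'EOF'
[ ca ]
default_ca = shared
[ shared ]
database         = index.txt
crlnumber        = crlnumber
certificate      = shared-ca.crt
private_key      = shared-ca.key
default_md       = sha256
default_crl_days = 30
EOF
touch index.txt; echo 01 > crlnumber
# CRL for the site-to-site instance only: the road-warrior cert is rejected there.
openssl ca -config shared.cnf -revoke phone.crt >/dev/null 2>&1
openssl ca -config shared.cnf -gencrl -out s2s-instance.crl >/dev/null 2>&1
```

Each extra instance on the shared CA needs its own CRL kept in sync as certs are added, which is the maintenance burden jimp refers to.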
                • DonnyD
                  Donny
                  last edited by

                  If you have two different CAs, one for site-to-site VPN and another CA for Road-Warrior VPN, then the site-to-site clients cannot connect to the RoadWarrior VPN but only to the site-to-site VPN.
                  The Road-Warrior clients can only connect to the Road-Warrior VPN but not to the site-to-site VPN.

                  Thank u Nachtfalke

                  I have been confused about this. Because I have tested OpenVPN site-to-site and road warrior VPN with separate CAs. Road warrior clients can connect to site-to-site clients, and site-to-site clients can also connect to road warrior clients, when I used the advanced configuration option in the tunnel, and it is working.

                  Example: OpenVPN server + road warrior site A, OpenVPN client site B and OpenVPN client site C

                  "Road Warrior" on server site A, in Advanced configuration of the tunnel, I use:
                  push "route 10.66.76.0 255.255.255.0"; (OpenVPN Client site B LAN subnet)

                  "OpenVPN Client site B", in Advanced configuration of the tunnel, I use:
                  route 172.31.23.0 255.255.255.0; (Road Warrior tunnel network on server site)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.