[pfSense-2.0.1] OpenVPN Site to Site, with multiple clients



  • Hi!

    I'm trying to set up a big central VPN server so I have a single access point to all my sites (about ten clients).

    I'm OK with an OpenVPN server and 1 client.

    When I try to join another site, the client takes the same IP address as the 1st one…

    Is there a possibility to have multiple clients? Have I just missed an option?

    My server mode is Peer to Peer (SSL/TLS). Does it mean that it's just one peer with another?

    I've made a certificate for each client; my tunnel network is 10.200.0.0/24 (so a lot of addresses...)

    Thanks for your help!

    Ask if I've forgotten some details.

    Jerem.



  • Give us a network map with some specifics and re-clarify what you're trying to do.  Then tell us again what is not working… because this statement:

    "When I try to join another site, the client takes the same IP address than the 1st one..."

    Does not make sense :)



  • Well, sorry if I wasn't clear…

    I want to join all my sites on one VPN so I don't have to connect to a PPTP VPN for maintenance.

    I have pfSense 2.0.1 at all my sites.

    At my main site I've made an OpenVPN server, with a tunnel network of 10.200.0.0/24.

    I've made a certificate for a client, which can connect without error; everything is fine.

    On the tunnel network, it automatically takes the 10.200.0.2 address (10.200.0.1 is the server).

    So I've tried to make a second site, with a second certificate, and when it connects, it also takes the 10.200.0.2 address...

    So my question is: is it possible to have multiple clients on that kind of config?

    Have I missed something, or do I have to modify the VPN type?

    Hope that I've been clear this time...

    Thanks.



  • Check this howto: http://forum.pfsense.org/index.php/topic,48667.0.html

    What are your Client Specific Override settings and Server Advanced Settings?



  • I believe you have two choices.

    1.  keep your tunnel @ 10.200.0.0/24, but go to a client/server setup and use client specific overrides -> http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)  I think this needs some updating but most of it's there.

    2.  stay peer-to-peer and create separate /30 tunnels for each client and change the port… i.e. 1st on 1194, 2nd on 1195, etc.


  • Rebel Alliance Developer Netgate

    Make sure each site has a unique certificate, and as mentioned on the wiki article, set up the routes and iroutes in the client-specific overrides as needed. Then it doesn't matter who gets what IP; the routes will match up properly.

    Also make sure you are putting the full tunnel network in (10.200.0.0/24) ONLY on the server – do not fill that in on the clients.



  • Hi!

    So, with your help, I've found my problem, but I haven't found my solution yet! :)

    I had only one client working because on my server I had Remote Network set to the LAN of my first client. (sorry…)

    To sum up:

    Server:
    LAN:  10.0.1.0/24
    Tun:  10.200.0.0/24

    Client1:
    LAN: 10.5.1.0/24

    Client2:
    LAN: 10.1.3.0/24

    When I delete the Remote Network setting on my server, my 2 clients take different IPs on the tun network.

    BUT!

    My Client1 LAN is unreachable from my server LAN.
    My server LAN is reachable from my Client1 LAN.

    My pfSense server pings everyone on the Client1 LAN,
    but no one on my server LAN can ping anyone on the Client1 LAN.

    When I run this from my server LAN:

    tracert 10.5.1.49

    it goes directly out my server's WAN.

    To sum up, this is just a routing problem.

    On my OpenVPN server, in Advanced I have:
    route 10.5.1.0 255.255.255.0;

    I also have in my Client Specific Overrides an entry with my certificate name, which says:

    Tunnel Network: 10.200.0.0/24
    Advanced:  iroute 10.5.1.0 255.255.255.0;

    I've probably just not found the correct syntax for my Advanced routing in OpenVPN....

    Last question: why does everyone on the tun network take 2 IP addresses? My server is 10.200.0.1, 10.200.0.2; my client1 is 10.200.0.9, 10.200.0.10.

    Thanks.
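An added example, not from any of the posts above and not pfSense's own code, for the route/iroute layout this thread converges on. Given the tunnel network, the server LAN and each client's LAN keyed by its certificate common name, it emits the `route` lines for the server's Advanced box, the matching `iroute` line for each Client Specific Override, the route pushed so clients can reach the server LAN, and refuses overlapping networks. It also lists the address pairs OpenVPN's default net30 topology hands out, which is why every endpoint shows two tunnel addresses. Assumptions, labelled in the code: the common names and sample networks are constructed to mirror the thread; under net30 the server holds the first /30 and the pool allocates later /30 blocks, but which block a given client receives depends on the pool state, so only the pairing inside a block is fixed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample mirroring the thread's address plan; the common names are assumed.
TUNNEL = "10.200.0.0/24"
SERVER_LAN = "10.0.1.0/24"
CLIENT_LANS = {
    "site1-client": "10.5.1.0/24",   # certificate CN -> LAN behind that client
    "site2-client": "10.1.3.0/24",
}


def mask_form(net: ipaddress.IPv4Network) -> str:
    """Render a network as 'address netmask', the form route/iroute expect."""
    return f"{net.network_address} {net.netmask}"


def check_overlaps(tunnel: str, server_lan: str, client_lans: Dict[str, str]) -> List[str]:
    """Describe every overlapping pair; an empty list means the plan is sound.
    Two LANs that overlap cannot both be routed over one tunnel, and a LAN that
    overlaps the tunnel network would swallow the tunnel endpoints themselves."""
    nets = {"tunnel": ipaddress.ip_network(tunnel),
            "server LAN": ipaddress.ip_network(server_lan)}
    for cn, lan in client_lans.items():
        nets[cn] = ipaddress.ip_network(lan)
    names = list(nets)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def build_site_to_site(tunnel: str, server_lan: str,
                       client_lans: Dict[str, str]) -> Dict[str, object]:
    """Directives for a multi-client SSL/TLS server:
    - 'server_advanced': one kernel 'route' per client LAN, all on the server
      (the server's single Remote Network field only ever fits one client);
    - 'client_overrides': the 'iroute' per CN telling OpenVPN which client owns that LAN;
    - 'push_to_clients': the route pushed so every client can reach the server LAN."""
    problems = check_overlaps(tunnel, server_lan, client_lans)
    if problems:
        raise ValueError("; ".join(problems))
    server_advanced = []
    client_overrides = {}
    for cn, lan in client_lans.items():
        net = ipaddress.ip_network(lan)
        server_advanced.append(f"route {mask_form(net)};")
        client_overrides[cn] = [f"iroute {mask_form(net)};"]
    pushed = [f'push "route {mask_form(ipaddress.ip_network(server_lan))}";']
    return {
        "server_advanced": server_advanced,
        "client_overrides": client_overrides,
        "push_to_clients": pushed,
    }


def net30_addresses(tunnel: str, n_clients: int) -> Dict[str, Tuple[str, str]]:
    """(local, peer) tunnel addresses under OpenVPN's default net30 topology.
    Assumption: the server owns the first /30 and the pool hands out the following
    /30 blocks in order. A real pool may skip blocks, so the index is illustrative;
    the two addresses inside one block are what a given endpoint always sees."""
    base = int(ipaddress.ip_network(tunnel).network_address)

    def addr(n: int) -> str:
        return str(ipaddress.ip_address(n))

    out = {"server": (addr(base + 1), addr(base + 2))}
    for i in range(1, n_clients + 1):
        block = base + 4 * i
        out[f"client{i}"] = (addr(block + 2), addr(block + 1))
    return out


if __name__ == "__main__":
    cfg = build_site_to_site(TUNNEL, SERVER_LAN, CLIENT_LANS)
    print("Server > Advanced:", *cfg["server_advanced"], sep="\n  ")
    for cn, lines in cfg["client_overrides"].items():
        print(f"Override for {cn}:", *lines, sep="\n  ")
    print("Pushed to clients:", *cfg["push_to_clients"], sep="\n  ")
    for name, (local, peer) in net30_addresses(TUNNEL, 2).items():
        print(f"{name}: local {local}, peer {peer}")
```

The `route` line on the server installs the kernel route into the tunnel interface; the `iroute` in the override is what lets OpenVPN pick the right client for that prefix once more than one is connected, which is why both are needed and why only the server, never the clients, carries the full tunnel network.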



  • Hi,

    After a lot of tests, I can't find my solution.

    So I decided to burn everything and start again…

    And... surprise! Everything works... :)

    I think that I had problems with my certificate.

    Now it's all good.

