Multiple tunnels, joining multiple sites at a 'hub'



  • Hi folks, I'm one of those really annoying users - enough knowledge to be dangerous, but not enough to be useful!

    pfSense 2.01-i386 in ESX environments -

    I've managed to set up a single OpenVPN client/server tunnel, and traffic is passing between the endpoints. However, I need multiple tunnels, radiating out from a single 'hub', and so far my attempts to get this working have failed.

    If I configure multiple OpenVPN servers on one pfSense VM, only one instance of the OpenVPN service will run (I am specifying different UDP ports for each server).

    If I configure a single OpenVPN server, there's more than one remote network, so how do I specify that in the server configuration?

    Any suggestions as to what I might be doing wrong, or what other methods might be better suited to this?

    Currently I have the following configuration -

    Common
        server mode: peer to peer (shared key)
        protocol: udp
        device mode: tun
        interface: wan
        cryptographic settings: same

    Server (wan 10.240.76.95 lan 172.16.76.0/24)
        tunnel: 172.17.76.0/24
        local: 172.16.76.0/24
        remote: 172.16.0.0/16

    Client (wan 10.240.68.95 lan 172.16.68.0/24)
        tunnel: 172.17.68.0/24
        remote: 172.16.76.0/24



  • You should be able to run multiple OpenVPN servers without problems (on different ports).

    Check the logs to see what errors you get when you try to start a second server.



  • @heper:

    You should be able to run multiple OpenVPN servers without problems (on different ports).

    Check the logs to see what errors you get when you try to start a second server.

    Thanks Heper - I figured it out - I gave up on trying a single server with multiple clients and went back to trying multiple server/client pairs. Where I was going wrong initially turned out to be the tunnel addresses - everything seems to be working now that every server and every client has a unique non-overlapping /30 address space. I'm away from the systems right now so can't check in detail, but yes, progress is being made =:-)
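    As an added example (not from the thread or from pfSense), the following script checks a plan of several shared-key OpenVPN server instances on one hub for the problem described above: tunnel networks that overlap, ports that collide, and remote networks that overlap the hub's own LAN. The instance names and the second site's addresses are constructed for illustration.

    ```python
    import ipaddress
    from itertools import combinations


    def check_tunnels(instances):
        """Return a list of conflicts between planned OpenVPN instances.

        Each instance is a dict: name, port, tunnel, local, remotes (CIDR strings).
        An empty list means the plan has no overlapping tunnels, ports or routes.
        """
        parsed = []
        for inst in instances:
            parsed.append({
                "name": inst["name"],
                "port": inst["port"],
                # strict=True rejects host bits set in the network, e.g. 172.17.76.1/30
                "tunnel": ipaddress.ip_network(inst["tunnel"], strict=True),
                "local": ipaddress.ip_network(inst["local"], strict=True),
                "remotes": [ipaddress.ip_network(r, strict=True) for r in inst["remotes"]],
            })
        problems = []
        # Pairwise checks: each server needs its own port and its own tunnel subnet.
        for a, b in combinations(parsed, 2):
            if a["port"] == b["port"]:
                problems.append(f"{a['name']} and {b['name']} share UDP port {a['port']}")
            if a["tunnel"].overlaps(b["tunnel"]):
                problems.append(f"{a['name']} tunnel {a['tunnel']} overlaps "
                                f"{b['name']} tunnel {b['tunnel']}")
        # Per-instance checks: a remote route must not swallow the hub's own LAN or tunnel.
        for p in parsed:
            for r in p["remotes"]:
                if r.overlaps(p["local"]):
                    problems.append(f"{p['name']} remote {r} overlaps its own LAN {p['local']}")
                if r.overlaps(p["tunnel"]):
                    problems.append(f"{p['name']} remote {r} overlaps its tunnel {p['tunnel']}")
        return problems


    # Constructed sample: two spokes off the hub at 172.16.76.0/24.
    BAD_PLAN = [  # same /30 reused for both servers; one remote covers the hub LAN
        {"name": "to-site68", "port": 1194, "tunnel": "172.17.76.0/30",
         "local": "172.16.76.0/24", "remotes": ["172.16.68.0/24"]},
        {"name": "to-site70", "port": 1195, "tunnel": "172.17.76.0/30",
         "local": "172.16.76.0/24", "remotes": ["172.16.0.0/16"]},
    ]
    GOOD_PLAN = [  # unique, non-overlapping /30 per server/client pair
        {"name": "to-site68", "port": 1194, "tunnel": "172.17.76.0/30",
         "local": "172.16.76.0/24", "remotes": ["172.16.68.0/24"]},
        {"name": "to-site70", "port": 1195, "tunnel": "172.17.76.4/30",
         "local": "172.16.76.0/24", "remotes": ["172.16.70.0/24"]},
    ]

    if __name__ == "__main__":
        for label, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
            print(label, check_tunnels(plan) or "no conflicts")
    ```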


  • You can do the hub-and-spoke style setup with OpenVPN in SSL/TLS mode and a single server - it just has some setup differences.

    See http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29



  • Thanks jimp - I got it working with multiple server endpoints on the one pfsense box. When time allows I'll look into the method you've listed to see if it offers any advantages, and I'll report back here with a comparison.

