    Multiple Openvpn sites which all need to see each other

    thetallkid:

      I have an Openvpn server and 2 sites, all with different subnets. I defined routes from client 1 to client 2 and client 2 to client 1. However, both clients can only see the server but not connect to each other.

      I've experimented with different settings, searched the forums, but haven't been able to solve this issue.

      Can Openvpn be set up in a mesh, where all sites can access the subnets of all the other sites? If so, how do I do it?

      jimp (Netgate developer):

        Yes, that works fine, provided each node has the proper routes, and the OpenVPN firewall rules allow the traffic through.

        Also you'd need to make sure there aren't any conflicting subnets of course.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        thetallkid:

          Subnets are 10.0.41.1, 10.0.60.1, 10.80.5.1.
          I used the wizard to get openvpn started since it does it all neatly, including the default firewall rule.

          Each of the clients can connect to the main openvpn server. They just can't talk to each other.

          Here is an example of the routes setup in the Advanced Config box and Openvpn firewall rules

          ![Screen Shot 2012-12-24 at 9.34.08 AM.jpg](/public/imported_attachments/1/Screen Shot 2012-12-24 at 9.34.08 AM.jpg)
          ![Screen Shot 2012-12-24 at 9.45.06 AM.jpg](/public/imported_attachments/1/Screen Shot 2012-12-24 at 9.45.06 AM.jpg)

          bardelot:

            The clients have to be told about the subnets for which the traffic should be directed through the OpenVPN tunnel

            Add the following in the advanced config:
            push "route 10.0.42.0 255.255.255.0";
            push "route 10.0.60.0 255.255.255.0";

            and create two client specific overrides with the following advanced config:

            1. client with 10.0.42.0 subnet
              iroute 10.0.42.0 255.255.255.0;

            2. client with 10.0.60.0 subnet
              iroute 10.0.60.0 255.255.255.0;

            thetallkid:

              iroutes in the client overrides didn't work. The two sites can still only connect to the main openvpn server but still can't connect to each other's subnets.

              phil.davis:

                Maybe you also need to check the box for:
                Inter-client communication - Allow communication between clients connected to this server
                that will put the client-to-client directive into the OpenVPN server conf file.
                Also, I guess there was a typo above:

                > Subnets are 10.0.41.1, 10.0.60.1, 10.80.5.1.

                But the examples use "42" rather than "41". Just double-check which is the correct subnet address.
                Also, the unstated assumption is that 10.80.5.1 is the server, and the others are the 2 clients.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                bardelot:

                  @thetallkid:

                  > iroutes in the client overrides didn't work. The two sites can still only connect to the main openvpn server but still can't connect to each other's subnets.

                  You need to verify the routing tables on the server and the clients.

                  Also just to make it clear because you only mentioned the iroutes, the advanced config for the server should be:
                  route 10.0.42.0 255.255.255.0;
                  route 10.0.60.0 255.255.255.0;
                  push "route 10.0.42.0 255.255.255.0";
                  push "route 10.0.60.0 255.255.255.0";

                  thetallkid:

                    Update on the subnets. I changed them to make it easier to keep track of. Also I'm using 2.1 BETA1 at all 3 locations.
                    Couldn't find the option that Phil mentioned in his post: Inter-client communication - Allow communication between clients connected to this server

                    Server/Central location subnet - 10.0.41.1
                    Tunnel Network - 10.0.44.1

                    Client Site 1 - 10.80.5.1 (Client Settings --> Advanced --> iroute 10.80.5.0 255.255.255.0;)

                    Client Site 2 - 10.80.7.1 (Client Settings --> Advanced --> iroute 10.80.7.0 255.255.255.0;)

                    Attached is the Advanced Config for the Server/Central location with the push settings as suggested by bardelot.
                    Still no go.

                    ![Screen Shot 2012-12-27 at 8.20.38 AM.jpg](/public/imported_attachments/1/Screen Shot 2012-12-27 at 8.20.38 AM.jpg)

                    bardelot:

                      You do not need the 'push "route 10.0.41.0 255.255.255.0"' option when filling out the settings as attached. I also marked the 'Inter-client communication setting' (not available with Peer to Peer mode).

                      tunnel_settings.png

                      thetallkid:

                        Does the Server Mode need to be changed from Peer to Peer (Shared Key), to something else for this to work?

                        bardelot:

                          Peer to Peer mode only allows communication between the server and a client. If you need communication between the clients, the easiest option is to use 'Remote Access' mode. For the 'Client Specific Overrides' you want to use SSL/TLS as well.

                          thetallkid:
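                          The three-layer routing that bardelot lays out above (a kernel `route` on the hub, an `iroute` in each client's override, and a `push "route"` so the other spokes learn the subnet), together with the server-mode point that Shared Key has no client overrides, can be checked mechanically. The following is an added example for this thread, not pfSense or OpenVPN code: it parses the text of the server's Advanced configuration box and each Client Specific Override and reports which directive is missing for each spoke, plus overlapping subnets. Site names, subnets, interface roles and the mode labels are assumptions.

```python
"""
Consistency check for a pfSense OpenVPN hub with several spoke sites.
Added example for this thread; it is not pfSense or OpenVPN code. The
server mode labels, site names and subnets are assumptions.
"""
import ipaddress
import re
from itertools import combinations

SHARED_KEY = "Peer to Peer (Shared Key)"   # pfSense mode label, assumed


def normalize(spec):
    """'10.80.5.0 255.255.255.0' or '10.80.5.0/24' -> '10.80.5.0/24'."""
    parts = spec.split()
    if len(parts) == 2:
        spec = f"{parts[0]}/{parts[1]}"
    return str(ipaddress.ip_network(spec, strict=False))


def parse_directives(text):
    """Split an Advanced configuration box into (keyword, args) tuples.
    pfSense passes the box through to OpenVPN, so ';' or a newline ends a
    directive and '#' starts a comment."""
    result = []
    for chunk in re.split(r"[;\n]", text):
        chunk = chunk.split("#", 1)[0].strip()
        if chunk:
            parts = chunk.split(None, 1)
            result.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return result


def pushed_routes(directives):
    """Subnets the server hands to every client via push "route ..."."""
    nets = set()
    for kw, args in directives:
        inner = args.strip().strip('"')
        if kw == "push" and inner.startswith("route "):
            nets.add(normalize(inner[len("route "):]))
    return nets


def check_mesh(server_mode, server_cfg, overrides, spokes, hub_lan, tunnel):
    """Return (errors, notes).

    spokes:    {client_name: 'network mask'} for the LAN behind each spoke
    overrides: {client_name: text of that client's CSO advanced box}
    """
    errors, notes = [], []
    if server_mode == SHARED_KEY:
        errors.append("Shared Key carries one peer per server instance and "
                      "has no Client Specific Overrides, so iroute cannot be "
                      "used; run one instance per spoke or switch to SSL/TLS.")
        return errors, notes

    # Overlapping address space breaks routing whatever the directives say.
    named = {"hub LAN": normalize(hub_lan), "tunnel": normalize(tunnel)}
    named.update({f"spoke {n}": normalize(s) for n, s in spokes.items()})
    for (a, na), (b, nb) in combinations(named.items(), 2):
        if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
            errors.append(f"{a} {na} overlaps {b} {nb}")

    directives = parse_directives(server_cfg)
    kernel_routes = {normalize(a) for k, a in directives if k == "route"}
    pushed = pushed_routes(directives)

    for name, subnet in spokes.items():
        net = normalize(subnet)
        # 1. the hub kernel must send the subnet into the tun interface
        if net not in kernel_routes:
            errors.append(f"server: add 'route {subnet}' so the hub kernel "
                          f"hands {net} to the OpenVPN interface")
        # 2. OpenVPN must know which connected client owns the subnet
        iroutes = {normalize(a) for k, a in
                   parse_directives(overrides.get(name, "")) if k == "iroute"}
        if net not in iroutes:
            errors.append(f"override for {name}: add 'iroute {subnet}' so "
                          f"OpenVPN delivers {net} to that client")
        # 3. the other spokes must learn the subnet from the server
        if net not in pushed:
            errors.append(f"server: add push \"route {subnet}\" so the other "
                          f"spokes route {net} into the tunnel")

    if any(k == "client-to-client" for k, _ in directives):
        notes.append("client-to-client set: OpenVPN forwards spoke-to-spoke "
                     "traffic internally, bypassing the OpenVPN tab rules")
    else:
        notes.append("client-to-client unset: spoke-to-spoke traffic passes "
                     "through the hub kernel and must be allowed by firewall "
                     "rules on the OpenVPN tab")
    return errors, notes
```

                          Paste the two boxes in verbatim; the checker is deliberately strict about exact network/mask pairs because a `route` for 10.0.42.0/24 beside an `iroute` for 10.0.41.0/24, the kind of slip phil.davis spotted above, produces two separate findings rather than silently passing.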

                            Setup a new server in Remote Access (SSL/TLS) mode. Followed the instructions in the previous posts and did the two clients. Status showed up for server and clients. However, no traffic flowed in any direction.

                            Been staring at this for awhile, so taking a break.

                            ![Remote Desktop Picture.jpg](/public/imported_attachments/1/Remote Desktop Picture.jpg)
                            ![Screen Shot 2012-12-27 at 9.01.29 PM.jpg](/public/imported_attachments/1/Screen Shot 2012-12-27 at 9.01.29 PM.jpg)

                            bardelot:

                              Tick the "Provide a virtual adapter IP address to clients (see Tunnel Network)" checkbox. You should not enter the tunnel network in the client overrides if it is the same network.

                              thetallkid:

                                I'll give the Tinc package a try, because this isn't working for me as a VPN mesh. At some point I will figure out what the correct settings are.

                                jimp (Netgate developer):

                                  OpenVPN works fine for that, if you get all of the routes and such right.

                                  Here is a multi-site howto for SSL/TLS

                                  http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

                                  Or you could do it with shared key tunnels you'd just need one server instance per side instead of one common server instance.

                                  http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29

                                  If the traffic doesn't go the way you want, it's down to a few things:

                                  • routes (AND iroutes if you use ssl/tls)
                                  • firewall rules
                                  • whether or not the VPNs actually connect and are up
                                  • whether or not you have policy routing rules forcing the LAN traffic out a WAN bypassing the VPN
                                  • If you used IPsec previously, make sure there are no overlapping p2's (and if you removed them, also check the SPD tab on IPsec status to make sure they really are gone)

                                  Checking the routing table, traceroute, and packet captures should lead to a fairly straightforward answer about where the traffic is or isn't going.

                                  kevotman:
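                                  jimp's first two checks above (are the routes right, and is the tunnel actually up) can be read off `netstat -rn` on the pfSense box: a site subnet with no route of its own falls through to the default route and leaves via the WAN. The following is an added example for this thread, not pfSense or OpenVPN code: it parses FreeBSD `netstat -rn` output with longest-prefix matching and reports any site subnet whose best route does not leave through the OpenVPN interface. The routing table and the interface names (ovpns1, em0, em1) are constructed for illustration.

```python
"""
Verify from `netstat -rn` output that every remote site subnet leaves
through the OpenVPN interface rather than the default route. Added
example, not pfSense code; the routing table below is constructed.
"""
import ipaddress

# Constructed FreeBSD `netstat -rn` output for a hub whose OpenVPN server
# interface is ovpns1 and whose WAN is em0; site 2's route is missing.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.41.0/24       link#2             U           em1
10.0.41.1          link#2             UHS         lo0
10.0.44.0/24       10.0.44.2          UGS      ovpns1
10.0.44.1          link#7             UHS         lo0
10.0.44.2          link#7             UH       ovpns1
10.80.5.0/24       10.0.44.2          UGS      ovpns1
127.0.0.1          link#4             UH          lo0
203.0.113.0/24     link#1             U           em0

Internet6:
Destination        Gateway            Flags     Netif Expire
::1                link#4             UH          lo0
"""


def parse_netstat(text):
    """Return [(network, gateway, flags, netif)] for the IPv4 section."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        fields = line.split()
        if not in_v4 or len(fields) < 4 or fields[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)  # host entries become /32
        routes.append((net, fields[1], fields[2], fields[3]))
    return routes


def lookup(routes, address):
    """Longest-prefix match, as the FreeBSD kernel resolves the next hop."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def check_site_routes(netstat_text, sites, vpn_iface):
    """sites: {label: 'network/prefix'}; returns a list of problems found."""
    routes = parse_netstat(netstat_text)
    problems = []
    for label, cidr in sites.items():
        net = ipaddress.ip_network(cidr, strict=False)
        # probe the first usable host so a /24 is not confused with a /32 entry
        hit = lookup(routes, str(net.network_address + 1))
        if hit is None:
            problems.append(f"{label} {cidr}: no route at all")
        elif hit[3] != vpn_iface:
            problems.append(f"{label} {cidr}: leaves via {hit[3]} through "
                            f"{hit[0]} (gateway {hit[1]}), expected {vpn_iface}")
    return problems


if __name__ == "__main__":
    for p in check_site_routes(SAMPLE_NETSTAT,
                               {"site1": "10.80.5.0/24", "site2": "10.80.7.0/24"},
                               "ovpns1"):
        print(p)
```

                                  Run the same check on each spoke with the client interface (ovpnc1 on pfSense) as `vpn_iface`; a subnet that resolves to the WAN interface on the hub means the `route` directive is missing, while the same symptom on a spoke means the `push "route"` never arrived, which in turn usually means the tunnel is not up. Policy-routing rules on the LAN tab, jimp's fourth item, act before this table and are not visible in it.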

                                    Sorry to bump a dead topic, but I've been running into this exact same issue!

                                    I'm able to get any clients connecting to the main site via site-to-site, but I'm unable to have the clients see each other. I've tried to switch to Remote Access (SSL) but I'm never able to pass traffic after that change. When I tracert to the main site it stops at the client firewall.

                                    Also, does anybody know if you need to reboot after any of these changes? I only ask because I'm unable to restart the main site's firewall very often as it links 15 sites to the head office via IPsec. We just need to get off IPsec and onto OpenVPN, we also want to be able to connect to any of the external sites while we're at one of them.

                                    Please help me out, as this is driving me insane!

                                    mikeisfly:

                                      I would try restarting the OpenVPN service for the corresponding site instead of restarting pfSense. Also make sure you create the rules allowing traffic to pass to each site. I ran into that mistake, thinking that the rules were auto-generated. They are only auto-generated when you use the wizard.

                                      kevotman:

                                        Shouldn't I just have a rule accepting all OpenVPN traffic on every client + the host, and also a rule accepting the port on the WAN?

                                        After restarting the openvpn service I'm passing traffic. Now I just need to get client to client working! :)

                                        So, I'm unable to get client to client working. I have the inter-client box checked, but they're unable to get anywhere. I've tried with push settings and without. Is there anything I'm missing?

                                        kevotman:

                                          Good news. It's working! It's just our one site that's not connecting properly, and of course that was the one I was using for testing.

                                          Great guides posted by everybody.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.