Site2site VPN newbie question
-
I have three sites. Internet connection is available on each site by using a VDSL router. So:
Site 1 - HQ:
VDSL 1: Public IP: a.a.a.a, LAN class: 192.168.1.0/24
pfSense: two NICs: WAN IP: 192.168.1.100; LAN: 192.168.151.0/24
Site 2:
VDSL 2: Public IP: b.b.b.b, LAN class: 192.168.2.0/24
pfSense: two NICs: WAN IP: 192.168.2.100; LAN: 192.168.152.0/24
Site 3:
VDSL 3: Public IP: c.c.c.c, LAN class: 192.168.3.0/24
pfSense: two NICs: WAN IP: 192.168.3.100; LAN: 192.168.153.0/24
I want computers on the pfSense LAN at Sites 2 and 3 to communicate with computers on the pfSense LAN at HQ, and vice versa.
Is it OK to do this using OpenVPN or using IPsec? Is it necessary to change some settings on the VDSL routers (like port forwarding, NAT, and so on)?
Thank you
-
I would use OpenVPN.
Put a server at HQ. You will need to forward a port on VDSL 1 from a.a.a.a to 192.168.1.100 - then the pfSense OpenVPN server can listen on that port. If you use Peer to Peer (SSL/TLS) then you can have both clients connect to 1 server. With client-specific overrides you tell it which remote network is at the other end on which client.
The clients from site 2 and site 3 can get out fine to the server at public IP a.a.a.a - so no port forwards or mods to VDSL 2 and VDSL 3 settings needed. -
Thank you phil.davis. So, I don't need to change any settings on VDSL 2 and 3.
Btw, if I extend the number of locations to maybe 10 or 12, do you think one HQ VPN server is enough? I will use the VPN especially for RDP connections from the locations to some LAN machines at HQ. -
It should be fine having 12 clients connect to 1 server at HQ. I have 8 client offices connecting at my HQ.
The OpenVPN server hands out a little /30 subnet of the tunnel network to each client - e.g. if server tunnel network is 192.168.42.0/24 then the server does stuff with 192.168.42.0-3, then gives 4-7 to the first client, 8-11 to the next client… The client tunnel end points will end up being 192.168.42.6 192.168.42.10 etc. Make the tunnel network a full /24 and there is room for the server and 63 clients. -
One more question, and I hope it will be OK (talk to you tomorrow, after the tests, if not ;D)
Is the tutorial here the right one for this purpose?
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29 -
Yes, that tutorial looks good - all the bits for pfSense 2.0 seem reasonable.
-
phil.davis, can you be more specific about the client-specific overrides for the HQ server?
Should I put a line like this for site 2 in the Client Settings -> Advanced section?
iroute 192.168.152.0 255.255.255.0
or something else?
thanks
-
On my server, Client Specific Override, I have:
- Common Name - must be the exact match of the client certificate
- Description - whatever you like
- Advanced:
iroute 10.49.104.0 255.255.255.0
10.49.104.0/24 is the LAN network at the client end of the link.
iroute 192.168.152.0 255.255.255.0
I think you meant:
iroute 192.168.2.0 255.255.255.0
That should work.
Remember that the server itself must have a list of route statements covering all the networks at the various remote clients. -
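The two mechanics phil.davis describes above, the net30 tunnel allocation (server keeps the first /30, clients get .6, .10, ... and a /24 holds 63 clients) and the route/iroute pairing (a `route` on the server for every remote LAN plus a matching `iroute` in that client's override), are easy to get subtly wrong once there are 10 or 12 sites. The script below is an added example, not code from this thread, pfSense or OpenVPN: it takes a site table keyed by certificate Common Name (the names are hypothetical; the LANs are the pfSense LAN networks from the first post and the tunnel network is the 192.168.42.0/24 from the earlier reply), computes the tunnel endpoints each client will receive, emits the equivalent raw OpenVPN `route` and `iroute` directives, and flags an `iroute` with no matching server `route` or remote LANs that overlap each other or the tunnel network.

```python
"""Plan an OpenVPN hub-and-spoke (Peer to Peer SSL/TLS) deployment.

Added example, not pfSense or OpenVPN code. Covers two things the thread
explains: the classic 'topology net30' tunnel allocation, and the pairing of
a server-side 'route' with a per-client 'iroute' for each remote LAN.
"""
import ipaddress

# Constructed site table: hypothetical certificate Common Names mapped to the
# pfSense LAN that sits behind that client (networks from the first post).
SITES = {
    "site2-pfsense": "192.168.152.0/24",
    "site3-pfsense": "192.168.153.0/24",
}
TUNNEL = "192.168.42.0/24"  # tunnel network used in the earlier reply


def net30_capacity(tunnel_network):
    """Clients a tunnel network can hold under net30: one /30 per client,
    minus the /30 the server keeps for itself (a /24 gives 64 - 1 = 63)."""
    net = ipaddress.ip_network(tunnel_network, strict=False)
    return len(list(net.subnets(new_prefix=30))) - 1


def net30_allocation(tunnel_network, client_names):
    """Map 'server' and each client to its (local, peer) tunnel endpoints.

    Block 0 is the server's (.1 local, .2 peer). Client k gets block k and is
    handed the second usable address of that /30 (.6, .10, ...), with the
    first usable (.5, .9, ...) as the server-side endpoint.
    """
    net = ipaddress.ip_network(tunnel_network, strict=False)
    blocks = list(net.subnets(new_prefix=30))
    if len(client_names) > len(blocks) - 1:
        raise ValueError(f"{tunnel_network} holds at most {len(blocks) - 1} net30 clients")
    server_local, server_peer = list(blocks[0].hosts())
    alloc = {"server": (str(server_local), str(server_peer))}
    for name, blk in zip(client_names, blocks[1:]):
        server_side, client_side = list(blk.hosts())
        alloc[name] = (str(client_side), str(server_side))
    return alloc


def _route_args(cidr):
    """'192.168.152.0/24' -> '192.168.152.0 255.255.255.0' (OpenVPN syntax)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.netmask}"


def server_config_lines(sites, tunnel_network):
    """Raw directives the hub needs: the tunnel network itself plus a 'route'
    for every remote LAN, so the server kernel sends that traffic into tun."""
    lines = [f"server {_route_args(tunnel_network)}", "topology net30"]
    ordered = sorted(sites.values(), key=lambda c: ipaddress.ip_network(c, strict=False))
    lines += [f"route {_route_args(cidr)}" for cidr in ordered]
    return lines


def client_overrides(sites):
    """One client-specific override per Common Name: the 'iroute' tells the
    OpenVPN daemon which of its connected clients owns that LAN."""
    return {cn: [f"iroute {_route_args(cidr)}"] for cn, cidr in sites.items()}


def check_plan(server_lines, overrides, tunnel_network):
    """Return problems: an iroute with no matching server route (the kernel
    never hands those packets to OpenVPN), and LANs that overlap each other
    or the tunnel network (ambiguous routing at the hub)."""
    problems = []
    routes = {line.split(" ", 1)[1] for line in server_lines if line.startswith("route ")}
    labelled = [("tunnel", ipaddress.ip_network(tunnel_network, strict=False))]
    for cn, lines in overrides.items():
        for line in lines:
            if not line.startswith("iroute "):
                continue
            addr, mask = line.split()[1:3]
            if f"{addr} {mask}" not in routes:
                problems.append(f"{cn}: '{line}' has no matching server route")
            labelled.append((cn, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    for i, (a_name, a) in enumerate(labelled):
        for b_name, b in labelled[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name} ({a}) overlaps {b_name} ({b})")
    return problems


if __name__ == "__main__":
    print(f"{TUNNEL} holds {net30_capacity(TUNNEL)} net30 clients")
    for name, (local, peer) in net30_allocation(TUNNEL, list(SITES)).items():
        print(f"  {name:14s} local {local:15s} peer {peer}")
    print("\n# server custom options")
    print("\n".join(server_config_lines(SITES, TUNNEL)))
    for cn, lines in client_overrides(SITES).items():
        print(f"\n# client-specific override, Common Name {cn}")
        print("\n".join(lines))
    print("\nproblems:", check_plan(server_config_lines(SITES, TUNNEL), client_overrides(SITES), TUNNEL) or "none")
```

Run it as-is to see the plan for the two sites; to grow to 12 sites, add entries to `SITES` and re-run, and `check_plan` will complain if a new site's LAN collides with an existing one or if a `route` was forgotten on the server side. The directives are the raw OpenVPN form; in the pfSense GUI the server `route` list corresponds to the remote networks you enter on the server, and each `iroute` goes in the Advanced box of the override whose Common Name exactly matches the client certificate.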
OK, finally it's working in the site-to-site Shared Key version of OpenVPN. I have two more questions:
1. When I ping from the Site 2 LAN to the Site 1 LAN, everything is OK, but when I ping from Site 1 (HQ LAN) to Site 2, nothing happens.
2. I have built only one OpenVPN pfSense client so far - Site 2. For the next pfSense OpenVPN client - Site 3, should I use the route command in the custom field on the server side, e.g.:
route 192.168.3.0 255.255.255.0
or something else? I think the client override section on HQ - pfSense Site 1 is useless, because for peer-to-peer shared key server mode I don't need certificates…