Linking multiple OpenVPN networks together
-
Now I was trying to get this working for a few days.
Right now, I have 3 pfSense boxes active.
Box 1: KVM-based VPS
Boxes 2 and 3: PCs serving as routers, one for my local network and another for my friend's.Box 1 is up and running with 1 remote access VPN server [for individual clients] and 2 peer-to-peer (site-to-site) VPN servers [for the other boxes].
Boxes 2 and 3 are linked in a site-to-site VPN, allowing my local network and my friend's network to communicate. In addition, both are linked to Box 1 in individual site-to-site VPNs.So then, what was the objective?? Enabling the remote access clients connected to Box 1 to communicate with the local networks of Boxes 2 and 3, and vice versa.
Here is how it was done. First, a few subnets.
Subnet 1: 10.3.7.0/24. This is the tunnel subnet for the clients connected to the remote access server (Box 1).
Subnet 2: 10.5.7.0/24. This is the tunnel subnet for the site-to-site link between Box 2 (my network) and Box 1.
Subnet 3: 10.22.4.0/24. This is the subnet for my network (Box 2, LAN).
Subnet 4: 10.4.7.0/24. This is the tunnel subnet for the site-to-site link between Box 3 (friend's network) and Box 1.
Subnet 5: 192.168.0.0/24. This is the subnet for my friend's network (Box 3, LAN).Site-to-Site between Box 1 and 2.
Box 1 is configured with a Peer-to-Peer (shared key) server. Box 2 is configured to connect to this server as a client. The tunnel network here is 10.5.7.0/24. For Box 1, the local network was configured as 10.3.7.0/24 [part 1 in allowing the local network of Box 2 to communicate with the remote access clients and vice versa] and the remote network was configured as 10.22.4.0/24 [allowing Box 1 to communicate with the local network of Box 2]. For Box 2, the remote network was configured as 10.3.7.0/24 [part 2 in allowing the local network of Box 2 to communicate with the remote access clients and vice versa].Site-to-Site between Box 1 and 3.
Box 1 is configured with another Peer-to-Peer (shared key) server. Box 3 is configured to connect to this second server as a client. The tunnel network here is 10.4.7.0/24. For Box 1, the local network was configured as 10.3.7.0/24 [part 1 in allowing the local network of Box 3 to communicate with the remote access clients] and the remote network was configured as 192.168.0.0/24 [allowing Box 1 to communicate with the local network of Box 3]. For Box 3, the remote network was configured as 10.3.7.0/24 [part 2 in allowing the local network of Box 3 to communicate with the remote access clients and vice versa].Remote Access Server.
Now I add a Remote Access (SSL/TLS + User Auth) server to Box 1. Individual clients connect to this third server. The tunnel network here is 10.3.7.0/24. The following options are added to "Advanced Configuration".
push "route 10.4.7.0 255.255.255.0"; (allows access to Box 3)
push "route 10.5.7.0 255.255.255.0"; (allows access to Box 2)
push "route 192.168.0.0 255.255.255.0"; (part 3 in allowing the local network of Box 3 to communicate with the remote access clients and vice versa)
push "route 10.22.4.0 255.255.255.0"; (part 3 in allowing the local network of Box 2 to communicate with the remote access clients and vice versa)I would note that I assigned interfaces to the virtual ports on all 3 boxes.
- For Box 1, all 3 server ports (ovpnsX) were assigned interfaces. Each interface was enabled with a type of "None". In the routing panel, the gateway for each interface was set as "dynamic". The remote access server port was assigned an interface named "RAV1". The Monitor IP was defined as 10.3.7.1. The site-to-site server port for Box 2's connection was assigned an interface named "SSV1". The Monitor IP was defined as 10.5.7.1. The site-to-site server port for Box 3's connection was assigned an interface named "SSV2". The Monitor IP was defined as 10.4.7.1.
- For Boxes 2 and 3, the client port connecting to Box 1 was assigned an interface named "SSV2". For Box 2, The Monitor IP was 10.5.7.1, and for Box 3, 10.4.7.1.
After rebooting all 3 pfSense boxes came the end result.
- On Box 1, all 3 interfaces (RAV1, SSV1, SSV2) showed their Monitor IPs as their assigned IP addresses. SSV1 & SSV2 showed the tunnel IP addresses assigned to Boxes 2 & 3 [respectively] as their gateway IP addresses. RAV1 showed 10.3.7.2 as its gateway IP address.
- On Boxes 2 and 3, interface SSV2 showed its Monitor IP as its gateway IP address, and the IP address assigned was as received from Box 1.
But then there's the firewall rules…
- In this case, I would note the rules for OpenVPN as a whole meant nothing, having assigned the OpenVPN ports in this matter to separate interfaces. I added rules to pass all traffic that matched the gateways of the respective interfaces.
The end result? Objective accomplished!
- The local networks of Boxes 2 and 3 can now communicate with the remote access clients connected to Box 1, and vice versa, without any need for port forwarding.
- Example 1. I have 2 SIP-based IP phones that connect to an Asterisk box over the Internet. Since both are behind the same internet connection, I configured them to connect on different ports: one on 5060 and one on 5061. However, after joining my Asterisk box to the remote access server on Box 1, both phones were able to connect to my PBX on the tunnel IP address assigned to it by Box 1, using port 5060. Checking the SIP peers on my Asterisk box showed both of the IP phones with their local network addresses.
Now begs the question… Was there an easier way to accomplish this objective?