OpenVPN for my Metro Ethernet traffic. At a loss



  • I am working with a test environment while I wait for fiber to be built to my 3 locations.  I would like to encrypt my traffic over Metro Ethernet using OpenVPN but I just can't seem to get it working.  I will be going from 3 pfSense boxes, each with their own internet connection, to 3 pfSense boxes, one with the DIA and the other 2 with Metro E.  I already have it up and running without encryption in my test lab.  I have been successful in getting OpenVPN site-to-site shared key to work but I can't force traffic over it.  There will be servers behind each site that will need NAT through the DIA.  Below are some diagrams of what I have set up and what I would like to do.  If anyone has any ideas on how to get my traffic from Site A to Site B and Site A to Site C encrypted, please help!

    Current Setup:

    Ideal Setup:



  • I guess you have put:
    (SiteA OPT1+SiteB WAN) in a subnet - say 192.168.11.0/24 (OPT1 .1, other WAN .2)
    (SiteA OPT2+SiteC WAN) in a subnet - say 192.168.12.0/24 (OPT2 .1, other WAN .2)
    You have probably added routes to SiteA pfSense telling it to get to 10.10.1.0/24 via 192.168.11.2 and 10.10.2.0/24 via 192.168.12.2 - and those routes are being used in preference to an OpenVPN.
    IMHO routes like that are not useful - remove them.
    Then have 1 OpenVPN server listening on OPT1 for connects. SiteB has an OpenVPN client connecting out of WAN to SiteA OPT1 192.168.11.1. Use another subnet as the tunnel network (e.g. 192.168.21.0/24). In the local and remote network fields put the 10.10.0.0/24 and 10.10.1.0/24 networks (around the appropriate way at the server and client end).
    Do a similar thing between SiteA and SiteC.
    Add firewall rules on the OpenVPN tab to allow traffic between the various subnets you need.
    Then OpenVPN should do the adding of routes to the "real" routing tables, and the routes will point through the OpenVPN tunnels, and traffic will go through the OpenVPN.



  • Thanks for the reply.  I actually did almost everything you said to a T before, but I never deleted the routes.

    I am going to reset to factory defaults and retry this.

    I will report back.



  • I now have it using OpenVPN to communicate Site B LAN to Site A LAN but I can't seem to figure out the rules to get Site B to the internet through Site A.

    Right now I have very basic rules which work as described above, but I have removed all the rules I created while trying to figure out how to get Site B internet.   See anything that I have wrong with these rules?  Any ideas on what I need to add to get Site B -> OpenVPN -> Site A -> Internet?








  • I think you will need to use Interfaces (assign) and assign the next OPTn interface to the OpenVPN link. Then put some appropriate allow rules on the interface (like on the OpenVPN tab). Then give the interface a gateway that is the IP at the other end of the OpenVPN tunnel. Then make that the default gateway. All traffic should then exit SiteB pfSense across the OpenVPN rather than the WAN.
    (You could add policy-routing rules on the new OpenVPN interface to select particular traffic and explicitly route it to the new gateway - if the default gateway thing does not work)



  • I have been trying and trying to implement something like you said in your last post but I can't get anything to work.

    I no longer have traffic flowing primarily through the VPN from Site B to Site A, not sure why or what caused it to stop.

    I assigned OPT5 to OpenVPN but I am confused as to what IP to give it and what gateway.

    I have tried the IP of Site A OPT1, OpenVPN Virtual IP, etc.

    With the correct rules applied, I can get traffic flowing just fine from Site B to Site A but not through the VPN.



  • I think you leave the interface type set to none. It uses whatever the OpenVPN tunnel addresses are underneath. The interface assign is just so that you have an interface exposed that you can apply rules to, and a gateway exposed that you can feed traffic into (by adding rules on other interfaces that use "policy-based routing" - selecting a gateway in the advanced section of the rule).
    (All my production OpenVPN site-to-site is just for internal private traffic, so I don't have real-world experience with pushing internet traffic across a VPN  link first before letting it out into internet-land - others feel free to help!)



  • Thank you Phil for all your help.  I finally got it up and running with your help and Jim's help.  Once I got the OPTn set to OpenVPN I had to set outbound NAT on SITE A for SITE B to get out to the public.

    All seems to be working well so far.    Now I will work on getting NAT working for the servers in SITE B through SITE A.
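The configuration Phil describes (one shared-key server per Metro E link on Site A, a client on each spoke, a separate tunnel network, local/remote networks entered at each end) and the later question of sending Site B's internet traffic through Site A can both be written out as plain OpenVPN config. The following is an added example, not the thread's own config and not a file pfSense generated; pfSense builds the equivalent from the GUI fields. The addresses are the ones Phil assumed in his post; the port, key path, cipher/HMAC choice and the Site C values are my assumptions. The commented-out `redirect-gateway def1` is a swapped-in alternative at the OpenVPN layer to the pfSense approach used in the thread (assign an OPTn interface to the tunnel, give it a gateway, policy-route to it); either way Site A must NAT the Site B subnet out its WAN, as the last post found.

```openvpn
### Site A (hub): shared-key server bound to OPT1, one instance per Metro E link.
### Hand-written equivalent of the pfSense shared-key site-to-site settings.
### Remove any static route to 10.10.1.0/24 via 192.168.11.2 first: the kernel
### already holding that prefix stops OpenVPN from installing its own route.
dev tun
proto udp4
local 192.168.11.1              # listen only on the Metro E side (OPT1), not the DIA
lport 1194                      # assumed port; pick a distinct one for the Site C instance
secret /var/etc/openvpn/siteA-siteB.key   # assumed path; identical file on both ends, mode 0600
ifconfig 192.168.21.1 192.168.21.2        # tunnel network from the thread (local, remote)
route 10.10.1.0 255.255.255.0             # "remote network" field: Site B LAN via the tunnel
cipher AES-256-CBC              # static-key mode cannot use AEAD ciphers such as AES-256-GCM
auth SHA256
keepalive 10 60                 # ping every 10 s, restart after 60 s silence
persist-key
persist-tun
verb 3

### Site A, second instance for Site C (assumed values, mirroring the first):
###   local 192.168.12.1 / lport 1195 / a different key file
###   ifconfig 192.168.22.1 192.168.22.2
###   route 10.10.2.0 255.255.255.0

### Site B (spoke): shared-key client going out its WAN (192.168.11.2) to Site A OPT1.
dev tun
proto udp4
remote 192.168.11.1 1194
nobind
secret /var/etc/openvpn/siteA-siteB.key   # same assumed key file as the server
ifconfig 192.168.21.2 192.168.21.1        # reversed relative to the server
route 10.10.0.0 255.255.255.0             # "remote network" field: Site A LAN via the tunnel
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
# Alternative to the OPTn-interface/gateway/policy-routing approach from the thread:
# push Site B's default route into the tunnel (0.0.0.0/1 + 128.0.0.0/1 via 192.168.21.1,
# plus a host route to 192.168.11.1 via the original WAN gateway).  Site A then has to
# NAT 10.10.1.0/24 out its WAN (Firewall > NAT > Outbound) or replies never come back.
# redirect-gateway def1
verb 3
```

Two practitioner caveats. First, the firewall still has to allow the traffic: the rules Phil mentions on the OpenVPN tab apply to packets arriving through the tunnel, and the `route` lines above only decide where packets are sent, not whether they are permitted. Second, shared-key (static key) mode has no forward secrecy and compromise of either box exposes the single key for every past capture; recent OpenVPN releases warn that static-key mode is deprecated, so a TLS/PKI site-to-site (pfSense's SSL/TLS server mode) is the better choice once the basic routing above is proven to work.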