[Solved] Need clarification on site to site shared key



  • I'm trying to link 3 sites together using OpenVPN P2P shared key.  Site A is the server and Site B and C being the client.  Do I need to have an additional server on a different port setup to accommodate site C or can all this be done using one OpenVPN port?  Site A and B do need to talk to each other but Site C only needs to talk to Site A.



  • With P2P shared key, you need a server instance for each client. If you use certificates then you can have multiple P2P clients on a server.
    I did shared key for a while, then when I had 5 or 6 sites I decided the certificate method was easier to manage. It's up to you, but if you think your site to site network will grow, then IMHO consider doing certificates from the start.



  • Thanks for the clarification.  I have site A (server) and site B (client) talking to each other using shared key.  I have site C (client) talking to site A.  The problem I'm having now is site C talking to site B.  I tried issuing a route command from the client advanced options but was still unable to contact site B.

    I assume the virtual tunnel from site A to site B should be different from site A to site C.


  • Rebel Alliance Developer Netgate

    In your setup you need:

    A: Server, has route to B in its tunnel config for B, and a route to C in its tunnel config for C.
    B: Client, has routes to A and C in its config to A
    C: Client, has routes to A and B in its config to A

    Everyone needs routes to everyone else. Then so long as your OpenVPN firewall rules allow it, it should work as expected.



  • I assume the virtual tunnel from site A to site B should be different from site A to site C.

    Yes, you need to use a different tunnel subnet on each OpenVPN link.



  • @jimp:

    In your setup you need:

    A: Server, has route to B in its tunnel config for B, and a route to C in its tunnel config for C.
    B: Client, has routes to A and C in its config to A
    C: Client, has routes to A and B in its config to A

    Everyone needs routes to everyone else. Then so long as your OpenVPN firewall rules allow it, it should work as expected.

    Thank you.  I'll try it this evening before I break something else.  Any chance of updating the wiki to include the scenario of 3-5 sites using shared key?  The separate instances of servers for each additional client and different tunnels for each client would have saved a lot of time.

    Edit: Got it working now.  At first it didn't work so I removed the Remote Network settings so they were blank and filled in both routes for each appropriate site until I got to site B where I realized I forgot to put in the subnet mask in the route statement.  Wasn't about to change them all back just to see if it works that way.

    Edit2: Site C will not always be up, will this affect communication between site A and B?


  • Rebel Alliance Developer Netgate

    @CuriousG:

    Edit2: Site C will not always be up, will this affect communication between site A and B?

    Avoid using "edit" to ask questions. It does not notify that the post was updated the same way a reply does.

    If C is just another client, it won't affect anything between And B.

    If A were down, then B could not reach C, but that is the only failure that would be a problem.



  • @jimp:

    @CuriousG:

    Edit2: Site C will not always be up, will this affect communication between site A and B?

    Avoid using "edit" to ask questions. It does not notify that the post was updated the same way a reply does.

    If C is just another client, it won't affect anything between And B.

    If A were down, then B could not reach C, but that is the only failure that would be a problem.

    Thanks.  It makes perfect sense if A was down since it is the "server".  Only reason I asked is I got a call today that they weren't able to reach A from B but since this user is a handful in the first place I didn't know what to think when I activated site C and everything was fine.