Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [Solved] Need clarification on site to site shared key

    Scheduled Pinned Locked Moved OpenVPN
    8 Posts 3 Posters 2.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      CuriousG
      last edited by

      I'm trying to link 3 sites together using OpenVPN P2P shared key.  Site A is the server and Site B and C being the client.  Do I need to have an additional server on a different port setup to accommodate site C or can all this be done using one OpenVPN port?  Site A and B do need to talk to each other but Site C only needs to talk to Site A.

      1 Reply Last reply Reply Quote 0
      • P
        phil.davis
        last edited by

        With P2P shared key, you need a server instance for each client. If you use certificates then you can have multiple P2P clients on a server.
        I did shared key for a while, then when I had 5 or 6 sites I decided the certificate method was easier to manage. It's up to you, but if you think your site to site network will grow, then IMHO consider doing certificates from the start.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        1 Reply Last reply Reply Quote 0
        • C
          CuriousG
          last edited by

          Thanks for the clarification.  I have site A (server) and site B (client) talking to each other using shared key.  I have site C (client) talking to site A.  The problem I'm having now is site C talking to site B.  I tried issuing a route command from the client advanced options but was still unable to contact site B.

          I assume the virtual tunnel from site A to site B should be different from site A to site C.

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            In your setup you need:

            A: Server, has route to B in its tunnel config for B, and a route to C in its tunnel config for C.
            B: Client, has routes to A and C in its config to A
            C: Client, has routes to A and B in its config to A

            Everyone needs routes to everyone else. Then so long as your OpenVPN firewall rules allow it, it should work as expected.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • P
              phil.davis
              last edited by

              I assume the virtual tunnel from site A to site B should be different from site A to site C.

              Yes, you need to use a different tunnel subnet on each OpenVPN link.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              1 Reply Last reply Reply Quote 0
              • C
                CuriousG
                last edited by

                @jimp:

                In your setup you need:

                A: Server, has route to B in its tunnel config for B, and a route to C in its tunnel config for C.
                B: Client, has routes to A and C in its config to A
                C: Client, has routes to A and B in its config to A

                Everyone needs routes to everyone else. Then so long as your OpenVPN firewall rules allow it, it should work as expected.

                Thank you.  I'll try it this evening before I break something else.  Any chance of updating the wiki to include the scenario of 3-5 sites using shared key?  The separate instances of servers for each additional client and different tunnels for each client would have saved a lot of time.

                Edit: Got it working now.  At first it didn't work so I removed the Remote Network settings so they were blank and filled in both routes for each appropriate site until I got to site B where I realized I forgot to put in the subnet mask in the route statement.  Wasn't about to change them all back just to see if it works that way.

                Edit2: Site C will not always be up, will this affect communication between site A and B?

                1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  @CuriousG:

                  Edit2: Site C will not always be up, will this affect communication between site A and B?

                  Avoid using "edit" to ask questions. It does not notify that the post was updated the same way a reply does.

                  If C is just another client, it won't affect anything between And B.

                  If A were down, then B could not reach C, but that is the only failure that would be a problem.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 0
                  • C
                    CuriousG
                    last edited by

                    @jimp:

                    @CuriousG:

                    Edit2: Site C will not always be up, will this affect communication between site A and B?

                    Avoid using "edit" to ask questions. It does not notify that the post was updated the same way a reply does.

                    If C is just another client, it won't affect anything between And B.

                    If A were down, then B could not reach C, but that is the only failure that would be a problem.

                    Thanks.  It makes perfect sense if A was down since it is the "server".  Only reason I asked is I got a call today that they weren't able to reach A from B but since this user is a handful in the first place I didn't know what to think when I activated site C and everything was fine.

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.