Netgate Discussion Forum
    OpenVPN, 3 offices, need help with conf

ZibiX

      Hi.

Can you give me a couple of hints on the configuration of OpenVPN on pfSense?

      I have 3 offices (callcenters using sip).

1. Main office, where the servers are, is office number 1. It has an IP address on the WAN side: x.x.x.x and an IP on the LAN side: 192.168.0.1. The servers have IP addresses: 192.168.0.10, 192.168.0.20, 192.168.0.30

2. Second office is number 2. It has an IP address on the WAN side: y.y.y.y and on the LAN side: 192.168.0.1. On the LAN side the computers of my agents are connected (IPs from 192.168.0.100 to 192.168.0.200 - they get an IP from DHCP on pfSense)

3. Third office is number 3. It has an IP address on the WAN side: z.z.z.z and on the LAN side: 192.168.0.1. On the LAN side the computers of my agents are connected (IPs from 192.168.0.100 to 192.168.0.200 - they get an IP from DHCP on pfSense)

Everything will be clear when you see my drawing :)

      How it must work:
Computers from offices 2 and 3 need to have direct access to the servers in office 1 via an OpenVPN tunnel (it must be one network for these offices).

I know that in office 1 I need to configure an OpenVPN server. In offices 2 and 3 OpenVPN in pfSense must be configured as an OpenVPN client.

      Now questions:
1. Is it possible to connect my offices in the way I have described?
2. Do I need to change the IP addresses in my offices? Do they need to be in different subnets (e.g. 192.168.1.1 in office 1, 192.168.2.1 in office 2, 192.168.3.1 in office 3)?
3. Can you give me any suggestion on the configuration of OpenVPN in pfSense?
4. Do I need to choose special "options" in the configuration of OpenVPN? The connection must be fast and 100% reliable.

      I need to connect all my offices in 2 days :) Thank you for all answers!

      Best regards
      Zbyszek
[attachment: openvpn.jpg]

marvosa

1. Is it possible to connect my offices in the way I have described?
2. Do I need to change the IP addresses in my offices? Do they need to be in different subnets (e.g. 192.168.1.1 in office 1, 192.168.2.1 in office 2, 192.168.3.1 in office 3)?
3. Can you give me any suggestion on the configuration of OpenVPN in pfSense?
4. Do I need to choose special "options" in the configuration of OpenVPN? The connection must be fast and 100% reliable.

        1.  Yes, tunnels to multiple sites are done all the time
        2.  Yes, in a routed solution, each office needs to be on a separate subnet.  I would also stay away from the range of home routers (i.e. 192.168.0.x, 192.168.1.x, 192.168.2.x)… pick something higher in that 3rd octet.
3.  A good start is to search for "site to site" on the wiki.  I believe you need a separate OpenVPN server configured for each tunnel, but someone correct me if I'm wrong on that.
        4.  This depends on your network, but I've only used the advanced section for sites that have multiple subnets that need access.  I would say most setups do not need any advanced options.

phil.davis

Good advice above - it really does pay in the long run to stay away from the private address ranges that are in common use. I avoid 192.168.x.x completely, and go for a chunk of 10.x.n.n - e.g. have 10.77.0.0/24, 10.77.1.0/24 and so on.
          If you really are going to have only 3 (or a few) sites, then you can just use site-to-site pre-shared key. Then you need a separate OpenVPN server for each client. In your example, 2 servers at main office. Each server needs to listen on a different port. Personally I don't use the default 1194 - I pick some other port numbers that are not used for anything, 4444, 4445 …
          You won't need any advanced options. Putting the right subnets in the "local" and "remote" fields will get you all the routes you need.
          Make sure to also choose a different tunnel subnet for each server.

          If you are likely to end up with lots of sites one day, then you can do certificates...

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

ZibiX

            OK thanks for help!

            I have more questions:
1. Should I choose a tun device or a tap device as a standard on the server and clients?
2. Do I need to choose Manual Outbound NAT rule generation instead of Automatic outbound NAT rule generation? Or doesn't it matter what I choose?
3. What is the tunnel subnet? Is it something important in my particular case?
4. If I lose the internet connection in office 1 (OpenVPN server), all OpenVPN clients will disconnect. When the internet is up again in office 1, do I need to manually connect my clients to the server, or do they do it automatically?

            Best regards
            Zbyszek

phil.davis

              1. Use "tun", that is for routing between different subnets at each site. "tap" is for bridging, when you want the same subnet everywhere and broadcast traffic to go across the OpenVPN and be seen everywhere.
              2. You don't need to change any NAT. NAT is not needed between the subnets on your private intranet - they can route happily to each other across the secure OpenVPN links. The internet traffic at each office goes straight out the office WAN/s and the automatic outbound NAT takes care of it. (If, one day, you want to send internet traffic from a branch office across the OpenVPN to the main office, then out to the internet, then you have to mess with manual NAT)
              3. Each office has a LAN subnet, and each OpenVPN link is a subnet - this is the "Tunnel Subnet". Technically the tunnel subnet for a single site-to-site connection can be just 4 addresses (a "/30"). But it is much easier on the brain to give it a "/24". e.g.
              Main Office - 10.77.0.0/24
              Branch 1 - 10.77.1.0/24
              Branch 2 - 10.77.2.0/24
              OpenVPN Tunnel Main to Branch 1 - 10.78.1.0/24
              OpenVPN Tunnel Main to Branch 2 - 10.78.2.0/24

              Make up 10.n.n.0/24 numbers to your liking.

              4. The OpenVPN client keeps trying every 60 seconds, forever until it gets a response. In my experience, OpenVPN is very good at reestablishing itself after 1 end has gone away and come back again.
              If you need Branch 1 and Branch 2 to talk to each other, then make another OpenVPN site-to-site between the 2. Then if Main office is down, branch 1 and 2 can still communicate. Note: It is possible to route from branch 1 to branch 2 via main office, but in this 3 office triangle it is simple to add the 3rd OpenVPN link.

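As an added example that is not part of the thread, the addressing plan phil.davis sketches above, checked for the conditions his answers rely on: every LAN and tunnel subnet disjoint, one listening port per server instance at the main office, and nothing inside the home-router ranges marvosa warns about. The site names are assumed labels; the subnets and ports are the thread's illustrative values, and the 192.168.x.x ranges are the ones named in the replies.

```python
# Added example (not from the thread): checks a routed 3-office OpenVPN
# addressing plan like the one above and emits the pfSense "Local network(s)"
# / "Remote network(s)" values. Names, subnets and ports are illustrative.
from ipaddress import ip_network
from itertools import combinations

# Each site's LAN, and one tunnel per branch: the main office runs a separate
# OpenVPN server instance per tunnel, each on its own port and tunnel subnet.
SITES = {"main": "10.77.0.0/24", "branch1": "10.77.1.0/24", "branch2": "10.77.2.0/24"}
TUNNELS = [  # (server site, client site, tunnel subnet, server port)
    ("main", "branch1", "10.78.1.0/24", 4444),
    ("main", "branch2", "10.78.2.0/24", 4445),
]
HOME_ROUTER_RANGES = [ip_network(f"192.168.{i}.0/24") for i in range(3)]

def plan_problems(sites, tunnels):
    """Return the reasons the plan will not route cleanly (empty list = OK)."""
    problems = []
    nets = {name: ip_network(cidr) for name, cidr in sites.items()}
    nets.update({f"tunnel {a}-{b}": ip_network(t) for a, b, t, _ in tunnels})
    # Routed site-to-site needs every LAN and tunnel subnet to be disjoint;
    # the original plan (192.168.0.0/24 at all three offices) fails here.
    for (n1, s1), (n2, s2) in combinations(nets.items(), 2):
        if s1.overlaps(s2):
            problems.append(f"{n1} ({s1}) overlaps {n2} ({s2})")
    # Two server instances cannot share a listening port.
    ports = [p for *_, p in tunnels]
    if len(ports) != len(set(ports)):
        problems.append(f"duplicate server port(s): {sorted(ports)}")
    # Thread advice: stay out of ranges that home routers use by default.
    for name, s in nets.items():
        if any(s.overlaps(h) for h in HOME_ROUTER_RANGES):
            problems.append(f"{name} ({s}) is in a common home-router range")
    return problems

def pfsense_fields(sites, tunnels):
    """Local/Remote network fields for each server (main) and client (branch)."""
    fields = {}
    for server, client, tunnel, port in tunnels:
        common = {"port": port, "tunnel_network": tunnel}
        fields[(server, client)] = {
            "server": {**common, "local": sites[server], "remote": sites[client]},
            "client": {**common, "local": sites[client], "remote": sites[server]},
        }
    return fields

if __name__ == "__main__":
    print(plan_problems(SITES, TUNNELS) or "plan OK")
    for key, cfg in pfsense_fields(SITES, TUNNELS).items():
        print(key, cfg)
```

Feeding the poster's original plan (192.168.0.0/24 at all three offices) through `plan_problems` reports the overlaps that make a routed tunnel impossible, which is the concrete reason behind answer 2 above.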