Site-to-Site OpenVPN with multiple LANs at each site.



  • Hello.  I've begun looking at pfsense to (hopefully) improve my site-to-site VPN setup.

    Currently I have 3 sites, each site has 2 separate networks.

    I currently use 6 IPcop virtual machines set up as squid proxies and OpenVPN devices to allow each ‘A’ network to talk across sites and each ‘B’ network to talk across sites.

    I’d like to try to use one pfsense box at each site instead.

    Here are my networks:

    Site 1:
    Network ‘A’: 192.168.10.0/24
    Network ‘B’: 172.16.0.0/16

    Site 2:
    Network ‘A’: 192.168.20.0/24
    Network ‘B’: 172.17.0.0/16

    Site 3:
    Network ‘A’: 192.168.30.0/24
    Network ‘B’: 172.18.0.0/16

    Each ‘A’ network in sites 2 and 3 should talk to the ‘A’ network at site 1, but not any ‘B’ network.
    Each ‘B’ network in sites 2 and 3 should talk to the ‘B’ network at site 1, but not any ‘A’ network.

    I have an assumption I will need to create four OpenVPN servers on the site 1 pfsense:
    OpenVPN server for Site 1-A to Site 2-A
    OpenVPN server for Site 1-B to Site 2-B
    OpenVPN server for Site 1-A to Site 3-A
    OpenVPN server for Site 1-B to Site 3-B

    And then I would need to create two OpenVPN ‘clients’ at sites 2 and 3:
    OpenVPN client at Site 2 for Site 2-A to 1-A
    OpenVPN client at Site 2 for Site 2-B to 1-B
    OpenVPN client at Site 3 for Site 3-A to 1-A
    OpenVPN client at Site 3 for Site 3-B to 1-B

    Would this work the way I'd like it to?  I noticed that in the OpenVPN server dialog you can enter the local and remote network addresses, while in the client dialog you can only enter the remote network address.  I just want to verify that the networks will only talk to those they are supposed to.

    Thank you in advance!



  • I currently have a setup of:

    Main Site: 7 Subnets Locally and 27 Subnets on MPLS
    Remote 1: 2 Subnets (Lan and WiFi)
    Remote 2: 2 Subnets (Lan and WiFi)

    First step is to make sure that all subnets can communicate by setting up the proper routes.
    Make sure that all your routes are added at each location.
    Two OpenVPN Servers, one for each location.

    Second step is to add firewall rules preventing the communication from specified network to specified network.
    Firewall > Rules > OpenVPN. Set source and destination allow/deny



  • Hi,

    I would suggest you read this how-to:
    http://forum.pfsense.org/index.php/topic,12888.0.html

    This will explain how to make a site-to-site VPN which only needs one OpenVPN server, and a PKI infrastructure instead of a PSK.

    Further, you have the ability to use "Client specific overrides" so that you can push routes from the OpenVPN server to the clients, and so you can push only the routes you want to allow. So one strategy could be to push only the routes you want to allow, or you push all routes to all sites and then do it like twaters wrote, with firewall rules.

    I would probably go the way with firewall rules, because configuring firewall rules to make a temporary connection for some IPs or a subnet would be easier than adding/removing routes.

    In general we can say what you want to do is possible, there are different possibilities to setup the VPN (PKI or PSK) and to use routes or firewall rules to limit traffic.



  • @Nachtfalke:
    Not to mention, but if you ever need to have Site 1 Subnet A talk to Remote Site 1 Subnet B, the route is already established and confirmed. All that is needed is a change in the Firewall Status.
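Editor-added worked example, not code from any post in this thread and not pfSense code: a plain Python model of the "routes first, then firewall rules" design described in the second and third replies. It takes the six networks from the original post and assumes everything else: one tunnel per remote site terminating on two OpenVPN server instances at site 1 (interface names ovpns1/ovpns2 are assumed), an OpenVPN-tab rule set that passes A-to-A and B-to-B only, and the sample addresses. The `reachability()` matrix shows that with routes alone (`ROUTES_ONLY`) site 2-A can reach site 1-B, because the site-1 box has a directly connected route to both of its own LANs whatever tunnel a packet arrives on; the rule set is what separates them. `ccd_override()` shows the directives a client-specific override turns into: the remote site's "Remote Networks" become `iroute` lines and site-1's networks are pushed as routes.

```python
"""Editor-added model of the 'routes first, then firewall rules' design.

Not pfSense code: it reproduces, in plain Python, the two decisions the
site-1 pfSense box makes for a packet arriving from a tunnel: does a route
exist for the destination, and does the OpenVPN-interface rule set pass
it. Networks come from the original post; interface names, the rule set
and the sample addresses are assumptions for illustration."""
import ipaddress

IPNet = ipaddress.IPv4Network

# Networks as listed in the original post.
SITES = {
    1: {"A": IPNet("192.168.10.0/24"), "B": IPNet("172.16.0.0/16")},
    2: {"A": IPNet("192.168.20.0/24"), "B": IPNet("172.17.0.0/16")},
    3: {"A": IPNet("192.168.30.0/24"), "B": IPNet("172.18.0.0/16")},
}
ANY = IPNet("0.0.0.0/0")

# Site-1 routing table once one tunnel per remote site is up: the local
# LANs are directly connected, the remote LANs are learned from the
# client-specific overrides (iroute). Interface names are assumed.
ROUTES = [
    (SITES[1]["A"], "lan_a"), (SITES[1]["B"], "lan_b"),
    (SITES[2]["A"], "ovpns1"), (SITES[2]["B"], "ovpns1"),
    (SITES[3]["A"], "ovpns2"), (SITES[3]["B"], "ovpns2"),
]

# Assumed rule set for Firewall > Rules > OpenVPN on site 1, first match
# wins: any A network may reach site-1 A, any B network may reach site-1
# B, everything else is blocked (pfSense also denies by default).
A_NETS = [s["A"] for s in SITES.values()]
B_NETS = [s["B"] for s in SITES.values()]
RULES = [
    ("pass", A_NETS, [SITES[1]["A"]]),
    ("pass", B_NETS, [SITES[1]["B"]]),
    ("block", [ANY], [ANY]),
]
ROUTES_ONLY = [("pass", [ANY], [ANY])]   # no filtering, routes alone decide


def lookup(dst):
    """Longest-prefix route lookup; returns the egress interface or None."""
    best = None
    for net, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def decide(src, dst, rules=RULES):
    """Fate of a packet entering site 1 over a tunnel: 'no-route', 'pass'
    or 'block'. Rules are evaluated in order, first match wins."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if lookup(dst) is None:
        return "no-route"
    for action, srcs, dsts in rules:
        if any(src in n for n in srcs) and any(dst in n for n in dsts):
            return action
    return "block"   # pfSense default deny


def reachability(rules=RULES):
    """Which remote network can reach which site-1 network, using the first
    host address of each network as a representative."""
    out = {}
    for site in (2, 3):
        for rn in ("A", "B"):
            for ln in ("A", "B"):
                src, dst = SITES[site][rn][1], SITES[1][ln][1]
                out[(f"{site}-{rn}", f"1-{ln}")] = decide(src, dst, rules)
    return out


def ccd_override(site):
    """Text of the client-specific override for a remote site: that site's
    LANs become iroute lines (server routes them to this client) and the
    site-1 LANs are pushed to the client as routes."""
    lines = [f"iroute {n.network_address} {n.netmask}" for n in SITES[site].values()]
    lines += [f'push "route {n.network_address} {n.netmask}"' for n in SITES[1].values()]
    return "\n".join(lines)


if __name__ == "__main__":
    for (src_net, dst_net), fate in reachability().items():
        print(f"{src_net} -> {dst_net}: {fate}")
    print("routes only, 2-A -> 1-B:",
          decide("192.168.20.5", "172.16.0.10", ROUTES_ONLY))
    print(ccd_override(2))
```

Running it prints the eight remote-to-site-1 pairs (four pass, four block), then "pass" for 2-A to 1-B under `ROUTES_ONLY`, which is the case the firewall rule set exists to close.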