Multiple OpenVPN



  • Hi Guys,

    I have questions regarding OpenVPN. We are going to set up OpenVPN on 4 sites, each using pfSense as firewall. What we want to happen is for the four sites to be connected via OpenVPN, sharing files as if they're in a LAN. Is this setup possible? What I have in mind is that each site will be configured as a server and as a client, some sort of multiple trust domain.

    TIA,

    Jan



  • If you want to use pfSense to firewall the OpenVPN then it's a no-go.
    You cannot filter the traffic coming in/going out through the OpenVPN tunnel.

    But it is no problem to have multiple Servers or Clients running at the same time.



  • Hi Gruens,

    I didn't quite understand what you said. So you're saying that if I use pfSense as firewall in all of the sites, I can't use OpenVPN? Isn't it the same as running the OpenVPN that comes with pfSense?

    Actually the filtering thing never crossed my mind, do I really need to have that?

    Jan



  • @jan:

    Hi Gruens,

    I didn't quite understand what you said. So you're saying that if I use pfSense as firewall in all of the sites, I can't use OpenVPN? Isn't it the same as running the OpenVPN that comes with pfSense?

    You can use OpenVPN.
    I meant you cannot create a firewall rule on pfSense for the pfSense-internal OpenVPN client/server.

    Actually the filtering thing never crossed my mind, do I really need to have that?

    Depends on your setup.
    If your OpenVPN subnet is a "trusted" subnet this should not be a problem.
    I thought more that you wanted to firewall the VPN connection.

    Maybe diagrams are more clear:
    //-----------------------
      Client - vpnclient
        |
        |
    pfSense
      WAN
        |
        |
      Server - vpnserver

    The client will always be able to establish a VPN connection to the server (if it's the client running the OpenVPN client instance).
    pfSense only does firewalling for the traffic from WAN to LAN and vice versa.
    //-----------------------

    Client
        |
        |
    pfSense - vpnclient
      WAN
        |
        |
      Server - vpnserver

    Now the vpnclient is on the pfSense itself. One might think you could firewall the VPN connection too.
    --> having rules for who can access the VPN tunnel or who is accessible from the VPN.
    But since you cannot create a rule for the virtual VPN interface, this is not possible.
    This is what I meant in my first post.



  • Hi Gruens,

    Thanks for your input. Here is what I'm planning to set up: install pfSense as firewall in all of the sites and configure the OpenVPN client/server setup. The subnet is a trusted subnet, and the scenario would be, e.g., clients on site 1 will be able to see/share files on the Head Office subnet and vice versa.

    LAN subnet
        |
        |
    pfsense HeadOffice
    OpenVPN server
        |
        |
    pfsense remote site 1
        |
        |
    Remote LAN

    Regards,

    Jan

