Site to site VPN for four remote locations



  • Hello,

    I am planning to implement pfSense at four different remote locations. Currently I have only set up two site-to-site VPNs using pfSense and OpenVPN.

    My questions:

    • What is the best strategy for this?

    • If the "server" router goes down, will the other networks still be able to communicate with each other?

    • Is it possible to set up a mesh for some kind of fault tolerance?

    • What will I need to do in order to get each network to communicate with the others?



  • With only 4 remote locations, it is manageable to set up 4 OpenVPN servers at "main office". Then you can restart an OpenVPN server and only affect 1 remote office. If there are going to be new offices coming online all the time, then it can be easier to set up a single server with multiple site-to-site clients at the start. OpenVPN is solid - you really do not have to restart the server, it recovers from all sorts of link and client failures automagically.

    If all the remote offices only have a direct link to "main office" then if "main office" is down the remote offices cannot talk to each other. If "main office" has multi-WAN then the OpenVPN server can failover (or effectively listen on both WANs).

    If the remote offices have significant traffic between them, then yes, just set up a mesh:
    Main Office server/s - listening for connects from Remote 1 to 4
    Remote 1 server/s - listening for connects from Remote 2 to 4
    Remote 2 server/s - listening for connects from Remote 3 to 4
    Remote 3 server - listening for connects from Remote 4

    Actually that is the very easy way for the routing - just put the other remote networks in the Remote Network/s box in each OpenVPN server and client.

    If you use the centralized hub-and-spoke method, then in the Remote Office client Remote Network/s box, put a comma-separated list of all the other remote networks at Main Office and the other 3 Remote Offices.
    Make sure to allow all the internal traffic on the Firewall->Rules OpenVPN tab.
    I allocate all my intranet IPs inside 1 big subnet - e.g. they are all 10.42.n.0/24 subnets at each office. Then on the OpenVPN tab I pass source 10.42.0.0/16 destination 10.42.0.0/16 and that includes all the private IP address space I intend to use in my intranet, in 1 rule.

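As an added example (not from the thread, pfSense or OpenVPN), a small Python model of the two topologies described in the answer above: it builds the tunnel pairs for hub-and-spoke and for the mesh, checks which offices still reach each other when Main Office is down, and produces the comma-separated Remote Network/s list for a site. The site names and 10.42.n.0/24 subnets are constructed to match the convention in the post.

```python
import ipaddress
from itertools import combinations

# Constructed sites: one /24 per office inside the 10.42.0.0/16 intranet block.
SITES = {
    "Main":    ipaddress.ip_network("10.42.0.0/24"),
    "Remote1": ipaddress.ip_network("10.42.1.0/24"),
    "Remote2": ipaddress.ip_network("10.42.2.0/24"),
    "Remote3": ipaddress.ip_network("10.42.3.0/24"),
    "Remote4": ipaddress.ip_network("10.42.4.0/24"),
}
INTRANET = ipaddress.ip_network("10.42.0.0/16")


def hub_and_spoke(hub="Main"):
    """Tunnels: every remote office connects only to the hub."""
    return {frozenset((hub, s)) for s in SITES if s != hub}


def full_mesh():
    """Tunnels: one server/client pair between every pair of sites. The earlier
    site in SITES runs the server, the later one connects as client, which is
    the 'Remote 1 listens for Remote 2 to 4, ...' scheme from the answer."""
    return {frozenset(pair) for pair in combinations(SITES, 2)}


def reachable(tunnels, start, down=()):
    """Sites reachable from `start` over `tunnels` while the sites in `down`
    are offline (a failed site carries no traffic for anyone else)."""
    seen, todo = set(), [start]
    while todo:
        site = todo.pop()
        if site in seen or site in down:
            continue
        seen.add(site)
        for t in tunnels:
            if site in t:
                todo.extend(t - {site})
    return seen - set(down)


def remote_networks(site):
    """Comma-separated Remote Network/s value for the OpenVPN instance at
    `site`, so that it routes to every other office."""
    return ",".join(str(n) for s, n in SITES.items() if s != site)


def intranet_rule_covers_all():
    """True if one pass rule 10.42.0.0/16 -> 10.42.0.0/16 covers every site."""
    return all(n.subnet_of(INTRANET) for n in SITES.values())
```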


  • Thanks for the quick response!

    I've been doing some more Googling…
    Is Tinc an easier/better solution or would you prefer OpenVPN?



  • @phil.davis:

    If the remote offices have significant traffic between them, then yes, just setup a mesh:
    Main Office server/s - listening for connects from Remote 1 to 4
    Remote 1 server/s - listening for connects from Remote 2 to 4
    Remote 2 server/s - listening for connects from Remote 3 to 4
    Remote 3 server - listening for connects from Remote 4

    Also, I'd like to try this, but I'm not quite following you.

    EDIT:  Actually, I drew it out and it was easier to visualize.



  • @TC10284:

    Thanks for the quick response!

    I've been doing some more Googling…
    Is Tinc an easier/better solution or would you prefer OpenVPN?

    I have not tried Tinc, so I can't give a comparison. I use OpenVPN for site-to-site and Road Warrior "dialin" from Windows laptops. It works, so I use it - what more to say?

