Site to site VPN for four remote locations
-
Hello,
I am planning to implement pfSense at four different remote locations. Currently I have only set up two site-to-site VPNs using pfSense and OpenVPN.
My questions:
-
What is the best strategy for this?
-
If the "server" router goes down, will the other networks still be able to communicate with each other?
-
Is it possible to setup a mesh for some kind of fault tolerance?
-
What will I need to do in order to get each network to communicate with the others?
-
With only 4 remote locations, it is manageable to set up 4 OpenVPN servers at "main office". Then you can restart an OpenVPN server and only affect 1 remote office. If there are going to be new offices coming online all the time, then it can be easier to set up a single server with multiple site-to-site clients at the start. OpenVPN is solid - you really do not have to restart the server, it recovers from all sorts of link and client failures automagically.
If all the remote offices only have a direct link to "main office" then if "main office" is down the remote offices cannot talk to each other. If "main office" has multi-WAN then the OpenVPN server can failover (or effectively listen on both WANs).
If the remote offices have significant traffic between them, then yes, just setup a mesh:
Main Office server/s - listening for connects from Remote 1 to 4
Remote 1 server/s - listening for connects from Remote 2 to 4
Remote 2 server/s - listening for connects from Remote 3 to 4
Remote 3 server - listening for connects from Remote 4
Actually that is the very easy way for the routing - just put the other remote Remote Network/s in the box in each OpenVPN server and client.
If you use the centralized hub-and-spoke method, then in the Remote Office client Remote Network/s box, put a comma-separated list of all the other remote networks at Main Office and the other 3 Remote Offices.
Make sure to allow all the internal traffic on the Firewall->Rules OpenVPN tab.
I allocate all my intranet IPs inside 1 big subnet - e.g. they are all 10.42.n.0/24 subnets at each office. Then on OpenVPN tab I pass source 10.42.0.0/16 destination 10.42.0.0/16 and that includes all the private IP address space I intend to use in my intranet, in 1 rule.
-
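To make the two layouts in the reply above concrete, here is a small added Python model (not from the thread or from pfSense) of hub-and-spoke versus full mesh: which site listens for which, what goes in each site's Remote Network/s box, which offices stay reachable when main office is down, and whether the single 10.42.0.0/16 firewall rule really covers every office. Office names and the 10.42.n.0/24 numbering are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample: each office gets one 10.42.n.0/24 inside 10.42.0.0/16.
ORDER = ["main", "remote1", "remote2", "remote3", "remote4"]
OFFICES = {name: ipaddress.ip_network(f"10.42.{n}.0/24") for n, name in enumerate(ORDER)}
HUB = "main"

def hub_and_spoke_links():
    """Hub-and-spoke: each remote office has a single tunnel, to main office."""
    return {frozenset((HUB, site)) for site in ORDER if site != HUB}

def mesh_links():
    """Full mesh: one tunnel per pair of offices, n*(n-1)/2 tunnels in total."""
    return {frozenset(pair) for pair in combinations(ORDER, 2)}

def listeners(links):
    """Server end of each tunnel: the earlier site in ORDER listens, so main
    listens for remote 1-4, remote 1 for 2-4, ... and remote 4 for nobody."""
    out = {site: [] for site in ORDER}
    for link in links:
        server, client = sorted(link, key=ORDER.index)
        out[server].append(client)
    return {s: sorted(c, key=ORDER.index) for s, c in out.items()}

def reachable(site, links, failed=()):
    """Offices still reachable from `site` (a graph walk over the surviving
    tunnels) when the offices listed in `failed` are down."""
    seen, todo = {site}, [site]
    while todo:
        cur = todo.pop()
        for link in links:
            if cur in link:
                (nxt,) = link - {cur}
                if nxt not in failed and nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return seen - {site}

def remote_networks_box(site, links):
    """Comma-separated value for the site's 'Remote Network/s' box: every other
    office subnet it can reach over the VPN."""
    others = sorted(reachable(site, links), key=ORDER.index)
    return ", ".join(str(OFFICES[o]) for o in others)

def one_rule_covers_all(rule_net="10.42.0.0/16"):
    """True if a single OpenVPN-tab firewall rule for rule_net contains every office subnet."""
    rule = ipaddress.ip_network(rule_net)
    return all(net.subnet_of(rule) for net in OFFICES.values())
```

With main office failed, reachable("remote1", hub_and_spoke_links(), failed={"main"}) is empty while the mesh still reaches remote 2-4, which is the fault-tolerance difference the reply describes.
-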
Thanks for the quick response!
I've been doing some more Googling…
Is Tinc an easier/better solution or would you prefer OpenVPN?
-
If the remote offices have significant traffic between them, then yes, just setup a mesh:
Main Office server/s - listening for connects from Remote 1 to 4
Remote 1 server/s - listening for connects from Remote 2 to 4
Remote 2 server/s - listening for connects from Remote 3 to 4
Remote 3 server - listening for connects from Remote 4
Also, I'd like to try this, but I'm not quite following you.
EDIT: Actually, I drew it out and it was easier to visualize.
-
Thanks for the quick response!
I've been doing some more Googling…
Is Tinc an easier/better solution or would you prefer OpenVPN?
I have not tried Tinc, so I can't give a comparison. I use OpenVPN for site-to-site and Road Warrior "dialin" from Windows laptops. It works, so I use it - what more to say?