Questions about OpenVPN site-2-site plus remote access



  • Hi,

    I'm testing pfSense OpenVPN to deploy a site-to-site connection between pfSense (server) and a DD-WRT router (OpenVPN client) at a remote location.

    Everything works OK with the server type set to Peer to Peer.

    My questions:

    1 - When I set pfSense to Remote Access I lose the routing between the two sites. I would like to set it as "remote access" because this pfSense will also be used to give me "road warrior" access on my iPhone. With Peer to Peer I lose the "Client Export" functionality. Any way to work around this?

    2 - I understand that when I set the tunnel network I'm telling the OpenVPN server the network where there will be IPs available for clients. Is there any way to set a range of IPs within that network to be handed out to clients?

    3 - I set my tunnel network to 172.16.0.0/24. I see in ifconfig on pfSense that both the 172.16.0.1 and 172.16.0.2 addresses are on the same interface. Why is that so?

    Thanks a lot!!



  • 1 - When I set pfSense to Remote Access I lose the routing between the two sites. I would like to set it as "remote access" because this pfSense will also be used to give me "road warrior" access on my iPhone.

    Why don't you just leave the working Peer to Peer as is and create a 2nd OpenVPN server on your pfSense running Remote access?

    This works very well and lets you segregate the site-to-site traffic from the RoadWarrior stuff.  Just remember you need to use a different port number for each OpenVPN server you create, and make sure to set a firewall rule to allow access on that port.

    With Peer to Peer I lose the "Client Export" functionality. Any way to work around this?

    What doesn't work with the Client Export: do you simply not see the export keys you're expecting for the OpenVPN server, or does the Client Export section no longer appear?  Any problems I have had with Client Export have always been due to my screwups in creating the correct certificates for a RoadWarrior and not using the same CA as used for the OpenVPN server.

    2 - I understand that when I set the tunnel network I'm telling the OpenVPN server the network where there will be IPs available for clients. Is there any way to set a range of IPs within that network to be handed out to clients?

    The tunnel network is used for the encrypted OpenVPN traffic. A minimum of 4 IPs is needed for each connection, so you can't treat the tunnel network like you would DHCP settings.  That said, you can decrease the tunnel subnet down to a /30 and still keep one connection.  Personally I tend to leave it at /24 and regard the OpenVPN tunnel subnets as "off limits", reserved for OpenVPN only.

    3 - I set my tunnel network to 172.16.0.0/24. I see in ifconfig on pfSense that both the 172.16.0.1 and 172.16.0.2 addresses are on the same interface. Why is that so?

    From the OpenVPN site FAQ: http://openvpn.net/index.php/open-source/faq/77-server/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode.html

    I use the OpenVPN functions for many site-to-site connections and it works very well.

    Welcome to pfSense  :)



  • Thank you.

    1 - I did not want the trouble of configuring two instances of OpenVPN when everything works just fine.

    The only problem is this:

    When it's set as Peer to Peer

    2 - Ok. Understood.

    3 - "" ""

    Thanks :)



  • If you're trying to set up a site-to-site connection (usually another router or pfSense connected via OpenVPN to your current pfSense box) and at the same time allow for occasional remote connections from your phone or laptop (RoadWarrior setup), you have no choice: you need two different OpenVPN servers.

    The Remote Access Server box in the Client Export Utility is only available when you have a Remote Access Server configured (who'd have thunk?)  ;)



  • Actually I have a site-to-site working and I use the same OpenVPN server for road warriors.

    Yes, I lose the client export utility, but I can live with that! :))

    I have full routing between the sites, and road warriors can access both networks too :)



  • Well, look at that!

    As someone much brighter once said to me (on this forum) "I learn something new every day…"

    Just as a test, I created two servers using identical configurations, except "Local port numbers", "Server Mode", and "IPv4 Remote Network/s" (the last isn't allowed for Remote Access Server Mode).  I compared the two created server.conf files and the only difference I could find was the lack of two lines in the Remote Access version:

    route 192.168.233.0 255.255.255.0  (the fictitious Remote network I created for my simulated site-to-site)
    ifconfig 10.10.10.1 10.10.10.2  (dedicates the first two IPs of the tunnel to the Local and Remote points respectively)

    Which leads me to believe that if you create an OpenVPN server in Remote Access mode, you can just add the two missing lines in the Client Specific Overrides section for site-to-site connections and still have the Client Export utility for all your Road Warriors.

    That makes the Client Export util even handier than before.

    Edit: Alas, "ifconfig" and "route" are not valid in the CSC (makes sense now that I think about it...)  You can still include them in the "Advanced Configuration" section of the Remote Access mode server.  It means your older-version OpenVPN road warriors may have an issue when connecting, but I think if everything is up to date it should be fine.



  • I will try your suggestions… ;)



  • Update: did not work.

    It still lacks the iroute, which can only be applied on the client side, I believe.



  • A little off topic, but if you add 'topology subnet;' in the advanced configuration, you won't be wasting any IPs… My first connection IP is x.2; before it would be x.6.



  • Update: did not work.

    It still lacks the iroute, which can only be applied on the client side, I believe.

    Yes, an appropriate "iroute" command will still be required for site-to-site connections, but that can easily be placed in the CSC section for each connection.  When you think about it, that's the appropriate place, as an iroute is telling OpenVPN where to route addresses for "192.168.97.0/24" (assuming that's the net for some connecting client). Your connecting client could be on a totally different subnet and thus needs a different iroute command specific to your connection.

    It keeps the routes well organized when you have multiple site-to-site connections to one OpenVPN server.
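The following is an added worked example, not code from this thread, from pfSense or from OpenVPN. It makes three points from the discussion concrete: why two tunnel addresses (x.1 and x.2) show up on the server's interface, how many tunnel addresses each client really consumes under the default net30 topology versus `topology subnet` (the x.6 vs x.2 observation above), and which two lines a Remote Access mode server is missing for a site-to-site client, with the `route` going in the server's Advanced configuration and the `iroute` in that client's Client Specific Override. The tunnel network, the remote LAN and the client common name `site-b` are made-up values; the address arithmetic follows what OpenVPN's `server` directive does for the two topologies.

```python
"""Added worked example; not code from the thread, pfSense, or OpenVPN.

Tunnel networks, LANs and the common name "site-b" are constructed values.
The directives (route, iroute, topology subnet) are standard OpenVPN.
"""
from ipaddress import IPv4Network
from typing import Dict, List, Tuple


def server_endpoint_pair(tunnel: str) -> Tuple[str, str]:
    """net30: the server's own ifconfig pair, e.g. 172.16.0.1 and 172.16.0.2.

    Both addresses sit on one interface because they are the two ends of
    the server's point-to-point link inside the first /30 of the tunnel.
    """
    net = IPv4Network(tunnel, strict=False)
    return str(net.network_address + 1), str(net.network_address + 2)


def net30_client_ips(tunnel: str, count: int) -> List[str]:
    """Client virtual IPs under net30 for a `server <net> <mask>` line.

    Block 0 is the server's; the default ifconfig-pool stops before the last
    /30, so a /24 fits 62 clients.  Each client gets the second usable
    address of its own block: x.6, x.10, x.14, ...
    """
    blocks = list(IPv4Network(tunnel, strict=False).subnets(new_prefix=30))
    usable = blocks[1:-1]
    if count > len(usable):
        raise ValueError(f"{tunnel} fits only {len(usable)} net30 clients")
    return [str(b.network_address + 2) for b in usable[:count]]


def subnet_client_ips(tunnel: str, count: int) -> List[str]:
    """Client virtual IPs with `topology subnet`: server x.1, clients x.2 ...

    The pool runs from network+2 to broadcast-1, so a /24 fits 253 clients
    and no addresses are burned on per-client /30s.
    """
    hosts = list(IPv4Network(tunnel, strict=False).hosts())  # x.1 .. x.254
    clients = hosts[1:]
    if count > len(clients):
        raise ValueError(f"{tunnel} fits only {len(clients)} subnet clients")
    return [str(ip) for ip in clients[:count]]


def site_to_site_overrides(remote_lan: str, common_name: str) -> Dict[str, str]:
    """Lines pfSense writes itself in Peer to Peer mode but not in Remote
    Access mode, keyed by where to put them by hand.

    `route`  -> server's Advanced configuration: makes the server's kernel
                send traffic for the remote LAN into the tun interface.
    `iroute` -> Client Specific Override for the client certificate's
                common name: tells OpenVPN which connected client owns that
                LAN.  Without the iroute the server has no client to hand
                the traffic to; without the route it never reaches OpenVPN.
    """
    lan = IPv4Network(remote_lan, strict=False)
    return {
        "server_advanced": f"route {lan.network_address} {lan.netmask}",
        f"csc/{common_name}": f"iroute {lan.network_address} {lan.netmask}",
    }


if __name__ == "__main__":
    tunnel = "172.16.0.0/24"
    print("server pair (net30):", server_endpoint_pair(tunnel))
    print("first 3 clients, net30:", net30_client_ips(tunnel, 3))
    print("first 3 clients, topology subnet:", subnet_client_ips(tunnel, 3))
    for where, line in site_to_site_overrides("192.168.97.0/24", "site-b").items():
        print(f"{where}: {line}")
```

Because the `iroute` is keyed by the common name of the site-to-site client's certificate, each remote site needs its own override; road-warrior clients get no override and simply receive a pool address.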



  • You are correct but it seems to ignore it (the iroute).



  • The RoadWarrior connections will, but the site-to-site connections absolutely need it to be able to complete their connections.

    Note that I'm assuming (what a terrible thing to do  ::) ) that the site-to-site connections are all pfSense-based clients, manually configured.  The RoadWarriors are installed via the appropriate Client Export Utility entry.

    With those caveats, I believe everything I've stated to this point describes the operation of OpenVPN under pfSense (I'm certainly willing to be proven wrong of course).  ;)