Questions about OpenVPN site-2-site plus remote access
-
Thank you.
1 - I did not want the trouble of configuring two instances of OpenVPN when everything works just fine.
The only problem is this:
When it's set as Peer to Peer
2 - Ok. Understood.
3 - "" ""
Thanks :)
-
If you're trying to set up a site-to-site connection (usually another router or pfSense connected via OpenVPN to your current pfSense box) and at the same time allow for occasional remote connections from your phone or laptop (RoadWarrior setup), you have no choice: you need two different OpenVPN servers.
The Remote Access Server box in the Client Export Utility is only available when you have a Remote Access Server configured (who da thunk?) ;)
-
Actually, I have a site-to-site working and I use the same OpenVPN server for road warriors.
Yes, I lose the Client Export Utility, but I can live with that! :))
I have full routing between sites, and road warriors can access both networks too :)
-
Well, look at that!
As someone much brighter once said to me (on this forum) "I learn something new every day…"
Just as a test, I created two servers using identical configurations, except "Local port #'s", "Server Mode", and "IPv4 Remote Network/s" (the last won't be allowed for Remote Access Server Mode). I compared the two created server.conf files and the only difference I could find was the lack of two lines in the Remote Access version:
route 192.168.233.0 255.255.255.0 (the fictitious Remote network I created for my simulated site-to-site)
ifconfig 10.10.10.1 10.10.10.2 (dedicates the first two IPs of the tunnel to the Local and Remote points respectively)
Which leads me to believe that if you create an OpenVPN server in Remote Access mode, you can just add the two missing lines in the Client Specific Overrides section for site-to-site connections and still have the Client Export Utility for all your Road Warriors.
That makes the Client Export utility even handier than before...
Edit: Alas, "ifconfig" and "route" are not valid in the CSC (makes sense now that I think about it...). You can still include them in the "Advanced Configuration" section of the Remote Access mode server. It means your older-version OpenVPN road warriors may have an issue when connecting, but I think if everything is up to date it should be fine.
-
I will try your suggestions… ;)
-
Update: did not work.
It still lacks the iroute, which can only be applied on the client side, I believe.
-
A little off topic, but if you add 'topology subnet;' in the Advanced Configuration, you won't be wasting any IPs... My first connection IP is x.2; before it would be x.6.
-
Update: did not work.
It still lacks the iroute, which can only be applied on the client side, I believe.
Yes, an appropriate "iroute" command will still be required for site-to-site connections, but that can easily be placed in the CSC section for each connection. When you think about it, that's the appropriate place, as an iroute is telling OpenVPN where to route addresses for "192.168.97.0/24" (assuming that's the net for some connecting client). Your connecting client could be on a totally different subnet and thus needs a different iroute command specific to your connection.
It keeps the routes well organized when you have multiple site-site connections to one OpenVPN Server.
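The following is an added illustration of the arrangement described in the two posts above (the Remote Access mode server carrying one site-to-site peer); it is not pfSense-generated output and not a config posted by anyone in this thread. The "route" line is what would go in the server's Advanced Configuration box, the "iroute" line is what would go in the Client Specific Override for the site-to-site peer. The tunnel network 10.10.10.0/24, the hub LAN 192.168.1.0/24, the remote LAN 192.168.233.0/24, the client-config-dir path and the certificate common name "site-b" are all assumptions.

```conf
# ----- server side: Remote Access mode (what pfSense builds from the GUI) -----
dev tun
proto udp
port 1194
# Tunnel network; the server takes the first address (10.10.10.1).
server 10.10.10.0 255.255.255.0
# One tunnel address per client instead of a /30 per client (post above).
topology subnet
# Directory where pfSense writes Client Specific Overrides (path assumed).
client-config-dir /var/etc/openvpn-csc
# "IPv4 Local Network(s)": pushed to every client, road warrior or site.
push "route 192.168.1.0 255.255.255.0"

# ----- added in "Advanced Configuration" -----
# Tells the *kernel* that 192.168.233.0/24 is reached via the tun interface.
# Without it, replies from the hub LAN never enter the tunnel.
route 192.168.233.0 255.255.255.0

# ----- Client Specific Override for the site-to-site peer -----
# Written to a file named after the client certificate's Common Name
# (here "site-b", assumed); road-warrior clients get no such file.
# iroute tells *OpenVPN* which connected client owns 192.168.233.0/24.
# Without it the server drops the site's traffic and logs
# "MULTI: bad source address from client [192.168.233.x], packet dropped".
iroute 192.168.233.0 255.255.255.0
```

Two checks if OpenVPN appears to ignore the iroute, as reported later in the thread: the override is only applied when the CSC common name matches the connecting client's certificate CN exactly, and the server-side "route" for the same subnet must exist alongside it, because "route" and "iroute" are a pair (kernel routing table versus OpenVPN's internal client routing table) and neither works without the other.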
-
You are correct but it seems to ignore it (the iroute).
-
The RoadWarrior connections will, but the site-to-site connections absolutely need it to be able to complete their connections.
Note that I'm assuming (what a terrible thing to do ::) ) that the site-to-site connections are all pfSense-based clients, manually configured. The RoadWarriors are installed via the appropriate Client Export Utility entry.
With those caveats, I believe everything I've stated to this point describes the operation of OpenVPN under pfSense (I'm certainly willing to be proven wrong, of course). ;)