Netgate Discussion Forum
    Multi-site OpenVPN, pfSense issuing the same IP for the Tunnel network.

    WillCT1:

      We had a discrete box running OpenVPN left over from our pre-pfSense days that I am finally converting over to use pfSense's OpenVPN server.  Everything is fine if I connect one site to the pfSense OpenVPN, but if I connect two sites pfSense issues them the same "virtual address", even though the CIDR bit is set to /24.  Do I need to specify a different tunnel network for each site?  That isn't how I had it set up on the existing OpenVPN.  All the sites are running pfSense 2.1.5-Release (i386).  For now I am testing with 2 sites; I will migrate the other 5 sites after the first 2 are working.

      On the pfSense Main OpenVPN status page it shows both Site A and Site B have a Virtual Address of 10.20.1.2

      Here are my settings:

      172.16.0.0/23 is the main office
      192.168.6.0/24 is Site A
      192.168.10.0/24 is Site B

      Main Office (Server):
      Server
      Server mode: Peer to Peer (SSL/TLS)
      Protocol: UDP
      Device Mode: TUN
      local Port 11194 (existing 1194 is taken by the legacy setup, will switch to standard ports after the migration)
      TLS Authentication is checked, using the pfSense auto-generated TLS key
      Peer Certificate Authority was created in the Cert Manager
      No Peer Certificate Revocation list (Will implement later)
      Server Certificate created in Cert Manager
      DH Parameter Length 2048
      Encryption: AES-128-CBC
      No Hardware Crypto
      Tunnel Network: 10.20.1.0/24
      IPv4 Local Network: 172.16.0.0/23
      IPv4 Remote Network: 192.168.6.0/24, 192.168.10.0/24
      Compress LZO: Checked
      Advanced Options are blank

      Site A Client Specific Options:
      Common Name: (Matches with Cert for Site A)
      Tunnel Network 10.20.1.0/24
      Advanced: iroute 192.168.6.0 255.255.255.0

      Site B Client Specific Options:
      Common Name: (Matches with Cert for Site B)
      Tunnel Network 10.20.1.0/24
      Advanced: iroute 192.168.10.0 255.255.255.0

      Client Settings:
      Site A:
      Server mode: Peer-to-Peer (SSL/TLS)
      Protocol: UDP
      Device mode: tun
      Server host: Main office WAN IP
      Server port: 11194
      TLS Authentication enabled
      TLS key copied from Server
      Peer CA: downloaded from Server
      Client Cert: SITE A's set of cert/key from server's cert manager
      Encryption AES-128-CBC
      IPv4 Tunnel Network: 10.20.1.0/24
      IPv4 Remote Network: 172.16.0.0/23
      Compression: LZO Checked
      Advanced: Blank

      Client Settings:
      Site B:
      Server mode: Peer-to-Peer (SSL/TLS)
      Protocol: UDP
      Device mode: tun
      Server host: Main office WAN IP
      Server port: 11194
      TLS Authentication enabled
      TLS key copied from Server
      Peer CA: downloaded from Server
      Client Cert: SITE B's set of cert/key from server's cert manager
      Encryption AES-128-CBC
      IPv4 Tunnel Network: 10.20.1.0/24
      IPv4 Remote Network: 172.16.0.0/23
      Compression: LZO Checked
      Advanced: Blank

      gsmithe:

        I know this is a couple weeks old, but I just ran into this and found a solution.

        My symptoms were that each site had the same IP listed on the Hub server's OpenVPN status page and the only site that had connectivity was the last site to connect.

        Site A Client Specific Options:
        Common Name: (Matches with Cert for Site A)
        Tunnel Network 10.20.1.0/24
        Advanced: iroute 192.168.6.0 255.255.255.0

        I did something similar for my 5 remote sites.  Remove the entry

        Tunnel Network 10.20.1.0/24

        That's what I did and each site then got a unique IP and all sites connected fine.

        WillCT1:
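        Added example, not code from this thread or from pfSense: a small Python audit that parses the client-specific override files (the ccd files pfSense generates from Client Specific Overrides) and reports any pushed tunnel address that more than one client would receive, which is the duplicate virtual address described above. The ccd contents, the CN names and the exact `ifconfig-push` line layout are constructed for the example and are assumptions.

```python
"""Audit OpenVPN client-specific override (ccd) files for duplicate
pushed tunnel addresses.

Added example, not code from the forum thread or from pfSense. A Tunnel
Network set in a pfSense Client Specific Override ends up as an
ifconfig-push line in that client's ccd file; when every override carries
the same network, every client is pushed the same address. The ccd contents
below are constructed to mirror the thread's settings (CN names assumed).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: both overrides carry Tunnel Network 10.20.1.0/24.
SAMPLE_CCD = {
    "siteA": "ifconfig-push 10.20.1.2 10.20.1.1\niroute 192.168.6.0 255.255.255.0\n",
    "siteB": "ifconfig-push 10.20.1.2 10.20.1.1\niroute 192.168.10.0 255.255.255.0\n",
}

IFCONFIG_PUSH = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)")
IROUTE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)")

def parse_ccd(text):
    """Return (pushed client address or None, list of iroute networks)."""
    pushed, iroutes = None, []
    for line in text.splitlines():
        m = IFCONFIG_PUSH.match(line)
        if m:
            pushed = ipaddress.ip_address(m.group(1))
            continue
        m = IROUTE.match(line)
        if m:
            iroutes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return pushed, iroutes

def find_conflicts(ccd_files):
    """Group clients by pushed address; return only addresses pushed to
    more than one client, i.e. the duplicate virtual address seen on the
    status page."""
    by_addr = defaultdict(list)
    for cn, text in ccd_files.items():
        pushed, _ = parse_ccd(text)
        if pushed is not None:
            by_addr[pushed].append(cn)
    return {str(a): sorted(cns) for a, cns in by_addr.items() if len(cns) > 1}

if __name__ == "__main__":
    for addr, cns in find_conflicts(SAMPLE_CCD).items():
        print(f"{addr} pushed to {len(cns)} clients: {', '.join(cns)}")
```

        Removing the Tunnel Network from each override (so the ccd file keeps only its iroute line) makes the conflict list empty and lets the server's address pool assign each client its own address.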

          Thanks! Worked perfectly.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.