Multi-site OpenVPN, pfSense issuing the same IP for the Tunnel network.

WillCT1

We had a discrete box running OpenVPN left over from our pre-pfSense days that I am finally converting over to use pfSense's openvpn server.  Everything is fine if I connect one site to the pfSense OpenVPN, but if I connect two sites pfSense issues them the same "virtual address", even thought the CIDR bit is set to /24.  Do I need to specify a different tunnel network for each site?  That isn't how I had it set up on the existing OpenVPN.  All the sites are running pfSense 2.1.5-Release (i386).  For now i am testing with 2 sites, I will migrate the other 5 sites after the first 2 are working.

On the pfSense Main OpenVPN status page it shows both Site A and Site B have a Virtual Address of 10.20.1.2

Here are my settings:

172.16.0.0/23 is the main office
192.168.6.0/24 is Site A
192.168.10.0/24 is Site B

Main Office (Server):
Server
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device Mode: TUN
local Port 11194 (existing 1194 is taken by the legacy setup, will switch to standard ports after the migration)
TLS Authentication is checked, using the pfSense auto-generated TLS key
Peer Certificate Authority was created in the Cert Manager
No Peer Certificate Revocation list (Will implement later)
Server Certificate created in Cert Manager
DH Parameter Length 2048
Encryption: AES-128-CBC
No Hardware Crypto
Tunnel Network: 10.20.1.0/24
IPv4 Local Network: 172.16.0.0/23
IPv4 Remote Network: 192.168.6.0/24, 192.168.10.0/24
Compress LZO: Checked
Advanced Options are blank

Site A Client Specific Options:
Common Name: (Matches with Cert for Site A)
Tunnel Network 10.20.1.0/24
Advanced: iroute 192.168.6.0 255.255.255.0

Site B Client Specific Options:
Common Name: (Matches with Cert for Site B)
Tunnel Network 10.20.1.0/24
Advanced: iroute 192.168.10.0 255.255.255.0

Client Settings:
Site A:
Server mode: Peer-to-Peer (SSL/TLS)
Protocol: UDP
Device mode: tun
Server host: Main office WAN IP
Server port: 11194
TLS Authentication enabled
TLS key copied from Server
Peer CA: downloaded from Server
Client Cert: SITE A's set of cert/key from server's cert manager
Encryption AES-128-CBC
IPv4 Tunnel Network: 10.20.1.0/24
IPv4 Remote Nework: 172.16.0.0/23
Compression: LZO Checked
Advanced: Blank

Client Settings:
Site B:
Server mode: Peer-to-Peer (SSL/TLS)
Protocol: UDP
Device mode: tun
Server host: Main office WAN IP
Server port: 11194
TLS Authentication enabled
TLS key copied from Server
Peer CA: downloaded from Server
Client Cert: SITE B's set of cert/key from server's cert manager
Encryption AES-128-CBC
IPv4 Tunnel Network: 10.20.1.0/24
IPv4 Remote Nework: 172.16.0.0/23
Compression: LZO Checked
Advanced: Blank

gsmithe

I know this is a couple weeks old, but I just ran into this and found a solution.

My symptoms were that each site had the same IP listed on the Hub server's OpenVPN status page and the only site that had connectivity was the last site to connect.

Site A Client Specific Options:
Common Name: (Matches with Cert for Site A)
Tunnel Network 10.20.1.0/24
Advanced: iroute 192.168.6.0 255.255.255.0

I did something similar for my 5 remote sites.  Remove the entry

Tunnel Network 10.20.1.0/24

That's what I did and each site then got a unique IP and all sites connected fine.

• GS

WillCT1

Thanks! Worked perfectly.