Multi-site OpenVPN, pfSense issuing the same IP for the Tunnel network.



  • We had a discrete box running OpenVPN left over from our pre-pfSense days that I am finally converting over to use pfSense's OpenVPN server.  Everything is fine if I connect one site to the pfSense OpenVPN, but if I connect two sites pfSense issues them the same "virtual address", even though the CIDR bit is set to /24.  Do I need to specify a different tunnel network for each site?  That isn't how I had it set up on the existing OpenVPN.  All the sites are running pfSense 2.1.5-Release (i386).  For now I am testing with 2 sites, I will migrate the other 5 sites after the first 2 are working.

    On the pfSense Main OpenVPN status page it shows both Site A and Site B have a Virtual Address of 10.20.1.2

    Here are my settings:

    172.16.0.0/23 is the main office
    192.168.6.0/24 is Site A
    192.168.10.0/24 is Site B

    Main Office (Server):
    Server
    Server mode: Peer to Peer (SSL/TLS)
    Protocol: UDP
    Device Mode: TUN
    local Port 11194 (existing 1194 is taken by the legacy setup, will switch to standard ports after the migration)
    TLS Authentication is checked, using the pfSense auto-generated TLS key
    Peer Certificate Authority was created in the Cert Manager
    No Peer Certificate Revocation list (Will implement later)
    Server Certificate created in Cert Manager
    DH Parameter Length 2048
    Encryption: AES-128-CBC
    No Hardware Crypto
    Tunnel Network: 10.20.1.0/24
    IPv4 Local Network: 172.16.0.0/23
    IPv4 Remote Network: 192.168.6.0/24, 192.168.10.0/24
    Compress LZO: Checked
    Advanced Options are blank

    Site A Client Specific Options:
    Common Name: (Matches with Cert for Site A)
    Tunnel Network 10.20.1.0/24
    Advanced: iroute 192.168.6.0 255.255.255.0

    Site B Client Specific Options:
    Common Name: (Matches with Cert for Site B)
    Tunnel Network 10.20.1.0/24
    Advanced: iroute 192.168.10.0 255.255.255.0

    Client Settings:
    Site A:
    Server mode: Peer-to-Peer (SSL/TLS)
    Protocol: UDP
    Device mode: tun
    Server host: Main office WAN IP
    Server port: 11194
    TLS Authentication enabled
    TLS key copied from Server
    Peer CA: downloaded from Server
    Client Cert: SITE A's set of cert/key from server's cert manager
    Encryption AES-128-CBC
    IPv4 Tunnel Network: 10.20.1.0/24
    IPv4 Remote Network: 172.16.0.0/23
    Compression: LZO Checked
    Advanced: Blank

    Client Settings:
    Site B:
    Server mode: Peer-to-Peer (SSL/TLS)
    Protocol: UDP
    Device mode: tun
    Server host: Main office WAN IP
    Server port: 11194
    TLS Authentication enabled
    TLS key copied from Server
    Peer CA: downloaded from Server
    Client Cert: SITE B's set of cert/key from server's cert manager
    Encryption AES-128-CBC
    IPv4 Tunnel Network: 10.20.1.0/24
    IPv4 Remote Network: 172.16.0.0/23
    Compression: LZO Checked
    Advanced: Blank



  • I know this is a couple weeks old, but I just ran into this and found a solution.

    My symptoms were that each site had the same IP listed on the Hub server's OpenVPN status page and the only site that had connectivity was the last site to connect.

    Site A Client Specific Options:
    Common Name: (Matches with Cert for Site A)
    Tunnel Network 10.20.1.0/24
    Advanced: iroute 192.168.6.0 255.255.255.0

    I did something similar for my 5 remote sites.  Remove the entry

    Tunnel Network 10.20.1.0/24

    That's what I did and each site then got a unique IP and all sites connected fine.

    • GS
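The symptom in this thread (every site shown with 10.20.1.2) comes from each client-specific override pushing the same tunnel address. Below is an added check, not code from the thread or from pfSense, that reads the per-client override files OpenVPN loads from its client-config-dir and flags tunnel addresses or iroute networks claimed by more than one client. The sample file contents are constructed; the `ifconfig-push 10.20.1.2 10.20.1.1` line is an assumption of what a per-client "Tunnel Network 10.20.1.0/24" override produces under the default net30 topology.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: one override file per Common Name, as OpenVPN reads them
# from client-config-dir. Both clients are pushed the same address (the bug).
SAMPLE_CCD = {
    "siteA": "ifconfig-push 10.20.1.2 10.20.1.1\niroute 192.168.6.0 255.255.255.0\n",
    "siteB": "ifconfig-push 10.20.1.2 10.20.1.1\niroute 192.168.10.0 255.255.255.0\n",
}

IFCONFIG_PUSH = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)")
IROUTE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)")


def parse_ccd(text):
    """Return (pushed tunnel address or None, list of iroute networks)."""
    pushed, routes = None, []
    for line in text.splitlines():
        m = IFCONFIG_PUSH.match(line)
        if m:
            pushed = ipaddress.ip_address(m.group(1))
            continue
        m = IROUTE.match(line)
        if m:
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return pushed, routes


def find_conflicts(ccd_files):
    """Return ({duplicate address: [clients]}, {duplicate iroute network: [clients]})."""
    by_addr, by_route = defaultdict(list), defaultdict(list)
    for cn, text in ccd_files.items():
        pushed, routes = parse_ccd(text)
        if pushed is not None:
            by_addr[pushed].append(cn)
        for net in routes:
            by_route[net].append(cn)
    dup_addrs = {str(a): cns for a, cns in by_addr.items() if len(cns) > 1}
    dup_routes = {str(n): cns for n, cns in by_route.items() if len(cns) > 1}
    return dup_addrs, dup_routes


def strip_tunnel_override(text):
    """Apply the fix from the thread: drop the per-client ifconfig-push so the
    server hands out addresses from its own Tunnel Network pool."""
    return "\n".join(l for l in text.splitlines() if not IFCONFIG_PUSH.match(l)) + "\n"
```

Run `find_conflicts` over the files on the server after each change; once the per-client Tunnel Network is removed, the duplicate-address map should be empty while the iroute lines remain.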


  • Thanks! Worked perfectly.

