Does this scenario work on pfsense? OpenVPN server multiple client remote nets
  • Hi all, I've been troubleshooting a site-to-site configuration for a week now without much luck.

    My application:

    pfSense 2.2 RC running OpenVPN server.
    Eventually, I want to be able to have a hub-and-spoke network using remote OpenWrt units.
    Network architecture is fully routed, no NAT (site-to-site).
    I would like to only need to maintain one OpenVPN server instance for the "satellites", so I'm planning on adding the remote networks via client overrides and having the OpenVPN tunnel network "shared" between the satellites. Note that I'm also OK with different tunnel nets per site, so long as I don't need more than one server instance.

    Question:
    Is this a supported scenario? pfSense does not seem to want to add the routes for the remote networks unless the remote routes are specified in the server instance as well as in the client overrides. I have been able to get this scenario to work when I set up separate server instances for each "satellite" client, but this gets tough to manage as the number of remote sites increases.
    If I do try to add the remote networks to the server, Diagnostics -> Routes shows that pfSense wants to add all remote routes to a single OpenVPN tunnel IP (e.g. 10.0.0.2), which does not work since I need route 1 @ 10.0.0.2, route 2 @ 10.0.0.3, and so on.

    I've attached server, client, and OpenVPN status pictures. Note that the OpenVPN status routes table clearly shows the correct remote network, but when I look at Diagnostics -> Routes, pfSense does not have the remote route in the routing table, and I'm unable to send traffic to the remote network. Is there something I'm missing? Any help would be appreciated.

  • LAYER 8 Netgate

    Can you dictate the LAN addressing scheme for the remote sites?  If so, then pick something like 172.26.0.0/16.  Put that in the remote network in your server instance.  That will put a route in pfSense telling it to send all traffic for 172.26.0.0/16 into OpenVPN.

    Then, in your client-specific overrides do something like this:

    Site 1: "iroute 172.26.1.0 255.255.255.0"
    Site 2: "iroute 172.26.2.0 255.255.255.0"
    Site 3: "iroute 172.26.3.0 255.255.255.0"
    Site 4: "iroute 172.26.4.0 255.255.255.0"
    Site 5: "iroute 172.26.5.0 255.255.255.0"

    iroutes are internal to OpenVPN so when OpenVPN receives traffic from pfSense for 172.26.3.12 it knows to send it out Site 3's tunnel.

    Doing this allows you to leave the server instance alone when you add/move/change sites (changing the remote networks in the server instance restarts the server).  Changing client specific overrides doesn't.
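To make the route/iroute split from the reply above concrete, here is an added example in Python; it is not code from this thread, from pfSense or from OpenVPN. It embeds a constructed server config carrying the single 172.26.0.0/16 "remote network" route (what the server instance contributes) and the per-site client-specific overrides as CCD entries, then checks the two things that go wrong in practice: an iroute that no server route covers (OpenVPN learns the client's network, but the firewall's routing table never sends traffic into the tunnel, which is the symptom in the question) and the same network claimed by two sites. It also resolves a destination such as 172.26.3.12 to the site OpenVPN would deliver it to. The CN values site1..site3, the client-config-dir path and the tunnel network are assumptions, and the configs are constructed sample input.

```python
"""Consistency check for an OpenVPN server route plus per-client iroutes.

Added example (not from the thread, pfSense or OpenVPN). The server config and
CCD entries below are constructed sample input; names and paths are assumed.
"""
import ipaddress
import shlex

# Constructed sample of what the server instance contributes: one supernet
# route for all sites. Device name, tunnel network and CCD path are assumed.
SERVER_CONF = """\
dev ovpns1
server 10.0.0.0 255.255.255.0
route 172.26.0.0 255.255.0.0
client-config-dir ccd
"""

# Constructed sample of the client-specific overrides, keyed by certificate CN
# (the file name under client-config-dir). CN values are assumed.
CCD = {
    "site1": "iroute 172.26.1.0 255.255.255.0\n",
    "site2": "iroute 172.26.2.0 255.255.255.0\n",
    "site3": "iroute 172.26.3.0 255.255.255.0\n",
}


def parse_routes(text, keyword):
    """Return the networks given by `<keyword> <network> <netmask>` lines.

    `keyword` is "route" for the server config and "iroute" for a CCD entry.
    Comments (#) are ignored; a host bit set in the network part is an error.
    """
    nets = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3 and fields[0] == keyword:
            nets.append(ipaddress.ip_network(f"{fields[1]}/{fields[2]}", strict=True))
    return nets


def check_overrides(server_conf, ccd):
    """Return a list of problems; an empty list means the layout is consistent.

    A problem is either an iroute outside every server `route` (the kernel
    would never hand that traffic to OpenVPN) or an iroute that overlaps one
    claimed by another client (OpenVPN would pick whichever connected last).
    """
    routes = parse_routes(server_conf, "route")
    problems = []
    claimed = []  # (cn, network) pairs seen so far
    for cn, text in ccd.items():
        for net in parse_routes(text, "iroute"):
            if not any(net.subnet_of(r) for r in routes):
                problems.append(f"{cn}: iroute {net} is outside every server route")
            for other_cn, other in claimed:
                if net.overlaps(other):
                    problems.append(f"{cn}: iroute {net} overlaps {other} ({other_cn})")
            claimed.append((cn, net))
    return problems


def client_for(dst, ccd):
    """Return the CN whose iroute would receive a packet for `dst`.

    Mirrors OpenVPN's internal lookup: longest matching iroute wins; None if
    no client has claimed the destination.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for cn, text in ccd.items():
        for net in parse_routes(text, "iroute"):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (cn, net)
    return best[0] if best else None


if __name__ == "__main__":
    for problem in check_overrides(SERVER_CONF, CCD):
        print("PROBLEM:", problem)
    print("172.26.3.12 ->", client_for("172.26.3.12", CCD))
    # A site whose LAN falls outside the supernet shows the failure mode:
    bad = dict(CCD, site4="iroute 192.168.40.0 255.255.255.0\n")
    for problem in check_overrides(SERVER_CONF, bad):
        print("PROBLEM:", problem)
```

Run it against a copy of the real server config and the contents of the client-config-dir before adding a site; if the only output is the destination lookup, the new site's LAN sits inside the supernet and nothing in the server instance needs to change.
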
  • @Derelict:

    Can you dictate the LAN addressing scheme for the remote sites?  If so, then pick something like 172.26.0.0/16.  Put that in the remote network in your server instance.  That will put a route in pfSense telling it to send all traffic for 172.26.0.0/16 into OpenVPN.

    Then, in your client-specific overrides do something like this:

    Site 1: "iroute 172.26.1.0 255.255.255.0"
    Site 2: "iroute 172.26.2.0 255.255.255.0"
    Site 3: "iroute 172.26.3.0 255.255.255.0"
    Site 4: "iroute 172.26.4.0 255.255.255.0"
    Site 5: "iroute 172.26.5.0 255.255.255.0"

    iroutes are internal to OpenVPN so when OpenVPN receives traffic from pfSense for 172.26.3.12 it knows to send it out Site 3's tunnel.

    Doing this allows you to leave the server instance alone when you add/move/change sites (changing the remote networks in the server instance restarts the server).  Changing client specific overrides doesn't.

    I'm testing it now and it looks like it might be working correctly. I will test a bit more over the week before marking this resolved.
    Supernetting... it's always a simple answer. :o Thanks for your reply.