Netgate Discussion Forum

    Does this scenario work on pfsense? OpenVPN server multiple client remote nets

    3 Posts 2 Posters 1.3k Views
    • Strider3000

      Hi all, I've been troubleshooting a site-to-site configuration for a week now without much luck.

      My application:

      pfsense 2.2 RC running OpenVPN server.
      Eventually, I want to be able to have a hub-spoke network using remote openwrt units.
      Network arch is full routed, no NAT (site-site).
      I would like to only need to maintain one openVPN server instance for the "satellites", so I'm planning on adding the remote networks via client overrides, and having the openvpn tunnel network "shared" between the satellites. Note that I'm also OK with different tunnel nets per site, so long as I don't need more than one server instance.

      Question:
      Is this a supported scenario? pfSense does not seem to want to add the routes for the remote networks unless the remote routes are specified in the server instance as well as in the client overrides. I have been able to get this scenario to work when I set up separate server instances for each "satellite" client, but this gets tough to manage as the number of remote sites increases.
      If I do try to add the remote networks to the server, diagnostics–>routes shows that pfsense wants to add all remote routes to a single openvpn tunnel IP (e.g. 10.0.0.2), which does not work since I need route 1 @ 10.0.0.2, route 2 @ 10.0.0.3, and so on.

      I've attached server, client, and openvpn status pictures. Note that the openvpn status routes table clearly shows the correct remote network, but when I search diagnostics-->routes, pfsense does not have the remote route on the routing table, and I'm unable to send traffic to the remote network. Is there something I'm missing? Any help would be appreciated.

      [Attachments: status.jpg, client.jpg, server.jpg]

      • Derelict (LAYER 8, Netgate)

        Can you dictate the LAN addressing scheme for the remote sites?  If so, then pick something like 172.26.0.0/16.  Put that in the remote network in your server instance.  That will put a route in pfSense telling it to send all traffic for 172.26.0.0/16 into OpenVPN.

        Then, in your client-specific overrides do something like this:

        Site 1: "iroute 172.26.1.0 255.255.255.0"
        Site 2: "iroute 172.26.2.0 255.255.255.0"
        Site 3: "iroute 172.26.3.0 255.255.255.0"
        Site 4: "iroute 172.26.4.0 255.255.255.0"
        Site 5: "iroute 172.26.5.0 255.255.255.0"

        iroutes are internal to OpenVPN so when OpenVPN receives traffic from pfSense for 172.26.3.12 it knows to send it out Site 3's tunnel.

        Doing this allows you to leave the server instance alone when you add/move/change sites (changing the remote networks in the server instance restarts the server).  Changing client specific overrides doesn't.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Strider3000
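        The layout Derelict describes (one supernet routed into the tunnel on the server, one iroute per spoke in its client-specific override) is easy to get subtly wrong once there are many sites: an iroute outside the server's route is unreachable, and two overlapping iroutes make OpenVPN pick a spoke you did not intend. The script below is an added example, not code from the thread or from pfSense; it generates the server `route` line and per-client CCD `iroute` lines from a site table, rejects subnets that fall outside the supernet or overlap another site, and reports which spoke a destination address would be handed to. The common names and subnets are constructed to match the thread's 172.26.0.0/16 example.

```python
"""Build and sanity-check OpenVPN hub-and-spoke routing: one server-side route for the
supernet, one client-config-dir (CCD) iroute per spoke.  Added example; site names and
subnets below are constructed, not taken from any real deployment."""
import ipaddress
from typing import Dict, List, Optional


def server_route_line(supernet: str) -> str:
    """The single 'route' the server instance needs so the OS hands the whole
    supernet to OpenVPN (pfSense generates this from the server's Remote network field)."""
    net = ipaddress.ip_network(supernet, strict=True)
    return f"route {net.network_address} {net.netmask}"


def ccd_entries(supernet: str, sites: Dict[str, str]) -> Dict[str, str]:
    """Return {common_name: ccd_file_contents} with one iroute per spoke.

    Raises ValueError if a spoke subnet is not inside the server's supernet (OpenVPN
    would never receive traffic for it) or overlaps another spoke (ambiguous iroute)."""
    parent = ipaddress.ip_network(supernet, strict=True)
    seen: List[ipaddress.IPv4Network] = []
    out: Dict[str, str] = {}
    for cn, cidr in sites.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(parent):
            raise ValueError(f"{cn}: {net} is not inside server route {parent}")
        for other in seen:
            if net.overlaps(other):
                raise ValueError(f"{cn}: {net} overlaps {other}")
        seen.append(net)
        # iroute is internal to OpenVPN: it maps this subnet to this client's tunnel.
        out[cn] = f"iroute {net.network_address} {net.netmask}\n"
    return out


def spoke_for(address: str, sites: Dict[str, str]) -> Optional[str]:
    """Which spoke's tunnel OpenVPN will use for a destination: longest matching iroute."""
    addr = ipaddress.ip_address(address)
    best = None
    for cn, cidr in sites.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (cn, net)
    return best[0] if best else None


# Constructed site table: common name of each spoke's certificate -> its LAN.
SITES = {
    "site1": "172.26.1.0/24",
    "site2": "172.26.2.0/24",
    "site3": "172.26.3.0/24",
}

if __name__ == "__main__":
    print(server_route_line("172.26.0.0/16"))
    for cn, body in ccd_entries("172.26.0.0/16", SITES).items():
        print(f"--- ccd/{cn}\n{body}", end="")
    print("172.26.3.12 ->", spoke_for("172.26.3.12", SITES))
```

        In pfSense terms the `route` line corresponds to the server instance's Remote network(s) field and each `iroute` line to the Remote network(s) field of that client's override, so only the override needs editing when a site is added or moved; the checks above are the ones worth running before pasting a new override, since OpenVPN itself will not warn about an iroute outside the server's route.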

          @Derelict:

          Can you dictate the LAN addressing scheme for the remote sites?  If so, then pick something like 172.26.0.0/16.  Put that in the remote network in your server instance.  That will put a route in pfSense telling it to send all traffic for 172.26.0.0/16 into OpenVPN.

          Then, in your client-specific overrides do something like this:

          Site 1: "iroute 172.26.1.0 255.255.255.0"
          Site 2: "iroute 172.26.2.0 255.255.255.0"
          Site 3: "iroute 172.26.3.0 255.255.255.0"
          Site 4: "iroute 172.26.4.0 255.255.255.0"
          Site 5: "iroute 172.26.5.0 255.255.255.0"

          iroutes are internal to OpenVPN so when OpenVPN receives traffic from pfSense for 172.26.3.12 it knows to send it out Site 3's tunnel.

          Doing this allows you to leave the server instance alone when you add/move/change sites (changing the remote networks in the server instance restarts the server).  Changing client specific overrides doesn't.

          I'm testing it now and it looks like it might be working correctly. I will test a bit more over the week before marking this resolved.
          Supernetting… it's always a simple answer :o Thanks for your reply.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.