Netgate Discussion Forum

    OpenVPN Multiple Site-to-Site routing

    7 Posts 4 Posters 3.7k Views
guto_voigt wrote:

      Hello.

I'm trying to reach the following scenario with OpenVPN and pfSense, but I got stuck with the routing thing.

What I'm trying to do is connect 2 clients with different subnets under a pfSense OpenVPN server (hub 'n' spoke topology), and be able to have Client A talk with Client B and vice versa.

Client A
   |
OpenVPN Server
   |
Client B

I've already set up the site-to-site VPNs successfully, where Clients A and B talk to the OpenVPN server and vice versa, but those clients can't talk with each other.

This is the setup I made so far:

      OpenVPN Server:
      LAN: 192.168.248.0/24
      WAN: 192.168.0.2/24
      Tunnel: 172.16.0.0/24

      Client A: 192.168.246.0/24
      Client B: 192.168.249.0/24

      OpenVPN Server Config:

      Server Mode: Peer to Peer ( SSL/TLS )
      Protocol: UDP
      Device Mode: tun
      Interface: WAN
      Local port: 1194
      IPv4 Tunnel Network: 172.16.0.0/24
      IPv6 Tunnel Network: blank
      Redirect Gateway: blank
      IPv4 Local Network/s: 192.168.248.0/24
      IPv6 Local Network/s: blank
      IPv4 Remote Network/s: blank
      IPv6 Remote Network/s: blank
      Compression: No preference
      Type-of-Service: blank
      Duplicate Connections: blank
      Disable IPv6: blank

      Advanced configuration:

      route 192.168.246.0 255.255.255.0 172.16.0.2;
      route 192.168.249.0 255.255.255.0 172.16.0.2;
      push "route 192.168.246.0 255.255.255.0";
      push "route 192.168.249.0 255.255.255.0";

      Client Specific Override

      Client A:

      Common name: (matching with certificate name)
      Tunnel Network: blank
      IPv4 Local Network/s: blank
      IPv6 Local Network/s: blank
      IPv4 Remote Network/s: blank
      IPv6 Remote Network/s: blank
      Redirect Gateway: blank
      Advanced: iroute 192.168.246.0 255.255.255.0;

      Client B:

      Common name: (matching with certificate name)
      Tunnel Network: blank
      IPv4 Local Network/s: blank
      IPv6 Local Network/s: blank
      IPv4 Remote Network/s: blank
      IPv6 Remote Network/s: blank
      Redirect Gateway: blank
      Advanced: iroute 192.168.249.0 255.255.255.0;

      Any help is appreciated.

Derelict (LAYER 8, Netgate) wrote:

        What's on the OpenVPN tabs in firewall rules in each of the three locations?

Are we looking at the tunnels not coming up at all, or are they coming up and both can route to the hub, or what?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

Derelict (LAYER 8, Netgate) wrote:

          If you're building this out from scratch and can change the remote networks at will, I would consider putting all the remote sites on subnet boundaries.

          For instance in order to encompass both 192.168.246.0/24 and 192.168.249.0/24 in one route, you have to go all the way to a /20 (192.168.240.0 - 192.168.255.255).  And you're covering your local LAN in the same subnet.

          I would probably pick a brand new random subnet for the spokes.  Say you select 172.19.224.0/19.  That gives you 172.19.224.0 - 172.19.255.0 as /24s.

          You could then just do this (changes in red):

          OpenVPN Server:
          LAN: 192.168.248.0/24
          WAN: 192.168.0.2/24
          Tunnel: 172.16.0.0/24

          Client A: 172.19.224.0/24
          Client B: 172.19.225.0/24

          OpenVPN Server Config:

          Server Mode: Peer to Peer ( SSL/TLS )
          Protocol: UDP
          Device Mode: tun
          Interface: WAN
          Local port: 1194
          IPv4 Tunnel Network: 172.16.0.0/24
          IPv6 Tunnel Network: blank
          Redirect Gateway: blank
          IPv4 Local Network/s: 192.168.248.0/24
          IPv6 Local Network/s: blank
          IPv4 Remote Network/s: 172.19.224.0/19
          IPv6 Remote Network/s: blank
          Compression: No preference
          Type-of-Service: blank
          Duplicate Connections: blank
          Disable IPv6: blank

          Advanced configuration:

          route 192.168.246.0 255.255.255.0 172.16.0.2;
          route 192.168.249.0 255.255.255.0 172.16.0.2;

          push "route 172.19.224.0 255.255.224.0";
          push "route 192.168.249.0 255.255.255.0";

          Client Specific Override

          Client A:

          Common name: (matching with certificate name)
          Tunnel Network: blank
          IPv4 Local Network/s: blank
          IPv6 Local Network/s: blank
          IPv4 Remote Network/s: blank
          IPv6 Remote Network/s: blank
          Redirect Gateway: blank
          Advanced: iroute 172.19.224.0 255.255.255.0;

          Client B:

          Common name: (matching with certificate name)
          Tunnel Network: blank
          IPv4 Local Network/s: blank
          IPv6 Local Network/s: blank
          IPv4 Remote Network/s: blank
          IPv6 Remote Network/s: blank
          Redirect Gateway: blank
          Advanced: iroute 172.19.225.0 255.255.255.0;

          Then if you want a fully-open hub and spoke, all sites need firewall rules on the appropriate OpenVPN tabs or interface tabs passing traffic from 172.19.224.0/19 and 192.168.248.0/24 to either any or to the local network or whatever assets you want them to have access to.

I think that'd do what you want.  It's not absolutely necessary, but I like to supernet to OpenVPN and then use iroutes for the individual sites.  The main reason I do so is so I don't have to bounce your OpenVPN server to change the IPv4 Remote Network/s: 172.19.224.0/19 or the advanced settings.  If you add a site, doing it the way I described, you don't have to touch the server.  All you have to add is the client-specific override, which is hitless to everyone else.

          I also like to be able to refer to all remote OpenVPN sites in one network statement.


guto_voigt wrote:
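The two arithmetic points in the reply above (the original spoke pair only collapses into a /20 that also swallows the hub LAN, whereas a fresh 172.19.224.0/19 gives 32 spoke /24s and one push line) are easy to get wrong by hand. The script below is an added example, not something from the thread or from pfSense; it uses only Python's standard ipaddress module, and the function names, the dictionary keys and the choice of /24 per spoke are my own assumptions. It computes the smallest supernet over a set of spoke LANs, reports whether that block overlaps the hub's LAN, and emits the server `push "route ..."` line and per-CSO `iroute` lines in the syntax used in this thread.

```python
import ipaddress


def smallest_supernet(cidrs):
    """Return the smallest single network that contains every given network."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one bit until all fit
    return candidate


def plan(hub_lan, spoke_lans, supernet=None, spoke_prefix=24):
    """Summarise what advertising one block for all spokes means for the hub.

    hub_lan:      the server's LAN (e.g. '192.168.248.0/24')
    spoke_lans:   one CIDR per spoke
    supernet:     the block to advertise; defaults to the smallest one that fits
    spoke_prefix: prefix length handed to each spoke (assumed /24 here)
    """
    hub = ipaddress.ip_network(hub_lan)
    block = ipaddress.ip_network(supernet) if supernet else smallest_supernet(spoke_lans)
    spokes = [ipaddress.ip_network(s) for s in spoke_lans]
    uncovered = [str(s) for s in spokes if not s.subnet_of(block)]
    # how many spoke-sized slots the block offers (a block smaller than a
    # spoke is a single slot rather than an error)
    slots = list(block.subnets(new_prefix=spoke_prefix)) if block.prefixlen <= spoke_prefix else [block]
    return {
        "supernet": str(block),
        "overlaps_hub_lan": block.overlaps(hub),
        "uncovered_spokes": uncovered,
        "spoke_slots": len(slots),
        "first_slot": str(slots[0]),
        "last_slot": str(slots[-1]),
        # value for the server's 'IPv4 Remote Network/s' field
        "remote_networks": str(block),
        # one push line on the server covers every spoke
        "push": f'push "route {block.network_address} {block.netmask}";',
        # one iroute per spoke, placed in that spoke's client-specific override
        "iroutes": [f"iroute {s.network_address} {s.netmask};" for s in spokes],
    }


if __name__ == "__main__":
    # constructed inputs: the original pair of spokes, then the re-addressed pair
    print(plan("192.168.248.0/24", ["192.168.246.0/24", "192.168.249.0/24"]))
    print(plan("192.168.248.0/24", ["172.19.224.0/24", "172.19.225.0/24"],
               supernet="172.19.224.0/19"))
```

Run with the first call and `overlaps_hub_lan` comes back true for 192.168.240.0/20, which is the reason the reply moves the spokes out of 192.168.x.x; run with the second and the block leaves the hub LAN alone and lists 172.19.224.0/24 through 172.19.255.0/24 as usable spoke slots.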

Oh great, that's all I needed :D

Yeah, I'm building this from scratch in a test lab.

I'm gonna try this setup tomorrow and keep you updated.

            Thanks for the help.

guto_voigt wrote:

Thanks for the help, Derelict. After a week this configuration is working flawlessly.

              This topic can be closed, and marked as solved.

              :D

chris4916 wrote:

                @guto_voigt:

                This topic can be closed, and marked as solved.  :D

;D I'm afraid you will have to do it yourself, by editing the first post's title ;)

Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

micro8765 (replying to Derelict) wrote:

                  I know this is an old post but it is directly relevant to my needs.

I've had a hub and spoke pfSense/OpenVPN setup for years, but only using the basic config fields with no advanced 'push' or 'iroute' commands. For the most part routing works, but sometimes there are issues and I'm wondering if this is a better way.

                  For reference my current setup is detailed in a recent post:

                  OpenVPN hub and spoke with AD/DNS on spoke

                  I'd like to try the configuration suggested in this thread but I don't have the luxury of changing to contiguous subnets - I have 5 spokes and their subnets are all over the place (mix of 192.168.x.x, 172.x.x.x & 10.x.x.x).

                  Therefore I'd like to understand if I have the config right in this case. Looking at the OP's original subnets, I'm wondering if the following config would have worked. I've added a third spoke for completeness. The only tweaks are in the server's IPv4 Remote Network/s field, the server's advanced 'push' commands, and the CSO 'iroute' commands.

                  OpenVPN Server:
                  LAN: 192.168.248.0/24
                  Tunnel: 172.16.0.0/24

                  Client A: 192.168.246.0/24
                  Client B: 192.168.249.0/24
                  Client C: 172.27.30.0/24

                  OpenVPN Server Config:

                  Server Mode: Peer to Peer ( SSL/TLS )
                  Protocol: UDP
                  Device Mode: tun
                  Interface: WAN
                  Local port: 1194
                  IPv4 Tunnel Network: 172.16.0.0/24
                  IPv6 Tunnel Network: blank
                  Redirect Gateway: blank
                  IPv4 Local Network/s: 192.168.248.0/24
                  IPv6 Local Network/s: blank
                  IPv4 Remote Network/s: 192.168.246.0/24,192.168.249.0/24,172.27.30.1
                  IPv6 Remote Network/s: blank
                  Compression: No preference
                  Type-of-Service: blank
                  Duplicate Connections: blank
                  Disable IPv6: blank

                  Advanced configuration:

                  push "192.168.246.0 255.255.255.0";
                  push "192.168.249.0 255.255.255.0";
                  push "172.27.30.1 255.255.255.0";

                  Client Specific Override

                  Client A:

                  Common name: (matching with certificate name)
                  Tunnel Network: blank
                  IPv4 Local Network/s: blank
                  IPv6 Local Network/s: blank
                  IPv4 Remote Network/s: blank
                  IPv6 Remote Network/s: blank
                  Redirect Gateway: blank
                  Advanced:

                  iroute 192.168.249.0 255.255.255.0;
                  iroute 172.27.30.1.0 255.255.255.0;

                  Client B:

                  Common name: (matching with certificate name)
                  Tunnel Network: blank
                  IPv4 Local Network/s: blank
                  IPv6 Local Network/s: blank
                  IPv4 Remote Network/s: blank
                  IPv6 Remote Network/s: blank
                  Redirect Gateway: blank
                  Advanced:

                  iroute 192.168.246.0 255.255.255.0;
                  iroute 172.27.30.0 255.255.255.0;

                  Client C:

                  Common name: (matching with certificate name)
                  Tunnel Network: blank
                  IPv4 Local Network/s: blank
                  IPv6 Local Network/s: blank
                  IPv4 Remote Network/s: blank
                  IPv6 Remote Network/s: blank
                  Redirect Gateway: blank
                  Advanced:

                  iroute 192.168.246.0 255.255.255.0;
                  iroute 192.168.249.0 255.255.255.0;

                  Any comments or advice is very much appreciated.

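When spoke subnets are scattered like this, the server config and every client-specific override have to agree with each other, and the earlier posts in this thread show the two rules that matter: each spoke's CSO carries an `iroute` for the LAN behind that spoke, and a server push line is `push "route <net> <mask>"`. The checker below is an added example, not pfSense code or anything posted in the thread; the function names, the spoke list (including Client C's 172.27.30.0/24) and the two sample configs are constructed for illustration. It parses the 'IPv4 Remote Network/s' entries, the push lines and each CSO's advanced lines, and reports entries that are not valid networks, push lines with no route directive, iroutes that name another spoke's LAN or fall outside what the server routes into the tunnel, and spokes that never claim their own LAN.

```python
import ipaddress
import re

# Constructed: the LAN that sits behind each spoke (common name -> CIDR).
SPOKE_LANS = {
    "clientA": "192.168.246.0/24",
    "clientB": "192.168.249.0/24",
    "clientC": "172.27.30.0/24",
}

PUSH_RE = re.compile(r'^push "route (\S+) (\S+)"$')
IROUTE_RE = re.compile(r"^iroute (\S+) (\S+)$")


def parse_net(addr, mask=None):
    """Parse 'a.b.c.d/len', 'a.b.c.d' or (address, dotted mask) as a network.
    Returns None when the text is not a valid network address (host bits set,
    too many octets, ...)."""
    try:
        text = addr if mask is None else f"{addr}/{mask}"
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None


def check_config(remote_networks, push_lines, csos, spoke_lans=SPOKE_LANS):
    """Return a list of findings (empty means consistent).

    remote_networks: entries of the server's 'IPv4 Remote Network/s' field
    push_lines:      lines from the server's advanced configuration box
    csos:            {common_name: [advanced lines of that client override]}
    """
    findings = []
    covered = []  # networks the server will route into the tunnel
    for entry in remote_networks:
        entry = entry.strip()
        net = parse_net(entry)
        if net is None or "/" not in entry:
            findings.append(f"remote network {entry!r} is not a CIDR network")
        else:
            covered.append(net)
    for line in push_lines:
        line = line.strip().rstrip(";")
        m = PUSH_RE.match(line)
        if m is None:
            findings.append(f"push line {line!r} does not carry a 'route' directive")
        elif parse_net(*m.groups()) is None:
            findings.append(f"push line {line!r} has a bad address/mask")
    lans = {cn: ipaddress.ip_network(cidr) for cn, cidr in spoke_lans.items()}
    for cn, lines in csos.items():
        own = lans[cn]
        claimed = []
        for raw in lines:
            line = raw.strip().rstrip(";")
            m = IROUTE_RE.match(line)
            net = parse_net(*m.groups()) if m else None
            if net is None:
                findings.append(f"{cn}: {line!r} is not a valid iroute")
                continue
            claimed.append(net)
            # an iroute tells the server "this network is behind THIS client"
            owner = next((o for o, n in lans.items() if n == net), None)
            if owner is not None and owner != cn:
                findings.append(f"{cn}: iroute {net} names the LAN of {owner}")
            if not any(net.subnet_of(c) for c in covered):
                findings.append(f"{cn}: iroute {net} is not in the server's remote networks")
        if own not in claimed:
            findings.append(f"{cn}: no iroute for its own LAN {own}")
    return findings


# Constructed sample 1: the shape of the config asked about above.
AS_ASKED = (
    ["192.168.246.0/24", "192.168.249.0/24", "172.27.30.1"],
    ['push "192.168.246.0 255.255.255.0";',
     'push "192.168.249.0 255.255.255.0";',
     'push "172.27.30.1 255.255.255.0";'],
    {"clientA": ["iroute 192.168.249.0 255.255.255.0;", "iroute 172.27.30.1.0 255.255.255.0;"],
     "clientB": ["iroute 192.168.246.0 255.255.255.0;", "iroute 172.27.30.0 255.255.255.0;"],
     "clientC": ["iroute 192.168.246.0 255.255.255.0;", "iroute 192.168.249.0 255.255.255.0;"]},
)

# Constructed sample 2: same sites, each CSO claiming only its own LAN and
# every push line carrying a route directive, as in the earlier posts.
EACH_OWN_LAN = (
    ["192.168.246.0/24", "192.168.249.0/24", "172.27.30.0/24"],
    ['push "route 192.168.246.0 255.255.255.0";',
     'push "route 192.168.249.0 255.255.255.0";',
     'push "route 172.27.30.0 255.255.255.0";'],
    {"clientA": ["iroute 192.168.246.0 255.255.255.0;"],
     "clientB": ["iroute 192.168.249.0 255.255.255.0;"],
     "clientC": ["iroute 172.27.30.0 255.255.255.0;"]},
)

if __name__ == "__main__":
    for name, cfg in (("as asked", AS_ASKED), ("each own LAN", EACH_OWN_LAN)):
        print(name, check_config(*cfg) or "consistent")
```

The second sample passes clean; the first produces one finding per problem, so the output reads as a to-do list for the server page and each CSO. The checker deliberately parses with `strict=True`, which is what rejects `172.27.30.1` as a network in the remote-networks field: a host address there is the kind of slip that otherwise shows up only as "routing mostly works".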
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.