OpenVPN Multiple Site-to-Site routing

guto_voigt

Hello.

I'm trying to reach the following scenario with OpenVPN and pfsense, but i'd get stuck with the routing thing.

What i'm trying to do is connect together 2 client's with different subnet's under a pfSense OpenVPN Server (hub n' spoke topology), and be able to Client A talk with Client B and vice-versa.

Client A
/
||
/
OpenVPN Server
/
||
/
Client B

I've already setup the site-to-site vpns with success, where Clients A and B talk to OpenVPN Server and vice-versa, but those client's can't talk with each other.

This is the setup i made so far:

OpenVPN Server:
LAN: 192.168.248.0/24
WAN: 192.168.0.2/24
Tunnel: 172.16.0.0/24

Client A: 192.168.246.0/24
Client B: 192.168.249.0/24

OpenVPN Server Config:

Server Mode: Peer to Peer ( SSL/TLS )
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
IPv4 Tunnel Network: 172.16.0.0/24
IPv6 Tunnel Network: blank
Redirect Gateway: blank
IPv4 Local Network/s: 192.168.248.0/24
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Compression: No preference
Type-of-Service: blank
Duplicate Connections: blank
Disable IPv6: blank

Advanced configuration:

route 192.168.246.0 255.255.255.0 172.16.0.2;
route 192.168.249.0 255.255.255.0 172.16.0.2;
push "route 192.168.246.0 255.255.255.0";
push "route 192.168.249.0 255.255.255.0";

Client Specific Override

Client A:

Common name: (matching with certificate name)
Tunnel Network: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: iroute 192.168.246.0 255.255.255.0;

Client B:

Common name: (matching with certificate name)
Tunnel Network: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: iroute 192.168.249.0 255.255.255.0;

Any help is appreciated.

Derelict

What's on the OpenVPN tabs in firewall rules in each of the three locations?

Are we looking at the tunnels not coming up at all or they're coming up and both can route to the hub or what?

Derelict

If you're building this out from scratch and can change the remote networks at will, I would consider putting all the remote sites on subnet boundaries.

For instance in order to encompass both 192.168.246.0/24 and 192.168.249.0/24 in one route, you have to go all the way to a /20 (192.168.240.0 - 192.168.255.255).  And you're covering your local LAN in the same subnet.

I would probably pick a brand new random subnet for the spokes.  Say you select 172.19.224.0/19.  That gives you 172.19.224.0 - 172.19.255.0 as /24s.

You could then just do this (changes in red):

OpenVPN Server:
LAN: 192.168.248.0/24
WAN: 192.168.0.2/24
Tunnel: 172.16.0.0/24

Client A: 172.19.224.0/24
Client B: 172.19.225.0/24

OpenVPN Server Config:

Server Mode: Peer to Peer ( SSL/TLS )
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
IPv4 Tunnel Network: 172.16.0.0/24
IPv6 Tunnel Network: blank
Redirect Gateway: blank
IPv4 Local Network/s: 192.168.248.0/24
IPv6 Local Network/s: blank
IPv4 Remote Network/s: 172.19.224.0/19
IPv6 Remote Network/s: blank
Compression: No preference
Type-of-Service: blank
Duplicate Connections: blank
Disable IPv6: blank

Advanced configuration:

route 192.168.246.0 255.255.255.0 172.16.0.2;
route 192.168.249.0 255.255.255.0 172.16.0.2;
push "route 172.19.224.0 255.255.224.0";
push "route 192.168.249.0 255.255.255.0";

Client Specific Override

Client A:

Common name: (matching with certificate name)
Tunnel Network: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: iroute 172.19.224.0 255.255.255.0;

Client B:

Common name: (matching with certificate name)
Tunnel Network: blank
IPv4 Local Network/s: blank
IPv6 Local Network/s: blank
IPv4 Remote Network/s: blank
IPv6 Remote Network/s: blank
Redirect Gateway: blank
Advanced: iroute 172.19.225.0 255.255.255.0;

Then if you want a fully-open hub and spoke, all sites need firewall rules on the appropriate OpenVPN tabs or interface tabs passing traffic from 172.19.224.0/19 and 192.168.248.0/24 to either any or to the local network or whatever assets you want them to have access to.

I think that'd do what you want.  It's not absolutely necessary but I like to supernet to OpenVPN then use iroutes for the individual sites.  The main reason I do so is so I don't have to bounce your OpenVPN server to change the IPv4 Remote Network/s: 172.19.224.0/19 or the advanced settings.  If you add a site, doing it the way I described, you don't have to touch the server.  All you have to add is the client-specific override with is hitless to everyone else.

I also like to be able to refer to all remote OpenVPN sites in one network statement.

guto_voigt

Oh great, that's all i needed :D

Yeah, i'm building this from scratch on a test lab.

I'm gonna try this setup tomorrow and let you updated.

Thanks for the help.

guto_voigt

Thanks for the help Derelict. After a week this configuration is working flawless.

This topic can be closed, and marked as solved.

:D

chris4916

@guto_voigt:

This topic can be closed, and marked as solved.  :D

;D I'm afraid you will have to do it by yourself, editing first post title  ;)