OpenVPN Multiple Site-to-Site routing



  • Hello.

    I'm trying to reach the following scenario with OpenVPN and pfSense, but I get stuck with the routing thing.

    What I'm trying to do is connect 2 clients with different subnets under a pfSense OpenVPN Server (hub and spoke topology), and have Client A able to talk with Client B and vice versa.

    Client A
       /\
       ||
       \/
    OpenVPN Server
       /\
       ||
       \/
    Client B

    I've already set up the site-to-site VPNs with success, where Clients A and B talk to the OpenVPN Server and vice versa, but those clients can't talk with each other.

    This is the setup I made so far:

    OpenVPN Server:
    LAN: 192.168.248.0/24
    WAN: 192.168.0.2/24
    Tunnel: 172.16.0.0/24

    Client A: 192.168.246.0/24
    Client B: 192.168.249.0/24

    OpenVPN Server Config:

    Server Mode: Peer to Peer ( SSL/TLS )
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local port: 1194
    IPv4 Tunnel Network: 172.16.0.0/24
    IPv6 Tunnel Network: blank
    Redirect Gateway: blank
    IPv4 Local Network/s: 192.168.248.0/24
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: blank
    IPv6 Remote Network/s: blank
    Compression: No preference
    Type-of-Service: blank
    Duplicate Connections: blank
    Disable IPv6: blank

    Advanced configuration:

    route 192.168.246.0 255.255.255.0 172.16.0.2;
    route 192.168.249.0 255.255.255.0 172.16.0.2;
    push "route 192.168.246.0 255.255.255.0";
    push "route 192.168.249.0 255.255.255.0";

    Client Specific Override

    Client A:

    Common name: (matching with certificate name)
    Tunnel Network: blank
    IPv4 Local Network/s: blank
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: blank
    IPv6 Remote Network/s: blank
    Redirect Gateway: blank
    Advanced: iroute 192.168.246.0 255.255.255.0;

    Client B:

    Common name: (matching with certificate name)
    Tunnel Network: blank
    IPv4 Local Network/s: blank
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: blank
    IPv6 Remote Network/s: blank
    Redirect Gateway: blank
    Advanced: iroute 192.168.249.0 255.255.255.0;

    Any help is appreciated.


  • Netgate

    What's on the OpenVPN tabs in firewall rules in each of the three locations?

    Are we looking at the tunnels not coming up at all or they're coming up and both can route to the hub or what?


  • Netgate

    If you're building this out from scratch and can change the remote networks at will, I would consider putting all the remote sites on subnet boundaries.

    For instance in order to encompass both 192.168.246.0/24 and 192.168.249.0/24 in one route, you have to go all the way to a /20 (192.168.240.0 - 192.168.255.255).  And you're covering your local LAN in the same subnet.

    I would probably pick a brand new random subnet for the spokes.  Say you select 172.19.224.0/19.  That gives you 172.19.224.0 - 172.19.255.0 as /24s.

    You could then just do this (changes in red):

    OpenVPN Server:
    LAN: 192.168.248.0/24
    WAN: 192.168.0.2/24
    Tunnel: 172.16.0.0/24

    Client A: 172.19.224.0/24
    Client B: 172.19.225.0/24

    OpenVPN Server Config:

    Server Mode: Peer to Peer ( SSL/TLS )
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local port: 1194
    IPv4 Tunnel Network: 172.16.0.0/24
    IPv6 Tunnel Network: blank
    Redirect Gateway: blank
    IPv4 Local Network/s: 192.168.248.0/24
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: 172.19.224.0/19
    IPv6 Remote Network/s: blank
    Compression: No preference
    Type-of-Service: blank
    Duplicate Connections: blank
    Disable IPv6: blank

    Advanced configuration:

    route 192.168.246.0 255.255.255.0 172.16.0.2;
    route 192.168.249.0 255.255.255.0 172.16.0.2;

    push "route 172.19.224.0 255.255.224.0";
    push "route 192.168.249.0 255.255.255.0";

    Client Specific Override

    Client A:

    Common name: (matching with certificate name)
    Tunnel Network: blank
    IPv4 Local Network/s: blank
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: blank
    IPv6 Remote Network/s: blank
    Redirect Gateway: blank
    Advanced: iroute 172.19.224.0 255.255.255.0;

    Client B:

    Common name: (matching with certificate name)
    Tunnel Network: blank
    IPv4 Local Network/s: blank
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: blank
    IPv6 Remote Network/s: blank
    Redirect Gateway: blank
    Advanced: iroute 172.19.225.0 255.255.255.0;

    Then if you want a fully-open hub and spoke, all sites need firewall rules on the appropriate OpenVPN tabs or interface tabs passing traffic from 172.19.224.0/19 and 192.168.248.0/24 to either any or to the local network or whatever assets you want them to have access to.

    I think that'd do what you want.  It's not absolutely necessary but I like to supernet to OpenVPN then use iroutes for the individual sites.  The main reason I do so is so I don't have to bounce your OpenVPN server to change the IPv4 Remote Network/s: 172.19.224.0/19 or the advanced settings.  If you add a site, doing it the way I described, you don't have to touch the server.  All you have to add is the client-specific override, which is hitless to everyone else.

    I also like to be able to refer to all remote OpenVPN sites in one network statement.
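    The addressing arithmetic and the route/iroute split described in the reply above, as an added example that is not part of the thread and not pfSense code: a small Python planner that computes the smallest prefix summarising a set of spoke LANs (the reason 192.168.246.0/24 and 192.168.249.0/24 force a /20 that also swallows the hub's 192.168.248.0/24 LAN), checks an addressing plan for the overlaps that break hub-and-spoke routing, and emits the hub's `route` / `push "route"` lines plus the per-client `iroute` for each override. The subnets are the ones from the thread; the certificate common names (`clientA`, `clientB`) are constructed placeholders.

```python
"""Addressing and routing planner for an OpenVPN hub-and-spoke setup.

Added example for this thread, not code from the thread or from pfSense.
Addresses are the ones used in the thread; the certificate common names are
constructed placeholders.
"""
import ipaddress
from typing import Dict, Iterable, List

# Spoke LANs from the question (CNs are constructed for the example)
ORIGINAL_SPOKES = {"clientA": "192.168.246.0/24", "clientB": "192.168.249.0/24"}
# Spoke LANs from the reply's re-addressed plan inside 172.19.224.0/19
PLANNED_SPOKES = {"clientA": "172.19.224.0/24", "clientB": "172.19.225.0/24"}
HUB_LAN = "192.168.248.0/24"
TUNNEL = "172.16.0.0/24"


def covering_supernet(nets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every network in `nets`.

    This is the arithmetic behind the reply's point that 192.168.246.0/24 and
    192.168.249.0/24 can only be summarised as a /20.
    """
    networks = [ipaddress.ip_network(n) for n in nets]
    first = networks[0]
    for plen in range(first.prefixlen, -1, -1):  # widen the prefix one bit at a time
        candidate = first.supernet(new_prefix=plen)
        if all(n.subnet_of(candidate) for n in networks):
            return candidate
    raise ValueError("no covering prefix found")  # cannot happen: /0 covers everything


def check_plan(hub_lan: str, tunnel: str, supernet: str, spokes: Dict[str, str]) -> List[str]:
    """Return the problems with an addressing plan (an empty list means it is sound).

    `spokes` maps each client's certificate common name to its LAN prefix.
    """
    lan, tun, sup = (ipaddress.ip_network(x) for x in (hub_lan, tunnel, supernet))
    spoke_nets = {cn: ipaddress.ip_network(n) for cn, n in spokes.items()}
    problems: List[str] = []
    # The summary route for the spokes must not swallow the hub's own LAN or the tunnel.
    if lan.overlaps(sup):
        problems.append(f"hub LAN {lan} overlaps spoke supernet {sup}")
    if tun.overlaps(sup) or tun.overlaps(lan):
        problems.append(f"tunnel network {tun} overlaps the hub LAN or the spoke supernet")
    # An iroute only takes effect for prefixes the kernel already sends to the tun
    # interface, so every spoke LAN has to sit inside the supernet that is routed.
    for cn, net in spoke_nets.items():
        if not net.subnet_of(sup):
            problems.append(f"{cn}: {net} lies outside supernet {sup}; its iroute would never be used")
    # Two spokes claiming overlapping LANs would fight over the same iroute.
    cns = list(spoke_nets)
    for i, a in enumerate(cns):
        for b in cns[i + 1:]:
            if spoke_nets[a].overlaps(spoke_nets[b]):
                problems.append(f"{a} and {b} have overlapping LANs")
    return problems


def server_directives(hub_lan: str, supernet: str) -> List[str]:
    """Hub-side directives: route the whole spoke block into the tunnel, push it to
    every spoke so they can reach each other through the hub, and push the hub LAN."""
    lan, sup = ipaddress.ip_network(hub_lan), ipaddress.ip_network(supernet)
    return [
        f"route {sup.network_address} {sup.netmask}",
        f'push "route {sup.network_address} {sup.netmask}"',
        f'push "route {lan.network_address} {lan.netmask}"',
    ]


def client_overrides(spokes: Dict[str, str]) -> Dict[str, str]:
    """The per-client iroute that tells the server which spoke owns each LAN."""
    out = {}
    for cn, prefix in spokes.items():
        net = ipaddress.ip_network(prefix)
        out[cn] = f"iroute {net.network_address} {net.netmask}"
    return out


if __name__ == "__main__":
    sup = covering_supernet(ORIGINAL_SPOKES.values())
    print(f"original spokes summarise to {sup}")  # 192.168.240.0/20
    for p in check_plan(HUB_LAN, TUNNEL, str(sup), ORIGINAL_SPOKES):
        print("  problem:", p)
    print("re-addressed plan problems:", check_plan(HUB_LAN, TUNNEL, "172.19.224.0/19", PLANNED_SPOKES))
    print("\n".join(server_directives(HUB_LAN, "172.19.224.0/19")))
    for cn, line in client_overrides(PLANNED_SPOKES).items():
        print(f"{cn}: {line}")
```

    In pfSense terms, the first `route` line is what the IPv4 Remote Network/s field generates, the pushed hub LAN comes from IPv4 Local Network/s, and each `iroute` goes into the Advanced box of the matching Client Specific Override; adding a third spoke inside 172.19.224.0/19 then only needs a new override, exactly as the reply says. Run with the original subnets, `check_plan` reports the hub LAN overlapping the /20 summary; with the re-addressed plan it returns an empty list.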



  • Oh great, that's all I needed :D

    Yeah, I'm building this from scratch on a test lab.

    I'm gonna try this setup tomorrow and keep you updated.

    Thanks for the help.



  • Thanks for the help Derelict. After a week this configuration is working flawlessly.

    This topic can be closed, and marked as solved.

    :D



  • @guto_voigt:

    This topic can be closed, and marked as solved.  :D

    ;D I'm afraid you will have to do it by yourself, editing first post title  ;)