OpenVPN Multiple Site-to-multiSites routing
-
Yes, sure.
But my topology was to have four /22 networks, and it must stay like that :)
And my answer to divsys's question about one server for all clients (sites): the issue was the same tunnel IPs in the clients; that is my reason for changing to one server for each client. But thanks to every person who contributed to this subject.
I will try the new parameter and report back with the result.
-
That gives you four networks - a /22 - at each site.
You're just making it hard on yourself.
Unless you're telling me you are unwilling or unable to renumber the end sites.
-
Why does it matter that the sites have the same tunnel addresses?
The tunnel is used by the OpenVPN server and clients to encapsulate the traffic you want routed.
In general they don't participate in your network traffic, just make sure the tunnel doesn't overlap any of your LAN subnets (the numbers I gave previously are fine).
In general a simpler design is a superior one, IMHO.
-
Hi,
I tried many times without success. This is my configuration.
I just uploaded some screenshots of my config:
You will see the WAN/OpenVPN rules in site A (server) and the rules in site B.
You will see my setup on the server for OpenVPN to site B.
You will also see the Client Specific Override on the server.
And you will see the external client setup. I just changed the tunnel address from 10.0.11.0/24 to 10.0.10.0/24 because I removed site D from my topology. Hope these screenshots help to resolve my problem.
![OpenVpn Rule Site A Server.png](/public/imported_attachments/1/OpenVpn Rule Site A Server.png)
![Openvpn Client Site B.png](/public/imported_attachments/1/Openvpn Client Site B.png)
![OpenVpn Rule Site B.png](/public/imported_attachments/1/OpenVpn Rule Site B.png)
![Openvpn server to sites.png](/public/imported_attachments/1/Openvpn server to sites.png)
![Openvpn Server2externalclient.png](/public/imported_attachments/1/Openvpn Server2externalclient.png)
![Openvpn Server2siteB.png](/public/imported_attachments/1/Openvpn Server2siteB.png)
![Wan Rule Site A Server.png](/public/imported_attachments/1/Wan Rule Site A Server.png)
![wan Rule Site B.png](/public/imported_attachments/1/wan Rule Site B.png)
-
You obviously don't understand how the firewall rules work yet. Until you do you are going to have a rough go of things.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
On your server's OpenVPN tab (OpenVpn Rule Site A Server.png) you have a rule passing traffic with a source of LAN net. You should NEVER see traffic coming INTO your pfSense node from OpenVPN clients with a source address of LAN net. If you do, you probably want it to be blocked, not passed.
None of the rules after the pass IPv4 any any any rules on your OpenVPN tabs will ever be hit, because the first match, top down, stops rule processing. I would just delete them.
OMG you're trying to configure a Remote Access (road warrior) VPN as a site-to-site/peer-to-peer. That will never work.
-
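To make the rule-ordering point above concrete, here is an added illustration in pf syntax. It is not pfSense's generated ruleset and not from any post in this thread; the interface name `ovpns1`, the LAN subnet 192.168.1.0/24 and the tunnel network 10.0.10.0/24 are assumptions. pfSense marks every user rule `quick`, so the first rule that matches, top down, ends evaluation:

```conf
# Assumed names: ovpns1 = the OpenVPN server interface, 192.168.1.0/24 = "LAN net",
# 10.0.10.0/24 = the tunnel network. Illustrative pf syntax, not pfSense output.

# --- As screenshotted: an any/any pass followed by rules that can never match ---
pass in quick on ovpns1 inet from any to any keep state
# Dead: shadowed by the any/any rule above. It is also the wrong intent; a packet
# arriving from the VPN side with a LAN-net source is spoofed or misrouted.
pass in quick on ovpns1 inet from 192.168.1.0/24 to any keep state
# Dead for the same reason.
pass in quick on ovpns1 inet proto tcp from any to 192.168.1.10 port 443 keep state

# --- Tightened: drop LAN-net sources from the tunnel, pass only tunnel-sourced traffic ---
block in quick on ovpns1 inet from 192.168.1.0/24 to any
pass in quick on ovpns1 inet from 10.0.10.0/24 to 192.168.1.0/24 keep state
block in quick on ovpns1 all
```

Read the second list top down as pf does: a packet sourced from 10.0.10.5 to a LAN host misses the first block, hits the pass, and is done; anything else falls through to the final block. Put the narrowest rule you actually want to match first, and keep any "allow all" rule either last or gone.
-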
Some good points about the setup here, but he has explained that he is connecting to his remote server without an issue and is even talking to the local network of the firewall he is connected to. It's the remote worker to site-to-site network routing that isn't working.
I think it is an issue with telling the client PC to actually route over the tunnel. I noticed in the remote server setup screenshot that the "Redirect Gateway" option isn't checked.
I just tested in my lab successfully. I used the "Redirect Gateway" option to force all client-generated traffic through the tunnel.
My remote worker VPN server was set up with network 10.1.1.0/24.
My site-to-site VPN server on Firewall A was set up like this:
IPv4 Tunnel Network: 10.10.10.0/30
IPv4 Local Networks: 192.168.1.0/24, 10.1.1.0/24
IPv4 Remote Networks: 192.168.230.0/24
My site-to-site VPN client on Firewall B was set up like this:
IPv4 Tunnel Network: 10.10.10.0/30
IPv4 Remote Networks: 192.168.1.0/24, 10.1.1.0/24
I am not pushing any routes over my tunnels.
Rules for OpenVPN were set to a simple "IPv4 Allow Any Any" on both A and B (to make things easier for testing).
I was able to successfully ping from my client PC to the LAN gateway on A, the LAN gateway on B, and a LAN device on B. Here is a traceroute screenshot.
![remote vpn routing.PNG](/public/imported_attachments/1/remote vpn routing.PNG)
-
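Here is the lab layout above written out as raw OpenVPN directives, added as an illustration rather than taken from jdp0418's pfSense GUI or its generated files. The addresses are the ones given in the post; everything else (the shared-key files, the remote hostname, port 1194) is an assumption. The point it makes explicit is that three routing decisions have to agree: the road-warrior client must send B's subnet into its tunnel, Firewall A must forward that subnet into the site-to-site tunnel, and Firewall B must have a route back to the road-warrior pool.

```conf
########## Remote-access (road warrior) server on Firewall A ##########
dev tun
server 10.1.1.0 255.255.255.0            # the 10.1.1.0/24 client pool from the post
push "route 192.168.1.0 255.255.255.0"   # A's own LAN
# Without one of the next two lines the client keeps 192.168.230.0/24 on its
# default gateway and never puts the packet into the tunnel (the failure mode
# described above). "Redirect Gateway" in the GUI is the def1 form; pushing only
# B's subnet is the narrower choice when full-tunnel is not wanted.
push "redirect-gateway def1"
# push "route 192.168.230.0 255.255.255.0"

########## Site-to-site server on Firewall A (/30 tunnel) ##########
dev tun
ifconfig 10.10.10.1 10.10.10.2
secret /var/etc/openvpn/site2site.key    # assumed: shared key, see note below
route 192.168.230.0 255.255.255.0        # "IPv4 Remote Networks": B's LAN lives behind this tunnel

########## Site-to-site client on Firewall B ##########
dev tun
remote fwa.example.net 1194              # assumed hostname/port for Firewall A
ifconfig 10.10.10.2 10.10.10.1
secret /var/etc/openvpn/site2site.key    # assumed
route 192.168.1.0 255.255.255.0          # "IPv4 Remote Networks": A's LAN
route 10.1.1.0 255.255.255.0             # and the road-warrior pool. Leave this out and
                                         # B's replies to 10.1.1.x go out B's WAN and are lost.
```

The `route` lines on A and B are the directive equivalents of the "IPv4 Remote Networks" boxes, which is why no routes need to be pushed across the site-to-site tunnel. The shared-key (`secret`) form is an assumption for brevity; with SSL/TLS the `ifconfig` and `route` lines are unchanged and `secret` is replaced by `tls-server`/`tls-client` plus the `ca`, `cert` and `key` directives. Keep the OpenVPN-tab firewall rules on both nodes wide open only while testing, as jdp0418 did, then narrow them to the tunnel and pool subnets.
-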
Thank you, jdp0418.
Problem resolved, all is working.
-
Thank you, jdp0418.
Problem resolved, all is working.
I have the same requirement here; could you share your configuration?
-
Is it possible to use the same configuration explained in the example, but using a preshared key instead of certificates?
-
Bump!
I too have this same question.
I am using peer-to-peer with a preshared key. A second connection to the server never generates an entry on the server; the two seem to hack each other (when one is up the other is down), so I went to a separate server for each client connection too.
I used different tunnel IPs, if that matters: 172.16/24 and 172.17/24 for the tunnel IPs.
Anyway, with my multiple servers at site A, I have established both client connections, to sites B and C. A to B works fine and I can ping in both directions, A->B and B->A, fine. However, I CANNOT do the same for A->C or C->A!!!
Cannot figure it out. All client settings are the same except for those specific to the client.
What would cause this? I can ping from the pfSense console at site C to IPs at site A, but from any PC at site C I cannot ping anything at site A.
Rules look fine; again, everything is IDENTICAL in the client/server settings for B and C. Can't figure it out!
Thanks,
MP