OpenVPN PSK multi site to site



  • Hello there,

    I'm trying to set up a multi site-to-site VPN using OpenVPN (hub and spoke).

    One location (A) is the server; the rest (branch offices) will be clients to this server.

    Setup on the server is very basic:

    runs on port 1194 UDP
    pfsense created the shared key
    IPv4 Tunnel Network  10.0.68.0/24 
    IPv4 Local Network/s   10.0.33.0/24    (this is the LAN network on site A, the server LAN network)

    IPv4 Remote Network/s 10.32.0.0/22,192.168.0.0/22,192.168.36.0/21      (comma separated list of remote LAN networks of branch offices B, C ,…)

    Trying to setup a client like this, site B

    IPv4 Tunnel Network    10.0.68.0/24    (<---- same as above on the server, site A)
    IPv4 Remote Network/s  10.0.33.0/24    (<---- the LAN network on the server side, site A)

    I've set up several client branches to connect to site 1; the tunnels come up, but I'm having a problem where apparently only 1 tunnel is active.

    Example: I can ping from site A to B and the tunnel is up; after this I ping something in site C, the tunnel comes up after some seconds, but at the same time the tunnel to site A goes down.

    I guess there's something wrong with the routes?

    Anybody else who set up multi site-to-site with OpenVPN as a hub and spoke setup and knows what I'm doing wrong?

    thanks in advance for any help!


  • Rebel Alliance Global Moderator

    "IPv4 Remote Network/s  10.32.0.0/22,192.168.0.0/22,192.168.36.0/21      (comma separated list of remote LAN networks of branch offices B, C ,…)"

    So how does pfSense know which tunnel to send traffic through if you have multiple clients?  I would think you need to set up a server/client pair for each spoke, and then on each pair set up the networks correctly for that pair.



  • That's a good remark, Johnpoz. I have been thinking about this also.

    I'm just wondering if the correct way to set up multi site hub and spoke is by using several OpenVPN servers at the main office. It just seems a little bit "strange" creating 10 servers, one for each branch office… But it could be the way it's meant to be.

    It would be great if somebody using this in production could confirm this is the way it should be setup.


  • Rebel Alliance Global Moderator

    Did you create the iroutes to tell pfSense which specific tunnel to use?



  • No, I didn't create any rules so far. I actually tried your idea to create separate tunnels for each branch office, but so far only the first one connected and the others don't work.

    I edited the local / remote networks thinking that's enough?  Thanks for your help!



  • "IPv4 Remote Network/s  10.32.0.0/22,192.168.0.0/22,192.168.36.0/21      (comma separated list of remote LAN networks of branch offices B, C ,…)"

    So how does pfSense know which tunnel to send traffic through if you have multiple clients?

    Did you create the iroutes to tell pfSense which specific tunnel to use?

    There's no need to create a different OpenVPN server for every spoke; there's a much more elegant solution.
    In this case iroute is the key, but it has to be in the correct place: the "Client Specific Configuration" tab under OpenVPN.

    You create an entry for each spoke that has the EXACT Common name for that spoke's client, the tunnel subnet, and the subnets that need to be routed for that spoke.

    Create them all and then restart the OpenVPN server, and force the spokes to restart.
    If you check the status log, you should see the OpenVPN server referencing the respective CSC entry for each client.

    I have this setup in a number of locations, it works great.



  • Thanks for the confirmation divsys!

    I'm using a pre-shared key. "the EXACT Common name for that spoke's client"
    -> does this apply when using shared keys? If I hear common name I think about certificates. What should be filled in in my case?

    Did you fill in the tunnel network on the client side?



  • I've always used individual certificates for my setups.

    The only way I can see a single shared key possibly working is if you add in username/password authentication at the client and the "username-as-common-name" directive to allow the server to differentiate.  Probably more trouble than it's worth.

    So you're stuck with either creating separate server instances, which should have their own keys anyway, or creating separate keys for each client and managing the whole thing in one OpenVPN server instance.  I personally lean toward the second case, but that's just my $.02.



  • Thanks for the hint,

    OK, I started converting everything to a PKI setup with client side overrides.
    So far I converted 4 sites; the first 2 worked immediately, the last 2 don't work so far.

    I'll double-check ASAP what's wrong with the last 2.  What surprises me is that according to the status page the last 2 tunnels are also up,
    but I can't reach anything on the other end.

    It's not firewall rule related; everything has an allow-all rule in the OpenVPN firewall tab for testing purposes.

    some questions:

    • when you configure the client, do you fill in the tunnel network or is it enough to define this on the server?

    • on the server > advanced; do I understand correctly that I have to add the route for every extra branch office?

    eg

    Advanced: push "route <ip range server lan> 255.255.255.0";route <ip subnet branch1> 255.255.255.0;route <ip subnet branch2> 255.255.255.0;

    That's what I did for the 4 sites I tested and 2 of them work so far.

    Thanks again for any pointers



    • when you configure the client, do you fill in the tunnel network or is it enough to define this on the server?

    I always do, to make sure it's correct at both ends; I use a /24 subnet even though it's often overkill.  It needs to be the same in the Client Specific Configuration entry for each client as well.

    • on the server > advanced; do I understand correctly that I have to add the route for every extra branch office?

    Yes, that's correct: you list all the subnets that the server will route to any of the clients and then add a specific "iroute" in the CSC entry for each client according to the subnet that client needs.

    In pfSense 2.2.4, it's easier to use the "IPv4 Local Network/s" and "IPv4 Remote Network/s" boxes (although the "old" Advanced box method still works).
    The "Local" box is a comma delimited list of all of the Server's subnets, while the "Remote" box is a comma delimited list of all of the Client's subnets.

    As noted above, CSC entries split them where they need to go.

    The only other thing I've run into when adding new pieces to an existing OpenVPN setup is that pfSense does a fairly good job of trying to keep its OpenVPN servers and clients up and running.  That sometimes means when you make changes on the fly, you have to explicitly stop the server and client one at a time and then restart both to make sure your changes are in place.  Changing/adding certificates on the fly can be very problematic sometimes.

    Seeing as you have two sites working OK, you probably have the basic techniques done correctly.  I would make all the entries in the server for all the clients, then reboot the pfSense server box.  Then you can work on each client one by one and see the changes in the server's OpenVPN status log to see what's going on.

    In the end I find this stuff takes more time to describe than to actually get going, especially if you've managed to get two clients working already.

    Keep at it and let us know how it goes.