Designing site-to-site OpenVPN solutions pfsense server + 50 DD-WRT clients



  • Hello,

    I am in the process of testing if pfsense would allow me to have the following setup.

    [main hq ~ 100 users]<--lan-->[pfsense]<------internet (openvpn)----->50 x [linksys wrt54gl dd-wrt v24 vpn]<--lan-->[branch ~ 10 users]

    I would like to configure 50 always on site-to-site connections.

    main hq ip address pool 10.100.100.0/24
    branch ip address pools 192.168.[1-50].0/24

    First question is if I should use shared key or PKI. From what I read, if I use shared key I will have to create 50 tunnels in pfsense and if I use PKI I would just need to create 50 client keys. It seems like PKI is the way to go, is this correct?

    Is it possible to configure dd-wrt routers to connect to the pfsense server?

    Does anybody have any experience with a setup like this? Any advice, recommendation and/or howto would be greatly appreciated.

    Thanks



  • Usually it's better to have shared key setups for site-to-site.
    A PKI is generally for road warriors.

    If you have that many branch offices it is debatable if you want to use a PKI.
    It certainly is "possible".
    Although you have to add client-specific commands (VPN-->OpenVPN-->"Client-specific configuration") since you want to push/add different routes for different clients.

    Take a look at the man pages on http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

    Look for the route and the iroute command.



  • So in case of using the shared key approach, do I still need a separate entry on a different port in VPN>OpenVPN>Server for every branch?



  • If you're going the shared key setup, you will have multiple instances of openVPN running.
    So yes, you would need a separate port for each site.

    I'm not sure if, with so many site-to-site connections, I wouldn't go the PKI way too.

    For smaller setups (maybe up to 5 site-to-sites?) I think it's just better to use multiple shared key tunnels.

    Could you maybe set up a test environment where you could test this with 3 PKI site-to-site connections?



  • I have no problem testing in a real environment; I have several ADSL/cable connections that I am planning to test on before moving to production. I do need some walkthrough and help setting everything up since I have little experience with OpenVPN [a few IPCop installations]. I've read a lot on these forums and did a lot of Google searching, but I can't find a decent pfSense+DD-WRT manual. I am definitely planning to document all this and post it if it turns out to work.



  • I cannot help you on the dd-wrt side.

    Maybe it would be best at first, if you just try to connect a dd-wrt as PKI client to pfSense.
    Then create a client specific configuration on pfSense with route / iroute entries for the subnet behind the client.
    If you get that to work it shouldn't be a problem to set up the rest.

    For HOWTOs just read the documentation on http://openVPN.net --> documentation.
    Everything you need you find there.



  • ok here is my plan

    my main office will have the range 192.168.0.0/24
    and the branches will run from 192.168.[1-50].0/24

    address pool (is this the address pool for the tunnel endpoints?) 10.10.10.0/24

    I will try the PKI setup; I've generated certificates following this guide http://forum.pfsense.org/index.php/topic,7840.0.html

    On the pfsense server in vpn>openvpn>server>remote network I suppose that it will be all the subnets of the branches. If so, the CIDR in this case would be 192.168.0.0/18 (summary route for 192.168.[1-50].0/24).

    Do I understand everything correctly?



  • To be honest i would not use the 192.168.0.0/16 ip range.
    I'd rather go with 10.x.x.x for the offices, and 172.x.x.x for the tunnel. (172.16.x.x to 172.31.x.x)

    Since you're trying to connect multiple remote subnets, don't set the "remote network" field on the main config page.

    Did you read the man pages for the iroute command?
    You create the "remote network" entries in the client specific configuration.
    Use the iroute command here as a custom option.

    You really should read through the man pages of OpenVPN. The best place to start are the example configs.

    You're trying to set something up that is possible if you know what commands to use.
    You cannot just press a button on pfSense and it works.
    You HAVE to familiarize yourself with the options of OpenVPN.
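The posts above describe the PKI design in words: no "remote network" on the main server page, one client-specific configuration per branch carrying an iroute, and matching route entries on the server. The script below is an added example, not code from the thread, pfSense or OpenVPN, that generates exactly those pieces for 50 branches. It assumes the addressing used in this thread (HQ LAN 192.168.0.0/24, branch N LAN 192.168.N.0/24) and certificate common names branch01..branch50; the CN naming is my assumption.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or OpenVPN): generate the
# server-side pieces of the PKI site-to-site design discussed above.
# Assumptions: HQ LAN 192.168.0.0/24, branch N LAN 192.168.N.0/24 (N = 1..50),
# and branch certificates with common names branch01..branch50.
BRANCHES=50
SUMMARY_NET="192.168.0.0 255.255.192.0"   # 192.168.0.0/18: HQ plus branches 1..50

# branch_subnet N -> "192.168.N.0 255.255.255.0"
branch_subnet() {
    printf '192.168.%d.0 255.255.255.0\n' "$1"
}

# branch_cn N -> the certificate CN; the ccd file MUST carry exactly this name
branch_cn() {
    printf 'branch%02d\n' "$1"
}

# ccd_entry N -> contents of ccd/<cn>. "iroute" tells OpenVPN's internal
# routing which connected client owns that subnet; a kernel "route" alone
# only delivers packets to the tun interface.
ccd_entry() {
    printf 'iroute %s\n' "$(branch_subnet "$1")"
}

# server_routes -> one kernel "route" per branch. Every iroute must be
# covered by a server-side route, or the kernel never hands traffic to OpenVPN.
server_routes() {
    n=1
    while [ "$n" -le "$BRANCHES" ]; do
        printf 'route %s\n' "$(branch_subnet "$n")"
        n=$((n + 1))
    done
}

# server_options -> server.conf fragment to add next to the existing PKI
# (tls-server) options on the pfSense side.
server_options() {
    printf 'client-config-dir ccd\n'
    # One push reaches HQ and every branch; each router's own /24 stays on
    # its more specific connected route.
    printf 'push "route %s"\n' "$SUMMARY_NET"
    # Branch-to-branch traffic is switched inside OpenVPN using the iroutes;
    # note that it then bypasses the pfSense packet filter.
    printf 'client-to-client\n'
    server_routes
}

# write_ccd DIR -> writes ccd/<cn> for every branch, prints how many
write_ccd() {
    dir="$1"
    mkdir -p "$dir"
    i=1
    while [ "$i" -le "$BRANCHES" ]; do
        ccd_entry "$i" > "$dir/$(branch_cn "$i")"
        i=$((i + 1))
    done
    ls "$dir" | wc -l | tr -d ' '
}

OUT="${OUT:-$(mktemp -d)}"
server_options > "$OUT/server-options.conf"
echo "wrote $(write_ccd "$OUT/ccd") ccd files and $OUT/server-options.conf"
```

Two things to check when wiring this up: the ccd file name has to match the CN in the branch certificate character for character, and every iroute subnet has to be covered by a server-side route (the summary push alone is not enough on the server). client-to-client makes OpenVPN forward branch-to-branch packets internally, so pfSense firewall rules do not see that traffic; leave it out if you want the filter in the path.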



  • GruensFroeschli,

    I am very interested to hear why you recommend the addressing scheme using 10.x.x.x for the offices, and 172.x.x.x for the tunnel as opposed to addresses in the 192.168.[1-50].0/24 range?



  • @EscArtist:

    Now, I am not able to browse any shares on either side. I can ping all clients from/to both sides.

    The fact that I can ping any host/router on both networks proves layer 7 (OSI) connectivity (I am also able to SSH to the routers and use RDP). The problem with the file shares, I guess, is that I have no WINS server handling this. I will set up Samba with WINS support and see if I will be able to get this working.



  • @flachance:

    GruensFroeschli,
    I am very interested to hear why you recommend the addressing scheme using 10.x.x.x for the offices, and 172.x.x.x for the tunnel as opposed to addresses in the 192.168.[1-50].0/24 range?

    192.168.x.x is often used by default by SOHO devices.
    If you have a setup where you use this range and connect a new device which by default has IPs you're already using...

    And I prefer to use different IP ranges (10.x.x.x and 172.x.x.x) for the offices and the tunnels, because you immediately see what you are dealing with.

    @EscArtist: Are you trying to connect to the shares via name? Does it work if you try to access directly via IP?



  • @GruensFroeschli:

    @EscArtist: Are you trying to connect to the shares via name? Does it work if you try to access directly via IP?

    Both via name and IP. I am guessing IP is the more reliable (basic) test. I can SSH to the routers' LAN IP in the branches and I can RDP to the workstations behind the router.

    This led me to believe that there was definitely something wrong with the workstations. Turned out that it was the Windows firewall. By default it allows connections only from the local subnet. Adding the additional remote branch/HQ subnet made it work.

    I will experiment with this a bit more and then post a better structure manual based on my experience.

    Now my dilemma is still whether it is smarter/better to use static keys or PKI. Static keys are the easier way to go from an administration point of view: I open a firewall port, set up the OpenVPN server and I am pretty much done. On the other hand I run a lot more instances of OpenVPN and open a lot more ports on the firewall (security problem?!)

    I would also like my branches to be able to see each other. I would push some routes when using static keys, or use client-to-client, although I think client-to-client would allow me to access only the endpoint addresses as it doesn't know the subnets behind them. It may be that pushing a summary route would be the right thing.



  • I don't think a shared key setup is easier to manage with 50+ different tunnels.

    In a shared key setup you don't use pushes on the server to add routes to the clients.
    You have to add the routes in the client config directly.
    Meaning if you ever add a new office you will have to change the configuration of every client.

    If you use a PKI you just add a push command on the server and reinitialize the connections.
    If you want to use pushes you have to use a PKI.
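To make the management argument in the post above concrete, here is an added example (not code from the thread, pfSense or OpenVPN) that generates the shared-key alternative for the same 50 branches: one OpenVPN instance, port and static key per branch on the server, and a client config for each DD-WRT router that has to carry every route itself because static-key mode has no push. It also answers the earlier "how many ports do I open" question by counting them. Assumed: HQ LAN 192.168.0.0/24, branch N LAN 192.168.N.0/24, tunnel endpoints as /30 pairs from 10.10.10.0/24, UDP port 1194+N per instance and hq.example.com as the pfSense public name; all of these are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or OpenVPN): the same 50 branches
# done the shared-key way, one OpenVPN instance per branch, to make the
# management cost visible. Assumptions: HQ LAN 192.168.0.0/24, branch N LAN
# 192.168.N.0/24, tunnel endpoints as /30 pairs from 10.10.10.0/24, UDP port
# 1194+N per instance, and hq.example.com as the pfSense public name.
BRANCHES=50
HQ_NET="192.168.0.0 255.255.255.0"
HQ_HOST="hq.example.com"

branch_subnet() { printf '192.168.%d.0 255.255.255.0\n' "$1"; }
branch_port()   { printf '%d\n' $((1194 + $1)); }
# /30 pair N: server .(4N-3), client .(4N-2); branch 1 = .1/.2, branch 50 = .197/.198
server_tun_ip() { printf '10.10.10.%d\n' $((4 * $1 - 3)); }
client_tun_ip() { printf '10.10.10.%d\n' $((4 * $1 - 2)); }

# server_instance N -> server.conf for the instance serving branch N.
# Each instance needs its own listening port and its own static key.
server_instance() {
    printf 'dev tun\nproto udp\nport %s\n' "$(branch_port "$1")"
    printf 'ifconfig %s %s\n' "$(server_tun_ip "$1")" "$(client_tun_ip "$1")"
    printf 'secret keys/branch%02d.key\n' "$1"
    printf 'route %s\n' "$(branch_subnet "$1")"
    printf 'keepalive 10 60\npersist-key\npersist-tun\n'
}

# client_config N -> config for the DD-WRT router of branch N. Static-key
# mode has no "push", so the client itself must carry a route for HQ and
# for every other branch it should reach: a new office means touching
# all existing client configs.
client_config() {
    me="$1"
    printf 'dev tun\nproto udp\nremote %s %s\n' "$HQ_HOST" "$(branch_port "$me")"
    printf 'ifconfig %s %s\n' "$(client_tun_ip "$me")" "$(server_tun_ip "$me")"
    printf 'secret branch%02d.key\n' "$me"
    printf 'route %s\n' "$HQ_NET"
    i=1
    while [ "$i" -le "$BRANCHES" ]; do
        if [ "$i" -ne "$me" ]; then
            printf 'route %s\n' "$(branch_subnet "$i")"
        fi
        i=$((i + 1))
    done
    printf 'keepalive 10 60\npersist-key\npersist-tun\n'
}

# client_route_lines N -> how many routes branch N's router has to carry
client_route_lines() { client_config "$1" | grep -c '^route '; }

# open_ports -> number of distinct UDP ports the HQ firewall must open
open_ports() {
    n=1
    while [ "$n" -le "$BRANCHES" ]; do branch_port "$n"; n=$((n + 1)); done | sort -u | wc -l | tr -d ' '
}

OUT="${OUT:-$(mktemp -d)}"
n=1
while [ "$n" -le "$BRANCHES" ]; do
    server_instance "$n" > "$OUT/server-branch$(printf '%02d' "$n").conf"
    client_config "$n" > "$OUT/client-branch$(printf '%02d' "$n").conf"
    n=$((n + 1))
done
echo "wrote $((BRANCHES * 2)) configs to $OUT; HQ must open $(open_ports) UDP ports"
```

Compare the two designs by what changes when branch 51 comes online: in the PKI design you add one ccd file and one server route; here you add a 51st server instance and a 51st firewall rule, and every one of the 50 existing client configs grows by one route line and has to be redeployed to its router.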



  • @GruensFroeschli:

    I don't think a shared key setup is easier to manage with 50+ different tunnels.

    In a shared key setup you don't use pushes on the server to add routes to the clients.
    You have to add the routes in the client config directly.
    Meaning if you ever add a new office you will have to change the configuration of every client.

    If you use a PKI you just add a push command on the server and reinitialize the connections.
    If you want to use pushes you have to use a PKI.

    What about starting 50 instances of OpenVPN with shared keys? Is it a considerable load for the system, or is there no real way to tell?

    I will look into the PKI setup.

