PfSense as OpenVPN client to multiple VPN networks - routes not working

caldwell

I have a pfSense (2.latest) with OpenVPN.  Scenario below:

1. pfSense locally is running 192.168.10.0/24

2. pfSense connects as a client to VPN server 1 which should be the default gateway for all traffic in general.  It runs a 10.x.x.x network.

3. pfSense needs to connect to VPN server 2 which has VPN network 192.168.11.0/24.  Behind VPN server 2 is network 192.168.12.0/24.  I need to connect to that network from machines on my LAN.

4. pfSense needs to connect to VPN server 3 which has VPN network 172.16.20.0/24.  Behind VPN server 3 is network 172.16.0.0/21.  I need to connect to that network from machines on my LAN.

Does anyone have a working set of steps to do this?  Looking for a clear step-by-step how to.

TIA.

divsys

What you're describing is a typical (for me anyway) group of Site-Site networks using SSL/TLS.

Your home network is a "client" to each of the other "server" networks

I do this all the time my home network connects to 25+ clients simultaneously allowing me access to all their subnets (takes a little planning to make sure the subnets don't overlap).

My suggestion would be to get the server1 site-site up and running properly and then add the others one at a time.

The pfSense docs have a number of writeups on the topic :http://doc.pfsense.org/index.php/Category:OpenVPN

This one is probably closest to what you need for a single site-site setup: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

Try and get one up and running, we'll be here to help with any questions.

Once you have one up, you really just add another client for every server you want to connect.

Let us know how it goes  ;)

caldwell

I've gotten a basic site-to-site working with my main VPN server which I use as the default gateway.  For this to work, I

1. assigned a VPN interface
2. created a gateway under Routing
3. created a route statement to use the gateway under Routing
4. created a firewall rule for all traffic to be allowed over that VPN network through the gateway

I had found a document online which described this somewhat convoluted way of doing things so that instead of using the ISP as the default route, it uses the main VPN as the default route.  I need that and am happy with it, although it did seem convoluted and not at all intuitive.

I have created site-to-site client VPN configurations and can get them to connect.  But I can't get any of the routing to work to the other sites for my machines.

I can, for instance, ping a remote machine on one of the secondary VPNs from the pfSense box itself.  But if I try to ping the same machine from my laptop, it doesn't work.

Traceroutes stop AT the pfSense box.

So, I'm still no further than I was.

divsys

Can we try to solve this with a simplified version of your setup?

I would suggest  that we pick 3 sites:
The "main" OpenVPN server - Site1
First VPN client - Site2
Next VPN client - Site3

For each Site we need:

Site 1 LAN Subnet ????
Site 1 OpenVPN Tunnel Subnet ???
Site 2 LAN Subnet ????
Site 2 OpenVPN Tunnel Subnet ???
Site 3 LAN Subnet ????
Site 3 OpenVPN Tunnel Subnet ???

Can you post the OpenVPN server config screens for Site1 and the client config screens for Site 2 and Site 3?