Server to server openvpn.



  • Hello, my name is Sorin and I just implemented pfsense as our main "router" for the company that I work with. I really wish to get rid of all the clutter of cables and mess, running all the core functions of our network within that one dedicated server.
    The only problem that I have now is that on the old server I had a VPN server connected to another VPN server across the country in another city (site to site). I really need to replicate that on pfsense to be all good.
    I could just keep pfsense and that openvpn separate on another dedicated server, but since I've gone so far maybe you guys could help me accomplish this.

    L.E. : I have lots of experience in linux itself so if you guys know something to do directly as root in shell, go forward with that ( don't bash me yet, I know freebsd is more unix than linux ).





  • I didn't really understand your answer. I said server to server, not client to server; that mode is almost useless to me. I will try something tonight when the employees go home :) .
    Until then, if you have any other suggestions, don't hesitate.

    L.E. : I don't have a pfsense box in that other city; if I had, this would not be a problem.



  • Maybe more information about your setup would help?
    You say:
    "… old server I had a vpn server connected to another vpn server across the country in another city ..."
    In the other city are local users connecting to the VPN server in that city?
    If you are connected to the vpn server in that city, do you automatically have routes to the vpn server near the new pfSense box?
    Is there anything that prevents you from having a single VPN server?
    Even if you have 2 VPN servers, at any point in time one of them can be considered the "client" of the other.  Have the remote VPN server automatically connect as a client to the vpn server near the pfSense box, set up the routing tables correctly.  Then if someone in the other city connects to the remote VPN server as a client, it should be able to get to your resources near your pfSense box.

    Think of your VPN server across the country as a client of VPN server near the pfSense box, because it is.

    That is exactly what the link heper posted is saying.



  • Let's get it systematic:

    Current config:
    Point A ( Bucharest ) - Point B ( Brasov )
    Two Ubuntu servers connected with each other via tun10 openvpn so that we have access to the LAN network over there and vice versa.

    New config ( in progress ):
    Point A ( Bucharest ) - Point B ( Brasov )
    One pfsense box at point A - one Ubuntu server at point B.

    Now the question remains: how can I configure the openvpn server in pfsense to connect remotely to that IP in point B? ( I tried installing openvpn directly on the OS itself but there are too many dir changes to modify it in time - too much of a learning curve )
    I think if I set it up as a client ( Point A ) then the point B LAN network would not have access to the LAN network in point A ( sort of tested ).

    Solution ?

    Thanks in advance.



  • I don't understand the problem?

    You just need to follow the guide I linked to?



  • How can I follow your guide if point B isn't a pfsense box? It's just an Ubuntu server.
    I can apply your guide only if I install pfsense on point B or configure the point B Ubuntu server just as a client. I will add an attachment to better understand the current config.

    Can I add a remote IP to the pfsense openvpn server config?




  • "How can I follow your guide if point B isn't a pfsense box? It's just an Ubuntu server.
    I can apply your guide only if I install pfsense on point B or configure the point B Ubuntu server just as a client. I will add an attachment to better understand the current config."

    A Site-Site connection involves one side being labelled as a "Server" and the other as a "Client". For pfSense on both sides you just pick one to be the "Server".

    In your case I would set up the pfSense end as an OpenVPN Server and set up your Ubuntu server as a Site-Site "client" based on the many Ubuntu how-to's out there (Google is your friend).
    pfSense as the "Server" will give you good control over how the link works, plus the Certificate Manager makes it easy to create the required keys.

    "Can I add a remote IP to the pfsense openvpn server config?"

    Short answer is yes, but when you've got your link up and running, the question might have already been answered.



  • OK, got it. So either way I can't configure pfsense to be a server too and then connect it somehow to that Ubuntu server like I did it Ubuntu to Ubuntu ( both servers and clients to each other ). I think I'll keep pfsense as the client for now and try some routing to allow that end of the tunnel to reach the client side ( I've seen that done already on my friend Google ).

    Thank you for your answer. I'll keep this topic open for one more day, maybe a savior will come in the meantime, haha.



  • As I said before, the concept of "Server" and "Client" in OpenVPN is more about terminology than the roles of a traditional server and client you may be used to.

    Specifically the OpenVPN Server is the end of the connection that listens on a port for the start of a connection, the Client is the end that initially makes the call from the outside.

    Once the two have negotiated a valid connection, routing information is passed between them and the routing really can be from either end.

    I'm not really sure what you're getting hung up on as far as who's the Server and the Client.

    If you really want to have both ends to be Server and Client, there's nothing stopping you from creating two OpenVPN instances on each end, one a Server and Client the other a Client and Server.  If you go with that type of design, you'll need to use distinct port and certificates as well as figure out which end will route what information.
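
The role split described in the posts above, written out as an added example that is not part of the thread: one listening end and one dialing end in OpenVPN peer-to-peer TLS mode, with a LAN route on each side. The subnets, tunnel addresses, port and file names are constructed placeholders, and the point A block is shown as raw OpenVPN directives on the assumption that the same settings are entered through the pfSense GUI.

```conf
# ---- Point A: the "Server" (listens, never initiates) ----
# Constructed values: LAN A 192.168.10.0/24, LAN B 192.168.20.0/24,
# tunnel endpoints 10.99.0.1 <-> 10.99.0.2, UDP port 1194.
dev tun
proto udp
port 1194
# TLS role only; the topology stays peer-to-peer
tls-server
# local tunnel IP, then the peer's tunnel IP
ifconfig 10.99.0.1 10.99.0.2
# send traffic for LAN B into the tunnel
route 192.168.20.0 255.255.255.0
ca ca.crt
cert pointA.crt
key pointA.key
dh dh.pem
# accept only a peer certificate issued for client use
remote-cert-tls client
keepalive 10 60
persist-key
persist-tun

# ---- Point B: the Ubuntu "Client" (places the call) ----
dev tun
proto udp
# POINT_A_PUBLIC_IP is a placeholder for point A's reachable address
remote POINT_A_PUBLIC_IP 1194
nobind
tls-client
ifconfig 10.99.0.2 10.99.0.1
# send traffic for LAN A into the tunnel
route 192.168.10.0 255.255.255.0
ca ca.crt
cert pointB.crt
key pointB.key
# refuse a peer that presents anything but a server certificate
remote-cert-tls server
keepalive 10 60
persist-key
persist-tun
```

Once the tunnel is up, the `route` lines carry traffic in both directions regardless of which end dialed. The Ubuntu host at point B also needs IP forwarding enabled, and hosts on LAN B need a route to LAN A through it.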

