Netgate Discussion Forum
    OpenVPN Site-to-Site + OSPF [Solved]

      ajrg

      I'm not sure if I'm missing something really simple here, but I'm struggling to get OpenVPN and OSPF to work on 2.2.6.

      What I've set up so far:
      Site 1: CARP, OpenVPN tunnels running on WAN VIPs
      Site 2: CARP, OpenVPN tunnels running on WAN VIPs
      Site 3: Standalone, OpenVPN tunnels running on WAN addresses
      Site 4: Standalone, OpenVPN tunnels running on WAN addresses

      Every WAN connection (whether it is a CARP VIP or a standard WAN IP) has an OpenVPN /30 tunnel to every other WAN connection, as long as it is on a different site - effectively creating a mesh.
      The /30 subnets are outside the site's normal IP allocation (each site has a /16 divided up into VLANs).

      To test with, I have installed Quagga OSPF at Site 1 and Site 4. OSPF is bound to the OpenVPN tunnel interface (which gets created when you set up site-to-site), and has a stub configured in the management VLAN at both sites.

      The OSPF output suggests that no neighbours have been found. Firewall rules at both ends of the tunnel allow Any <–> Any for OSPF traffic.
      It also suggests that the OpenVPN tunnel interface is operating as a /32 rather than a /30 - which also concerns me.

      I am thinking that this might be down to the fact I've not set up any loopback interfaces to use as the Router ID - is this required?
      Do I need to assign the automatically created OpenVPN tunnel as an interface within webconfigurator?
      Should I be using TAP rather than TUN mode for OpenVPN?

      Or have I missed something during configuration?

        rubic

        Try 'topology subnet' in the OpenVPN: Server - Advanced configuration
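Added example, not from the thread or from pfSense/Netgate: what the suggested `topology subnet` changes on a shared-key OpenVPN point-to-point tunnel, with a matching Quagga ospfd fragment. Addresses (10.255.0.0/30, 10.1.0.0/24) and the interface name tun0 are constructed assumptions; in particular it shows that Quagga does not need a loopback for the router ID.

```conf
# --- OpenVPN site-to-site (shared key), Site 1 end - constructed example ---
dev tun
# Default tun mode is point-to-point: the interface gets "local --> remote"
# addresses with no subnet mask, which the OS displays as /32.
# With 'topology subnet' the second ifconfig argument is a netmask instead of
# the peer address, so the tunnel interface carries a real /30.
topology subnet
ifconfig 10.255.0.1 255.255.255.252      # Site 4 end uses 10.255.0.2
# 'topology subnet' must be set identically on both ends of the tunnel.

# --- Quagga ospfd.conf on Site 1 (tun0 is an assumed interface name) ---
interface tun0
 ip ospf network point-to-point         # two routers, no DR/BDR election
router ospf
 ospf router-id 10.255.0.1              # explicit ID; no loopback required
 network 10.255.0.0/30 area 0.0.0.0     # the tunnel /30 (constructed)
 network 10.1.0.0/24 area 0.0.0.0       # management VLAN (constructed)
# OSPF hellos are multicast to 224.0.0.5 (protocol 89); the firewall rule on
# the tunnel interface must permit that destination, not only unicast peers.
```

After both ends are configured, `show ip ospf neighbor` in vtysh should list the remote router in state Full; an empty list means hellos are not being exchanged across the tunnel.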
          ajrg

          Cheers - I'll have a try with that tomorrow!

          Out of curiosity, in this mode, would I be better to assign a larger subnet and have all sites connecting to the server daemon, or would it still be better with each site connecting to its own daemon?

            ajrg

            Still no dice!

            Do I need to manually create a loopback address for the Router ID to use (like you do with Cisco kit)?

              ajrg

              For anyone else who runs into this:
              https://forum.pfsense.org/index.php?topic=106559.0

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.