David,

I am by no means an expert, but am piping up to speak to the quality of the
documentation.

Just follow the OpenVPN site to site docs, and you should be good.

The tricky bit for me was realizing that the OpenVPN tunnels rely on their
own IP space, independent of whatever your regular network addressing
scheme is. In your case, if site A is 10.0.0.X and site B is 10.1.0.X, in
the setup of the OpenVPN server, your IPv4 tunnel network will be a
completely different address space: 192.168.1.X/30 or something...

When I set up a site to site IPsec, it didn't require that, so that is what
tripped me up. pfSense (or OpenVPN) uses that separate subnet for all
traffic between those 2 sites.

When you set up the tunnel for Site A to C, you'll use another subnet
(192.168.2.X/30).

Once I wrapped my head around that, everything went pretty smoothly.

(On another project, I had a unit that I'd purchased from the pfSense
store, and got to work with their support to get me over the final hump, so
if you do have a supported product, don't hesitate to give them a shout...
they were awesome).

Aloha,
Jeremy

On Tue, Jun 7, 2016 at 9:03 AM, David White <dmwhite...@gmail.com> wrote:

> I have a question about setting up persistent OpenVPN connections between a
> corporate office and several branch offices.
>
> I know that this can be done, but I've never actually done it. Are there
> some good resources I can review, besides
> https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site? For branch offices,
> I do NOT want to route public internet traffic through the VPN at
> Corporate. Instead, their internet needs to just use their local ISP
> connection (so I do not want this:
>
> https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1
> ).
>
>    - We'll have pfSense running both in Corporate as well as in each branch
>    office
>    - We want branch office internet traffic to use local ISP, but for
>    traffic hitting the 10.0.0.0/8 network to route through the VPN (I plan
>    on giving each office its own /16 network)
>       - i.e. managed network for the network equipment will get 10.1.0.0/16,
>       Corp will get 10.2.0.0/16 and branch office 1 will get 10.3.0.0/16,
>       and so on.
>
>
> Any pointers would be great.
>
> Thanks,
> David
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
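
The addressing rule from the reply above (one dedicated tunnel network per site-to-site link, separate from every site LAN), as an added example that is not part of the original thread or of pfSense. It checks a plan for overlaps before anything is entered in the OpenVPN setup and lists which remote LAN each site routes into each tunnel; the site names, the `branch2` network and the function names are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed plan using the thread's addressing. branch2 is an assumption
# extrapolated from "and so on"; the /30 tunnel networks follow the reply.
LANS = {"corp": "10.2.0.0/16", "branch1": "10.3.0.0/16", "branch2": "10.4.0.0/16"}
TUNNELS = {("corp", "branch1"): "192.168.1.0/30",
           ("corp", "branch2"): "192.168.2.0/30"}


def check_plan(lans, tunnels):
    """Return a list of problems; an empty list means the plan is consistent."""
    nets, problems = {}, []
    for label, cidr in list(lans.items()) + list(tunnels.items()):
        try:
            # Strict parsing rejects host bits, e.g. 192.168.1.1/30.
            nets[label] = ipaddress.ip_network(cidr)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    # Every LAN and every tunnel network must be disjoint from all the others,
    # otherwise a router cannot tell tunnel addresses from site addresses.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} {net_a} overlaps {b} {net_b}")
    for a, b in tunnels:
        for site in (a, b):
            if site not in lans:
                problems.append(f"link {a}-{b}: unknown site {site}")
    return problems


def remote_networks(site, lans, tunnels):
    """Map each tunnel network this site terminates to the peer LAN routed
    through it. Only specific LAN prefixes are returned, never a default
    route, so internet traffic keeps using the site's local ISP."""
    routes = {}
    for (a, b), tunnel in tunnels.items():
        if site in (a, b):
            peer = b if site == a else a
            routes[tunnel] = lans[peer]
    return routes


if __name__ == "__main__":
    print(check_plan(LANS, TUNNELS) or "plan OK")
    for site in LANS:
        print(site, remote_networks(site, LANS, TUNNELS))
```
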