Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup
On Tue, Jun 7, 2016 at 3:03 PM, David White wrote:
> I know that this can be done, but I've never actually done it. Are there
> some good resources I can review, besides
> https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
> ? For branch offices,

If you can manage it, and the remotes are on static IPs, I'd suggest trying IPsec. If you are going with OpenVPN, then you basically will need to set up one "server" per remote, each on its own port number. I like to only open the firewall to that port from the IP of the remote that will use it. Depending on how many you have and how tight you want it, you could just make an alias of all the ports and an alias of all the remote IPs and set up one rule to allow all of that at one shot.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup
David, I am by no means an expert, but am piping up to speak to the quality of the documentation. Just follow the OpenVPN site-to-site docs, and you should be good.

The tricky bit for me was realizing that the OpenVPN tunnels rely on their own IP space, independent of whatever your regular network addressing scheme is. In your case, if site A is 10.0.0.X and site B is 10.1.0.X, in the setup of the OpenVPN server, your IPv4 tunnel network will be a completely different address space, 192.168.1.X/30 or something... When I set up a site-to-site IPsec, it didn't require that, so that is what tripped me up. pfSense (or OpenVPN) uses that separate subnet for all traffic between those 2 sites. When you set up the tunnel for Site A to C, you'll use another subnet (192.168.2.X/30). Once I wrapped my head around that, everything went pretty smoothly.

(On another project, I had a unit that I'd purchased from the pfSense store, and got to work with their support to get me over the final hump, so if you do have a supported product, don't hesitate to give them a shout... they were awesome).

Aloha,
Jeremy

On Tue, Jun 7, 2016 at 9:03 AM, David White wrote:
> I have a question about setting up persistent OpenVPN connections between a
> corporate office and several branch offices.
>
> I know that this can be done, but I've never actually done it. Are there
> some good resources I can review, besides
> https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site? For branch
> offices, I do NOT want to route public internet traffic through the VPN at
> Corporate. Instead, their internet needs to just use their local ISP
> connection (so I do not want this:
> https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1
> ).
>
> - We'll have pfSense running both in Corporate as well as in each branch
>   office
> - We want branch office internet traffic to use local ISP, but for
>   traffic hitting the 10.0.0.0/8 network to route through the VPN (I plan
>   on giving each office its own /16 network
>   - i.e. managed network for the network equipment will get 10.1.0.0/16,
>     Corp will get 10.2.0.0/16 and branch office 1 will get 10.3.0.0/16,
>     and so on.
>
> Any pointers would be great.
>
> Thanks,
> David
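As an added example (not code from this thread, from pfSense or from OpenVPN), the following Python helper turns the plan discussed in the two replies and the original post into concrete per-branch settings: one OpenVPN server instance per remote on its own port, a dedicated /30 tunnel network per site, a route for 10.0.0.0/8 only (no redirect-gateway, so branch internet stays on the local ISP), the per-remote firewall rule, and the alias-based single rule from the first reply. The port scheme 1194+N, the tunnel networks 192.168.N.0/30, the interface name `wan`, the hostname `corp.example.invalid` and the alias name `branch_ips` are assumptions.

```python
import ipaddress

# Assumptions (not from the thread): branch N's server instance listens on
# UDP 1194+N, its tunnel network is 192.168.N.0/30, the corp WAN interface
# is called "wan" and is reachable as corp.example.invalid.
BASE_PORT = 1194
PRIVATE_SPACE = ipaddress.ip_network("10.0.0.0/8")   # every site lives in here

def site_lan(n):
    """Site N's LAN per the thread's plan: 10.N.0.0/16."""
    return ipaddress.ip_network(f"10.{n}.0.0/16")

def tunnel_net(n):
    """Dedicated /30 for the corp<->branch N tunnel (two usable addresses)."""
    return ipaddress.ip_network(f"192.168.{n}.0/30")

def plan(branch, branch_public_ip):
    """Return (corp-side directives, branch-side directives, pf rule)."""
    corp_end, branch_end = list(tunnel_net(branch).hosts())
    lan = site_lan(branch)
    port = BASE_PORT + branch
    server = [
        f"port {port}", "proto udp", "dev tun",
        f"ifconfig {corp_end} {branch_end}",           # local end, then peer end
        f"route {lan.network_address} {lan.netmask}",  # branch LAN via this tunnel
    ]
    client = [
        f"remote corp.example.invalid {port} udp", "dev tun",
        f"ifconfig {branch_end} {corp_end}",
        # Only 10/8 goes into the tunnel; the branch's own /16 is directly
        # connected and wins by prefix length. No redirect-gateway, so the
        # branch's internet traffic keeps using the local ISP.
        f"route {PRIVATE_SPACE.network_address} {PRIVATE_SPACE.netmask}",
    ]
    # Open the instance's port only to the remote that will use it.
    rule = (f"pass in quick on wan proto udp from {branch_public_ip} "
            f"to (wan) port {port}")
    return server, client, rule

def alias_rule(branches):
    """One rule over an alias of remote IPs and a list of ports, as the
    first reply suggests; branches is [(site_no, public_ip), ...]."""
    ports = ", ".join(str(BASE_PORT + n) for n, _ in branches)
    ips = ", ".join(ip for _, ip in branches)
    return (f"table <branch_ips> {{ {ips} }}\n"
            f"pass in quick on wan proto udp from <branch_ips> "
            f"to (wan) port {{ {ports} }}")

def routes_internet_over_vpn(directives):
    """Flag the setting the original post wants to avoid."""
    return any(d.startswith("redirect-gateway") for d in directives)
```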
[pfSense] Question about OpenVPN Point-to-Multi-Point Setup
I have a question about setting up persistent OpenVPN connections between a corporate office and several branch offices.

I know that this can be done, but I've never actually done it. Are there some good resources I can review, besides https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site? For branch offices, I do NOT want to route public internet traffic through the VPN at Corporate. Instead, their internet needs to just use their local ISP connection (so I do not want this: https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1 ).

- We'll have pfSense running both in Corporate as well as in each branch office
- We want branch office internet traffic to use local ISP, but for traffic hitting the 10.0.0.0/8 network to route through the VPN (I plan on giving each office its own /16 network
  - i.e. managed network for the network equipment will get 10.1.0.0/16, Corp will get 10.2.0.0/16 and branch office 1 will get 10.3.0.0/16, and so on.

Any pointers would be great.

Thanks,
David
[pfSense] IPsec and Double NAT
Hi, we try to converge all our WANs to one pfSense box. We intend to simplify our inter-VLAN routing and flexibility for internet connections. Actually some of our WANs maintain site-to-site IPsec VPN tunnels. They are mostly PPPoE and bridge DHCP modems.

Local:
LAN - pfSense WAN PPPoE + VPN IPsec - modem bridge - Internet

Other side is same config but router may not be pfSense:
LAN - router WAN PPPoE + VPN IPsec - modem bridge - Internet

Problem on local side is 2 same ISP have same gateway which generates routing conflicts on same box. To achieve this we need to move bridge modem to router modem with PPPoE config in it. Double NAT will then occur. Is redirecting all incoming traffic on modem to pfSense enough for IPsec VPNs?

Thank you.