Openvpn multiple remote routers - how to connect

Started by paluchgda, September 26, 2024, 10:45:09 PM

Hello, I am asking for advice

I need to connect several remote offices using OpenVPN. Each office has a Teltonika router with a local network of 192.168.1.0/24. What is the best way to connect these offices to my server? Creating one OpenVPN server with one tunnel address, e.g. 192.168.205.0/24, where each Teltonika is a client, or creating as many OpenVPN servers with different tunnel addresses, e.g. 192.168.205.0/24 (Teltonika 1), 192.168.206.0/24 (Teltonika 2), etc.? For the latter I would have to create as many interfaces as there are Teltonikas.

You only need interfaces for special purposes, e.g. policy routing. Presuming you just want to run site-to-site connections, you don't need them.

The recommended way is to run a single server. In this case you need a single CA and a unique certificate for each client.
For each client you also need to create a client-specific override, where you state the respective client's local network.
You also have to enter all client sites' networks into the "remote networks" box in the server settings.

September 26, 2024, 11:33:39 PM #2 Last Edit: September 26, 2024, 11:48:24 PM by paluchgda
Thank you for your answer. Should I enter the address of my local network of the main office (192.168.200.0/24) in the "local network" field and the address of the network on the remote routers (192.168.1.0/24) in the "remote network" field? Each of these remote routers has the same local network. Will this work?

edit:

The connection method with the main office is more road warrior than S2S. The remote routers have dynamic external addresses (GSM cards).

Quote from: paluchgda on September 26, 2024, 11:33:39 PM
Should I enter the address of my local network of the main office (192.168.200.0/24) in the "local network" field
Yes, this will push the route to the clients.

BTW: if you want to enable communication between connected clients, you have to enter all the remote networks here as well, even though they are also in the remote networks field.

Quote from: paluchgda on September 26, 2024, 11:33:39 PM
and the address of the network on the remote routers (192.168.1.0/24) in the "remote network" field?
Yes, this is essential for routing traffic to the clients on the server side.

Quote from: paluchgda on September 26, 2024, 11:33:39 PM
Each of these remote routers has the same local network. Will this work?
No, all remote networks should be unique.

Alternatively you can masquerade them on the client side, but I don't know if the Teltonika routers are capable of this.
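The single-server layout recommended earlier in this thread (one CA, one certificate and one client-specific override per client, every client LAN listed as a remote network on the server) and the "all remote networks must be unique" point above, as an added example that is not code from the thread, from OPNsense or from Teltonika. It is a small Python generator for plain OpenVPN config text: the hostnames, the client names and the per-site subnets are constructed assumptions, the OPNsense GUI fields map to the `route`, `push "route ..."` and `iroute` directives emitted here, and the overlap check is what catches the "every Teltonika ships with 192.168.1.0/24" situation before it turns into a routing problem.

```python
"""Added example: generate a routed OpenVPN hub-and-spoke layout from a client
inventory and refuse overlapping LANs. Not part of the original thread."""
import ipaddress

# Constructed inventory; hostnames, names and subnets are hypothetical.
SERVER_LAN = "192.168.200.0/24"      # head office LAN, pushed to every client
TUNNEL_NET = "192.168.205.0/24"      # single tunnel address pool for all clients
SERVER_HOSTNAME = "vpn.example.org"  # stable name (DDNS is enough); client IPs may change
CLIENTS = {                          # client certificate common name -> its LAN
    "teltonika1": "192.168.11.0/24",
    "teltonika2": "192.168.12.0/24",
    "teltonika3": "192.168.13.0/24",
}


def net_and_mask(cidr):
    """'192.168.11.0/24' -> '192.168.11.0 255.255.255.0' (OpenVPN route syntax)."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"{n.network_address} {n.netmask}"


def overlapping_networks(clients, server_lan, tunnel_net):
    """Return sorted name pairs whose subnets overlap. Any overlap means the server
    cannot pick a tunnel for a destination, which is why every site needs a unique LAN."""
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in clients.items()}
    nets["server-lan"] = ipaddress.ip_network(server_lan, strict=True)
    nets["tunnel"] = ipaddress.ip_network(tunnel_net, strict=True)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def server_config(clients, server_lan, tunnel_net):
    """Server side: one instance, one tunnel pool, one kernel route per client LAN
    (the GUI's "remote networks") and the head-office LAN pushed to every client."""
    tn = ipaddress.ip_network(tunnel_net, strict=True)
    lines = [
        "dev tun",
        "topology subnet",
        f"server {tn.network_address} {tn.netmask}",
        "client-config-dir ccd",   # per-client overrides live in ccd/<common name>
        "client-to-client",        # let spokes reach each other through the hub
        f'push "route {net_and_mask(server_lan)}"',
    ]
    for name in sorted(clients):
        lines.append(f"route {net_and_mask(clients[name])}")
    return lines


def ccd_entry(name, clients):
    """Client-specific override for one spoke: 'iroute' binds its LAN to its
    certificate CN, and the other spokes' LANs are pushed to it (never its own)."""
    lines = [f"iroute {net_and_mask(clients[name])}"]
    for other in sorted(clients):
        if other != name:
            lines.append(f'push "route {net_and_mask(clients[other])}"')
    return lines


def client_config(server_hostname):
    """Spoke side: a road-warrior-style client config still yields a site-to-site
    tunnel; only the server needs a stable name, the client's own IP may change."""
    return ["client", "dev tun", f"remote {server_hostname} 1194 udp", "nobind",
            "persist-key", "persist-tun", "remote-cert-tls server"]


def build_site(clients, server_lan, tunnel_net, server_hostname):
    """Assemble every config file; raise if two sites share a subnet."""
    conflicts = overlapping_networks(clients, server_lan, tunnel_net)
    if conflicts:
        raise ValueError(f"overlapping networks: {conflicts}")
    files = {"server.conf": server_config(clients, server_lan, tunnel_net),
             "client.conf": client_config(server_hostname)}
    for name in clients:
        files[f"ccd/{name}"] = ccd_entry(name, clients)
    return files


if __name__ == "__main__":
    for path, lines in build_site(CLIENTS, SERVER_LAN, TUNNEL_NET, SERVER_HOSTNAME).items():
        print(f"# {path}")
        print("\n".join(lines), end="\n\n")
    # The thread's failure case: every Teltonika still on its default 192.168.1.0/24.
    print(overlapping_networks({"t1": "192.168.1.0/24", "t2": "192.168.1.0/24"},
                               SERVER_LAN, TUNNEL_NET))
```

The `iroute` line is the part that has no counterpart on the client: `route` tells the server's kernel to send the subnet into the tun interface, `iroute` tells OpenVPN which connected client owns it, and both are needed. Pushing the other spokes' LANs from the ccd file rather than globally avoids pushing a client a route to its own LAN, which is the only real difference from listing every network in the GUI's "local networks" box.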

September 27, 2024, 01:14:14 AM #4 Last Edit: September 27, 2024, 01:23:32 AM by paluchgda
When I enter 192.168.1.0/24 in the "remote network" field and start a tunnel on Teltonika, the computer connected to it has no access to the Internet. There is access to network resources in the main office. If I remove this entry, the Internet works correctly. Do I need any additional rules for the firewall?

edit:
It didn't work because when creating a VPN server, a gateway is also created automatically (I don't know why). I turned it off and it started working.

Quote from: paluchgda on September 27, 2024, 01:14:14 AM
When I enter 192.168.1.0/24 in the "remote network" field
On the server? This is the server-side local network and hence has to be entered in the "local networks" field.


Quote from: paluchgda on September 27, 2024, 01:14:14 AM
It didn't work because when creating a VPN server, a gateway is also created automatically (I don't know why). I turned it off and it started working.
Did you assign an interface to the client instance?

My conf on the server side:

192.168.200.0/24 is the network in my head office.

192.168.1.0/24 is the network in my remote "office".

As a reminder: the remote hosts are routers with GSM and dynamic IPs. I can't treat them as S2S connections, only as road warriors. Right?

Ok, my assumption was, that 192.168.1.0/24 was the head office.

You can still configure an S2S. The client has to connect to the server. It doesn't matter if its IP is dynamic.
The server needs to have either a static IP or at least a static host name (dynamic DNS).