3 Sites OpenVPN

Started by NFKhalaychidi, February 27, 2025, 11:04:36 AM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
February 27, 2025, 11:04:36 AM
Please help me in solving the problem.
There is a network shown in the attached diagram.
There are three OPNsense routers in it.
There is an OpenVPN tunnel (172.16.1.0/24) between routers site1-gw and site2-gw, and the same tunnel between routers site1-gw and site3-gw (172.16.2.0/24).
What should I configure so that the computer in Site 2 can access the computer in Site 3 and vice versa?
At the same time we can't set up another VPN tunnel between Site2 and Site3 for administrative reasons.
February 27, 2025, 02:17:01 PM #1
You just need to set the "Remote Networks" properly to route the traffic for the respectively other site over the VPN.

Presuming the routes between site 1 - 2 and 1 - 3 are working already, there is nothing else to do at site 1.

At site 2 the "Remote Network" settings should be
Code Select
192.168.10.0/24,192.168.30.0/24
and at site 3
Code Select
192.168.10.0/24,192.168.20.0/24
February 27, 2025, 02:34:25 PM #2
Quote from: viragomann on February 27, 2025, 02:17:01 PMYou just need to set the "Remote Networks" properly to route the traffic for the respectively other site over the VPN.
It's always so simple, but I often can't find the answer because I always think that it must be hard.
Thanks a lot!
April 21, 2025, 08:23:22 PM #3 Last Edit: April 21, 2025, 10:03:06 PM by tivoti
Help. I can't figure out what the problem is!

VPN tunnel 10.0.2.0 is set up. I can ping Serv4 from Serv3, but not vice versa



traceroute to 192.168.5.11 (192.168.5.11), 30 hops max, 60 byte packets
1  _gateway (192.168.7.1)  1.011 ms  0.936 ms  0.912 ms
2  10.0.2.1 (10.0.2.1)  2.844 ms  2.855 ms  2.809 ms
3  192.168.5.11 (192.168.5.11)  3.948 ms  4.044 ms  3.998 ms


traceroute to 192.168.7.11 (192.168.7.11), 30 hops max, 60 byte packets
1  _gateway (192.168.5.1)  1.093 ms  1.036 ms  1.012 ms
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  *^C

I did everything according to the instructions but it only works in one direction.
https://docs.opnsense.org/manual/how-tos/sslvpn_instance_s2s.html
April 21, 2025, 08:58:17 PM #4
Quote from: NFKhalaychidi on February 27, 2025, 11:04:36 AMPlease help me in solving the problem.
There is a network shown in the attached diagram.
There are three OPNsense routers in it.
There is an OpenVPN tunnel (172.16.1.0/24) between routers site1-gw and site2-gw, and the same tunnel between routers site1-gw and site3-gw (172.16.2.0/24).
What should I configure so that the computer in Site 2 can access the computer in Site 3 and vice versa?
At the same time we can't set up another VPN tunnel between Site2 and Site3 for administrative reasons.
Can you show me your configuration?
Maybe I made a mistake somewhere
April 22, 2025, 09:12:01 AM #5
Quote from: tivoti on April 21, 2025, 08:58:17 PMCan you show me your configuration?
Maybe I made a mistake somewhere

Attached

Looks like it's not a configuration error
Check firewalls on all devices
April 22, 2025, 11:18:37 AM #6
Quote from: NFKhalaychidi on April 22, 2025, 09:12:01 AM
Quote from: tivoti on April 21, 2025, 08:58:17 PMCan you show me your configuration?
Maybe I made a mistake somewhere

Attached

Looks like it's not a configuration error
Check firewalls on all devices


Help with firewall settings. I don't quite understand either.

The settings are the same on both OPNSense
April 22, 2025, 02:19:33 PM #7
On the OpenVPN interface you have to open the source for the remote sites LAN.
April 22, 2025, 03:32:47 PM #8 Last Edit: April 22, 2025, 03:36:39 PM by tivoti
Quote from: viragomann on April 22, 2025, 02:19:33 PMOn the OpenVPN interface you have to open the source for the remote sites LAN.

It's not quite clear. Go to Interfaces - Port assignment - Add the created VPN as an interface?
In the rules - Assignment specify LAN

April 22, 2025, 03:44:15 PM #9
I was talking about the firewall rule, your screenshot above shows on the OpenVPN tab. This limits traffic to source IP out of the tunnel subnet. But you need to allow the remote site's LAN.

Assigning an interface to the OpenVPN instance is not mandatory as long as you don't need it for routing purposes. But you can do it if you want and define the firewall rules on it then.
April 22, 2025, 03:47:53 PM #10
Quote from: viragomann on April 22, 2025, 02:19:33 PMOn the OpenVPN interface you have to open the source for the remote sites LAN.
Just allow all traffic at Firewall:Rules:OpenVPN for testing
April 22, 2025, 04:06:11 PM #11
No restrictions
It still only works one way
April 22, 2025, 04:08:18 PM #12
April 22, 2025, 04:10:10 PM #13
April 22, 2025, 04:12:46 PM #14
Print
Go Up Pages1 2
User actions