EFW Support

Support => VPN Support => Topic started by: tim_fatter on Tuesday 27 March 2012, 11:00:15 pm



Title: EFW2.5.1 OpenVPN 3 sites connection
Post by: tim_fatter on Tuesday 27 March 2012, 11:00:15 pm
Hi all,
I'm trying to connect 3 sites with OpenVPN and want to make them communicate with each other.
I have site A as VPN server; sites B and C connect to A using Gw2Gw.
Now I can successfully configure individual communication for A<->B and A<->C, but I don't know how to configure B<->C, as they are both "clients" to site A.
I tried on site A to configure the VPN firewall rule set as
efw02 -> efw03
and
efw03 -> efw02
where efw02 is the user for site B and efw03 is the user for site C.
but this is not going to work.
Is there anyone out there who can provide suggestion?
Thank you!


Title: Re: EFW2.5.1 OpenVPN 3 sites connection
Post by: mrkroket on Wednesday 28 March 2012, 03:10:10 am
There are two options:
Create another VPN tunnel to directly connect B<->C. It will be faster than routing through A, and simpler. But you need a static IP on either B or C (or use DynDNS). No matter if B or C are OpenVPN clients of A, they can be servers too.

The second option is to properly configure the tunnels.
1. Push subnets to each client, i.e. to B push the subnets from A & C; to C push the subnets from A & B.
2. On the OpenVPN server, make sure that the "Don't block traffic between clients:" option is marked. Otherwise it will block traffic between clients.
3. Configure your VPN Firewall correctly. Do not disable it, configure it properly. The simplest option is an allow-all rule. Log the traffic for debug purposes.
Start doing traceroutes, first from the firewalls and then from final clients. Make sure traceroutes never go via the internet; they shouldn't.
I found it a bit complex to achieve a mesh VPN on OpenVPN, but it can be done.
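The hub-and-spoke mesh described in steps 1-3, plus the traceroute check, as an added example that is not from the thread or from Endian: stock OpenVPN server directives for the hub (client-to-client, route, client-config-dir with iroute and push "route") generated from a site table, and a small parser that flags any traceroute hop outside the RFC1918 ranges. The user names efw02/efw03 are from the thread; the site subnets, the tunnel addresses in the sample traceroutes, and the mapping of the Endian checkbox onto the client-to-client directive are assumptions.

```python
import ipaddress

# Constructed topology (assumption, not from the thread): A is the hub running
# the OpenVPN server; B and C are Gw2Gw spokes logging in as efw02 and efw03.
SITES = {
    "A": {"subnet": "10.1.0.0/24"},
    "B": {"user": "efw02", "subnet": "10.2.0.0/24"},
    "C": {"user": "efw03", "subnet": "10.3.0.0/24"},
}

# Sample traceroute output, constructed by hand. The first stays inside the
# tunnels; the second leaks via the internet (TEST-NET documentation addresses).
GOOD_TRACE = """traceroute to 10.3.0.10 (10.3.0.10), 30 hops max
 1  10.2.0.1 (10.2.0.1)  0.412 ms
 2  10.8.0.1 (10.8.0.1)  25.1 ms
 3  10.8.0.3 (10.8.0.3)  48.7 ms
 4  10.3.0.10 (10.3.0.10)  49.2 ms
"""
LEAKED_TRACE = """traceroute to 10.3.0.10 (10.3.0.10), 30 hops max
 1  10.2.0.1 (10.2.0.1)  0.412 ms
 2  203.0.113.1 (203.0.113.1)  9.8 ms
 3  198.51.100.7 (198.51.100.7)  14.2 ms
 4  * * *
 5  10.3.0.10 (10.3.0.10)  61.0 ms
"""


def hub_server_config(sites, hub="A"):
    """Server-side directives for the hub.

    client-to-client lets the OpenVPN process forward between spokes (the
    stock equivalent, as an assumption, of Endian's "Don't block traffic
    between clients"). Each route tells the hub's kernel that a spoke subnet
    is reachable through the tunnel interface."""
    lines = ["client-to-client", "client-config-dir ccd"]
    for name, site in sites.items():
        if name == hub:
            continue
        net = ipaddress.ip_network(site["subnet"])
        lines.append(f"route {net.network_address} {net.netmask}")
    return lines


def spoke_ccd(sites, spoke, hub="A"):
    """Per-client file ccd/<user> for one spoke.

    iroute binds the spoke's own subnet to this client inside OpenVPN; the
    push "route" lines hand the spoke the routes to the hub and to every
    other spoke, which is what "push subnets to each client" means."""
    own = ipaddress.ip_network(sites[spoke]["subnet"])
    lines = [f"iroute {own.network_address} {own.netmask}"]
    for name, site in sites.items():
        if name == spoke:
            continue
        net = ipaddress.ip_network(site["subnet"])
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def public_hops(traceroute_output):
    """Return (hop, address) pairs whose address is not RFC1918.

    An empty list means the path never left the private/tunnel address space;
    any entry means traffic is escaping to the internet instead of the VPN."""
    leaks = []
    for line in traceroute_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # banner line, blank line, or malformed
        for token in parts[1:]:
            try:
                addr = ipaddress.ip_address(token.strip("()"))
            except ValueError:
                continue  # hostname, latency value, "ms", or "*"
            if not any(addr in net for net in RFC1918):
                leaks.append((int(parts[0]), str(addr)))
            break  # one address per hop line is enough
    return leaks


if __name__ == "__main__":
    print("\n".join(hub_server_config(SITES)))
    for site in ("B", "C"):
        print(f"--- ccd/{SITES[site]['user']}")
        print("\n".join(spoke_ccd(SITES, site)))
    print("leaked hops:", public_hops(LEAKED_TRACE))
```

The generated ccd files are what replaces an empty "push these networks only" box: each spoke is told about every other spoke's subnet, and the hub's iroute entries are what let it pick the right client when B sends a packet for C. Run public_hops over a real traceroute taken from a spoke's LAN; any printed hop means the firewall on that site is routing the remote subnet out the default gateway rather than into the tunnel.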


Title: Re: EFW2.5.1 OpenVPN 3 sites connection
Post by: tim_fatter on Thursday 29 March 2012, 01:28:11 pm
Hi Kroket,
Actually I chose the 2nd option; I did the following:
1. Marked the "Don't block traffic between clients" option;
2. On each client (both B & C) I set up a very generic ruleset like:
    vpnuser <-> GREEN + OPENVPN
3. On the VPN server I set up a VPN ruleset like vpnuserB <-> vpnuserC
After all those settings, the connections between A & B and A & C still work, but B & C still can NOT communicate.
But if I set the "push these networks only" block in the vpnuser (B/C) properties on A, the traffic will be blocked. There was a note under "push these networks only" saying "If this box is empty routes to each of the networks of the other clients will be pushed to this client whenever it connects". I think it means that if I leave this blank, the routes between the clients' networks will be pushed automatically, between B & C in my case, right?

Rgds,
Tim


Title: Re: EFW2.5.1 OpenVPN 3 sites connection
Post by: laythingy59 on Thursday 26 April 2012, 06:41:45 pm
I'm doing exactly the same thing re the 3 offices. I have services scattered about, which isn't ideal for me, but it suits the users.

I used this option yesterday
"Create another VPN tunnel to directly connect B<->C. It will be faster than routing through A, and simpler. But you need a static IP on either B or C (or use DynDNS). No matter if B or C are OpenVPN clients of A, they can be servers too."

Kroket, with the second option, do you not need to do the above anyway?
I've not configured the push subnets option yet, but the VPN firewall rule and "don't block traffic" are in place.

Traceroutes are successful, so it seems to be working, but is it efficient?

Thanks

Adam