I have the same issue.  We manage firewalls for a growing business, and
currently everything links to their 'corp' office.  But their corp office
connection is overloaded with all the traffic going between offices.

When I ran plain Linux boxes with Shorewall installed, I wrote a tool
called 'openmesher' that would automatically generate all the link
combinations and create DEB packages to install the SITE-to-SITE.conf file
in /etc/openvpn/ along with shared keys.

Then my boss decided he wanted a GUI to manage the firewalls, so we
switched to pfSense.  Unfortunately there is no API or easy way to automate
the configuration (XML, ugh!)

...but I'm working on modifying openmesher to generate the XML snippet for
OpenVPN configs.  You still have to copy/paste in to your config file, but
it'll still save a bunch of clicking.

I love pfSense, but I *hate* XML and the lack of an API.  The power of *nix
comes from the tools to rapidly edit simple text files and interop through
simple APIs.

*wonders about funding the next pfSense hackathon with an eye towards an
API*

-A
On Thu, May 15, 2014 at 11:55 PM, Karl Fife <karlf...@gmail.com> wrote:

>  This is exactly what we do.
>
> We make the hub the OpenVPN server, and the spokes the clients because the
> hub IP is static, and we can manage all of the OpenVPN listeners on one
> instance.
>
> If your whole network is a /16, and each spoke is a /24, all you need is a
> route directive on each of the spokes for the entire /16.  In OpenVPN
> Advanced "route 192.168.0.0 255.255.0.0;"
>
> You don't need any routing directives on the 'hub' because the addition of
> each connection will take care of that.
>
> With respect to rules:
> We find it best to make the first rule on the hub's OpenVPN interface this:
> "Any source/port NOT destined for THIS hub subnet is allowed to pass".
> That way each branch can manage their ingress policy privately because the
> hub will just route anything not destined for its subnet.
>
> We also find it best to set up DNS forwarders to the spoke networks, i.e.
> Hub: mybranch.mycompany.com dns dips are at 192.168.11.1.  Spokes can dip
> the hub if so configured which can in turn dip OTHER spokes if so
> configured.  Inverse lookups work too.  For example, add a dns forwarder
> of 10.168.192.in-addr.arpa to allow inverse lookups in the spoke in the
> subnet 192.168.10.0/24
>
> It's been rock-solid for many years now!
>
> Good luck.
>
> On 5/16/2014 1:16 AM, A Mohan Rao wrote:
>
> It's very simple!
> First you have to configure a main site-to-site VPN server at your main
> branch, then you can easily configure A, B, C, etc.
> with a shared key and tunnel network.
>
>
> On Fri, May 16, 2014 at 2:53 AM, Alex Threlfall <a...@cyberprog.net> wrote:
>
>> Hi All,
>>
>> I currently have a number of sites which have VPNs between them, with each
>> site having a VPN to one another. This is becoming harder to manage; we
>> currently have 5 sites (6 if you include my home) and it would make sense
>> to me to adopt more of a star architecture with a central site.
>>
>> However, I can’t work out how to configure this! Each site has its own /24
>> of private addresses, and I have a central branch. How can I configure
>> things so that if branch B needs to get to branch C, it knows that it must
>> go via branch A?
>>
>> Branch A has the best connectivity (bonded FTTCs), so it would make sense,
>> as well as it being our “hub” branch for the stock control system also.
>>
>> Any advice would be appreciated!
>>
>>
>>
>> --
>>
>> Alex Threlfall
>>
>> Cyberprog New Media
>>
>> www.cyberprog.net
>>
>>
>>
>> _______________________________________________
>> List mailing list
>> List@lists.pfsense.org
>> https://lists.pfsense.org/mailman/listinfo/list
>>
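Added example, not openmesher's code and not anything shipped by pfSense: a small Python generator for the hub-and-spoke layout Karl describes above (hub is the OpenVPN server, spokes are clients, one /24 per site, one summary route on each spoke, per-spoke iroute on the hub, a pass-through rule on the hub's OpenVPN interface, and DNS forwarder entries including the in-addr.arpa zone). Site names, subnets, the hub hostname, the tunnel network and the interface name are constructed sample data; where a comment maps a directive to a pfSense GUI field (Remote Networks, Inter-client communication) that mapping is my assumption, not something the thread states.

```python
"""Hub-and-spoke OpenVPN fragment generator (added example, not openmesher).

Layout as in the thread: the hub runs the OpenVPN server, every spoke is a
client, each site owns one /24 and all sites sit inside one summary prefix.
Everything in HUB/SPOKES/DOMAIN below is constructed sample input.
"""
import ipaddress

DOMAIN = "mycompany.com"                      # assumed internal domain
HUB = {"name": "hq", "subnet": "192.168.1.0/24",
       "fqdn": "hub.example.com", "dns": "192.168.1.1"}
SPOKES = [
    {"name": "branch-b", "subnet": "192.168.10.0/24", "dns": "192.168.10.1"},
    {"name": "branch-c", "subnet": "192.168.11.0/24", "dns": "192.168.11.1"},
    {"name": "branch-d", "subnet": "192.168.200.0/24", "dns": "192.168.200.1"},
]


def summary_prefix(cidrs):
    """Smallest single prefix containing every site subnet (the /16 in the thread)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()      # widen by one bit until all fit
    return candidate


def ovpn_route(cidr):
    """OpenVPN route/iroute directives take 'network netmask', not CIDR."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.netmask}"


def reverse_zone(cidr):
    """in-addr.arpa name for an octet-aligned IPv4 prefix:
    192.168.10.0/24 -> 10.168.192.in-addr.arpa (Karl's example)."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: reverse zones here need an IPv4 /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def spoke_client_config(spoke, summary):
    """Spoke side: one route for the whole summary sends all inter-site traffic
    to the hub; the spoke's own /24 is directly connected and wins anyway."""
    return "\n".join([
        "client", "dev tun", "proto udp",
        f"remote {HUB['fqdn']} 1194",
        f"# {spoke['name']}: reach every other site via the hub",
        f"route {ovpn_route(summary)}",
    ])


def hub_server_config(spokes):
    """Hub side. Each 'route' gives the hub kernel a route into the tun for one
    spoke (assumption: what pfSense emits from the server's Remote Networks).
    'client-to-client' is deliberately absent: with it OpenVPN would switch
    spoke-to-spoke packets internally and they would never reach pf."""
    lines = ["dev tun", "proto udp", "port 1194",
             "server 10.8.0.0 255.255.255.0",  # assumed tunnel network
             "client-config-dir ccd"]
    lines += [f"route {ovpn_route(s['subnet'])}" for s in spokes]
    return "\n".join(lines)


def hub_ccd_entry(spoke):
    """ccd/<client CN>: iroute tells the OpenVPN server which client owns the
    subnet (assumption: Remote Networks on a pfSense client-specific override)."""
    return f"iroute {ovpn_route(spoke['subnet'])}"


def hub_transit_rule(hub_subnet, iface="ovpns1"):
    """Karl's first rule on the hub's OpenVPN interface, in pf syntax: anything
    NOT destined for the hub's own subnet passes, so the hub is a plain router
    for spoke-to-spoke traffic and each spoke filters its own ingress."""
    return f"pass quick on {iface} inet from any to ! {hub_subnet}"


def dns_forwarders(sites):
    """dnsmasq 'server=' lines (the form a DNS Forwarder domain override takes):
    forward <site>.<domain> and the site's reverse zone to that site's resolver."""
    out = []
    for s in sites:
        out.append(f"server=/{s['name']}.{DOMAIN}/{s['dns']}")
        out.append(f"server=/{reverse_zone(s['subnet'])}/{s['dns']}")
    return out


if __name__ == "__main__":
    summary = summary_prefix([HUB["subnet"]] + [s["subnet"] for s in SPOKES])
    print(f"# summary prefix: {summary}\n\n# hub server.conf\n{hub_server_config(SPOKES)}\n")
    for s in SPOKES:
        print(f"# hub ccd/{s['name']}\n{hub_ccd_entry(s)}\n")
        print(f"# {s['name']} client.conf\n{spoke_client_config(s, summary)}\n")
    print(f"# hub pf rule on its OpenVPN interface\n{hub_transit_rule(HUB['subnet'])}\n")
    print("# hub dnsmasq overrides\n" + "\n".join(dns_forwarders(SPOKES)))
```

Two things worth noticing when you run it. The pass-through rule means the hub does no filtering at all between spokes, so the only place spoke-to-spoke traffic is policed is each spoke's own OpenVPN-interface rules; that is the trade Karl describes, and it only holds if inter-client forwarding stays off so the packets actually traverse the hub's firewall. And the reverse-zone forwarders point at resolvers inside the spoke subnets, so they only work once the summary route and the spoke's iroute are both in place. The shared-key, one-instance-per-link layout that Mohan and openmesher describe uses ifconfig/route per instance instead of ccd/iroute and is not what this generator emits.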