Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-08 Thread WebDawg
On Jun 8, 2016 1:31 PM, "Vick Khera"  wrote:
>
> On Wed, Jun 8, 2016 at 2:41 PM, Jeremy Bennett <
jbenn...@hikitechnology.com>
> wrote:
>
> > If you won't have mobile users, IPSec could be a viable option.
> >
>
> iPhone mobile VPN works great with IPSec, no additional software needed.
It
> is all built in. Do not know about Android.

I think this is the additional software part, but they have OpenVPN Connect
for Android and iOS. The additional software works great, and it even has
settings to keep the connection alive or resume the connection after device
wake. It is more integrated into iOS, at least, than it was before.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-08 Thread Oliver Hansen
I've had OpenVPN set up with around 20 remote sites for years. Fairly low
bandwidth, but I prefer the configuration myself. My remote sites don't
route all traffic back to HQ; it all depends on the routes you push to the
remote sites.


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-08 Thread David White
Thanks for your advice. I've only worked with OpenVPN, but I'll do some
more research on IPSec.

Good thing the hardware that I most like to use for pfSense deployments has
an Intel Atom processor that does support AES
(http://ark.intel.com/products/77988/Intel-Atom-Processor-C2758-4M-Cache-2_40-GHz). :)

On Wed, Jun 8, 2016 at 8:05 AM, Vick Khera  wrote:

> On Wed, Jun 8, 2016 at 6:31 AM, David White  wrote:
>
> > I didn't think I would have to setup a new server / port for each remote
> > office. I thought that, with the SSL/TLS setup, I could have a single
> > server and configure it so that clients can see & interact with each
> other.
> >
>
> When you configure the OpenVPN server side, you need to specify the remote
> IP network. How will you do that for 20 different remote sites with one
> server config?
>
> The IPSec config will be much cleaner, I think, and much lower overhead.
>
> With either case, make sure you have hardware crypto support (usually that
> means AES-NI feature in your CPU) and choose the ciphers that are supported
> by it, specifically AES128 (or AES256) with SHA. The clients could probably
> get away without the hardware acceleration, but if you are pushing lots of
> traffic through the hub then you will need it.
>



-- 
David White
Founder & CEO

423-693-4234
@developCENTS 
https://developcents.com

*Develop CENTS*
Computing, Equipping, Networking, Training & Supporting for small
businesses and nonprofits
Providing: Web Hosting, Technical Support & IT Consulting

*Signup to our Newsletter at https://developcents.com/contact/*


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-08 Thread Vick Khera
On Wed, Jun 8, 2016 at 6:31 AM, David White  wrote:

> I didn't think I would have to setup a new server / port for each remote
> office. I thought that, with the SSL/TLS setup, I could have a single
> server and configure it so that clients can see & interact with each other.
>

When you configure the OpenVPN server side, you need to specify the remote
IP network. How will you do that for 20 different remote sites with one
server config?

The IPSec config will be much cleaner, I think, and much lower overhead.

With either case, make sure you have hardware crypto support (usually that
means AES-NI feature in your CPU) and choose the ciphers that are supported
by it, specifically AES128 (or AES256) with SHA. The clients could probably
get away without the hardware acceleration, but if you are pushing lots of
traffic through the hub then you will need it.
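Vick's point above (have AES-NI on the hub and pick a cipher that can actually use it) is easy to get wrong, so here is an added check, not code from pfSense, OpenVPN or anyone in this thread. It parses the two shapes of CPU feature text a practitioner will see (the `flags` line of Linux /proc/cpuinfo and the `Features2=` line FreeBSD, and therefore pfSense, prints at boot), then reports whether the `cipher` named in an OpenVPN config will run on AES-NI. The sample feature strings are constructed, not captured from a specific machine, and the file paths in `probe_local()` are assumptions about the host.

```python
"""Check whether the chosen OpenVPN cipher can run on AES-NI.

Added example, not pfSense or OpenVPN code. Sample feature strings are constructed;
the paths in probe_local() are assumed locations for the live feature text.
"""
import re
from pathlib import Path

AESNI_TOKENS = {"aes", "aesni"}   # Linux spells the flag 'aes', FreeBSD 'AESNI'

# Constructed samples (not a dump of any specific CPU).
LINUX_SAMPLE = ("flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
                "cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm ssse3 "
                "cx16 sse4_1 sse4_2 movbe popcnt aes rdrand lahf_lm")
FREEBSD_SAMPLE = ("  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,"
                  "SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,TSCDLT,AESNI,RDRAND>")
NO_AESNI_SAMPLE = ("flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
                   "cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm")


def has_aesni(feature_text):
    """True when the AES-NI flag appears as a whole feature word, so 'AES-CBC' in an
    unrelated driver line, 'aesni0:' or 'pae' do not count."""
    words = set(re.split(r"[\s,<>=:]+", feature_text.lower()))
    return bool(words & AESNI_TOKENS)


def check(feature_text, cipher):
    """Report whether the OpenVPN 'cipher' value will run on AES-NI. Only the AES
    block cipher is accelerated; the HMAC (auth SHA...) runs in software either way."""
    aesni = has_aesni(feature_text)
    aes_cipher = cipher.upper().startswith("AES-")
    if aesni and aes_cipher:
        advice = f"ok: {cipher} runs on AES-NI"
    elif aesni:
        advice = f"AES-NI present but {cipher} cannot use it; switch to AES-128-CBC or AES-256-CBC"
    elif aes_cipher:
        advice = f"no AES-NI: {cipher} runs in software; acceptable on a branch, size the hub for it"
    else:
        advice = f"no AES-NI and {cipher} is not AES; expect software crypto on every path"
    return {"aesni": aesni, "cipher_accelerated": aesni and aes_cipher, "advice": advice}


def probe_local():
    """Best effort on the running host: Linux exposes the flags in /proc/cpuinfo,
    FreeBSD keeps the boot messages (with Features2=) in /var/run/dmesg.boot
    (both paths assumed). Returns None when neither is readable."""
    for path in ("/proc/cpuinfo", "/var/run/dmesg.boot"):
        p = Path(path)
        if p.exists():
            try:
                return has_aesni(p.read_text(errors="replace"))
            except OSError:
                continue
    return None


if __name__ == "__main__":
    for label, text in (("linux", LINUX_SAMPLE), ("freebsd", FREEBSD_SAMPLE), ("old", NO_AESNI_SAMPLE)):
        print(label, check(text, "AES-128-CBC")["advice"])
    print("this host:", probe_local())
```

Two caveats worth pairing with this: a firewall running as a VM only sees AES-NI if the hypervisor exposes it, so check inside the guest, not on the host; and the flag alone does not prove the crypto library uses it, so compare `openssl speed -evp aes-128-cbc` with the same command run under `OPENSSL_ia32cap="~0x200000000000000"` (bit 57 masks AES-NI) to see the gap on your box.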


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-08 Thread Watson Kamanga
Hi,
Basically running a similar setup.
pfSense with four ports:
bce0 WAN
bce1 LAN
bce2 BGP to the rest of the offices.
bce3 OpenVPN for out-of-office connectivity.

You will need to sit with your IP engineers and properly design your network
address scheme.



Regards

Watz

From: List <list-boun...@lists.pfsense.org> on behalf of David White 
<dmwhite...@gmail.com>
Sent: Wednesday, June 8, 2016 12:31 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

Jeremy & Vick,
I'm open to considering an IPSec setup if that's the best option for this use
case. We're talking about 8 locations starting out, with a 9th office
opening shortly thereafter, and the possibility of going up to a total of
15-20 sites within 1-2 years after that.

When I read https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site, I see
that an OpenVPN setup with SSL/TLS would be the way to go.

I didn't think I would have to setup a new server / port for each remote
office. I thought that, with the SSL/TLS setup, I could have a single
server and configure it so that clients can see & interact with each other.

I have pfSense with OpenVPN in my own office, and seem to recall seeing
this setting in the past.

On Tue, Jun 7, 2016 at 8:02 PM, Vick Khera <vi...@khera.org> wrote:

> On Tue, Jun 7, 2016 at 3:03 PM, David White <dmwhite...@gmail.com> wrote:
>
> > I know that this can be done, but I've never actually done it. Are there
> > some good resources I can review, besides
> > https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
> >
> > ? For branch offices,
> >
>
> If you can manage it, and the remotes are on static IPs, I'd suggest trying
> IPSec.
>
> If you are going with OpenVPN, then you basically will need to set up one
> "server" per remote, each on its own port number. I like to only open the
> firewall to that port from the IP of the remote that will use it. Depending
> on how many you have and how tight you want it, you could just make an
> alias of all the ports and an alias of all the remote IPs and set up one
> rule to allow all of that at one shot.
>





Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-08 Thread David White
Jeremy & Vick,
I'm open to considering an IPSec setup if that's the best option for this use
case. We're talking about 8 locations starting out, with a 9th office
opening shortly thereafter, and the possibility of going up to a total of
15-20 sites within 1-2 years after that.

When I read https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site, I see
that an OpenVPN setup with SSL/TLS would be the way to go.

I didn't think I would have to setup a new server / port for each remote
office. I thought that, with the SSL/TLS setup, I could have a single
server and configure it so that clients can see & interact with each other.

I have pfSense with OpenVPN in my own office, and seem to recall seeing
this setting in the past.

On Tue, Jun 7, 2016 at 8:02 PM, Vick Khera  wrote:

> On Tue, Jun 7, 2016 at 3:03 PM, David White  wrote:
>
> > I know that this can be done, but I've never actually done it. Are there
> > some good resources I can review, besides
> > https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
> >
> > ? For branch offices,
> >
>
> If you can manage it, and the remotes are on static IPs, I'd suggest trying
> IPSec.
>
> If you are going with OpenVPN, then you basically will need to set up one
> "server" per remote, each on its own port number. I like to only open the
> firewall to that port from the IP of the remote that will use it. Depending
> on how many you have and how tight you want it, you could just make an
> alias of all the ports and an alias of all the remote IPs and set up one
> rule to allow all of that at one shot.
>





Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-07 Thread Vick Khera
On Tue, Jun 7, 2016 at 3:03 PM, David White  wrote:

> I know that this can be done, but I've never actually done it. Are there
> some good resources I can review, besides
> https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
>
> ? For branch offices,
>

If you can manage it, and the remotes are on static IPs, I'd suggest trying
IPSec.

If you are going with OpenVPN, then you basically will need to set up one
"server" per remote, each on its own port number. I like to only open the
firewall to that port from the IP of the remote that will use it. Depending
on how many you have and how tight you want it, you could just make an
alias of all the ports and an alias of all the remote IPs and set up one
rule to allow all of that at one shot.


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-07 Thread Jeremy Bennett
David,

I am by no means an expert, but am piping up to speak to the quality of the
documentation.

Just follow the OpenVPN site to site docs, and you should be good.

The tricky bit for me was realizing that the OpenVPN tunnels rely on their
own IP space, independent of whatever your regular network addressing
scheme is. In your case, if site A is 10.0.0.X and site B is 10.1.0.X, in
the setup of the OpenVPN server your IPv4 tunnel network will be a
completely different address space (192.168.1.X/30 or something)...

When I setup a site to site IPSEC, it didn't require that, so that is what
tripped me up. pfSense (or openVPN) uses that separate subnet for all
traffic between those 2 sites.

When you setup the tunnel for Site A to C, you'll use another subnet
(192.168.2.X/30).

Once I wrapped my head around that, everything went pretty smoothly.

(On another project, I had a unit that I'd purchased from the pfSense
store, and got to work with their support to get me over the final hump, so
if you do have a supported product, don't hesitate to give them a shout...
they were awesome).

Aloha,
Jeremy

On Tue, Jun 7, 2016 at 9:03 AM, David White  wrote:

> I have a question about setting up persistent OpenVPN connections between a
> corporate office and several branch offices.
>
> I know that this can be done, but I've never actually done it. Are there
> some good resources I can review, besides
> https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site? For branch
> offices,
> I do NOT want to route public internet traffic through the VPN at
> Corporate. Instead, their internet needs to just use their local ISP
> connection (so I do not want this:
> https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1).
>
>- We'll have pfSense running both in Corporate as well as in each branch
>office
>- We want branch office internet traffic to use local ISP, but for
>traffic hitting the 10.0.0.0/8 network to route through the VPN (I plan
>on giving each office its own /16 network, i.e. the managed network for
>the network equipment will get 10.1.0.0/16, Corp will get 10.2.0.0/16,
>branch office 1 will get 10.3.0.0/16, and so on).
>
>
> Any pointers would be great.
>
> Thanks,
> David
>
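The pieces of this thread fit together into one small planning script, added here as an example and not code from pfSense, OpenVPN or any poster: one OpenVPN instance per branch, each on its own UDP port (Vick); each hub/branch pair on its own /30 tunnel network that has nothing to do with the sites' LAN addressing (Jeremy); only the 10.0.0.0/8 aggregate routed over the tunnel so branch internet stays on the local ISP (David's requirement, no redirect-gateway anywhere); and a pf rule built from an alias of peer IPs and an alias of ports, next to the tighter one-rule-per-branch form Vick mentions. The branch names, public IPs, /16 LANs, tunnel pool, hub public IP and WAN interface name are constructed. The hub fragment uses the point-to-point form OpenVPN takes for a /30 (tls-server plus ifconfig, no server directive); cipher/auth follow Vick's AES-with-SHA advice. It also refuses overlapping LANs, because a branch /16 that overlaps the hub or another branch can never be routed correctly over the hub.

```python
"""Hub-and-spoke OpenVPN planner. Added example, not pfSense's own code.
All addresses, names and the interface name below are constructed."""
import ipaddress

HUB_LAN = ipaddress.ip_network("10.2.0.0/16")          # corporate LAN
OVER_VPN = ipaddress.ip_network("10.0.0.0/8")          # the only prefix sent into the tunnel
TUNNEL_POOL = ipaddress.ip_network("192.168.100.0/24") # carved into /30s, one per branch
BASE_PORT = 1194
CIPHER, AUTH = "AES-128-CBC", "SHA256"                 # AES so the hub's AES-NI carries the load

# Constructed inventory: (name, branch public IP, branch LAN).
REMOTES = [
    ("branch1", "203.0.113.10", "10.3.0.0/16"),
    ("branch2", "203.0.113.20", "10.4.0.0/16"),
    ("branch3", "198.51.100.5", "10.5.0.0/16"),
]


def plan(remotes, hub_lan=HUB_LAN, pool=TUNNEL_POOL, base_port=BASE_PORT):
    """Give each branch a unique port and its own /30; reject overlapping LANs."""
    claimed = [hub_lan]
    thirties = pool.subnets(new_prefix=30)
    out = []
    for i, (name, public_ip, lan) in enumerate(remotes):
        lan_net = ipaddress.ip_network(lan)
        for other in claimed:
            if lan_net.overlaps(other):
                raise ValueError(f"{name}: {lan_net} overlaps {other}")
        claimed.append(lan_net)
        hub_tun, branch_tun = list(next(thirties).hosts())   # a /30 has exactly two hosts
        out.append({"name": name, "peer": ipaddress.ip_address(public_ip), "lan": lan_net,
                    "port": base_port + i, "hub_tun": hub_tun, "branch_tun": branch_tun})
    return out


def hub_fragment(e):
    """Hub-side instance for one branch: point-to-point /30, route to that branch's LAN."""
    return "\n".join([
        f"# hub side, instance for {e['name']}",
        f"port {e['port']}", "proto udp", "dev tun", "tls-server",
        f"ifconfig {e['hub_tun']} {e['branch_tun']}",
        f"route {e['lan'].network_address} {e['lan'].netmask}",   # branch LAN lives behind this tunnel
        f"cipher {CIPHER}", f"auth {AUTH}",
        "keepalive 10 60", "persist-key", "persist-tun",
    ])


def branch_fragment(e, hub_public_ip):
    """Branch side: only 10/8 goes into the tunnel; the branch's own /16 stays on the
    more specific connected route, and everything else follows the local ISP default."""
    return "\n".join([
        f"# {e['name']} side",
        f"remote {hub_public_ip} {e['port']} udp", "dev tun", "tls-client",
        f"ifconfig {e['branch_tun']} {e['hub_tun']}",
        f"route {OVER_VPN.network_address} {OVER_VPN.netmask}",   # no redirect-gateway on purpose
        f"cipher {CIPHER}", f"auth {AUTH}",
        "keepalive 10 60", "persist-key", "persist-tun",
    ])


def pf_rules(entries, wan_if="em0", strict=False):
    """WAN rule admitting the branches to the OpenVPN ports. strict=False is the
    alias-of-peers x alias-of-ports single rule; strict=True ties each peer to its port."""
    if strict:
        return "\n".join(f"pass in quick on {wan_if} proto udp from {e['peer']} "
                         f"to ({wan_if}) port {e['port']}" for e in entries)
    peers = " ".join(str(e["peer"]) for e in entries)
    ports = " ".join(str(e["port"]) for e in entries)
    return "\n".join([
        f"table <branch_peers> {{ {peers} }}",
        f'ovpn_ports = "{{ {ports} }}"',
        f"pass in quick on {wan_if} proto udp from <branch_peers> to ({wan_if}) port $ovpn_ports",
    ])


if __name__ == "__main__":
    entries = plan(REMOTES)
    for e in entries:
        print(hub_fragment(e), "\n")
        print(branch_fragment(e, "192.0.2.1"), "\n")   # constructed hub public IP
    print(pf_rules(entries, strict=False))
```

The alias form is one rule to maintain but lets any listed peer reach any listed port; the strict form is N rules but each branch can only talk to its own instance, which is the "how tight you want it" trade-off Vick describes. Branch-to-branch traffic works because the hub holds a route for every branch /16 and each branch sends all of 10/8 to the hub; you still need pass rules on the hub's OpenVPN interface for that traffic, which this planner does not generate.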