pfSense - Parallel point-to-point OpenVPN tunnels

I’m running multiple parallel OpenVPN tunnels, each carrying a single VLAN, e.g. workstations, telephony, back-ups, separately.

At least that’s what I believed. Since upgrading to pfSense CE 2.8, I get many connections blocked because of asymmetric routing.

Does it make sense to have parallel OpenVPN tunnels, and should I spend time improving my config? Question: how?

Or should I just abandon the parallel tunnel concept and have all VLANs passing through a single tunnel? Question: what are the possible risks in this scenario?

Thanks for sharing your insights. Please be gentle with me, this is my first post :wink:

If this is a single site-to-site VPN, then I’d just do one tunnel. You can always filter traffic at both ends of the link. I can’t think of any advantage to using multiple tunnels in this situation, but I could be missing something.

I’d do 2 things.

  1. Even though you can use OpenVPN for site-to-site, it is not efficient. I’d use either WireGuard or IPsec.
  2. Only use a single tunnel per site.

Thanks for the initial thoughts. In the current set-up, there’s only two sites.

However, we envisage extending the network into a central site with several remote sites, each remote site having its own VPN tunnel to the central site. Remote sites should be able to communicate not only with the central site, but also with other remote sites.

Any config guidance or attention points welcome!

In a hub-and-spoke setup, I’d just let each spoke have its own VPN link. I’ve done this with OpenVPN & IPsec in the past, but I use WireGuard now. OpenVPN can work fine for most cases.

This hub-and-spoke setup works well if the hub site has fast, stable internet, and the throughput to remote sites is not that demanding. If you notice throughput becoming impaired from remote site A to remote site B, then you want to think about setting up a VPN link directly between those two sites. But for most traffic (like VoIP), this is typically not necessary.

Also, keep in mind to add remote routes as needed. You’ll want to make sure remote site A knows about the subnets of remote site B, and can route packets to that subnet through the VPN link.

If this is mission critical and your company has a budget, I’d build all this VPN infrastructure off the router.
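The hub-and-spoke routing described in the post above, written out as an added example that is not part of the thread: one OpenVPN server instance on the hub, one client link per spoke, and the per-spoke routes that let spoke A reach spoke B through the hub. The directives are plain OpenVPN syntax; pfSense sets the same things through the GUI fields named in the comments (Remote Networks, Client Specific Overrides). The subnets (hub 10.0.0.0/24, spoke A 10.1.0.0/24, spoke B 10.2.0.0/24, tunnel 10.100.0.0/24), the hostname and the certificate paths are assumptions.

```conf
# --- hub: server.conf (added example; subnets and paths are assumed) ---
dev tun
topology subnet
# One tunnel network shared by every spoke link; all of a spoke's VLANs
# travel inside its single link, so forward and return paths stay on
# the same interface at both ends.
server 10.100.0.0 255.255.255.0
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/hub.crt
key  /etc/openvpn/hub.key
dh   /etc/openvpn/dh.pem
remote-cert-tls client
# Hub LAN, pushed to every spoke
push "route 10.0.0.0 255.255.255.0"
# Kernel routes on the hub for every spoke LAN
# (pfSense: "IPv4 Remote network(s)" on the server)
route 10.1.0.0 255.255.255.0
route 10.2.0.0 255.255.255.0
# Per-spoke overrides; the file name must match the spoke's certificate CN
# (pfSense: "Client Specific Overrides")
client-config-dir /etc/openvpn/ccd
# client-to-client is deliberately left OFF: with it on, OpenVPN forwards
# spoke-to-spoke packets internally and they never cross the hub's pf rules.
# Leaving it off makes every spoke-to-spoke flow enter the hub kernel, where
# the firewall rules on the OpenVPN interface can filter it.

# --- hub: ccd/spoke-a ---
# Tell the server which client owns 10.1.0.0/24 ...
iroute 10.1.0.0 255.255.255.0
# ... and tell only this spoke about the OTHER spoke's LAN, so the route
# is not pushed back to the spoke that already owns it.
push "route 10.2.0.0 255.255.255.0"

# --- hub: ccd/spoke-b ---
iroute 10.2.0.0 255.255.255.0
push "route 10.1.0.0 255.255.255.0"

# --- spoke A: client.conf ---
client
dev tun
remote hub.example.net 1194 udp
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/spoke-a.crt
key  /etc/openvpn/spoke-a.key
remote-cert-tls server
# No local "route" lines are needed: the hub LAN and the other spokes'
# LANs arrive via push. The spoke's own LAN (10.1.0.0/24) is declared
# on the hub side with iroute, not here.
```

Each spoke ends up with a route to the hub LAN and to every other spoke via its tunnel, the hub has a route to each spoke LAN via the matching client (iroute resolves which client), and spoke-to-spoke traffic is filtered twice, once on the hub's OpenVPN interface rules and once on the receiving spoke's. When a direct spoke-to-spoke link is added later for throughput, the more specific route on that link takes precedence and the ccd push for that subnet should be removed.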

Thx. Much appreciated.