Multi Site2Site VPN

[i82register]

Looking to set up a multi-site (3 for now, 4 soon) VPN tunnel(s), one for just LAN access and and another to route internet traffic for select devices.
Any advice on how to adapt this guide https://www.snbforums.com/threads/site2site-openvpn-connection-between-two-asus-routers.55747/, or if there is a better way

 

[ZebMcKayhan]

Looking to set up a multi-site (3 for now, 4 soon) VPN tunnel(s), one for just LAN access and and another to route internet traffic for select devices.
Any advice on how to adapt this guide https://www.snbforums.com/threads/site2site-openvpn-connection-between-two-asus-routers.55747/, or if there is a better way

Wireguard could do it. Cant comment if its better or not, you decide: https://github.com/ZebMcKayhan/WireguardManager#site-2-multisite--mesh

 

[i82register]

Managed to configure it and it works well between 3 sites, two and a main hub that the two connect to.

In case someone could use it going forward:

I got three sites, which I configured as:
192.168.111.1 - the main one, which acts as the VPN server the clients connect to
192.168.112.1 - Site2
192.168.211.1 - Site3

I attached a screenshot of the configuration of the three sites (from left to right - main, site 2, site 3), along with the VPN profile for the main site which the clients should use to connect to.
Configure your site as I did, and dont forget to:

Using Putty you need to create a config file for each client (Site2, Site3 in this case). To do so,
1. Under /jffs/configs/openvpn/ccd1 (note: assuming you are using VPN Server1, if using Server 2 use ccd2 instead of ccd1. If you don't have that folder(s), create it using mkdir)
2. run "vi Site2" to create the file (note: Site2 must be the same as the username that you used to config as the login - remember you configure that in the VPN Server 1 (or 2) webpage where you enter the user name and password for connection)

In this file you should have:
For site 2:
iroute 192.168.112.0 255.255.255.0 => Notifies the VPN server that this Site2 owns this subnet (if you are using a different one, change it here)
push "route 192.168.221.0 255.255.255.0"=> Notifies the VPN server which the clients connect to, to push this subnet of Site3 to the Site2 (note that the main server 192.168.111.1 is pushed via the VPN server configuration via "push "route 192.168.111.0 255.255.255.0")

For site 3:
iroute 192.168.211.0 255.255.255.0
push "route 192.168.112.0 255.255.255.0"

So if you have more than two sites connecting:
1. Make the appropriate number of config files in /jffs/configs/openvpn/ccd1, one for each site that is connecting to the main hub
2. Add to each file the "push route" command so that each site "knows" about all the other sites (or only some of them, if that's your use case)

So you will have in each config file
iroute (AKA "this is the subnect of the client connecting to me")
push (site 2) "I am letting this client know that site2 exists"
push (site 3)
push (site 4)
and so on...