Users on the data VLAN in our HQ and future remote office(s) will need to access files, floating network licenses etc. from distant servers, so we will need a site-to-site VPN for the data network(s). When setting up our HQ I thought I was being clever by using a large (class B aka 255.255.0.0) subnet for the data VLAN and that a site-to-site VPN would simply allow us to expand the same subnet across all future offices and have users anywhere seamlessly connect to any of the servers in any of the locations. However, now that I come to set up the VPN, I have read that this is bad practice due to the latency involved with broadcast traffic across the internet.
I have a pair of rack boxes, each running pfSense in a Hyper-V VM. These will become the firewalls for each site, with a site-to-site VPN between them. The pfSense configuration options for a site-to-site VPN (I'm assuming OpenVPN in SSL/TLS mode is the most secure option) ask for three networks: the tunnel network, the remote network and the local network. My question is: how large does the tunnel network need to be? Can it be a class C (255.255.255.0) network with one IP for each office, or does it need to be large enough to provide an address for every device across all the offices? If the latter, I clearly wouldn't be able to give each office a 255.255.0.0 subnet (not that I think that would be needed), but would I have to reduce the size of the HQ subnet (it probably has under 500 hosts currently despite having tens of thousands of IP addresses available) that was originally intended to be our global network?
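As an added illustration (not part of the original question, and not pfSense's or OpenVPN's own code), the following Python script checks an address plan for a site-to-site OpenVPN link. It sizes the tunnel network by counting VPN endpoints (the server plus each remote site) rather than LAN hosts, flags overlaps between the tunnel network and the site LANs, and lists the `route`/`iroute` directives each side would carry, which is what the "Remote network(s)" fields in pfSense's server and client-specific override pages generate. The site names and prefixes are constructed sample values, and the sizing assumes OpenVPN's `topology subnet` addressing (one address per endpoint).

```python
"""Site-to-site OpenVPN address plan check (added example, constructed data).

Two things a practitioner verifies before building the tunnel:
  1. The tunnel network only needs one address per VPN endpoint
     (server + each remote site); the LANs behind the sites are reached
     through routes over the tunnel, so their size is irrelevant here.
  2. No LAN prefix may overlap another site's LAN or the tunnel network,
     otherwise the firewall cannot choose a route.
Assumption: OpenVPN 'topology subnet' (one tunnel address per endpoint).
"""
import ipaddress
from typing import Dict, List


def usable_endpoints(tunnel: ipaddress.IPv4Network) -> int:
    """Endpoint addresses a tunnel network offers under 'topology subnet'.

    Network and broadcast addresses are excluded, as for any subnet, so a
    /30 serves exactly two endpoints and a /29 serves six.
    """
    if tunnel.prefixlen > 30:
        raise ValueError(f"{tunnel} is too small for an OpenVPN tunnel")
    return tunnel.num_addresses - 2


def check_plan(tunnel: str, lans: Dict[str, List[str]]) -> Dict[str, object]:
    """Validate a plan: tunnel prefix plus {site: [LAN prefixes]}.

    Returns endpoint counts and a list of human-readable problems; the
    plan is acceptable only when that list is empty.
    """
    tun = ipaddress.ip_network(tunnel, strict=True)
    problems: List[str] = []

    needed = len(lans)                      # one tunnel address per site
    available = usable_endpoints(tun)
    if available < needed:
        problems.append(
            f"tunnel {tun} offers {available} endpoint addresses "
            f"but {needed} sites each need one")

    # Pairwise overlap test across the tunnel and every site's LANs.
    owned = [("tunnel", tun)]
    for site, prefixes in lans.items():
        for p in prefixes:
            owned.append((site, ipaddress.ip_network(p, strict=True)))
    for i in range(len(owned)):
        for j in range(i + 1, len(owned)):
            a_name, a = owned[i]
            b_name, b = owned[j]
            if a.overlaps(b):
                problems.append(f"{a_name} {a} overlaps {b_name} {b}")

    return {"ok": not problems, "endpoints_needed": needed,
            "endpoints_available": available, "problems": problems}


def _route(net: ipaddress.IPv4Network) -> str:
    return f"route {net.network_address} {net.netmask}"


def openvpn_directives(hub: str, lans: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Directives each site needs so every LAN is reachable via the tunnel.

    Hub (server): a kernel 'route' for every remote LAN, plus an 'iroute'
    per client in its client-specific config so OpenVPN knows which client
    owns which LAN (required once there is more than one client).
    Spokes (clients): a 'route' for the hub's LANs and for the other
    spokes' LANs, all of which are reached through the hub.
    """
    nets = {site: [ipaddress.ip_network(p, strict=True) for p in prefixes]
            for site, prefixes in lans.items()}
    out: Dict[str, List[str]] = {}
    for site in nets:
        lines = []
        for other, others_nets in nets.items():
            if other == site:
                continue
            lines.extend(_route(n) for n in others_nets)
            if site == hub:
                lines.extend(
                    f"iroute {n.network_address} {n.netmask}  # client-specific override for {other}"
                    for n in others_nets)
        out[site] = lines
    return out


if __name__ == "__main__":
    # Constructed sample plan: large HQ LAN, two small branches, /29 tunnel.
    plan = {"HQ": ["10.10.0.0/16"], "Branch1": ["10.20.0.0/24"],
            "Branch2": ["10.30.0.0/24"]}
    print(check_plan("10.200.0.0/29", plan))
    for site, lines in openvpn_directives("HQ", plan).items():
        print(site)
        for line in lines:
            print("   ", line)
```

The `/16` HQ LAN passes unchanged: its size only matters if another site's LAN lands inside it, which the overlap test catches. Running the script with a tunnel carved out of the HQ range (for example `10.10.0.0/30`) reports both the overlap and the shortage of endpoint addresses.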