pfsense:vpn:openvpn:openvpn_site-to-site_setup

Old revision: pfsense:vpn:openvpn:openvpn_site-to-site_setup [2021/02/16 16:19] – [Resolving / Reaching devices over the VPN by Hostname] peter
New revision: pfsense:vpn:openvpn:openvpn_site-to-site_setup [2022/08/18 07:16] (current) 185.198.243.242
Line 3: Line 3:
 An OpenVPN Site-to-Site setup using two pfSense devices, one running an OpenVPN server and the other an OpenVPN client. An OpenVPN Site-to-Site setup using two pfSense devices, one running an OpenVPN server and the other an OpenVPN client.
  
-<WRAP info+<WRAP warning
-This is NOT for setting up an OpenVPN server for Windows or smartphone clients to connect to a remote network over a VPN.+**WARNING:**  This is NOT for setting up an OpenVPN server for clients to connect to a remote network over a VPN.
  
-It is assumed in this tutorial that the pfSense box running the OpenVPN server is getting public (internet) IP address on its WAN interface. +This setup is for single remote clientnot multiple remote clients.
- +
-If the pfSense box is behind another routing device and using a local IP address from this devicethis tutorial won’t work without port forwarding or placing the pfSense device in the upstream modem/router’s DMZ. +
- +
-The Main Office device will be on a 192.168.1.0/24 subnet and the Satellite Office will be on a 192.168.2.0/24 subnet.+
 </WRAP> </WRAP>
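Review bot: the new sentence "This setup is for single remote clientnot multiple remote clients." is missing an article and a comma; suggest "This setup is for a single remote client, not multiple remote clients." Separately, the deleted line stating that the Main Office is on 192.168.1.0/24 and the Satellite Office on 192.168.2.0/24 was the only place the two example subnets were introduced, yet the IPv4 Remote Network(s) settings later in the page still rely on exactly those values (192.168.2.0/24 on the server, 192.168.1.0/24 on the client). Keep that sentence, reworded with Primary/Remote, so a reader meets the subnets before being asked to enter them.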
  
Line 18: Line 14:
  
 <WRAP info> <WRAP info>
-These instructions are for the configuration on the **Main Office** pfSense device where a Satellite pfSense client will connect to.+These instructions are for the configuration of the **Primary** pfSense device; and is where the **Remote** pfSense client will connect to
 + 
 +The **Primary** will require a static WAN IP address from their ISP to avoid the VPN going down when their public IP address is changed. 
 + 
 +  * If they don’t, you will have to setup a DDNS account. 
 + 
 +If the **Primary** pfSense box is behind another routing device and using a local IP address from this device, then additional port forwarding rules may be needed.
  
-The **Main Office** will require a static WAN IP address from their ISP to avoid the VPN going down when their public IP address is changed.  If they don’t, you will have to setup a DDNS account.  These instructions don’t cover how to do that. 
 </WRAP> </WRAP>
  
-On the pfSense at the **Main Office** location.+On the pfSense at the **Primary** location.
  
 Navigate to **VPN -> OpenVPN**. Navigate to **VPN -> OpenVPN**.
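Review bot: "configuration of the **Primary** pfSense device; and is where the **Remote** pfSense client will connect to" has a stray semicolon, a dangling "and is", and no terminating period; suggest "configuration of the **Primary** pfSense device, which is where the **Remote** pfSense client will connect to." In the same box, "you will have to setup a DDNS account" should read "set up", and the removed sentence "These instructions don't cover how to do that" was useful scope-setting for readers without a static WAN IP; consider keeping it as a second sub-bullet.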
Line 44: Line 45:
  
 <WRAP info> <WRAP info>
-**NOTE:**  Port 1195 is used here instead of the usual Port 1194.+**NOTE:**  Port 1195 is used here instead of the usual OpenVPN Port 1194.
  
   * Port 1194 is usually used for multiple client based VPNs.   * Port 1194 is usually used for multiple client based VPNs.
-  * Therefore port 1194 will be left just in case it is needed in the future.+  * This setup is not for multiple clients, so therefore port 1194 will be left just in case it is needed in the future.
  
 </WRAP> </WRAP>
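Review bot: "so therefore" in the second bullet is redundant; "This setup is not for multiple clients, so port 1194 will be left free in case it is needed in the future." reads cleaner, and the added clause largely repeats the warning box at the top of the page.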
Line 59: Line 60:
   * Encryption Algorithm:  **AES-128-CBC (128 bit key, 128 bit block)**.   * Encryption Algorithm:  **AES-128-CBC (128 bit key, 128 bit block)**.
   * Enable NCP:  **Checked**   * Enable NCP:  **Checked**
-  * NCP Algorithms:  **AES-128-GCM**.  Default.  Do not change anything here.+  * NCP Algorithms:  **AES-128-GCM**.  Default.
   * Auth digest algorithm: **SHA256 (256–bit)**.   * Auth digest algorithm: **SHA256 (256–bit)**.
-  * Hardware Crypto: **Intel RDRAND engine - RAND**.  If the hardware does not support encryption leave as **No Hardware Crypto Acceleration**.+  * Hardware Crypto: **Intel RDRAND engine - RAND**.  If the hardware does not this then leave as **No Hardware Crypto Acceleration**.
   * Certificate-Depth:  **One (Client+Server)**.  The default.   * Certificate-Depth:  **One (Client+Server)**.  The default.
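Review bot: the Hardware Crypto bullet now reads "If the hardware does not this then leave as", which is missing the verb; suggest "If the hardware does not support this, leave it as **No Hardware Crypto Acceleration**." The switch from "support encryption" to "support this" is otherwise an improvement, since "Intel RDRAND engine - RAND" selects a random-number engine rather than cipher acceleration. One caveat worth adding in this hunk: OpenVPN only negotiates the data-channel cipher (NCP) in TLS mode, so in the shared-key setup this page describes the configured Encryption Algorithm (AES-128-CBC) is what actually protects the tunnel, and the "Enable NCP" and "NCP Algorithms" values have no effect; readers should not assume AES-128-GCM is in use.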
  
Line 70: Line 71:
   * IPv4 Tunnel Network:  **10.0.1.0/24**.   * IPv4 Tunnel Network:  **10.0.1.0/24**.
   * IPv6 Tunnel Network:  **blank**.   * IPv6 Tunnel Network:  **blank**.
-  * IPv4 Remote Network(s):  **192.168.2.0/24**.  Change as needed. +  * IPv4 Remote Network(s):  **192.168.2.0/24**.  Enter the subnet of the Remote pfSense device.  Change as needed.
-    * Enter the subnet of your Satelite (client) pfSense device. +
-    * For example, if the Main Office device running OpenVPN Server is on a **192.168.1.0/24** subnet and the Satellite device running pfSense is on a **192.168.2/24** subnet, you would enter in **192.168.2.0/24**).+
   * IPv6 Remote network(s):  **blank**.   * IPv6 Remote network(s):  **blank**.
   * Concurrent connections:  **2**.   * Concurrent connections:  **2**.
   * Compression:  **Omit Preference (Use OpenVPN Default)**.   * Compression:  **Omit Preference (Use OpenVPN Default)**.
   * Type-of-Service: **Unchecked**   * Type-of-Service: **Unchecked**
 +
 +<WRAP info>
 +**NOTE:**  If the **Remote** client does not have a static IP address a Dynamic DNS account could be used.
 +</WRAP>
 +
  
 ---- ----
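Review bot: the added info box ("If the **Remote** client does not have a static IP address a Dynamic DNS account could be used") sits in the server configuration, but nothing in these server settings refers to the Remote's address; the Remote initiates the connection to the Primary's host, so Dynamic DNS for the Remote does not help here. The matching note added under "Server host or address" in Step 2, which concerns the Primary's address, is the one that matters; suggest dropping this copy or rewording it to say why the Remote's address is not needed. The collapsed IPv4 Remote Network(s) bullet is fine; it also removes the "192.168.2/24" typo from the old example.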
Line 93: Line 97:
 ---- ----
  
-==== Extract Shared Key to use for Satelite Office ====+==== Extract the Shared Key to use for the Remote client ====
  
-On the pfSense at your **Main Office** location.+On the pfSense at the **Primary** location.
  
 Navigate to **VPN -> OpenVPN**. Navigate to **VPN -> OpenVPN**.
  
   * Click on the **Pencil** icon to edit the **Site to Site OpenVPN (tun)**.   * Click on the **Pencil** icon to edit the **Site to Site OpenVPN (tun)**.
-  * Under the Cryptographic Settings copy the whole Shared Key that is in the dialog box.  (Click in there and do a ctrl+A and then ctrl+C)+  * In **Cryptographic Settings**: 
-  * Save it in a text file to use it in the next steps.+    * Copy the whole **Shared Key** that is in the dialog box.  Click in there and do a CTRL+A and then CTRL+C. 
 +  * Save as a text file.
  
 <WRAP important> <WRAP important>
-**WARNING:**  Make sure to delete or secure this key once you are finished with it.+**WARNING:**  This will be used in the next step for setting up the Remote client. 
 + 
 +Make sure to delete or secure this key once you are finished with it.
  
 It could give anyone in its possession access to your network. It could give anyone in its possession access to your network.
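Review bot: the important box now opens with "This will be used in the next step for setting up the Remote client", which is not a warning and pushes the actual warning down; move that sentence into the preceding list ("Save as a text file; it is used in the next step to set up the Remote client.") so the box leads with "Make sure to delete or secure this key". Since the shared key is the only credential protecting this tunnel, the box could also say to copy it to the Remote device over an already trusted channel and to delete the text file once it has been pasted, rather than leaving "delete or secure" open-ended.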
Line 112: Line 119:
 ---- ----
  
-===== Step 2: Setup the pfSense device in the Satellite office to connect as an OpenVPN Client ===== +===== Step 2: Setup the pfSense device at the Remote Client to connect as an OpenVPN Client =====
- +
-These configuration changes need to be done on the **Satellite** Office pfSense device so it can connect back to the Main Office location.+
  
 ==== Part 1: Setup the OpenVPN Client ==== ==== Part 1: Setup the OpenVPN Client ====
  
-On the pfSense at the **Satellite Office** location.+On the pfSense at the **Remote** location.
  
 Navigate to **VPN -> OpenVPN**. Navigate to **VPN -> OpenVPN**.
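Review bot: the new Step 2 heading "Setup the pfSense device at the Remote Client to connect as an OpenVPN Client" repeats "Client" and uses "Setup" as a verb; suggest "Step 2: Set up the Remote pfSense device as an OpenVPN Client". The deleted intro sentence was the only place explaining that these changes are made on the Remote device so it can connect back to the Primary; keep a reworded version of it under the heading.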
Line 136: Line 141:
   * Interface:  **WAN**   * Interface:  **WAN**
   * Local Port:  **blank**   * Local Port:  **blank**
-  * Server host or address:  **The public IP address of the Main Office location**.  i.e.  The **OpenVPN server**+  * Server host or address:  **The public IP address of the Primary location**.  i.e.  The **OpenVPN Server**. 
-    * If the client does not have a static IP address a no-ip DDNS account could be used+  * Server port:  **1195**.
-  * Server port: **1195**.+
   * Proxy host or address:  **blank**.   * Proxy host or address:  **blank**.
   * Proxy port:  **blank**.   * Proxy port:  **blank**.
-  * Proxy Authentication: **none**.+  * Proxy Authentication:  **none**.
   * Description:  **Site to Site OpenVPN**.   * Description:  **Site to Site OpenVPN**.
 +
 +<WRAP info>
 +**NOTE:**  If the **Primary**  server does not have a static IP address a Dynamic DNS account could be used.
 +</WRAP>
 +
  
 ---- ----
Line 149: Line 158:
  
   * Auto generate: **Not Checked**.   * Auto generate: **Not Checked**.
-  * Shared Key:   **Paste the Shared Key from the Main Office here**.+  * Shared Key:   **Paste the Shared Key from the Primary Server here**.
   * Encryption Algorithm: **AES-128-CBC (128 bit key, 128 bit block)**   * Encryption Algorithm: **AES-128-CBC (128 bit key, 128 bit block)**
-  * Enable NCP: **Checked**. +  * Enable NCP:  **Checked**. 
-  * NCP Algorithms: **do not change anything in here**. +  * NCP Algorithms:  **AES-128-GCM**.  Default
-  * Auth digest algorithm: **SHA256 (256–bit)**.+  * Auth digest algorithm:  **SHA256 (256–bit)**.
   * Hardware Crypto:  **Intel RDRAND engine - RAND**.  If the hardware does not support this, use **No Hardware Crypto Acceleration**.   * Hardware Crypto:  **Intel RDRAND engine - RAND**.  If the hardware does not support this, use **No Hardware Crypto Acceleration**.
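Review bot: "NCP Algorithms:  **AES-128-GCM**.  Default" lacks the terminating period its neighbouring bullets have. Since this is a shared-key tunnel, it would also help to state in this hunk that Encryption Algorithm and Auth digest algorithm must be identical to the values entered on the Primary server, otherwise the tunnel will not pass traffic.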
  
Line 159: Line 168:
 **NOTE:**  To find the Shared key on the OpenVPN Server: **NOTE:**  To find the Shared key on the OpenVPN Server:
  
-  * Login to the **pfSense** at the Main Office.+On the pfSense at the **Primary** location. 
   * Navigate to **VPN -> OpenVPN**.   * Navigate to **VPN -> OpenVPN**.
   * Click the **Pencil** icon to edit the **Site to Site OpenVPN (tun)**.   * Click the **Pencil** icon to edit the **Site to Site OpenVPN (tun)**.
   * In **Cryptographic Settings**:   * In **Cryptographic Settings**:
-    * Copy the whole Shared Key that is in the dialog box.  (Click in there and do a Ctrl+A and then Ctrl+C)+    * Copy the whole Shared Key that is in the dialog box.  Click in there and do a CTRL+A and then CTRL+C. 
-  * Paste that Shared key into the Satellite Office pfSense Shared key dialog box.+  * Paste that Shared key into the Remote pfSense box.
  
 </WRAP> </WRAP>
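Review bot: replacing the first bullet with the plain line "On the pfSense at the **Primary** location." leaves a sentence followed directly by bullets; either keep it as a bullet or end it with a colon so it introduces the list. "Paste that Shared key into the Remote pfSense box." is ambiguous (device or dialog box); the old "Shared key dialog box" wording was clearer.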
Line 174: Line 184:
   * IPv4 Tunnel Network:  **10.0.1.0/24**.   * IPv4 Tunnel Network:  **10.0.1.0/24**.
   * IPv6 Tunnel Network:  **blank**.   * IPv6 Tunnel Network:  **blank**.
-  * IPv4 Remote network(s):  **192.168.1.0/24**.  The subnet address for the **Main Office** location. +  * IPv4 Remote network(s):  **192.168.1.0/24**.  The subnet address for the **Primary** location. 
   * IPv6 Remote network(s):  **blank**.   * IPv6 Remote network(s):  **blank**.
   * Limit outgoing bandwidth:  **blank**.   * Limit outgoing bandwidth:  **blank**.
Line 196: Line 206:
 ==== Part 2: Configure the Firewall Rules ==== ==== Part 2: Configure the Firewall Rules ====
  
-Login to **pfSense (Satellite Office)**:+On the pfSense at the **Remote** location.
  
 Navigate to **Firewall -> Rules**. Navigate to **Firewall -> Rules**.
  
   * Click the **OpenVPN** tab.   * Click the **OpenVPN** tab.
-  * Click the **Add** button that is pointing **UP** +  * Click the **Add (up arrow)**. 
-  * Action: **Pass** +  * Action: .**Pass**. 
-  * Disabled: **unchecked** +  * Disabled: .**Not Cecked** 
-  * Interface: **OpenVPN** +  * Interface:  **OpenVPN**. 
-  * Address Family: **IPv4** +  * Address Family:  **IPv4**. 
-  * Protocol: **any**+  * Protocol: **any**.
   * Source:   * Source:
     * Invert match: **Not Checked**.     * Invert match: **Not Checked**.
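Review bot: "Action: .**Pass**." and "Disabled: .**Not Cecked**" each have a stray period before the bold text, "Cecked" is a typo for "Checked", and the Disabled bullet is missing the trailing period the other bullets now carry. With Protocol set to **any** on the OpenVPN interface, this rule passes everything arriving through the tunnel; where the Source fields follow, consider restricting Source to the Primary's subnet (192.168.1.0/24) rather than any, so a compromise of the other site cannot reach this network from arbitrary addresses.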
Line 224: Line 234:
 Test the OpenVPN connection to see if it works. Test the OpenVPN connection to see if it works.
  
-Login to pfSense on the **Main office Router**.+On the pfSense at the **Primary** location.
  
   * Click on the **Status -> OpenVPN**.   * Click on the **Status -> OpenVPN**.
  
 <WRAP info> <WRAP info>
-**NOTE:**  If the OpenVPN connection is working this should show the IP address of the connected pfSense router at the Satellite location.+**NOTE:**  If the OpenVPN connection is working this should show the IP address of the connected pfSense router at the **Remote** location.
  
 </WRAP> </WRAP>
  
-From the Main Office, try to ping the Local IP address of the Satellite Office device.+From the **Primary** location, try to ping the Local IP address of the **Remote** location.
  
 <code bash> <code bash>
Line 240: Line 250:
  
 <WRAP info> <WRAP info>
-**NOTE:**  If the ping is successful it means traffic is passing across the tunnel and the Main Office can see the Satellite office.+**NOTE:**  If the ping is successful it means traffic is passing across the tunnel and the Primary location can see the Remote location.
 </WRAP> </WRAP>
  
-From the Satellite Office, try to ping the Local IP address of the Main Office device.+----
  
-  * If you get a result back it means traffic is passing across the tunnel and the Main Office can see the Satellite office.+From the **Remote** location, try to ping the Local IP address of the **Primary** location. 
 + 
 +  * If you get a result back it means traffic is passing across the tunnel and the Remote location can see the Primary location.
  
 <code bash> <code bash>
Line 252: Line 264:
  
 <WRAP info> <WRAP info>
-**NOTE**:  Just because you can ping the routers at both ends does not necessarily mean you will be able to see Windows machines and ping them. +**NOTE**:  Be aware that systems at either end may have Firewall rules preventing pings.
- +
-If a Windows machine does not have File and Print Sharing open in its Firewall settings you will not be able to ping it.+
 </WRAP> </WRAP>
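Review bot: the rewrite to "systems at either end may have Firewall rules preventing pings" drops the one actionable hint in the old text, that a Windows host without File and Print Sharing allowed in its firewall will not answer pings; keep that as an example sub-bullet under the new general sentence so a reader with a failed ping knows what to check.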
  
pfsense/vpn/openvpn/openvpn_site-to-site_setup.1613492387.txt.gz · Last modified: 2021/02/16 16:19 by peter
