====== PFSense - VPN - OpenVPN - OpenVPN Site-to-Site Setup ======

An OpenVPN Site-to-Site setup using two pfSense devices, one running an OpenVPN server and the other an OpenVPN client.

**WARNING:** This is NOT for setting up an OpenVPN server for clients to connect to a remote network over a VPN. This setup is for a single remote client, not multiple remote clients.

----

===== Step 1: Setup the OpenVPN Server =====

These instructions are for the configuration of the **Primary** pfSense device, which is where the **Remote** pfSense client will connect to.

The **Primary** will require a static WAN IP address from its ISP to avoid the VPN going down when its public IP address changes.
  * If it does not have one, you will have to set up a DDNS account.

If the **Primary** pfSense box is behind another routing device and uses a local IP address from that device, additional port forwarding rules may be needed.

On the pfSense at the **Primary** location, navigate to **VPN -> OpenVPN** and select **Server**.
  * Click the **Add** button.

----

In **General Information**:
  * Disabled: **Unchecked**
  * Server mode: **Peer to Peer (Shared Key)**
  * Protocol: **UDP on IPv4 only**
  * Device mode: **tun - Layer 3 Tunnel Mode**
  * Interface: **WAN**
  * Local port: **1195**
  * Description: **Site to Site OpenVPN**

**NOTE:** Port 1195 is used here instead of the usual OpenVPN port 1194.
  * Port 1194 is usually used for multiple client based VPNs.
  * This setup is not for multiple clients, so port 1194 is left free in case it is needed in the future.

----

In **Cryptographic Settings**:
  * TLS keydir direction: **Use default direction**. The default.
  * Shared Key: **Checked**
  * Encryption Algorithm: **AES-128-CBC (128 bit key, 128 bit block)**
  * Enable NCP: **Checked**
  * NCP Algorithms: **AES-128-GCM**. Default.
  * Auth digest algorithm: **SHA256 (256-bit)**
  * Hardware Crypto: **Intel RDRAND engine - RAND**. If the hardware does not support this, leave it as **No Hardware Crypto Acceleration**.
  * Certificate Depth: **One (Client+Server)**. The default.

----

In **Tunnel Settings**:
  * IPv4 Tunnel Network: ****
  * IPv6 Tunnel Network: **blank**
  * IPv4 Remote Network(s): ****. Enter the subnet of the **Remote** pfSense device. Change as needed.
  * IPv6 Remote network(s): **blank**
  * Concurrent connections: **2**
  * Compression: **Omit Preference (Use OpenVPN Default)**
  * Type-of-Service: **Unchecked**

**NOTE:** If the **Remote** client does not have a static IP address, a Dynamic DNS account could be used.

----

In **Advanced Configuration**:
  * Custom options: **blank**
  * UDP Fast I/O: **Not Checked**
  * Exit Notify: **Disabled**
  * Send/Receive Buffer: **Default**
  * Gateway creation: **Both**
  * Verbosity level: **default**
  * Click **Save**.

----

==== Extract the Shared Key to use for the Remote client ====

On the pfSense at the **Primary** location, navigate to **VPN -> OpenVPN**.
  * Click on the **Pencil** icon to edit the **Site to Site OpenVPN (tun)**.
  * In **Cryptographic Settings**:
    * Copy the whole **Shared Key** that is in the dialog box. Click in there and do a CTRL+A and then CTRL+C.
    * Save it as a text file.

**WARNING:** This will be used in the next step for setting up the Remote client. Make sure to delete or secure this key once you are finished with it. It could give anyone in its possession access to your network.

----

===== Step 2: Setup the pfSense device at the Remote Client to connect as an OpenVPN Client =====

==== Part 1: Setup the OpenVPN Client ====

On the pfSense at the **Remote** location, navigate to **VPN -> OpenVPN** and click the **Clients** tab.
  * Click on the **Add** button.

----

In **General Information**:
  * Disabled: **Not Checked**
  * Server mode: **Peer to Peer (Shared Key)**
  * Protocol: **UDP on IPv4 only**
  * Device mode: **tun - Layer 3 Tunnel Mode**
  * Interface: **WAN**
  * Local Port: **blank**
  * Server host or address: **The public IP address of the Primary location**, i.e. the **OpenVPN Server**.
  * Server port: **1195**
  * Proxy host or address: **blank**
  * Proxy port: **blank**
  * Proxy Authentication: **none**
  * Description: **Site to Site OpenVPN**

**NOTE:** If the **Primary** server does not have a static IP address, a Dynamic DNS account could be used.

----

In **Cryptographic Settings**:
  * Auto generate: **Not Checked**
  * Shared Key: **Paste the Shared Key from the Primary Server here**
  * Encryption Algorithm: **AES-128-CBC (128 bit key, 128 bit block)**
  * Enable NCP: **Checked**
  * NCP Algorithms: **AES-128-GCM**. Default.
  * Auth digest algorithm: **SHA256 (256-bit)**
  * Hardware Crypto: **Intel RDRAND engine - RAND**. If the hardware does not support this, use **No Hardware Crypto Acceleration**.

**NOTE:** To find the Shared Key on the OpenVPN Server, on the pfSense at the **Primary** location:
  * Navigate to **VPN -> OpenVPN**.
  * Click the **Pencil** icon to edit the **Site to Site OpenVPN (tun)**.
  * In **Cryptographic Settings**:
    * Copy the whole Shared Key that is in the dialog box. Click in there and do a CTRL+A and then CTRL+C.
    * Paste that Shared Key into the Remote pfSense box.

----

In **Tunnel Settings**:
  * IPv4 Tunnel Network: ****
  * IPv6 Tunnel Network: **blank**
  * IPv4 Remote network(s): ****. The subnet address for the **Primary** location.
  * IPv6 Remote network(s): **blank**
  * Limit outgoing bandwidth: **blank**
  * Compression: **Omit Preference (Use OpenVPN Default)**
  * Type-of-Service: **Not Checked**
  * Don't add/remove routes: **Not Checked**

----

In **Advanced Configuration**:
  * Custom options: **blank**
  * UDP Fast I/O: **Unchecked**
  * Exit Notify: **Disabled**
  * Send/Receive Buffer: **Default**
  * Gateway creation: **Both**
  * Verbosity level: **default**

----

==== Part 2: Configure the Firewall Rules ====

On the pfSense at the **Remote** location, navigate to **Firewall -> Rules**.
  * Click the **OpenVPN** tab.
  * Click the **Add (up arrow)**.
  * Action: **Pass**
  * Disabled: **Not Checked**
  * Interface: **OpenVPN**
  * Address Family: **IPv4**
  * Protocol: **any**
  * Source:
    * Invert match: **Not Checked**
    * Source: **any**
  * Destination:
    * Invert match: **Not Checked**
    * Destination: **any**
  * Log: **Not Checked**
  * Description: **OpenVPN for Site-to-Site OpenVPN on 1195**
  * Click **Save**.
  * Click **Apply changes**.

----

===== Test the OpenVPN connection =====

Test the OpenVPN connection to see if it works.

On the pfSense at the **Primary** location:
  * Click on **Status -> OpenVPN**.

**NOTE:** If the OpenVPN connection is working, this should show the IP address of the connected pfSense router at the **Remote** location.

From the **Primary** location, try to ping the local IP address of the **Remote** location.

  ping

**NOTE:** If the ping is successful, it means traffic is passing across the tunnel and the Primary location can see the Remote location.

----

From the **Remote** location, try to ping the local IP address of the **Primary** location.
  * If you get a result back, it means traffic is passing across the tunnel and the Remote location can see the Primary location.

  ping

**NOTE:** Be aware that systems at either end may have firewall rules preventing pings.

----

===== Resolving / Reaching devices over the VPN by Hostname =====

It is very likely you will not be able to **resolve** or **reach** devices by hostname over the new Site-to-Site VPN without some adjustments.

In the pfSense DHCP settings it is usually best to add the local DNS servers to support name resolution.

pfSense also includes the option **Register connected OpenVPN clients in the DNS Resolver**.

----

===== References =====

https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)
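Added example for the "Extract the Shared Key" step above (this is not part of the original page or of pfSense): a small Python check that the Shared Key copied out of the Primary server's dialog box was copied whole, since a partial clipboard copy gives the Remote client a key it cannot use. The sample key it builds is constructed locally for the test and is not a real key.

```python
"""Validate a copied OpenVPN shared (static) key before it is pasted into the
Remote pfSense client.  Added example, not pfSense code; the sample key is
constructed locally and is not a real key."""
import hashlib
import re

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BITS = 2048  # OpenVPN static keys are always 2048 bits (16 lines of 32 hex chars)
HEX_LINE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_static_key(text):
    """Return (key_bytes, problems); key_bytes is None when the copy is unusable.

    Checks what a partial clipboard copy typically breaks: a missing BEGIN or
    END line, a truncated or corrupted hex line, or the wrong total size."""
    problems = []
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("#")]  # '#' lines are comments
    if not body or body[0] != HEADER:
        problems.append("missing BEGIN line: copy from the first '-----' line")
    if not body or body[-1] != FOOTER:
        problems.append("missing END line: copy through the last '-----' line")
    hex_lines = [ln for ln in body if ln not in (HEADER, FOOTER)]
    bad = [i for i, ln in enumerate(hex_lines, 1) if not HEX_LINE.match(ln)]
    if bad:
        problems.append("malformed hex on key line(s) %s" % bad)
        return None, problems
    key = bytes.fromhex("".join(hex_lines))
    if len(key) * 8 != KEY_BITS:
        problems.append("key is %d bits, expected %d" % (len(key) * 8, KEY_BITS))
    return (None if problems else key), problems


def make_sample_key(seed="constructed-sample"):
    """Build a syntactically valid key for testing (constructed, NOT a real key)."""
    raw = b"".join(hashlib.sha256(b"%s:%d" % (seed.encode(), i)).digest() for i in range(8))
    hex_lines = [raw.hex()[i:i + 32] for i in range(0, 512, 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", HEADER] + hex_lines + [FOOTER]) + "\n"


if __name__ == "__main__":
    key, problems = parse_static_key(make_sample_key())
    print("key OK, %d bits" % (len(key) * 8) if key else problems)
```

Run it against the text file saved from the Primary server (for example by reading the file into `parse_static_key`) before pasting the key into the Remote client; an empty problem list means the whole key was captured.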