
PFSense - OpenVPN - OpenVPN Site-to-Site Setup

This tutorial is for an OpenVPN Site-to-Site setup using two pfSense devices, one running an OpenVPN server and the other an OpenVPN client.

This tutorial is not for setting up an OpenVPN server for Windows or smartphone clients to connect to a remote network over a VPN.

It is assumed in this tutorial that the pfSense box running the OpenVPN server is getting a public (internet) IP address on its WAN interface.

If the pfSense box is behind another routing device and using a local IP address from this device, this tutorial won’t work without port forwarding or placing the pfSense device in the upstream modem/router’s DMZ.

For this tutorial, the Main Office device will be on a 192.168.5.0/24 subnet and the Satellite Office will be on a 192.168.10.0/24 subnet. You will need to change these values in the tutorial to match your own network’s IP addressing scheme.


Step 1: Setting up the OpenVPN Server

These instructions are for the configuration of the Main Office pfSense device, which the Satellite Office pfSense client will connect to.

The Main Office will require a static WAN IP address from their ISP to avoid the VPN going down whenever their public IP address changes. If they don’t have one, you will have to set up a DDNS account. These instructions don’t cover how to do that.

  1. Login to pfSense at your Main Office location.
  2. Click on VPN→OpenVPN
  3. Within the Servers tab Click on green Add button
  4. Fill out the following information:
    • General Information
      • Disabled: Unchecked
      • Server mode: Peer to Peer (Shared Key)
      • Protocol: UDP on IPv4 only
      • Device mode: tun – Layer 3 Tunnel Mode
      • Interface: WAN
      • Local port: 1195
        • Note: we are using 1195 instead of 1194 because 1194 is the port more commonly used for multi-client VPNs. We’ll keep port 1194 free in case we need it in the future, or in case a client-based VPN for Windows clients is already set up on it.
      • Description: Site_to_Site_OpenVPN
    • Cryptographic Settings
      • Shared Key: Checked
      • Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block)
      • Enable NCP: Checked
      • NCP Algorithms: do not change anything in here
      • Auth digest algorithm: SHA1 (160-bit)
      • Hardware Crypto: No Hardware Crypto Acceleration
    • Tunnel Settings
      • IPv4 Tunnel Network: 10.0.1.0/24
      • IPv6 Tunnel Network: blank
      • IPv4 Remote Network(s): 192.168.10.0/24
        • (Please note: this is the tutorial value. To adjust it for your own scenario, enter the LAN subnet of your Satellite (client) pfSense device. For example, if the Main Office device running the OpenVPN server is on a 192.168.5.0/24 subnet and the Satellite device running pfSense is on a 192.168.10.0/24 subnet, you would enter 192.168.10.0/24.)
      • IPv6 Remote Network(s): blank
      • Concurrent connections: 2
      • Compression: Omit Preference (Use OpenVPN Default)
      • Type-of-Service: Unchecked
    • Advanced Configuration
      • Custom options: blank
      • UDP Fast I/O: Unchecked
      • Send/Receive Buffer: Default
      • Gateway creation: Both
      • Verbosity level: default
  5. Click on the blue Save button.

Before moving on: If you won’t be able to easily access your Main Office pfSense device running your OpenVPN server while simultaneously accessing your Satellite Office pfSense device, stop and copy the Shared Key on your Main Office pfSense OpenVPN server by following the instructions below. If you will be able to access them both at the same time, move on to Step 2.

  • Login to pfSense (At the MAIN OFFICE LOCATION!)
  • Click on VPN→OpenVPN.
  • Click on the Pencil icon to edit the Site_to_Site_OpenVPN (tun).
  • Under the Cryptographic Settings copy the whole Shared Key that is in the dialog box. (Click in there and do a ctrl+A and then ctrl+C)
  • Save it in a text file and email it to yourself so you can use it in the next steps.
  • Make sure to delete or secure this key once you’re finished, as it could give anyone in its possession access to your network.
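The Shared Key you copy above is a plain-text file in OpenVPN's static key format, and the most common thing that goes wrong when it travels through email or a text editor is that it arrives truncated or with a line missing, which the pfSense form will not catch. The following is an added example (not code from the tutorial or from pfSense) that generates a key in the same format as `openvpn --genkey` and, more usefully, validates a pasted key before you save it on the Satellite box, reporting exactly what was lost; the sample keys in the test are constructed.

```python
"""Generate and validate an OpenVPN static (shared) key.

Added example; not code from the original tutorial or from pfSense.
It reproduces the text format that `openvpn --genkey` writes and that the
pfSense Shared Key box displays: a BEGIN line, 16 lines of 32 hex
characters (256 random bytes), and an END line. key_error() is the check
to run on the key copied to the Satellite box: a key that lost its last
lines in transit fails silently, the tunnel simply never comes up.
"""
import re
import secrets

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256       # 2048-bit static key
HEX_PER_LINE = 32     # 16 bytes per line, as openvpn --genkey writes it


def generate_static_key() -> str:
    """Return a fresh static key in OpenVPN's text format."""
    hexkey = secrets.token_hex(KEY_BYTES)
    body = [hexkey[i:i + HEX_PER_LINE] for i in range(0, len(hexkey), HEX_PER_LINE)]
    return "\n".join([HEADER, *body, FOOTER]) + "\n"


def _key_lines(text: str) -> list:
    """Strip whitespace, blank lines and the '#' comment lines genkey adds."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [ln for ln in lines if ln and not ln.startswith("#")]


def key_error(text: str) -> str:
    """Describe what is wrong with a pasted key, or return "" if it is well-formed."""
    lines = _key_lines(text)
    if not lines or lines[0] != HEADER:
        return "BEGIN line missing: the top of the key was not copied"
    if lines[-1] != FOOTER:
        return "END line missing: the key was cut off at the bottom"
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]*", body):
        return "non-hex characters inside the key body (stray text or line wrapping)"
    if len(body) != KEY_BYTES * 2:
        return f"key body holds {len(body) // 2} bytes, expected {KEY_BYTES}"
    return ""


def parse_static_key(text: str) -> bytes:
    """Return the raw key bytes, raising ValueError with the reason otherwise."""
    err = key_error(text)
    if err:
        raise ValueError(err)
    return bytes.fromhex("".join(_key_lines(text)[1:-1]))


def keys_match(server_key: str, client_key: str) -> bool:
    """True when both sides hold the identical key, ignoring whitespace differences."""
    return parse_static_key(server_key) == parse_static_key(client_key)


if __name__ == "__main__":
    key = generate_static_key()
    print(key)
    # Constructed failure: the last three lines were lost in a paste.
    truncated = "\n".join(key.splitlines()[:-3]) + "\n"
    print("truncated key ->", key_error(truncated))
```

Run `key_error()` on the text you pasted into the Satellite form before clicking Save; an empty string means the key is structurally complete, and `keys_match()` confirms the two boxes hold the same key once you have both copies in front of you.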

Step 2: Setup the pfSense device in your Satellite office to connect as an OpenVPN Client

These configuration changes need to be done on the Satellite Office pfSense device so it can connect back to the Main Office location.

Part 1: Setup the OpenVPN Client

  • Login to pfSense (Satellite Office)
  • Click on VPN→OpenVPN
  • Click on the Clients tab.
  • Click on the green Add button.
  • Fill out the following information:
    • General Information
      • Disabled: Unchecked
      • Server mode: Peer to Peer (Shared Key)
      • Protocol: UDP on IPv4 only
      • Device mode: tun – Layer 3 Tunnel Mode
      • Interface: WAN
      • Local Port: blank
      • Server host or address: the public IP address of the Main Office location where your pfSense device is running the OpenVPN server. If the client does not have a static IP address from their ISP, it would be a good idea to set up a No-IP DDNS account. This is not covered in this tutorial.
      • Server port: 1195
      • Proxy host or address: blank
      • Proxy port: blank
      • Proxy Authentication: none
      • Description: Site_to_Site_OpenVPN
    • Cryptographic Settings
      • Auto generate: Unchecked
      • Shared Key: you will need to log back into the pfSense device at the Main Office location, copy the Shared Key and paste it into this box. You will find the Shared Key by following these steps:
        • Login to pfSense (At the MAIN OFFICE LOCATION!)
        • Click on VPN→OpenVPN.
        • Click on the Pencil icon to edit the Site_to_Site_OpenVPN (tun).
        • Under the Cryptographic Settings copy the whole Shared Key that is in the dialog box. (Click in there and do a Ctrl+A and then Ctrl+C)
        • Paste that Shared Key into the Satellite Office pfSense Shared Key dialog box.
      • Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block)
      • Enable NCP: Checked
      • NCP Algorithms: do not change anything in here
      • Auth digest algorithm: SHA1 (160-bit)
      • Hardware Crypto: No Hardware Crypto Acceleration
    • Tunnel Settings
      • IPv4 Tunnel Network: 10.0.1.0/24
      • IPv6 Tunnel Network: blank
      • IPv4 Remote Network(s): 192.168.5.0/24
        • (Please note: this is the tutorial value. To adjust it for your own scenario, enter the LAN subnet of your Main Office location. For example, if the Main Office device running pfSense with your OpenVPN server is on a 192.168.5.0/24 subnet and the Satellite Office device running pfSense with your OpenVPN client is on a 192.168.10.0/24 subnet, you would enter 192.168.5.0/24.)
      • IPv6 Remote Network(s): blank
      • Limit outgoing bandwidth: blank
      • Compression: Omit Preference (Use OpenVPN Default)
      • Type-of-Service: Unchecked
      • Don’t add/remove routes: Unchecked
    • Advanced Configuration
      • Custom options: blank
      • UDP Fast I/O: Unchecked
      • Send/Receive Buffer: Default
      • Gateway creation: Both
      • Verbosity level: default
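The server and client forms above are mirror images of each other: the same tunnel network and shared key on both sides, each side's IPv4 Remote Network being the other side's LAN, and the client's Server port matching the server's Local port. The following added example (not code from the tutorial, and not the configuration files pfSense itself generates) renders my reading of those form values as plain OpenVPN directives for both ends, so you can see what each field turns into, and first checks that the tunnel network and the two LANs do not overlap, which is the usual reason a site-to-site tunnel shows as connected but passes no traffic. The public address, secret path and the exact directive set are assumptions for illustration.

```python
"""Render the OpenVPN directives behind the tutorial's GUI settings and
sanity-check the addressing before applying them.

Added example; not code from the original tutorial and not the files
pfSense itself writes. The directive list is an assumption: the plain
OpenVPN expression of the form values (peer-to-peer shared key, tun device,
UDP/1195, AES-128-CBC, SHA1, tunnel network 10.0.1.0/24 and each side's
remote LAN). check_addressing() catches the usual cause of a tunnel that
comes up but carries no traffic: a LAN that overlaps the other site's LAN
or the tunnel network.
"""
from ipaddress import IPv4Network
from itertools import combinations

# Tutorial values. Constructed sample: replace with your own addressing.
# The public address is an RFC 5737 documentation placeholder, not a real host.
SITE = {
    "tunnel": "10.0.1.0/24",             # IPv4 Tunnel Network on both sides
    "main_lan": "192.168.5.0/24",        # Main Office LAN (client's IPv4 Remote Network)
    "satellite_lan": "192.168.10.0/24",  # Satellite LAN (server's IPv4 Remote Network)
    "port": 1195,                        # server Local port / client Server port
    "server_public": "203.0.113.10",     # placeholder for the Main Office WAN address
    "cipher": "AES-128-CBC",             # Encryption Algorithm
    "auth": "SHA1",                      # Auth digest algorithm
    "secret_path": "/path/to/shared.key",  # placeholder for the Shared Key file
}


def check_addressing(tunnel: str, main_lan: str, satellite_lan: str) -> list:
    """Return a list of problems; an empty list means the three networks are usable."""
    try:
        nets = {
            "tunnel": IPv4Network(tunnel),
            "main_lan": IPv4Network(main_lan),
            "satellite_lan": IPv4Network(satellite_lan),
        }
    except ValueError as exc:
        # Strict parsing rejects host bits, e.g. "192.168.10.1/24" typed for a subnet.
        return [f"bad network notation: {exc}"]
    problems = []
    for (name_a, net_a), (name_b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    if nets["tunnel"].num_addresses < 4:  # needs a /30 or larger for two endpoints
        problems.append(f"tunnel network {nets['tunnel']} has no room for two endpoints")
    return problems


def tunnel_endpoints(tunnel: str) -> tuple:
    """First two usable addresses of the tunnel network: server end, then client end."""
    hosts = IPv4Network(tunnel).hosts()
    return str(next(hosts)), str(next(hosts))


def _route(lan: str) -> str:
    """OpenVPN route directive for a remote LAN (network address and dotted netmask)."""
    net = IPv4Network(lan)
    return f"route {net.network_address} {net.netmask}"


def render_server(site: dict) -> str:
    """Main Office side: listens on the WAN port and routes to the Satellite LAN."""
    srv, cli = tunnel_endpoints(site["tunnel"])
    lines = [
        "dev tun",                          # Device mode: tun
        "proto udp4",                       # Protocol: UDP on IPv4 only
        f"port {site['port']}",             # Local port
        f"secret {site['secret_path']}",    # Shared Key (static key file)
        f"ifconfig {srv} {cli}",            # this end, then the peer end
        _route(site["satellite_lan"]),      # IPv4 Remote Network(s)
        f"cipher {site['cipher']}",
        f"auth {site['auth']}",
    ]
    return "\n".join(lines) + "\n"


def render_client(site: dict) -> str:
    """Satellite side: dials the Main Office WAN address and routes to the Main LAN."""
    srv, cli = tunnel_endpoints(site["tunnel"])
    lines = [
        "dev tun",
        "proto udp4",
        f"remote {site['server_public']} {site['port']}",  # Server host + Server port
        "nobind",                           # Local Port: blank
        f"secret {site['secret_path']}",
        f"ifconfig {cli} {srv}",            # mirror of the server's ifconfig
        _route(site["main_lan"]),           # IPv4 Remote Network(s)
        f"cipher {site['cipher']}",
        f"auth {site['auth']}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problems = check_addressing(SITE["tunnel"], SITE["main_lan"], SITE["satellite_lan"])
    if problems:
        raise SystemExit("fix addressing first:\n  " + "\n  ".join(problems))
    print("# server (Main Office)\n" + render_server(SITE))
    print("# client (Satellite Office)\n" + render_client(SITE))
```

Two things the rendered output makes visible: the NCP checkbox produces no directive here because OpenVPN only negotiates ciphers in TLS mode, so on a shared-key tunnel the `cipher` line is what both ends actually use; and the client's `remote` line only gets an answer if the Main Office WAN firewall accepts UDP/1195 from the Satellite's public address, which pfSense does not allow by default.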

Part 2: Configure the Firewall Rules

  • Login to pfSense (Satellite Office)
  • Click on Firewall→Rules
  • Click on the OpenVPN tab.
  • Within the OpenVPN tab, click on the green Add button that is pointing UP.
  • Fill out the following information:
    • Edit the Firewall Rule
      • Action: Pass
      • Disabled: Unchecked
      • Interface: OpenVPN
      • Address Family: IPv4
      • Protocol: any
    • Source
      • Invert match: Unchecked
      • Source: any
    • Destination
      • Invert match: Unchecked
      • Destination: any
    • Extra Options
      • Log: Unchecked
      • Description: OpenVPN for Site-to-Site OpenVPN on 1195
  • Click the blue Save button.
  • Click the green Apply Changes button.

You now need to test the OpenVPN connection to see if it works. Here is how to do that.

  • Login to pfSense on the Main Office router.
  • Click on Status→OpenVPN.
  • If the OpenVPN connection is working you should see the IP address of the connected pfSense router at the Satellite location.
  • Open up a command prompt on a Windows machine at the Main Office and try pinging the local IP address of the Satellite Office device. In the example used for this tutorial, 192.168.5.1 is the IP of the Main Office router and 192.168.10.1 is the IP of the Satellite Office router, so we’ll ping 192.168.10.1.
  • If you get a reply back it means traffic is passing across the tunnel and the Main Office can see the Satellite Office.
  • Now you need to do the opposite. Open up a command prompt on a Windows machine at the Satellite Office and try pinging the local IP address of the Main Office router. Using the same example values, we’ll ping 192.168.5.1.
  • If you get a reply back it means traffic is passing across the tunnel and the Satellite Office can see the Main Office.

Keep in mind, just because you can ping the routers at both ends doesn’t necessarily mean you will be able to see Windows machines and ping them. If a Windows machine does not have File and Print Sharing open in its Firewall settings you won’t be able to ping it.

Resolving / Reaching Devices over the VPN by Hostname

It’s very likely you won’t be able to resolve or reach devices by hostname over your new Site-to-Site VPN without some adjustments. For more information on getting DNS to work in different VPN scenarios, see our Getting DNS to work over a Site-to-Site OpenVPN connection in pfSense Guide.

pfsense/openvpn/openvpn_site-to-site_setup.1584790654.txt.gz · Last modified: 2020/07/15 09:30 (external edit)