PFSense - VPN - OpenVPN - OpenVPN Site-to-Site Setup

An OpenVPN Site-to-Site setup using two pfSense devices, one running an OpenVPN server (Main Office) and the other an OpenVPN client (Satellite Office), in Peer to Peer (Shared Key) mode.

NOTE: This is NOT the procedure for a remote access server that individual road-warrior clients connect to. That uses Remote Access (SSL/TLS) server mode; the steps below only link two fixed networks.


Step 1: Setup the OpenVPN Server

These instructions configure the Main Office (Primary) pfSense device. It runs the OpenVPN server that the Satellite Office (Remote) pfSense client connects to.

The Main Office needs a static public IP address on its WAN from the ISP; otherwise the tunnel drops every time the public address changes.

  • If it does not have one, register a Dynamic DNS hostname (Services → Dynamic DNS) and use that hostname instead of the IP address in the client configuration in Step 2.

If the Main Office pfSense sits behind another router and its WAN carries a private address from that router, that router must forward UDP port 1195 (the port chosen below) to the pfSense WAN address.

On the pfSense at the Primary location.

Navigate to VPN → OpenVPN.

Click the Servers tab.

  • Click the Add button.

In General Information:

  • Disabled: Unchecked
  • Server mode: Peer to Peer (Shared Key)
  • Protocol: UDP on IPv4 only
  • Device mode: tun – Layer 3 Tunnel Mode
  • Interface: WAN
  • Local port: 1195.
  • Description: Site to Site OpenVPN.

NOTE: Port 1195 is used here instead of the usual OpenVPN port 1194.

  • Port 1194 is normally used for a multi-client (remote access) server.
  • This setup is a single site-to-site link, so port 1194 is left free in case a remote access server is added later. Any unused UDP port works, as long as the server's Local port and the client's Server port match.

In Cryptographic Settings:

  • TLS keydir direction: Use default direction. This and Certificate Depth belong to SSL/TLS mode; in Shared Key mode leave them at their defaults if they are shown at all.
  • Shared Key: Checked (Automatically generate a shared key). pfSense creates the key on Save; it is shown when the server is edited again.
  • Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block). AES-256-CBC is an equally good choice. Whatever is picked must be set identically on the client.
  • Enable NCP: Checked
  • NCP Algorithms: AES-128-GCM. Default. Do not change anything here.
  • Auth digest algorithm: SHA256 (256–bit). Must also match the client.
  • Hardware Crypto: Intel RDRAND engine - RAND, or No Hardware Crypto Acceleration if RDRAND is not offered.
  • Certificate Depth: One (Client+Server). The default.

NOTE: Negotiable Cryptographic Parameters (NCP) only work in SSL/TLS mode, because cipher negotiation happens over the TLS control channel. With a shared key nothing is negotiated: the Encryption Algorithm and Auth digest are used exactly as configured, so a mismatch between the two pfSense boxes leaves the tunnel showing as up while every packet fails to decrypt (decrypt/HMAC errors in the OpenVPN log). Pick a CBC cipher; AEAD (GCM) ciphers are not usable with a static key.

NOTE: The RDRAND engine only changes where OpenVPN gets its random numbers. AES-NI acceleration does not depend on this dropdown: OpenSSL uses the CPU's AES instructions on its own when they exist, and the Cryptographic Hardware setting under System → Advanced → Miscellaneous is for the kernel (IPsec) side.

NOTE: Shared Key mode has no forward secrecy (every session's traffic keys derive from the one static key) and OpenVPN 2.5 and later mark it deprecated. It is the simplest way to link two pfSense boxes, but on current releases Peer to Peer (SSL/TLS) with a certificate per site is the better long-term choice.

In Tunnel Settings:

  • IPv4 Tunnel Network: 10.0.1.0/24. In Shared Key mode pfSense uses only the first two addresses (10.0.1.1 for the server, 10.0.1.2 for the client), so a /30 would do; the block must not overlap any LAN at either site.
  • IPv6 Tunnel Network: blank.
  • IPv4 Remote Network(s): 192.168.2.0/24. Enter the LAN subnet of the Satellite (client) pfSense device; this becomes the route into the tunnel. Change as needed, and list more subnets comma-separated if the Satellite has several.
  • IPv6 Remote network(s): blank.
  • Concurrent connections: 2.
  • Compression: Omit Preference (Use OpenVPN Default).
  • Type-of-Service: Unchecked

In Advanced Configuration:

  • Custom options: blank.
  • UDP Fast I/O: Not Checked.
  • Exit Notify: Disabled.
  • Send/Receive Buffer: Default.
  • Gateway creation: Both.
  • Verbosity level: default.
  • Click Save.

Extract Shared Key to use for the Satellite Office

On the pfSense at the Main Office location.

Navigate to VPN → OpenVPN.

  • Click the Pencil icon to edit the Site to Site OpenVPN (tun) server.
  • Under Cryptographic Settings copy the whole Shared Key shown in the text box, including the -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines (click in the box, then Ctrl+A and Ctrl+C).
  • Save it in a text file to use in the next step, or paste it straight into the Satellite pfSense if both admin sessions are open.

WARNING: Treat this key like a password and delete the text file once the client is configured.

This key is the tunnel's only credential. Anyone who obtains it can bring up a peer against the Main Office and can decrypt any captured tunnel traffic, past or future, because Shared Key mode has no forward secrecy. Move it only over an encrypted channel (the HTTPS admin pages, SSH/SCP), never by plain email. If it is ever exposed, replace it on both ends with a freshly generated key.


Step 2: Setup the pfSense device in the Satellite office to connect as an OpenVPN Client

These configuration changes need to be done on the Satellite Office pfSense device so it can connect back to the Main Office location.

Part 1: Setup the OpenVPN Client

On the pfSense at the Satellite Office location.

Navigate to VPN → OpenVPN.

Click the Clients tab.

  • Click on the Add button.

In General Information:

  • Disabled: Not Checked.
  • Server mode: Peer to Peer (Shared Key).
  • Protocol: UDP on IPv4 only.
  • Device mode: tun-layer 3 Tunnel Mode.
  • Interface: WAN
  • Local Port: blank
  • Server host or address: the public IP address of the Main Office pfSense, i.e. the OpenVPN server.
    • If the Main Office does not have a static public IP, enter its Dynamic DNS hostname here instead. The Satellite's own WAN address can be dynamic; it initiates the connection and nothing on the server side refers to it.
  • Server port: 1195.
  • Proxy host or address: blank.
  • Proxy port: blank.
  • Proxy Authentication: none.
  • Description: Site to Site OpenVPN.

In Cryptographic Settings:

  • Auto generate: Not Checked.
  • Shared Key: Paste the Shared Key copied from the Main Office server here, complete with its BEGIN and END lines.
  • Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block). Must be the same algorithm chosen on the server; in Shared Key mode nothing is negotiated.
  • Enable NCP: Checked. Has no effect in Shared Key mode.
  • NCP Algorithms: do not change anything in here.
  • Auth digest algorithm: SHA256 (256–bit). Must match the server.
  • Hardware Crypto: Intel RDRAND engine - RAND, or No Hardware Crypto Acceleration if RDRAND is not offered.

NOTE: The Shared Key is the one extracted from the Main Office server at the end of Step 1 (VPN → OpenVPN → edit the Site to Site OpenVPN (tun) server → Cryptographic Settings → Shared Key). Copy the whole box and paste it into the Satellite's Shared Key box.

In Tunnel Settings:

  • IPv4 Tunnel Network: 10.0.1.0/24.
  • IPv6 Tunnel Network: blank.
  • IPv4 Remote network(s): 192.168.1.0/24. The subnet address for the Main Office location.
  • IPv6 Remote network(s): blank.
  • Limit outgoing bandwidth: blank.
  • Compression: Omit Preference (Use OpenVPN Default).
  • Type-of-Service: Not Checked.
  • Don’t add/remove routes: Not Checked.

In Advanced Configuration:

  • Custom options: blank.
  • UDP Fast I/O: Unchecked.
  • Exit Notify: Disabled.
  • Send/Receive Buffer: Default.
  • Gateway creation: Both.
  • Verbosity level: default.
  • Click Save.
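What the server form in Step 1 and the client form above boil down to in OpenVPN's own configuration syntax, together with a pre-flight check that the values which must agree in Shared Key mode really do agree. This is an added example, not code from the original page and not the configuration pfSense generates; the secret file paths, the Main Office address 203.0.113.10 and the scratch directory are assumptions, and the deliberately mismatched client config is constructed to show what the check catches.

```shell
#!/bin/sh
# Added example (not from the original page): the directives behind the two
# GUI forms, plus a check that the parameters which cannot be negotiated in
# Shared Key mode match. Paths, 203.0.113.10 and WORK are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/ovpn-s2s-check.$$"
mkdir -p "$WORK"

# Server side (Main Office). The static key file holds whatever was pasted
# into the "Shared Key" box; it is not generated here.
write_server_conf() {
    cat > "$1" <<'EOF'
dev tun
proto udp4
port 1195
secret /var/etc/openvpn/server1.secret
ifconfig 10.0.1.1 10.0.1.2
route 192.168.2.0 255.255.255.0
cipher AES-128-CBC
auth SHA256
EOF
}

# Client side (Satellite). The optional second argument overrides the cipher
# so a mismatch can be demonstrated.
write_client_conf() {
    _cipher="${2:-AES-128-CBC}"
    cat > "$1" <<EOF
dev tun
proto udp4
remote 203.0.113.10 1195
secret /var/etc/openvpn/client1.secret
ifconfig 10.0.1.2 10.0.1.1
route 192.168.1.0 255.255.255.0
cipher ${_cipher}
auth SHA256
EOF
}

# Value of directive $2 in config file $1, or "-" when it is absent.
directive() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; f = 1 }
                   END { if (!f) print "-" }' "$1"
}

# 0 when cipher/auth/dev/proto match, the client's remote port equals the
# server's local port and the ifconfig endpoints mirror each other; 1 plus a
# list of mismatches otherwise. There is no TLS control channel in Shared Key
# mode, so none of this is corrected at run time.
check_pair() {
    srv="$1"; cli="$2"; rc=0
    for d in cipher auth dev proto; do
        s=$(directive "$srv" "$d"); c=$(directive "$cli" "$d")
        [ "$s" = "$c" ] || { echo "MISMATCH $d: server='$s' client='$c'"; rc=1; }
    done
    sport=$(directive "$srv" port)
    cport=$(directive "$cli" remote | awk '{ print $2 }')
    [ "$sport" = "$cport" ] || { echo "MISMATCH port: server='$sport' client='$cport'"; rc=1; }
    sif=$(directive "$srv" ifconfig); cif=$(directive "$cli" ifconfig)
    [ "${sif%% *}" = "${cif##* }" ] && [ "${sif##* }" = "${cif%% *}" ] \
        || { echo "MISMATCH ifconfig: server='$sif' client='$cif'"; rc=1; }
    case "$(directive "$srv" cipher)" in
        *GCM*) echo "WARNING: AEAD (GCM) ciphers need TLS mode; OpenVPN rejects them with a static key" ;;
    esac
    return "$rc"
}

# Demonstration: a matching pair passes, a client with AES-256-CBC does not.
write_server_conf "$WORK/server.conf"
write_client_conf  "$WORK/client.conf"
write_client_conf  "$WORK/client-bad.conf" AES-256-CBC

check_pair "$WORK/server.conf" "$WORK/client.conf" && echo "server/client pair consistent"
if check_pair "$WORK/server.conf" "$WORK/client-bad.conf"; then
    echo "unexpected: mismatched pair passed"
else
    echo "mismatched pair rejected as expected"
fi
```

On a real pair of boxes, check_pair can be pointed at the files pfSense generates under /var/etc/openvpn/ (the exact file names vary by release) to confirm that both GUI forms produced the same cipher, digest, port and mirrored tunnel addresses before looking anywhere else for a "tunnel up but no traffic" problem.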

Part 2: Configure the Firewall Rules

Rules on the OpenVPN tab govern traffic arriving out of the tunnel, and they apply to every OpenVPN instance on the box. The rule below is needed on BOTH pfSense devices; without it, traffic from the far LAN is dropped on arrival even though the tunnel is up.

Login to pfSense (Satellite Office, then repeat on the Main Office):

Navigate to Firewall → Rules.

  • Click the OpenVPN tab.
  • Click the Add button that is pointing UP
  • Action: Pass
  • Disabled: unchecked
  • Interface: OpenVPN
  • Address Family: IPv4
  • Protocol: any
  • Source:
    • Invert match: Not Checked.
    • Source: any.
  • Destination:
    • Invert match: Not Checked.
    • Destination: any.
  • Log: Not Checked
  • Description: OpenVPN for Site-to-Site OpenVPN on 1195.
  • Click Save.
  • Click Apply changes.

NOTE: any/any is the quickest way to prove the tunnel works. Once it does, narrow the rule: Source = the far site's LAN subnet (192.168.1.0/24 on the Satellite, 192.168.2.0/24 on the Main Office) and Destination = the local LAN, then add specific rules for anything else. The tunnel is not a trust boundary by itself; this rule is.

The Main Office also needs a rule on its WAN tab so the Satellite can reach the server at all (pfSense blocks unsolicited inbound traffic on WAN by default):

  • Interface: WAN
  • Address Family: IPv4
  • Protocol: UDP
  • Source: any (or the Satellite's public IP if it is static)
  • Destination: WAN address, Destination Port Range: 1195 (from and to)
  • Description: OpenVPN Site-to-Site inbound on 1195.
  • Click Save, then Apply changes.

Test the OpenVPN connection

Login to pfSense on the Main Office router.

  • Click on Status → OpenVPN.

NOTE: If the connection is working, the server entry shows the Satellite pfSense's public address as the remote host and the tunnel address 10.0.1.2 as its virtual address, with the bytes sent/received counters moving.

From the Main Office pfSense (Diagnostics → Ping, or the shell), ping the LAN address of the Satellite Office pfSense.

ping 192.168.2.1

NOTE: A reply means traffic is crossing the tunnel from the Main Office to the Satellite Office and back.

From the Satellite Office pfSense, ping the LAN address of the Main Office pfSense.

ping 192.168.1.1

NOTE: A reply means the Satellite Office can reach the Main Office through the tunnel.

NOTE: In Diagnostics → Ping, set Source Address to LAN for both tests. A ping sourced from the tunnel address (10.0.1.x) can succeed while a ping from the LAN address fails; that pattern means the far end's IPv4 Remote Network(s) does not cover this side's LAN, so replies have no route back through the tunnel.

NOTE: Being able to ping the routers at both ends does not guarantee that Windows machines behind them answer.

Windows Defender Firewall drops ICMP echo requests unless the File and Printer Sharing (Echo Request - ICMPv4-In) rule is enabled for the active network profile, so a Windows host that does not answer ping may still be reachable on other ports.
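The checks a practitioner runs from the pfSense shell (Diagnostics → Command Prompt or SSH) when the pings above fail, as an added example that is not from the original page. The functions take the command output as text, so they work on live netstat -rn and sockstat -4l output as well as on the constructed samples embedded here; the interface names em0/em1/ovpns1, the address 203.0.113.10 and the PIDs are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): verify, from the pfSense shell,
# that the remote LAN is routed into the tunnel and that the server is
# listening. Samples below are constructed; interface names, addresses and
# PIDs are assumptions.
set -eu

# Constructed sample of `netstat -rn` on the Main Office pfSense, tunnel up.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.1.0/24        10.0.1.2           UGS      ovpns1
10.0.1.2           link#6             UH       ovpns1
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#2             U           em1
192.168.2.0/24     10.0.1.2           UGS      ovpns1
203.0.113.0/24     link#1             U           em0'

# Constructed sample of `sockstat -4l` on the same box.
SAMPLE_SOCKETS='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    62374 6  udp4   203.0.113.10:1195     *:*
unbound  unbound    41210 4  udp4   *:53                  *:*'

# Interface that carries the route to network $1, read from a netstat -rn
# dump on stdin. Prints nothing when there is no such route.
route_netif() {
    awk -v net="$1" '$1 == net { print $4 }'
}

# 0 when network $2 is routed through an OpenVPN interface (ovpns*/ovpnc*)
# according to the netstat -rn dump in $1; 1 with a diagnostic otherwise.
route_via_tunnel() {
    netif=$(printf '%s\n' "$1" | route_netif "$2")
    case "$netif" in
        ovpns*|ovpnc*) return 0 ;;
        "") echo "no route to $2: tunnel down, or Remote Network(s) not set on this side"; return 1 ;;
        *)  echo "route to $2 leaves via $netif instead of the tunnel"; return 1 ;;
    esac
}

# 0 when the sockstat -4l dump in $1 shows a UDP listener on port $2.
udp_listener() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $5 == "udp4" && $6 ~ (":" p "$") { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Demonstration on the constructed samples.
route_via_tunnel "$SAMPLE_ROUTES" 192.168.2.0/24 && echo "192.168.2.0/24 is routed into the tunnel"
udp_listener "$SAMPLE_SOCKETS" 1195 && echo "OpenVPN is listening on UDP 1195"

# Live use on the Main Office pfSense (Diagnostics > Command Prompt or SSH):
#   route_via_tunnel "$(netstat -rn)" 192.168.2.0/24
#   udp_listener "$(sockstat -4l)" 1195
#   ping -c 3 -S 192.168.1.1 192.168.2.1   # source from LAN, as a LAN host would
```

A missing route on the server means the IPv4 Remote Network(s) field is empty or the tunnel never came up; a route that exists but leaves via the WAN interface means the subnet is being routed elsewhere (a competing static route or gateway). No listener on UDP 1195 means the server instance is disabled or bound to the wrong interface, and no WAN rule will help until that is fixed.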


Resolving / Reaching devices over the VPN by Hostname

It is very likely you will not be able to resolve or reach devices by hostname over the new Site-to-Site VPN without some adjustments: each pfSense only knows the names on its own LAN, and the tunnel only carries IP traffic.

In the pfSense DHCP settings it is usually best to hand out the local pfSense as the DNS server, so that clients send all lookups to the DNS Resolver on their own router.

Then tell each Resolver where the other site's names live with a Domain Override (Services → DNS Resolver → Domain Overrides): on the Main Office pfSense, override the Satellite's domain (for example satellite.lan) to 192.168.2.1; on the Satellite pfSense, override the Main Office domain (for example main.lan) to 192.168.1.1. These lookups cross the tunnel like any other traffic, so the OpenVPN firewall rule must allow UDP and TCP port 53 to the far pfSense. If the far Resolver refuses the queries, add the remote LAN subnet under Services → DNS Resolver → Access Lists.

pfSense also includes the option Register connected OpenVPN clients in the DNS Resolver. It registers a client under the common name of its certificate, so it helps in SSL/TLS mode but does nothing for a Shared Key peer; the Domain Override approach above is what works for this setup.



pfsense/vpn/openvpn/openvpn_site-to-site_setup.1613493372.txt.gz · Last modified: 2021/02/16 16:36 by peter
