pfsense:vpn:openvpn:openvpn_site-to-site_setup

Differences

This shows you the differences between two versions of the page.

pfsense:vpn:openvpn:openvpn_site-to-site_setup [2021/02/16 16:36] – [Step 1: Setup the OpenVPN Server] peter
pfsense:vpn:openvpn:openvpn_site-to-site_setup [2022/08/18 07:16] (current) 185.198.243.242
Line 3: Line 3:
 An OpenVPN Site-to-Site setup using two pfSense devices, one running an OpenVPN server and the other an OpenVPN client. An OpenVPN Site-to-Site setup using two pfSense devices, one running an OpenVPN server and the other an OpenVPN client.
  
-<WRAP info+<WRAP warning
-**NOTE:**  This is NOT for setting up an OpenVPN server for clients to connect to a remote network over a VPN.+**WARNING:**  This is NOT for setting up an OpenVPN server for clients to connect to a remote network over a VPN
 + 
 +This setup is for a single remote client, not multiple remote clients.
 </WRAP> </WRAP>
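Review bot: the added sentence "This setup is for a single remote client, not multiple remote clients" states the limit without the reason; say that it follows from Shared Key mode, where one server instance serves exactly one peer because there is no TLS session to tell peers apart, so every additional site needs its own server instance, its own port and its own key. Minor: the rewritten WARNING line now ends without a full stop after "over a VPN".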
  
Line 58: Line 60:
   * Encryption Algorithm:  **AES-128-CBC (128 bit key, 128 bit block)**.   * Encryption Algorithm:  **AES-128-CBC (128 bit key, 128 bit block)**.
   * Enable NCP:  **Checked**   * Enable NCP:  **Checked**
-  * NCP Algorithms:  **AES-128-GCM**.  Default.  Do not change anything here.+  * NCP Algorithms:  **AES-128-GCM**.  Default.
   * Auth digest algorithm: **SHA256 (256–bit)**.   * Auth digest algorithm: **SHA256 (256–bit)**.
-  * Hardware Crypto: **Intel RDRAND engine - RAND**.  If the hardware does not support encryption leave as **No Hardware Crypto Acceleration**.+  * Hardware Crypto: **Intel RDRAND engine - RAND**.  If the hardware does not this then leave as **No Hardware Crypto Acceleration**.
   * Certificate-Depth:  **One (Client+Server)**.  The default.   * Certificate-Depth:  **One (Client+Server)**.  The default.
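Review bot: "Enable NCP: Checked" and "NCP Algorithms: AES-128-GCM" have no effect in this tunnel, so the change from "Do not change anything here" to "Default" does not help the reader; cipher negotiation (NCP) only happens inside a TLS handshake, and a Shared Key tunnel has none, so the data channel uses exactly the "Encryption Algorithm" (AES-128-CBC) with the SHA256 HMAC on both ends. State that plainly so nobody assumes GCM is in use, and point readers at the OpenVPN log, which reports the cipher actually initialized at startup. "Certificate-Depth" likewise does nothing without certificates. Two wording points in the new text: "If the hardware does not this then" should read "does not support this", and "Intel RDRAND engine - RAND" only feeds OpenSSL's random number generator; it does not accelerate AES, which OpenSSL handles on its own via AES-NI where the CPU has it.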
  
Line 69: Line 71:
   * IPv4 Tunnel Network:  **10.0.1.0/24**.   * IPv4 Tunnel Network:  **10.0.1.0/24**.
   * IPv6 Tunnel Network:  **blank**.   * IPv6 Tunnel Network:  **blank**.
-  * IPv4 Remote Network(s):  **192.168.2.0/24**.  Enter the subnet of the Satellite (client) pfSense device.  Change as needed.+  * IPv4 Remote Network(s):  **192.168.2.0/24**.  Enter the subnet of the Remote pfSense device.  Change as needed.
   * IPv6 Remote network(s):  **blank**.   * IPv6 Remote network(s):  **blank**.
   * Concurrent connections:  **2**.   * Concurrent connections:  **2**.
   * Compression:  **Omit Preference (Use OpenVPN Default)**.   * Compression:  **Omit Preference (Use OpenVPN Default)**.
   * Type-of-Service: **Unchecked**   * Type-of-Service: **Unchecked**
 +
 +<WRAP info>
 +**NOTE:**  If the **Remote** client does not have a static IP address a Dynamic DNS account could be used.
 +</WRAP>
 +
  
 ---- ----
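Review bot: the new info box about the Remote client needing Dynamic DNS is misplaced in the server section: nothing in the server configuration refers to the client's address, because the client initiates the connection, so the client's public IP can change freely. DDNS is needed on the side the client dials, the Primary, which is what the note added in Step 2 already says; drop this copy. "Compression: Omit Preference (Use OpenVPN Default)" is the right choice, but a sentence saying that compression is deliberately left off (compressed VPN traffic is exposed to VORACLE-style attacks) would stop readers from "improving" it.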
Line 90: Line 97:
 ---- ----
  
-==== Extract Shared Key to use for Satelite Office ====+==== Extract the Shared Key to use for the Remote client ====
  
-On the pfSense at your **Main Office** location.+On the pfSense at the **Primary** location.
  
 Navigate to **VPN -> OpenVPN**. Navigate to **VPN -> OpenVPN**.
  
   * Click on the **Pencil** icon to edit the **Site to Site OpenVPN (tun)**.   * Click on the **Pencil** icon to edit the **Site to Site OpenVPN (tun)**.
-  * Under the Cryptographic Settings copy the whole Shared Key that is in the dialog box.  (Click in there and do a ctrl+A and then ctrl+C)+  * In **Cryptographic Settings**: 
-  * Save it in a text file to use it in the next steps.+    * Copy the whole **Shared Key** that is in the dialog box.  Click in there and do a CTRL+A and then CTRL+C. 
 +  * Save as a text file.
  
 <WRAP important> <WRAP important>
-**WARNING:**  Make sure to delete or secure this key once you are finished with it.+**WARNING:**  This will be used in the next step for setting up the Remote client. 
 + 
 +Make sure to delete or secure this key once you are finished with it.
  
 It could give anyone in its possession access to your network. It could give anyone in its possession access to your network.
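Review bot: "Save as a text file" should say where that file may live and when it is deleted; this key is the only credential for the tunnel, and Shared Key mode has no forward secrecy, so anyone who obtains it can both join the tunnel and decrypt previously captured traffic. Suggest moving it only over an already-authenticated channel (the HTTPS GUI session of the Remote pfSense, or SSH/scp), deleting the file as soon as it has been pasted, and adding that the key is also stored in config.xml, so configuration backups of either box must be protected the same way. A style point: the new wrapper puts "This will be used in the next step for setting up the Remote client" under the WARNING label; that sentence is an instruction, not a warning, and belongs above the box.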
Line 109: Line 119:
 ---- ----
  
-===== Step 2: Setup the pfSense device in the Satellite office to connect as an OpenVPN Client ===== +===== Step 2: Setup the pfSense device at the Remote Client to connect as an OpenVPN Client =====
- +
-These configuration changes need to be done on the **Satellite** Office pfSense device so it can connect back to the Main Office location.+
  
 ==== Part 1: Setup the OpenVPN Client ==== ==== Part 1: Setup the OpenVPN Client ====
  
-On the pfSense at the **Satellite Office** location.+On the pfSense at the **Remote** location.
  
 Navigate to **VPN -> OpenVPN**. Navigate to **VPN -> OpenVPN**.
Line 133: Line 141:
   * Interface:  **WAN**   * Interface:  **WAN**
   * Local Port:  **blank**   * Local Port:  **blank**
-  * Server host or address:  **The public IP address of the Main Office location**.  i.e.  The **OpenVPN server**+  * Server host or address:  **The public IP address of the Primary location**.  i.e.  The **OpenVPN Server**. 
-    * If the client does not have a static IP address a no-ip DDNS account could be used+  * Server port:  **1195**.
-  * Server port: **1195**.+
   * Proxy host or address:  **blank**.   * Proxy host or address:  **blank**.
   * Proxy port:  **blank**.   * Proxy port:  **blank**.
-  * Proxy Authentication: **none**.+  * Proxy Authentication:  **none**.
   * Description:  **Site to Site OpenVPN**.   * Description:  **Site to Site OpenVPN**.
 +
 +<WRAP info>
 +**NOTE:**  If the **Primary**  server does not have a static IP address a Dynamic DNS account could be used.
 +</WRAP>
 +
  
 ---- ----
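Review bot: "Server port: 1195" on the client side silently depends on the Primary WAN accepting UDP/1195 from the internet; say so here or cross-reference the WAN firewall rule, and when the Remote site has a static address, restrict that rule's source to it so the port is not world-reachable. Moving the DDNS sentence from the client's "Server host or address" bullet to a note about the Primary server is the right fix, since the client only ever dials out. The client's Protocol setting (not in this hunk) must match the server's exactly; a mismatch fails silently with a timeout.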
Line 146: Line 158:
  
   * Auto generate: **Not Checked**.   * Auto generate: **Not Checked**.
-  * Shared Key:   **Paste the Shared Key from the Main Office here**.+  * Shared Key:   **Paste the Shared Key from the Primary Server here**.
   * Encryption Algorithm: **AES-128-CBC (128 bit key, 128 bit block)**   * Encryption Algorithm: **AES-128-CBC (128 bit key, 128 bit block)**
-  * Enable NCP: **Checked**. +  * Enable NCP:  **Checked**. 
-  * NCP Algorithms: **do not change anything in here**. +  * NCP Algorithms:  **AES-128-GCM**.  Default
-  * Auth digest algorithm: **SHA256 (256–bit)**.+  * Auth digest algorithm:  **SHA256 (256–bit)**.
   * Hardware Crypto:  **Intel RDRAND engine - RAND**.  If the hardware does not support this, use **No Hardware Crypto Acceleration**.   * Hardware Crypto:  **Intel RDRAND engine - RAND**.  If the hardware does not support this, use **No Hardware Crypto Acceleration**.
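Review bot: both sides must carry identical "Encryption Algorithm" and "Auth digest algorithm" values, and the text should say so; with no TLS session there is no negotiation, so a mismatch (say AES-256-CBC on one end) is not caught at save time and only shows up as "Authenticate/Decrypt packet error" lines in the OpenVPN log. As on the server side, "NCP Algorithms: AES-128-GCM. Default" describes a setting a Shared Key tunnel never uses.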
  
Line 156: Line 168:
 **NOTE:**  To find the Shared key on the OpenVPN Server: **NOTE:**  To find the Shared key on the OpenVPN Server:
  
-  * Login to the **pfSense** at the Main Office.+On the pfSense at the **Primary** location. 
   * Navigate to **VPN -> OpenVPN**.   * Navigate to **VPN -> OpenVPN**.
   * Click the **Pencil** icon to edit the **Site to Site OpenVPN (tun)**.   * Click the **Pencil** icon to edit the **Site to Site OpenVPN (tun)**.
   * In **Cryptographic Settings**:   * In **Cryptographic Settings**:
-    * Copy the whole Shared Key that is in the dialog box.  (Click in there and do a Ctrl+A and then Ctrl+C)+    * Copy the whole Shared Key that is in the dialog box.  Click in there and do a CTRL+A and then CTRL+C. 
-  * Paste that Shared key into the Satellite Office pfSense Shared key dialog box.+  * Paste that Shared key into the Remote pfSense box.
  
 </WRAP> </WRAP>
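Review bot: this note repeats the "Extract the Shared Key" section almost word for word; replace it with a pointer to that section so the two copies cannot drift apart. Whichever copy remains should say that the whole block is needed, from the "-----BEGIN OpenVPN Static key V1-----" line through the matching END line; a partial paste produces a key that does not match the server's.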
Line 171: Line 184:
   * IPv4 Tunnel Network:  **10.0.1.0/24**.   * IPv4 Tunnel Network:  **10.0.1.0/24**.
   * IPv6 Tunnel Network:  **blank**.   * IPv6 Tunnel Network:  **blank**.
-  * IPv4 Remote network(s):  **192.168.1.0/24**.  The subnet address for the **Main Office** location. +  * IPv4 Remote network(s):  **192.168.1.0/24**.  The subnet address for the **Primary** location. 
   * IPv6 Remote network(s):  **blank**.   * IPv6 Remote network(s):  **blank**.
   * Limit outgoing bandwidth:  **blank**.   * Limit outgoing bandwidth:  **blank**.
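Review bot: "IPv4 Tunnel Network: 10.0.1.0/24" must be the same string on both ends, and a /30 is enough for a Shared Key point-to-point tunnel, since only two addresses are ever used (server 10.0.1.1, client 10.0.1.2); a /24 wastes space and invites overlap with a later tunnel. Add a sentence that the tunnel subnet and both LAN subnets (192.168.1.0/24 and 192.168.2.0/24) must not overlap, or the "Remote network(s)" route will shadow a local one.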
Line 193: Line 206:
 ==== Part 2: Configure the Firewall Rules ==== ==== Part 2: Configure the Firewall Rules ====
  
-Login to **pfSense (Satellite Office)**:+On the pfSense at the **Remote** location.
  
 Navigate to **Firewall -> Rules**. Navigate to **Firewall -> Rules**.
  
   * Click the **OpenVPN** tab.   * Click the **OpenVPN** tab.
-  * Click the **Add** button that is pointing **UP** +  * Click the **Add (up arrow)**. 
-  * Action: **Pass** +  * Action: .**Pass**. 
-  * Disabled: **unchecked** +  * Disabled: .**Not Cecked** 
-  * Interface: **OpenVPN** +  * Interface:  **OpenVPN**. 
-  * Address Family: **IPv4** +  * Address Family:  **IPv4**. 
-  * Protocol: **any**+  * Protocol: **any**.
   * Source:   * Source:
     * Invert match: **Not Checked**.     * Invert match: **Not Checked**.
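Review bot: a pass rule with "Protocol: any" on the OpenVPN tab gives the whole far side, and any other OpenVPN instance on this box, unrestricted access to the Remote LAN. Tighten it: Source = the Primary LAN subnet (192.168.1.0/24), Destination = the Remote LAN or the specific hosts and ports that need to be reached, and if other OpenVPN instances exist, assign this tunnel its own interface and put the rule there instead of on the shared OpenVPN tab. Typos in the new text: "Not Cecked", and the stray leading periods in ".**Pass**." and ".**Not Cecked**".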
Line 221: Line 234:
 Test the OpenVPN connection to see if it works. Test the OpenVPN connection to see if it works.
  
-Login to pfSense on the **Main office Router**.+On the pfSense at the **Primary** location.
  
   * Click on the **Status -> OpenVPN**.   * Click on the **Status -> OpenVPN**.
  
 <WRAP info> <WRAP info>
-**NOTE:**  If the OpenVPN connection is working this should show the IP address of the connected pfSense router at the Satellite location.+**NOTE:**  If the OpenVPN connection is working this should show the IP address of the connected pfSense router at the **Remote** location.
  
 </WRAP> </WRAP>
  
-From the Main Office, try to ping the Local IP address of the Satellite Office device.+From the **Primary** location, try to ping the Local IP address of the **Remote** location.
  
 <code bash> <code bash>
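Review bot: Status -> OpenVPN showing the peer only proves the tunnel came up; a ping run from the pfSense shell sources from its own tunnel address and does not exercise the "Remote network(s)" routes or the OpenVPN-tab rules. Add a test from Diagnostics -> Ping with Source Address set to LAN, followed by a ping from a LAN host, so that routing and firewall rules are both checked before declaring the tunnel working.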
Line 237: Line 250:
  
 <WRAP info> <WRAP info>
-**NOTE:**  If the ping is successful it means traffic is passing across the tunnel and the Main Office can see the Satellite office.+**NOTE:**  If the ping is successful it means traffic is passing across the tunnel and the Primary location can see the Remote location.
 </WRAP> </WRAP>
  
-From the Satellite Office, try to ping the Local IP address of the Main Office device.+---- 
 + 
 +From the **Remote** location, try to ping the Local IP address of the **Primary** location.
  
-  * If you get a result back it means traffic is passing across the tunnel and the Main Office can see the Satellite office.+  * If you get a result back it means traffic is passing across the tunnel and the Remote location can see the Primary location.
  
 <code bash> <code bash>
Line 249: Line 264:
  
 <WRAP info> <WRAP info>
-**NOTE**:  Just because you can ping the routers at both ends does not necessarily mean you will be able to see Windows machines and ping them. +**NOTE**:  Be aware that systems at either end may have Firewall rules preventing pings.
- +
-If a Windows machine does not have File and Print Sharing open in its Firewall settings you will not be able to ping it.+
 </WRAP> </WRAP>
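Review bot: the rewrite to "systems at either end may have Firewall rules preventing pings" drops the useful specific the old text had. Keep the Windows rule name ("File and Printer Sharing (Echo Request - ICMPv4-In)") as the usual culprit, and add that on the Private profile its remote-address scope is normally limited to the local subnet, so a ping from 192.168.1.0/24 to a host in 192.168.2.0/24 is still dropped until the scope is widened.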
  
pfsense/vpn/openvpn/openvpn_site-to-site_setup.1613493372.txt.gz · Last modified: 2021/02/16 16:36 by peter