PFSense - VPN - OpenVPN - OpenVPN Site-to-Site Setup

PFSense - VPN - OpenVPN - OpenVPN Site-to-Site Setup

An OpenVPN Site-to-Site setup using two pfSense devices, one running an OpenVPN server and the other an OpenVPN client.

WARNING: This is NOT for setting up an OpenVPN server for clients to connect to a remote network over a VPN.

This setup is for a single remote client, not multiple remote clients.

Step 1: Setup the OpenVPN Server

These instructions are for the configuration of the Primary pfSense device; and is where the Remote pfSense client will connect to.

The Primary will require a static WAN IP address from their ISP to avoid the VPN going down when their public IP address is changed.

If they don’t, you will have to setup a DDNS account.

If the Primary pfSense box is behind another routing device and using a local IP address from this device, then additional port forwarding rules may be needed.

On the pfSense at the Primary location.

Navigate to VPN → OpenVPN.

Select Server.

Click the Add button.

In General Information:

Disabled: Unchecked
Server mode: Peer to Peer (Shared Key)
Protocol: UDP on IPv4 only
Device mode: tun – Layer 3 Tunnel Mode
Interface: WAN
Local port: 1195.
Description: Site to Site OpenVPN.

NOTE: Port 1195 is used here instead of the usual OpenVPN Port 1194.

Port 1194 is usually used for multiple client based VPNs.
This setup is not for multiple clients, so therefore port 1194 will be left just in case it is needed in the future.

In Cryptographic Settings:

TLS keydir direction: Use default direction. The default.
Shared Key: Checked.
Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block).
Enable NCP: Checked
NCP Algorithms: AES-128-GCM. Default.
Auth digest algorithm: SHA256 (256–bit).
Hardware Crypto: Intel RDRAND engine - RAND. If the hardware does not this then leave as No Hardware Crypto Acceleration.
Certificate-Depth: One (Client+Server). The default.

In Tunnel Settings:

IPv4 Tunnel Network: 10.0.1.0/24.
IPv6 Tunnel Network: blank.
IPv4 Remote Network(s): 192.168.2.0/24. Enter the subnet of the Remote pfSense device. Change as needed.
IPv6 Remote network(s): blank.
Concurrent connections: 2.
Compression: Omit Preference (Use OpenVPN Default).
Type-of-Service: Unchecked

NOTE: If the Remote client does not have a static IP address a Dynamic DNS account could be used.

In Advanced Configuration:

Custom options: blank.
UDP Fast I/O: Not Checked.
Exit Notify: Disabled.
Send/Receive Buffer: Default.
Gateway creation: Both.
Verbosity level: default.

Click Save.

Extract the Shared Key to use for the Remote client

On the pfSense at the Primary location.

Navigate to VPN → OpenVPN.

Click on the Pencil icon to edit the Site to Site OpenVPN (tun).
In Cryptographic Settings:
- Copy the whole Shared Key that is in the dialog box. Click in there and do a CTRL+A and then CTRL+C.
Save as a text file.

WARNING: This will be used in the next step for setting up the Remote client.

Make sure to delete or secure this key once you are finished with it.

It could give anyone in its possession access to your network.

Step 2: Setup the pfSense device at the Remote Client to connect as an OpenVPN Client

Part 1: Setup the OpenVPN Client

On the pfSense at the Remote location.

Navigate to VPN → OpenVPN.

Click the Clients tab.

Click on the Add button.

In General Information:

Disabled: Not Checked.
Server mode: Peer to Peer (Shared Key).
Protocol: UDP on IPv4 only.
Device mode: tun-layer 3 Tunnel Mode.
Interface: WAN
Local Port: blank
Server host or address: The public IP address of the Primary location. i.e. The OpenVPN Server.
Server port: 1195.
Proxy host or address: blank.
Proxy port: blank.
Proxy Authentication: none.
Description: Site to Site OpenVPN.

NOTE: If the Primary server does not have a static IP address a Dynamic DNS account could be used.

In Cryptographic Settings:

Auto generate: Not Checked.
Shared Key: Paste the Shared Key from the Primary Server here.
Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block)
Enable NCP: Checked.
NCP Algorithms: AES-128-GCM. Default.
Auth digest algorithm: SHA256 (256–bit).
Hardware Crypto: Intel RDRAND engine - RAND. If the hardware does not support this, use No Hardware Crypto Acceleration.

NOTE: To find the Shared key on the OpenVPN Server:

On the pfSense at the Primary location.

Navigate to VPN → OpenVPN.
Click the Pencil icon to edit the Site to Site OpenVPN (tun).
In Cryptographic Settings:
- Copy the whole Shared Key that is in the dialog box. Click in there and do a CTRL+A and then CTRL+C.
Paste that Shared key into the Remote pfSense box.

In Tunnel Settings:

IPv4 Tunnel Network: 10.0.1.0/24.
IPv6 Tunnel Network: blank.
IPv4 Remote network(s): 192.168.1.0/24. The subnet address for the Primary location.
IPv6 Remote network(s): blank.
Limit outgoing bandwidth: blank.
Compression: Omit Preference (Use OpenVPN Default).
Type-of-Service: Not Checked.
Don’t add/remove routes: Not Checked.

In Advanced Configuration:

Custom options: blank.
UDP Fast I/O: Unchecked.
Exit Notify: Disabled.
Send/Receive Buffer: Default.
Gateway creation: Both.
Verbosity level: default.

Part 2: Configure the Firewall Rules

On the pfSense at the Remote location.

Navigate to Firewall → Rules.

Click the OpenVPN tab.
Click the Add (up arrow).
Action: .Pass.
Disabled: .Not Cecked
Interface: OpenVPN.
Address Family: IPv4.
Protocol: any.
Source:
- Invert match: Not Checked.
- Source: any.
Destination:
- Invert match: Not Checked.
- Destination: any.
Log: Not Checked
Description: OpenVPN for Site-to-Site OpenVPN on 1195.
Click Save.
Click Apply changes.

Test the OpenVPN connection

Test the OpenVPN connection to see if it works.

On the pfSense at the Primary location.

Click on the Status → OpenVPN.

NOTE: If the OpenVPN connection is working this should show the IP address of the connected pfSense router at the Remote location.

From the Primary location, try to ping the Local IP address of the Remote location.

ping 192.168.2.1

NOTE: If the ping is successful it means traffic is passing across the tunnel and the Primary location can see the Remote location.

From the Remote location, try to ping the Local IP address of the Primary location.

If you get a result back it means traffic is passing across the tunnel and the Remote location can see the Primary location.

ping 192.168.1.1

NOTE: Be aware that systems at either end may have Firewall rules preventing pings.

Resolving / Reaching devices over the VPN by Hostname

It is very likely you will not be able to resolve or reach devices by hostname over the new Site-to-Site VPN without some adjustments.

In pfsense DHCP settings it is usually best to add the local DNS servers to support resolving issues.

pfsense also includes the option Register connected OpenVPN clients in the DNS Resolver.

References

https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)

Table of Contents

PFSense - VPN - OpenVPN - OpenVPN Site-to-Site Setup

Step 1: Setup the OpenVPN Server

Extract the Shared Key to use for the Remote client

Step 2: Setup the pfSense device at the Remote Client to connect as an OpenVPN Client

Part 1: Setup the OpenVPN Client

Part 2: Configure the Firewall Rules

Test the OpenVPN connection

Resolving / Reaching devices over the VPN by Hostname

References