pfSense – OpenVPN Site-to-Site Setup

Before you begin:

  • This tutorial is for an OpenVPN Site-to-Site setup using two pfSense devices, one running an OpenVPN server and the other an OpenVPN client.
  • This tutorial is not for setting up an OpenVPN server for Windows or smartphone clients to connect to a remote network over a VPN.
  • It is assumed in this tutorial that the pfSense box running the OpenVPN server is getting a public (internet) IP address on its WAN interface. If the pfSense box is behind another routing device and using a local IP address from this device, this tutorial won’t work without port forwarding or placing the pfSense device in the upstream modem/router’s DMZ.
  • For this tutorial, the Main Office device will be on a 192.168.5.0/24 subnet and the Satellite Office will be on a 192.168.10.0/24 subnet. You will need to change these values in the tutorial to match your own network’s IP addressing scheme.

Step 1: Setting up the OpenVPN Server

Things to note:

  • These instructions are for the configuration on the Main Office pfSense device that the Satellite Office pfSense client will connect to.
  • The Main Office will require a static WAN IP address from its ISP to avoid the VPN going down whenever its public IP address changes. If it doesn’t have one, you will have to set up a DDNS account. These instructions don’t cover how to do that.
    1. Login to pfSense at your Main Office location.
    2. Click on VPN > OpenVPN.
    3. Within the Servers tab, click on the green Add button.
    4. Fill out the following information:
      • IPv4 Tunnel Network: 10.0.1.0/24
      • IPv6 Tunnel Network: blank
      • General Information
        • Disabled: Unchecked
        • Server mode: Peer to Peer (Shared Key)
        • Protocol: UDP on IPv4 only
        • Device mode: tun – Layer 3 Tunnel Mode
        • Interface: WAN
        • Local port: 1195
          note: We are using 1195 instead of 1194, as 1194 is more commonly used for multi-client (remote access) VPNs. We’ll save port 1194 in case we need it in the future or already have a client-based VPN set up for Windows clients to connect to.
        • Description: Site_to_Site_OpenVPN
      • Cryptographic Settings
        • Shared Key: Checked
        • Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block)
        • Enable NCP: Checked
        • NCP Algorithms: do not change anything in here
        • Auth digest algorithm: SHA1 (160-bit)
        • Hardware Crypto: No Hardware Crypto Acceleration
      • Tunnel Settings:
        • IPv4 Tunnel Network: 10.0.1.0/24
        • IPv6 Tunnel Network: blank
        • IPv4 Remote Network(s):  192.168.10.0/24 
          (Please note: this is the tutorial value. To adjust this for your own scenario, enter the LAN subnet of your Satellite (client) pfSense device. For example, if the Main Office device running the OpenVPN server is on a 192.168.5.0/24 subnet and the Satellite Office device running pfSense is on a 192.168.10.0/24 subnet, you would enter 192.168.10.0/24.)
        • IPv6 Remote network(s): blank
        • Concurrent connections: 2
        • Compression: Omit Preference (Use OpenVPN Default)
        • Type-of-Service: Unchecked
        • Advanced Configuration:
          • Custom options: blank
          • UDP Fast I/O: Unchecked
          • Send/Receive Buffer: Default
          • Gateway creation: Both
          • Verbosity level: default
        • Click on the blue Save button.

Before moving on: If you won’t be able to easily access your Main Office pfSense device running your OpenVPN server while simultaneously accessing your Satellite Office pfSense device, stop and copy the Shared Key on your Main Office pfSense OpenVPN server by following the instructions below. If you will be able to access them both at the same time, move on to Step 2.

  • Login to pfSense (At the MAIN OFFICE LOCATION!)
  • Click on VPN > OpenVPN.
  • Click on the Pencil icon to edit the Site_to_Site_OpenVPN (tun) server.
  • Under the Cryptographic Settings, copy the whole Shared Key that is in the dialog box (click in the box, then press Ctrl+A and Ctrl+C).
  • Save it in a text file and email it to yourself so you can use it in the next steps.
  • Make sure to delete or secure this key once you’re finished, as it could give anyone who possesses it access to your network.


Step 2: Setup the pfSense device in your Satellite office to connect as an OpenVPN Client

These configuration changes need to be done on the Satellite Office pfSense device so it can connect back to the Main Office location.

Part 1: Setup the OpenVPN Client

    1. Login to pfSense (Satellite office)
    2. Click on VPN > OpenVPN.
    3. Click on the Clients tab.
    4. Click on the green Add button.
    5. Fill out the following information:
      • General Information:
        • Disabled: Unchecked
        • Server mode: Peer to Peer (Shared Key)
        • Protocol: UDP on IPv4 only
        • Device mode: tun – Layer 3 Tunnel Mode
        • Interface: WAN
        • Local Port: blank
        • Server host or address: the public IP address of the Main Office location where your pfSense device is running the OpenVPN server. If the Main Office does not have a static IP address from its ISP, it would be a good idea to set up a no-ip DDNS account. This is not covered in this tutorial.
        • Server port: 1195
        • Proxy host or address: blank
        • Proxy port: blank
        • Proxy Authentication: none
        • Description: Site_to_Site_OpenVPN
      • Cryptographic Settings:
        • Auto generate: unchecked
        • Shared Key: You will need to log back into the pfSense device at the Main Office location, copy the Shared Key, and paste it into this box. You will find the Shared Key by following these steps:
          • Login to pfSense (At the MAIN OFFICE LOCATION!)
          • Click on VPN > OpenVPN.
          • Click on the Pencil icon to edit the Site_to_Site_OpenVPN (tun) server.
          • Under the Cryptographic Settings, copy the whole Shared Key that is in the dialog box (click in the box, then press Ctrl+A and Ctrl+C).
          • Paste that Shared Key into the Satellite Office pfSense Shared Key dialog box.
        • Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block)
        • Enable NCP: Checked
        • NCP Algorithms: do not change anything in here
        • Auth digest algorithm: SHA1 (160-bit)
        • Hardware Crypto: No Hardware Crypto Acceleration
        • Tunnel Settings:
          • IPv4 Tunnel Network: 10.0.1.0/24
          • IPv6 Tunnel Network: blank
          • IPv4 Remote network(s): 192.168.5.0/24
            (Please note: this is the tutorial value. To adjust this for your own scenario, enter the LAN subnet of your Main Office location. For example, if the Main Office device running pfSense with your OpenVPN server is on a 192.168.5.0/24 subnet and the Satellite Office device running pfSense with your OpenVPN client is on a 192.168.10.0/24 subnet, you would enter 192.168.5.0/24.)
          • IPv6 Remote network(s): blank
          • Limit outgoing bandwidth: blank
          • Compression: Omit Preference (Use OpenVPN Default)
          • Type-of-Service: Unchecked
          • Don’t add/remove routes: Unchecked
        • Advanced Configuration:
          • Custom options: blank
          • UDP Fast I/O: Unchecked
          • Send/Receive Buffer: Default
          • Gateway creation: Both
          • Verbosity level: default
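The server (Step 1) and client (Part 1) settings have to mirror each other: the same tunnel network, port, protocol, cipher, digest and shared key on both ends, and each side's "IPv4 Remote Network(s)" equal to the other side's LAN subnet. The following added check (my own example, not part of the tutorial or of pfSense) models both sides with the tutorial's values and reports mismatches, including the common case where the two offices use overlapping LAN subnets; the shared key text is a constructed placeholder.

```python
import hashlib
import ipaddress
from itertools import combinations

# Constructed example values mirroring the tutorial's addressing
# (Main Office = OpenVPN server, Satellite Office = OpenVPN client).
# The shared key text is a placeholder, not a real OpenVPN static key.
PLACEHOLDER_KEY = "-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER\n-----END OpenVPN Static key V1-----"

MAIN_OFFICE_SERVER = {
    "lan": "192.168.5.0/24", "tunnel": "10.0.1.0/24", "remote": "192.168.10.0/24",
    "port": 1195, "protocol": "UDP on IPv4 only", "cipher": "AES-128-CBC",
    "auth": "SHA1", "shared_key": PLACEHOLDER_KEY,
}
SATELLITE_CLIENT = {
    "lan": "192.168.10.0/24", "tunnel": "10.0.1.0/24", "remote": "192.168.5.0/24",
    "port": 1195, "protocol": "UDP on IPv4 only", "cipher": "AES-128-CBC",
    "auth": "SHA1", "shared_key": PLACEHOLDER_KEY,
}


def key_digest(key_text):
    """SHA-256 of the shared key, so both ends can be compared without re-sending the key itself."""
    return hashlib.sha256(key_text.strip().encode()).hexdigest()


def check_pair(server, client):
    """Return a list of mismatches between server and client settings (empty list = consistent)."""
    problems = []
    # Settings that must be identical on both ends of a shared-key tunnel.
    for field in ("tunnel", "port", "protocol", "cipher", "auth"):
        if server[field] != client[field]:
            problems.append(f"{field}: server={server[field]!r} client={client[field]!r}")
    if key_digest(server["shared_key"]) != key_digest(client["shared_key"]):
        problems.append("shared_key: digests differ, the client does not hold the server's key")
    # Each side's 'IPv4 Remote Network(s)' must be the other side's LAN subnet.
    if server["remote"] != client["lan"]:
        problems.append(f"server remote {server['remote']} is not the client LAN {client['lan']}")
    if client["remote"] != server["lan"]:
        problems.append(f"client remote {client['remote']} is not the server LAN {server['lan']}")
    # Tunnel network and both LANs must not overlap, or the routes OpenVPN installs
    # collide with a local subnet and that traffic never enters the tunnel.
    nets = {
        "server LAN": ipaddress.ip_network(server["lan"], strict=False),
        "client LAN": ipaddress.ip_network(client["lan"], strict=False),
        "tunnel": ipaddress.ip_network(server["tunnel"], strict=False),
    }
    for (name_a, net_a), (name_b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return problems


if __name__ == "__main__":
    for line in check_pair(MAIN_OFFICE_SERVER, SATELLITE_CLIENT) or ["OK: settings are consistent"]:
        print(line)
```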

Part 2: Configure the Firewall Rules

  1. Login to pfSense (Satellite Office)
  2. Click on Firewall > Rules.
  3. Click on the OpenVPN tab.
  4. Within the OpenVPN tab, click on the green Add button that points up.
  5. Fill out the following information:
    • Edit the Firewall Rule
      • Action: Pass
      • Disabled: unchecked
      • Interface: OpenVPN
      • Address Family: IPv4
      • Protocol: any
    • Source:
      • Source: any (Invert match: unchecked)
    • Destination:
      • Destination: any (Invert match: unchecked)
    • Extra Option:
      • Log: Unchecked
      • Description: OpenVPN for Site-to-Site OpenVPN on 1195
  6. Click the blue Save button.
  7. Click the green Apply changes button.

You now need to test the OpenVPN connection to see if it works.  Here is how to do that.

  1. Login to pfSense on the Main office Router
  2. Click on Status > OpenVPN.
  3. If the OpenVPN connection is working you should see the IP address of the connected pfSense router at the Satellite location.
  4. Open a command prompt on a Windows machine at the Main Office and try pinging the LAN IP address of the Satellite Office pfSense device. In the example used for this tutorial, the Main Office is on 192.168.5.0/24 and the Satellite Office is on 192.168.10.0/24, so the Main Office router is 192.168.5.1 and the Satellite Office router is 192.168.10.1. From the Main Office, ping 192.168.10.1.
  5. If you get a reply, traffic is passing across the tunnel and the Main Office can reach the Satellite Office.
  6. Now do the opposite. Open a command prompt on a Windows machine at the Satellite Office and try pinging the LAN IP address of the Main Office router. Using the same example addressing, ping 192.168.5.1.
  7. If you get a reply, traffic is passing across the tunnel in both directions and the Satellite Office can reach the Main Office.

Keep in mind that being able to ping the routers at both ends doesn’t necessarily mean you will be able to see and ping Windows machines. If a Windows machine does not have File and Printer Sharing allowed in its firewall settings, you won’t be able to ping it.

Resolving / Reaching devices over the VPN by Hostname

It’s very likely you won’t be able to resolve or reach devices by hostname over your new Site-to-Site VPN without some adjustments. For more information on getting DNS to work in different VPN scenarios, see our Getting DNS to work over a Site-to-Site OpenVPN connection in pfSense Guide.

Mayfield IT Consulting