Page revisions: 2021/03/14 17:31 by mischerh; 2021/12/09 23:28 (current) by rokkitlawnchair.
{{tag>howto openvpn pfsense sitetosite vpn apu1c4 pcengines}}
====== simple site to site VPN with pfSense and OpenVPN ======
I just had to set up a simple site-to-site VPN between a site with a fixed IP (SITE-B) and a site with a dynamic IP (SITE-A). Both routers run the ‘Community Edition’ of [[https://www.pfsense.org/|pfSense]] and are installed on [[https://www.pcengines.ch/apu1c4.htm|PC Engines APU.1C4]] boards. I followed the documentation at pfSense.org on how to [[https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site|configure a Site To Site VPN with OpenVPN]] to get the VPN up and running. Because some things aren’t documented there, I have put up my own HowTo here. Please do yourself a favour and read the [[https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site|documentation at pfsense.org]] first, because it explains things in more detail than I will here. In this setup the router with the fixed IP (SITE-B) runs the OpenVPN server and the router with the dynamic IP (SITE-A) runs the client that dials it.
===== Configure the OpenVPN server on SITE-B router =====

  * In the ‘**General Information**’-section:
    * **Disable this server:** ☐
    * **Server mode:** Peer to Peer (Shared Key). Note that OpenVPN has deprecated static (shared) key mode and the pfSense documentation recommends Peer to Peer (SSL/TLS) for new tunnels. Shared key is the simpler setup, but it has no forward secrecy: whoever obtains the key can decrypt all traffic ever sent through the tunnel. There is also no cipher negotiation in this mode, so every cryptographic setting below must be configured identically on the SITE-A client.
    * **Protocol:** UDP
    * **Device Mode:** tun
    * **Interface:** set it to whatever external interface you want your OpenVPN server to listen on. In my case this is ‘//WAN//’.
    * **Local port:** set it to the port you want the local OpenVPN server to listen on. Default is ‘//1194//’.
    * **Description:** set an appropriate description, e.g. ‘//Site_To_Site-SITE-A_SITE_B//’
  * In the ‘**Cryptographic Settings**’-section:
    * **Automatically generate a shared key:** ☒
    * **Encryption Algorithm:** AES-256-CBC (256 bit key, 128 bit block)
    * **Auth digest algorithm:** RSA-SHA512 (512-bit)
    * **Hardware Crypto:** No Hardware Crypto Acceleration (this is PC Engines APU specific; if your hardware has crypto support, enable it)
  * In the ‘**Tunnel Settings**’-section:
    * **IPv4 Tunnel Network:** 10.4.10.0/30 (a very small subnet with 2 usable IP addresses, which is enough since there is only one server and one client)
    * **IPv6 Tunnel Network:** leave empty
    * **IPv4 Remote network(s):** 10.3.2.0/24 (a comma-separated list of all the networks you want to reach on the client side (SITE-A))
    * **IPv6 Remote network(s):** leave empty
    * **Concurrent connections:** 1
    * **Compression:** Enabled with Adaptive Compression (be aware that compressing VPN traffic enables compression-oracle attacks such as VORACLE; both OpenVPN and pfSense now recommend leaving compression disabled)
    * **Type-of-Service:** ☐ Set the TOS IP header value of tunnel packets to match the encapsulated packet value
    * **Duplicate Connection:** ☐ Allow multiple concurrent connections from clients using the same Common Name
    * **Disable IPv6:** ☒ Don’t forward IPv6 traffic
  * In the ‘**Advanced Configuration**’-section:
    * **Custom options:** leave empty
    * **Verbosity Level:** default
  * Click on the ‘**Save**’-button
  
You should now be forwarded to the list of your configured OpenVPN servers under ‘**VPN – OpenVPN**’ on the ‘**Servers**’-tab.
{{ :pages:howtos:pfsense:03_site-b-vpn_openvpn_server.php_.png?direct&600 |}}
  * Click on the ‘**Edit**’-button (the pencil) and leave this window open, because we will need to copy the ‘**Shared Key**’ from this form later.
  
===== Configure the OpenVPN client on SITE-A router =====
  * Navigate to ‘**VPN – OpenVPN**’
{{ :pages:howtos:pfsense:04_site-a-vpn_openvpn_client.php_.png?direct&600 |}}

  * Click the ‘**Clients**’-tab
  * On the ‘**Clients**’-tab click the ‘**+ Add**’-button to add a new OpenVPN client
{{ :pages:howtos:pfsense:06_site-a-vpn_openvpn_client.php-actnew.png?direct&600 |}}

  * In the ‘**General Information**’-section:
    * **Disable this client:** ☐
    * **Server mode:** Peer to Peer (Shared Key)
    * **Protocol:** UDP (must match the server)
    * **Device mode:** tun (must match the server)
    * **Interface:** set to whatever external interface your OpenVPN client should use to connect to the OpenVPN server at SITE-B. In my case this is ‘//WAN//’.
    * **Local port:** leave empty
    * **Server host or address:** set to the FQDN or IP address of the external SITE-B interface. In this example it is ‘//site-b.site-b.de//’.
    * **Server port:** set to the same port you have set in the server setup at SITE-B. Default is ‘//1194//’.
    * **Proxy host or address:** leave empty
    * **Proxy port:** leave empty
    * **Proxy Auth. – Extra options:** none
    * **Infinitely resolve server:** ☒
    * **Description:** set an appropriate description, e.g. ‘//Site_To_Site-SITE-A_SITE_B//’
  * In the ‘**Cryptographic Settings**’-section:
    * **Peer Certificate Authority:** nothing to do here
    * **Peer Certificate Revocation list:** nothing to do here
    * **Automatically generate a shared key:** ☐ – this will display a form field in which you paste the key from the SITE-B server configuration. Treat that key like a password: anyone who obtains it can join the tunnel and decrypt its traffic, past and future, so only move it between the two routers over a trusted channel (such as the two HTTPS web GUI sessions), never by e-mail or chat. The Encryption Algorithm and Auth digest algorithm below it must be set to exactly the same values as on the SITE-B server (AES-256-CBC and RSA-SHA512 in this example), because shared key mode does not negotiate them.
  
Go back to the SITE-B router. If you haven’t left the window open, navigate to ‘**VPN – OpenVPN**’, select the ‘**Servers**’-tab and click on the ‘**Edit**’-button (the pencil) next to the server you created earlier.
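The two router configurations described above, written out as an added example (this is not code from the HowTo, from pfSense or from OpenVPN): a standalone OpenVPN shared-key server and client equivalent to the GUI settings for SITE-B and SITE-A, plus a small Python checker that parses both and verifies everything shared-key mode cannot negotiate for you: identical ''dev'', ''proto'', ''cipher'' and ''auth'' (the GUI's RSA-SHA512 digest is written as the OpenVPN ''auth SHA512'' option), ''ifconfig'' addresses mirrored inside the 10.4.10.0/30 tunnel network, the client dialling the port the server listens on, ''route'' lines naming only the other side's LAN, and the same compression state on both ends (flagged as a warning because of VORACLE). The key file paths and the SITE-B LAN 10.3.1.0/24 are assumptions, since the HowTo does not get that far; the host name site-b.site-b.de and all other values are the page's own.

```python
"""Consistency check for an OpenVPN shared-key (static key) site-to-site pair.
Added example, not code from the wiki page, pfSense or OpenVPN. Shared-key mode has
no TLS handshake and negotiates nothing, so every parameter must be mirrored by hand
on both routers. Both configs are constructed to mirror the HowTo's GUI settings; the
key file paths and the SITE-B LAN 10.3.1.0/24 are assumptions."""
from typing import Dict, List, Optional, Tuple

# Constructed: SITE-B server (fixed IP), standalone equivalent of the server form.
# 'route' is the form's "IPv4 Remote network(s)", i.e. the SITE-A LAN.
SITE_B_SERVER = """
dev tun
proto udp
lport 1194
secret /var/etc/openvpn/server1.secret
cipher AES-256-CBC
auth SHA512
ifconfig 10.4.10.1 10.4.10.2
route 10.3.2.0 255.255.255.0
comp-lzo adaptive
"""

# Constructed: SITE-A client (dynamic IP), standalone equivalent of the client form.
# 'route' is the SITE-B LAN, which the HowTo does not get to; 10.3.1.0/24 is assumed.
SITE_A_CLIENT = """
dev tun
proto udp
remote site-b.site-b.de 1194
resolv-retry infinite
secret /var/etc/openvpn/client1.secret
cipher AES-256-CBC
auth SHA512
ifconfig 10.4.10.2 10.4.10.1
route 10.3.1.0 255.255.255.0
comp-lzo adaptive
"""

WEAK = {"cipher": {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"},
        "auth": {"MD5", "SHA1", "NONE"}}

def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """{option: [args, ...]}; repeats (several 'route' lines) kept, '#'/';' comments dropped."""
    opts: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def first(opts: Dict[str, List[List[str]]], name: str) -> Optional[List[str]]:
    return opts[name][0] if name in opts else None

def check_pair(server_cfg: str, client_cfg: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a shared-key server/client pair."""
    srv, cli = parse_ovpn(server_cfg), parse_ovpn(client_cfg)
    errors: List[str] = []
    warnings: List[str] = []
    # 1. Both ends in static key mode: a 'secret' on each side, no TLS options mixed in.
    for side, opts in (("server", srv), ("client", cli)):
        if "secret" not in opts:
            errors.append(f"{side}: no 'secret' option, not a shared-key tunnel")
        if any(o in opts for o in ("ca", "cert", "tls-auth", "tls-crypt")):
            errors.append(f"{side}: TLS options mixed into shared-key mode")
    # 2. Nothing is negotiated in this mode: these must be identical on both sides.
    for opt in ("dev", "proto", "cipher", "auth"):
        if first(srv, opt) != first(cli, opt):
            errors.append(f"{opt} mismatch: server={first(srv, opt)} client={first(cli, opt)}")
    # 3. Tunnel endpoints: the client's ifconfig is the server's pair, swapped.
    s_if, c_if = first(srv, "ifconfig"), first(cli, "ifconfig")
    if s_if is None or c_if is None:
        errors.append("ifconfig missing on one side")
    elif c_if != [s_if[1], s_if[0]]:
        errors.append(f"ifconfig not mirrored: server={s_if} client={c_if}")
    # 4. The server's listening port must be the port the client dials.
    s_port = (first(srv, "lport") or first(srv, "port") or ["1194"])[0]
    remote = first(cli, "remote")
    if remote is None:
        errors.append("client: no 'remote' option")
    elif s_port != (remote[1] if len(remote) > 1 else "1194"):
        errors.append(f"port mismatch: server listens on {s_port}, client dials {remote}")
    # 5. 'route' lines name the *other* side's LANs; the same prefix on both is a loop.
    s_nets = {tuple(r[:2]) for r in srv.get("route", [])}
    c_nets = {tuple(r[:2]) for r in cli.get("route", [])}
    for net in sorted(s_nets & c_nets):
        errors.append(f"route {' '.join(net)} declared as remote on both sides")
    # 6. Hygiene: weak algorithms are errors; compression is only a warning (VORACLE).
    for opt, weak in WEAK.items():
        if (first(srv, opt) or ["none"])[0].upper() in weak:
            errors.append(f"weak {opt}: {first(srv, opt)}")
    s_comp, c_comp = ("comp-lzo" in srv or "compress" in srv), ("comp-lzo" in cli or "compress" in cli)
    if s_comp != c_comp:
        errors.append("compression enabled on one side only")
    elif s_comp:
        warnings.append("compression enabled: disable it, compressed VPN traffic enables VORACLE-style oracle attacks")
    return errors, warnings

if __name__ == "__main__":
    # Good pair, then a client with a typical copy-paste mistake (wrong cipher, ifconfig not swapped).
    bad = SITE_A_CLIENT.replace("AES-256-CBC", "AES-128-CBC").replace("10.4.10.2 10.4.10.1", "10.4.10.1 10.4.10.2")
    print(check_pair(SITE_B_SERVER, SITE_A_CLIENT), check_pair(SITE_B_SERVER, bad), sep="\n")
```

Run as a script, the good pair passes with only the compression warning, while the mistyped client fails on the cipher and on the unmirrored ''ifconfig''. Pointing ''check_pair()'' at the contents of your own two configurations before bringing the tunnel up is cheap insurance, since nothing on the wire will negotiate these values for you in shared key mode.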
  
----
~~DISCUSSION~~