{{tag>howto openvpn pfsense sitetosite vpn apu1c4 pcengines}}

====== simple site to site VPN with pfSense and OpenVPN ======

I just had to set up a simple site to site VPN between a site with a fixed IP (SITE-B) and a site with a dynamic IP (SITE-A). Both routers are running the ‘Community Edition’ of [[https://www.pfsense.org/|pfSense]] and are installed on [[https://www.pcengines.ch/apu1c4.htm|PC Engines APU.1C4]] boards. I have followed the documentation at pfSense.org about how to [[https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site|configure a Site To Site VPN with OpenVPN]] to get the VPN up and running. Because some things aren’t documented there, I will put up my own HowTo here. Please do yourself a favour and read the [[https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site|documentation at pfsense.org]] first, because it explains things in more detail than I will do here.

{{ :pages:howtos:pfsense:site_to_site_vpn_schema.png?direct&600 |}}

This HowTo will guide you through the setup of:

  * An IPv4 ‘Site To Site VPN’ with [[https://openvpn.net/|OpenVPN]] on the pfSense platform (2.3.4 at time of writing) as seen in the schema above, with the specific settings for the PC Engines APU hardware platform.
  * The client will connect to the server automatically and (in the event of a disconnection) reconnect automatically.
  * The authentication between the client and the server will happen automatically via a pre-shared key.
===== Sources =====

  * [[https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site|pfsense.org – OpenVPN Site To Site]]
  * [[https://portal.pfsense.org/members/signup/html-book|The pfSense Book]]

===== Configure the OpenVPN server on SITE-B router =====

  * Navigate to ‘**VPN – OpenVPN**’

{{ :pages:howtos:pfsense:01_site-b-vpn_openvpn_server.png?direct&600 |}}

  * On the ‘**Servers**’-tab click on the ‘**+ Add**’-button to add a new server

{{ :pages:howtos:pfsense:02_site_b-vpn_openvpn_server.php-actnew.png?direct&600 |}}

  * In the ‘**General Information**’-section:
    * **Disable this server:** ☐
    * **Server mode:** Peer to Peer (Shared Key). This is the right mode for exactly one client. Keep in mind that a single static key protects the tunnel for its whole lifetime (there is no forward secrecy), so treat the key like a password: never paste it into tickets or chat, and generate a new one if it may have leaked. For more than two sites, or if you want per-peer credentials that can be revoked, use ‘Peer to Peer (SSL/TLS)’ instead.
    * **Protocol:** UDP
    * **Device Mode:** tun
    * **Interface:** set it to whatever external interface you want your OpenVPN server to listen on. In my case this is ‘//WAN//’.
    * **Local port:** set it to the port you want the local OpenVPN server to listen on. The default is ‘//1194//’.
    * **Description:** set an appropriate description, e.g. ‘//Site_To_Site-SITE-A_SITE_B//’
  * In the ‘**Cryptographic Settings**’-section:
    * **Automatically generate a shared key:** ☒
    * **Encryption Algorithm:** AES-256-CBC (256 bit key, 128 bit block)
    * **Auth digest algorithm:** RSA-SHA512 (512-bit)
    * **Hardware Crypto:** No Hardware Crypto Acceleration (this is specific to the PC Engines APU1, whose AMD T40E CPU has no AES-NI; if your hardware has crypto support, enable it)
  * In the ‘**Tunnel Settings**’-section:
    * **IPv4 Tunnel Network:** 10.4.10.0/30 (a very small subnet with 2 usable IP addresses, since there is only one server and one client; it must not overlap with any LAN on either site)
    * **IPv6 Tunnel Network:** leave empty
    * **IPv4 Remote network(s):** 10.3.2.0/24 (a comma separated list of all the networks on the client side (SITE-A) that you want to reach through the tunnel)
    * **IPv6 Remote network(s):** leave empty
    * **Concurrent connections:** 1
    * **Compression:** Enabled with Adaptive Compression. Security note: compressing plaintext before it is encrypted exposes the tunnel to compression-oracle attacks (VORACLE, published in 2018, targeted exactly this OpenVPN setting), and newer OpenVPN releases deprecate compression altogether. If you have no measured need for it, set ‘Disabled’ here and on the client; both ends must use the same setting.
    * **Type-of-Service:** ☐ Set the TOS IP header value of tunnel packets to match the encapsulated packet value
    * **Duplicate Connection:** ☐ Allow multiple concurrent connections from clients using the same Common Name
    * **Disable IPv6:** ☒ Don’t forward IPv6 traffic
  * In the ‘**Advanced Configuration**’-section:
    * **Custom options:** leave empty
    * **Verbosity Level:** default
  * Click on the ‘**Save**’-button

You should now be forwarded to the list of your configured OpenVPN servers under ‘**VPN – OpenVPN**’ on the ‘**Servers**’-tab.

{{ :pages:howtos:pfsense:03_site-b-vpn_openvpn_server.php_.png?direct&600 |}}

  * Click on the ‘**Edit**’-button (the pencil) and leave this window open, because we will need to copy the ‘**Shared Key**’ from this form later.

===== Configure the OpenVPN client on SITE-A router =====

  * Navigate to ‘**VPN – OpenVPN**’

{{ :pages:howtos:pfsense:04_site-a-vpn_openvpn_client.php_.png?direct&600 |}}

  * Click the ‘**Clients**’-tab
  * On the ‘**Clients**’-tab click the ‘**+ Add**’-button to add a new OpenVPN client

{{ :pages:howtos:pfsense:06_site-a-vpn_openvpn_client.php-actnew.png?direct&600 |}}

  * In the ‘**General Information**’-section:
    * **Disable this client:** ☐
    * **Server mode:** Peer to Peer (Shared Key)
    * **Protocol:** UDP
    * **Device mode:** tun
    * **Interface:** set it to the external interface through which the client should reach the OpenVPN server at SITE-B. In my case this is ‘//WAN//’.
    * **Local port:** leave empty
    * **Server host or address:** set it to the FQDN or IP address of the external SITE-B interface. In this example it is ‘//site-b.site-b.de//’.
    * **Server port:** set it to the same port you have configured in the server setup at SITE-B. The default is ‘//1194//’.
    * **Proxy host or address:** leave empty
    * **Proxy port:** leave empty
    * **Proxy Auth. – Extra options:** none
    * **Infinitely resolve server:** ☒ (recommended here). This corresponds to OpenVPN’s ''resolv-retry infinite'' option: if the server hostname cannot be resolved (e.g. because the dynamic WAN link at SITE-A is down for a moment), the client keeps retrying instead of giving up. You want this for the automatic reconnection described at the top.
    * **Description:** set an appropriate description, e.g. ‘//Site_To_Site-SITE-A_SITE_B//’
  * In the ‘**Cryptographic Settings**’-section:
    * **Peer Certificate Authority:** nothing to do here
    * **Peer Certificate Revocation list:** nothing to do here
    * **Automatically generate a shared key:** ☐ – this will display a form field into which you can paste the key from the SITE-B server configuration. Copy the whole block, including the ''-----BEGIN OpenVPN Static key V1-----'' and ''-----END OpenVPN Static key V1-----'' lines, and do not send it over an unencrypted channel.

Go back to the SITE-B router. If you haven’t left the window open, navigate to ‘**VPN – OpenVPN**’, select the ‘**Servers**’-tab and click on the ‘**Edit**’-button (the pencil) next to the server you have created earlier

----
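Copying a 16-line hex block between two browser windows is where this procedure most often goes wrong: a missing first or last line, a stray character, or a client that silently ends up with a different key than the server. The following Python script is an added example and is not part of this page or of pfSense. It checks a pasted ‘OpenVPN Static key V1’ block for the format OpenVPN writes (16 lines of 32 hex digits, 2048 bits, between the BEGIN and END markers) and returns a SHA-256 fingerprint that the admins of SITE-A and SITE-B can compare over the phone without ever reading the key itself out loud. It also checks the tunnel network and remote networks from the settings above for overlap and shows which tunnel address each end gets (pfSense gives the first usable address of the /30 to the server and the second to the client). The SITE-B LAN is not given on this page, so the ''local_networks'' argument is an assumption, and the sample key in the script is constructed and must never be used on a real tunnel.

```python
"""Pre-flight checks for an OpenVPN shared-key site-to-site tunnel.

Added example for this HowTo; not part of the page or of pfSense.
Paste the 'Shared Key' text from the SITE-B server form into SAMPLE_KEY
(or read it from a file) and run the script on both ends.
"""
import hashlib
import ipaddress
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256                              # 2048-bit static key = 512 hex digits
HEX_LINE = re.compile(r"^[0-9a-fA-F]{32}$")  # OpenVPN writes 16 lines of 32 digits

# Constructed sample key (NOT a real key, never use it): body line i repeats
# the byte value i sixteen times, so the key bytes are 00*16, 01*16, ... 0f*16.
SAMPLE_KEY = "\n".join(
    ["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
    + [f"{i:02x}" * 16 for i in range(16)]
    + [END]
)


def parse_static_key(text):
    """Return the 256 raw key bytes, or raise ValueError naming the defect."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]  # skip comments
    if not lines or lines[0] != BEGIN:
        raise ValueError("missing BEGIN line: the paste does not start at the key")
    if lines[-1] != END:
        raise ValueError("missing END line: the paste is cut off at the end")
    body = lines[1:-1]
    for n, line in enumerate(body, 1):
        if not HEX_LINE.match(line):
            raise ValueError(f"body line {n} is not 32 hex digits: {line!r}")
    key = bytes.fromhex("".join(body))
    if len(key) != KEY_BYTES:
        raise ValueError(f"key has {len(key) * 8} bits, expected {KEY_BYTES * 8}")
    return key


def key_fingerprint(text):
    """SHA-256 over the key bytes (hex). Compare this out of band, not the key."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()


def check_tunnel_plan(tunnel, remote_networks, local_networks=()):
    """Return (server_ip, client_ip) for the /30 tunnel; reject overlapping nets.

    tunnel:          'IPv4 Tunnel Network' from the server form, e.g. 10.4.10.0/30
    remote_networks: the comma separated 'IPv4 Remote network(s)' string
    local_networks:  LANs behind the server (assumed; not given on the page)
    pfSense hands the first usable address to the server, the second to the client.
    """
    tun = ipaddress.ip_network(tunnel, strict=True)
    if tun.prefixlen != 30:
        raise ValueError("a shared-key tunnel carries one client; use a /30 tunnel network")
    nets = [ipaddress.ip_network(n.strip()) for n in remote_networks.split(",")]
    nets += [ipaddress.ip_network(n) for n in local_networks]
    for net in nets:
        if net.overlaps(tun):
            raise ValueError(f"{net} overlaps the tunnel network {tun}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} and {b} overlap; routes would be ambiguous")
    server_ip, client_ip = (str(h) for h in tun.hosts())
    return server_ip, client_ip


def error_of(fn, *args):
    """Run fn(*args); return the ValueError message, or None if the check passed."""
    try:
        fn(*args)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("key fingerprint:", key_fingerprint(SAMPLE_KEY))
    server_ip, client_ip = check_tunnel_plan("10.4.10.0/30", "10.3.2.0/24")
    print(f"SITE-B (server) tunnel address {server_ip}, SITE-A (client) {client_ip}")
```

Run it once with the key as copied from the SITE-B form and once with the key as pasted into the SITE-A form; if the two fingerprints differ, the paste is wrong and OpenVPN will fail authentication with nothing more helpful than a silent lack of replies.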