simple site to site VPN with pfSense and OpenVPN

I just had to set up a simple site to site VPN between a site with a fixed IP (SITE-B) and a site with a dynamic IP (SITE-A). Both routers are running the ‘Community Edition’ of pfSense and are installed on PC Engines APU.1C4. I have followed the documentation at pfSense.org about how to configure a Site To Site VPN with OpenVPN to get the VPN up and running. Because some things aren’t documented there I will put up my own HowTo here. Please do yourself a favour and read the documentation at pfsense.org first because it explains things in more detail than I will do here.

This HowTo will guide you trough the setup of:

• An IPv4 ‘Site To Site VPN’ with OpenVPN on the pfSense platform (2.3.4 at time of writing) as seen in the schema above with the specific settings for the PC Engines APU hardware platform.
• The client will autoconnect to the server and (in the event of disconnection) reconnect automatically.
• The authentication between the client and the server will happen automatically via pre-shared key.

• pfsense.org – OpenVPN Site To Site
• The pfSense Book

• Navigate to ‘VPN – OpenVPN‘

• On the ‘Servers‘-Tab click on the ‘+ Add‘-button to add a new server

• In the ‘General Information‘-section:
  • Disable this server: ☐
  • Server mode: Peer to Peer (Shared Key)
  • Protocol: UDP
  • Device Mode: tun
  • Interface: set it to whatever external interface you want to have your OpenVPN server listening on. In my case this is ‘WAN‘.
  • Local port: set it to the port you want the local OpenVPN server to listen on. Default is ‘1194‘.
  • Description: Set an appropriate description e.g. ‘Site_To_Site-SITE-A_SITE_B‘
• In the ‘Cryptographic Settings‘-section:
  • Automatically generate a shared key: ☒
  • Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
  • Auth digest algorithm: RSA-SHA512 (512-bit)
  • Hardware Crypto: No Hardware Crypto Acceleration (this is PC Engines APU specific, if your hardware has crypto support – enable it)
• In the ‘Tunnel Settings‘-Section:
  • IPv4 Tunnel Network: 10.4.10.0/30 (this a very small subnet with 2 useable IP adresses since there is only one server and one client)
  • IPv6 Tunnel Network: leave empty
  • IPv4 Remote network(s): 10.3.2.0/24 (this is a comma separated list for all the networks you want to connect to on the client side (SITE A))
  • IPv6 Remote network(s): leave empty
  • Concurrent connections: 1
  • Compression: Enabled with Adaptive Compression
  • Type-of-Service: ☐ Set the TOS IP header value of tunnel packets to match the encapsulated packet value
  • Duplicate Connection: ☐ Allow multiple concurrent connections from clients using the same Common Name
  • Disable IPv6: ☒ Don’t forward IPv6 traffic
• In the ‘Advanced Configuration‘-section:
  • Custom options: leave empty
  • Verbosity Level: default
• Click on ‘Save‘-button

You should now be forwarded to the list with your configured OpenVPN servers under ‘VPN – OpenVPN‘ on the ‘Servers‘-tab

• Click on the ‘Edit‘-button (the pencil) and leave this window open because we will need to copy the ‘Shared Key‘ from this form later.

• Navigate to ‘VPN – OpenVPN‘

• Click the ‘Clients‘-tab
• On the ‘Clients‘-tab click the ‘+ Add‘-button to add a new OpenVPN client

• In the ‘General Information’-section:
  • Disable this client: ☐
  • Server mode: Peer to Peer (Shared Key)
  • Protocol: UDP
  • Device mode: tun
  • Interface: Set to whatever external interface you want your OpenVPN client connect to the OpenVPN server at SITE-B. In my case this is ‘WAN‘.
  • Local port: leave empty
  • Server host or address: Set to the FQDN or IP address of the external SITE-B Interface. In this example it is ‘site-b.site-b.de‘.
  • Server port: Set to the same port you have set in the server setup at SITE-B. Default is ‘1194‘.

Proxy host or address: leave empty

      Proxy port: leave empty
      Proxy Auth. – Extra options: none
      Infinitely resolve server: ????
      Description: Set an appropriate description e.g. ‘Site_To_Site-SITE-A_SITE_B‘
  In the ‘Cryptographic Settings‘-section:
      Peer Certificate Authority: nothing to do here
      Peer Certificate Revocation list: nothing to do here
      Automatically generate a shared key: ☐ – This will display a form field in which you can paste the key from the SITE-B server configuration.

Go back to SITE-B router. If you haven’t left the window open, navigate to ‘VPN – OpenVPN‘ and select the ‘Servers‘-tab, click on the ‘Edit‘-button (the pencil) next to the server you have created earlier

~~DISCUSSION~~