

simple site to site VPN with pfSense and OpenVPN

I just had to set up a simple site to site VPN between a site with a fixed IP (SITE-B) and a site with a dynamic IP (SITE-A). Both routers are running the ‘Community Edition’ of pfSense and are installed on PC Engines APU.1C4. I have followed the documentation at pfSense.org about how to configure a Site To Site VPN with OpenVPN to get the VPN up and running. Because some things aren’t documented there I will put up my own HowTo here. Please do yourself a favour and read the documentation at pfsense.org first because it explains things in more detail than I will do here.

This HowTo will guide you through the setup of:

  • An IPv4 ‘Site To Site VPN’ with OpenVPN on the pfSense platform (2.3.4 at the time of writing), as seen in the schema above, with the specific settings for the PC Engines APU hardware platform.
  • The client will autoconnect to the server and (in the event of disconnection) reconnect automatically.
  • The authentication between the client and the server will happen automatically via pre-shared key.

Sources

Configure the OpenVPN server on SITE-B router

  • Navigate to ‘VPN – OpenVPN’

  • On the ‘Servers’ tab click on the ‘+ Add’ button to add a new server

  • In the ‘General Information’ section:
    • Disable this server: ☐ (leave unchecked so the server is active)
    • Server mode: Peer to Peer (Shared Key)
    • Protocol: UDP
    • Device Mode: tun
    • Interface: set it to whatever external interface you want your OpenVPN server listening on. In my case this is ‘WAN’.
    • Local port: set it to the port you want the local OpenVPN server to listen on. The default is ‘1194’.
    • Description: set an appropriate description, e.g. ‘Site_To_Site-SITE-A_SITE_B’
  • In the ‘Cryptographic Settings’ section:
    • Automatically generate a shared key: ☒ (this is the pre-shared key that will later be copied to the client)
    • Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
    • Auth digest algorithm: RSA-SHA512 (512-bit)
    • Hardware Crypto: No Hardware Crypto Acceleration (this is PC Engines APU specific; if your hardware has crypto support, enable it)
  • In the ‘Tunnel Settings’ section:
    • IPv4 Tunnel Network: 10.4.10.0/30 (this is a very small subnet with two usable IP addresses, since there is only one server and one client)
    • IPv6 Tunnel Network: leave empty
    • IPv4 Remote network(s): 10.3.2.0/24 (this is a comma-separated list of all the networks you want to reach on the client side (SITE-A))
    • IPv6 Remote network(s): leave empty
    • Concurrent connections: 1
    • Compression: Enabled with Adaptive Compression
    • Type-of-Service: ☐ Set the TOS IP header value of tunnel packets to match the encapsulated packet value
    • Duplicate Connection: ☐ Allow multiple concurrent connections from clients using the same Common Name
    • Disable IPv6: ☒ Don’t forward IPv6 traffic
  • In the ‘Advanced Configuration’ section:
    • Custom options: leave empty
    • Verbosity Level: default
  • Click on the ‘Save’ button

You should now be forwarded to the list of your configured OpenVPN servers under ‘VPN – OpenVPN’ on the ‘Servers’ tab.
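For reference, the GUI settings above correspond to the following plain OpenVPN server configuration. This is an added example and not a file taken from the page or generated by pfSense (pfSense writes its own equivalent under /var/etc/openvpn/ and you never edit it by hand); the WAN address 203.0.113.10 and the path of the shared-key file are assumptions, while the tunnel network, remote network, port, cipher and digest are the values from the steps above.

```conf
# Added example: OpenVPN server at SITE-B in shared-key site-to-site mode,
# equivalent to the pfSense GUI settings described in this HowTo.
dev tun
proto udp
port 1194
# Assumption: the fixed WAN address of SITE-B (documentation range, not a real host)
local 203.0.113.10
# Peer-to-Peer (Shared Key) mode: no TLS handshake, no certificates.
# Assumed path; the file holds the key produced by "Automatically generate a shared key".
secret /var/etc/openvpn/server1.secret
# IPv4 Tunnel Network 10.4.10.0/30: .1 is this (server) end, .2 the SITE-A end
ifconfig 10.4.10.1 10.4.10.2
# IPv4 Remote network(s): the LAN at SITE-A reachable through the tunnel
route 10.3.2.0 255.255.255.0
# Encryption Algorithm / Auth digest algorithm from the Cryptographic Settings section
cipher AES-256-CBC
auth SHA512
# Compression: Enabled with Adaptive Compression
comp-lzo adaptive
# Detect a dead peer and let the SITE-A client reconnect on its own
keepalive 10 60
persist-key
persist-tun
# Verbosity Level: default
verb 3
```

The client at SITE-A mirrors this file: the same secret, cipher and digest, `ifconfig 10.4.10.2 10.4.10.1`, and a `remote 203.0.113.10 1194` line instead of `local`, which is why the server needs no knowledge of the client's changing address. Remember that the pfSense firewall still has to permit inbound UDP on port 1194 on the WAN interface, and that the shared key has the same sensitivity as a private key: anyone holding it can join or impersonate either end of the tunnel.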

pages/howtos/pfsense/simple-site-to-site-vpn-with-pfsense-and-openvpn.1615746121.txt.gz · Last modified: 2021/03/14 18:22 by mischerh