This article shows how to build a site-to-site VPN between two pfSense firewalls with OpenVPN.

With pfSense, connecting two sites over OpenVPN takes a few screens of configuration on each firewall.

This article uses shared key (static key) mode, the simplest way to connect exactly two sites: a single pre-shared key protects the tunnel and no certificate authority is needed. Know its limits before choosing it: OpenVPN upstream has deprecated static key mode in favour of TLS mode, the key is never rotated, and the tunnel has no forward secrecy, so whoever obtains the key can decrypt every packet ever captured on the link. For more than a handful of sites, or for a new long-lived deployment, prefer Peer to Peer (SSL/TLS) mode with a dedicated CA; the routing and firewall rules described below are the same in both modes.

How it works

One side is configured as a client, and the other side as a server.

Either pfSense can take either role; once the tunnel is up there is no difference from a network or functionality point of view. The practical difference is who initiates: the server must be reachable on a fixed public IP address (or DNS name) and UDP port, while the client only opens an outbound connection and can therefore sit behind a dynamic IP or NAT.

If you want to connect several remote sites to a main site, the logical choice is to define the main site as the server and the remote sites as clients. Keep in mind that a shared key tunnel is strictly one-to-one: the main site then needs one server instance, with its own port and its own key, per remote site. This is where SSL/TLS mode, with a single server accepting all clients, becomes the simpler option.

In our implementation example, we will use the following infrastructure:

[pfSense] Site-to-Site OpenVPN diagram

pfSense A will be configured as an OpenVPN server.
pfSense B will be configured as an OpenVPN client.

Site A – pfSense as an OpenVPN server

We have to follow these steps:

  • configure the OpenVPN server
  • configure the appropriate firewall rules

Let’s go!

1. Configure the OpenVPN server

Go to VPN > OpenVPN:

[pfSense] menu VPN > OpenVPN

In the “Servers” tab (the default tab), click on the “+ Add” button at the bottom right of the page.

The fields to be filled in are the following:

  • Server Mode: choose Peer to Peer (Shared Key).
  • Device Mode: tun.
  • Interface: WAN, normally. More generally, the interface on which the OpenVPN server must be reachable.
  • Local port: keep the default value (1194) or pick another UDP port; whatever you choose must be opened in the WAN rule below and entered on the client.
  • Shared key: keep Automatically generate a shared key checked. pfSense generates a 2048-bit static key when you save; reopen the server afterwards to copy it, because the very same key has to be pasted into the client on site B.
  • Encryption Algorithm: choose a CBC cipher such as AES-256-CBC or AES-128-CBC (both are accelerated by AES-NI). The AEAD ciphers (GCM modes) are only usable in SSL/TLS mode, not with a shared key.
  • Auth digest algorithm: keep a SHA-2 digest such as SHA256. Cipher and digest must be set to exactly the same values on the client.
  • Enable NCP / NCP Algorithms: Negotiable Cryptographic Parameters are exchanged over the TLS control channel, which does not exist in shared key mode, so these settings have no effect on this tunnel. Only the Encryption Algorithm above matters here.
  • IPv4 Tunnel Network: the transit network of the VPN, in our case 192.168.100.0/30. A /30 provides exactly the two addresses a point-to-point tunnel needs: pfSense A gets 192.168.100.1 and pfSense B 192.168.100.2.
  • IPv4 Remote network(s): the LAN(s) behind the other pfSense, in our case 192.168.2.0/24. This becomes a route through the tunnel; list several networks separated by commas if site B has more than one.

The other settings can keep their default configuration.

[pfSense] OpenVPN server configuration

We click on the “Save” button. The OpenVPN server is created.

2. Configure the firewall rules

Go to Firewall > Rules:

[pfSense] menu Firewall > Rules

Add a firewall rule on the WAN interface (or on the interface on which your OpenVPN server is reachable) with the following settings:

  • Protocol: UDP
  • Source: any. If site B has a fixed public IP address, put that address here instead, so that the OpenVPN port is not exposed to the whole Internet.
  • Destination: This firewall (self)
  • Destination port: 1194 (or the port you chose previously)

[pfSense] Firewall rule for OpenVPN access

Then, add a firewall rule on the LAN interface with the following settings:

  • Protocol: *
  • Source: LAN net
  • Destination: network – 192.168.2.0/24 (the local network of the site B)
  • Destination port: any

This rule allows traffic from LAN to the network of the site B.

[pfSense] Firewall rule

Finally, add a firewall rule on the OpenVPN interface with the following settings:

  • Protocol: *
  • Source: network – 192.168.2.0/24 (the local network of the site B)
  • Destination: LAN net
  • Destination port: any
[pfSense] Another firewall rule

This rule allows traffic from the network of the site B to the LAN.

These two rules allow all traffic in both directions between the two LANs. In production, narrow them to the hosts, protocols and ports the sites actually need to exchange; the tunnel should not turn a compromise of one site into free access to the other.

Site B – pfSense as an OpenVPN client

We have to follow these steps:

  • configure the OpenVPN client
  • configure the appropriate firewall rules

1. Configure the OpenVPN client

Go to VPN > OpenVPN:

[pfSense] menu VPN > OpenVPN

In the “Clients” tab, click on the “+ Add” button. The fields to be filled in are the following:

  • Server Mode: choose Peer to Peer (Shared Key).
  • Protocol: UDP
  • Device Mode: tun.
  • Interface: WAN, normally.
  • Server host or address: the public IP address (or DNS name) of site A.
  • Server port: the port configured on the server. In our case: 1194.
  • Cryptographic Settings: uncheck Automatically generate a shared key and paste the key generated on the server, markers included (from -----BEGIN OpenVPN Static key V1----- to -----END OpenVPN Static key V1-----). This key is the only secret protecting the tunnel: copy it through an authenticated channel such as the HTTPS web interfaces of the two firewalls, never by plain e-mail or chat, and keep no copy elsewhere.
  • Encryption Algorithm: exactly the value chosen on the server side.
  • Auth digest algorithm: exactly the value chosen on the server side.
  • Enable NCP / NCP Algorithms: irrelevant in shared key mode, as on the server; there is no TLS control channel to negotiate over.
  • IPv4 Tunnel Network: the same VPN network as on the server, 192.168.100.0/30; the client takes 192.168.100.2.
  • IPv4 Remote network(s): the LAN behind pfSense A, in our case 192.168.1.0/24.

The other settings can keep their default configuration.

[pfSense] OpenVPN client configuration

We click on the “Save” button. The OpenVPN client is created.

2. Configure the firewall rules

Go to Firewall > Rules:

[pfSense] menu Firewall > Rules

Add a firewall rule on the LAN interface with the following settings:

  • Protocol: *
  • Source: LAN net
  • Destination: network – 192.168.1.0/24 (the local network of the site A)
  • Destination port: any
[pfSense] Firewall rule

Then, add a firewall rule on the OpenVPN interface with the following settings:

  • Protocol: *
  • Source: network – 192.168.1.0/24 (the local network of the site A)
  • Destination: LAN net
  • Destination port: any
[pfSense] Another firewall rule

As on site A, narrow these rules to what the two sites actually need to exchange rather than leaving them wide open.

It’s done! Your VPN should be up! Let’s check.

Check the VPN connectivity

First we check the OpenVPN status. Go to Status > OpenVPN:

[pfSense] menu Status > OpenVPN

If your VPN is up, it will look like this:

[pfSense] Status page – OpenVPN instance

On this page, we can check the IP address of the remote host, the virtual IP and the traffic sent/received through the VPN.

If the VPN is not up, look at the OpenVPN log on both sides (Status > System Logs > OpenVPN). A shared key or digest mismatch shows up as repeated “Authenticate/Decrypt packet error: packet HMAC authentication failed” messages; a wrong port or a missing WAN rule shows up as a client that keeps retrying without ever receiving a reply. Compare the client and server settings field by field (shared key, cipher, digest, port, tunnel network), fix the difference, then restart the OpenVPN service.
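As an added example (not part of the original article, and not the files pfSense itself generates), the following POSIX shell script shows what the GUI fields of the two sections above translate to in OpenVPN's own configuration language, produces a static key in the exact format pfSense displays in the Shared key box, and then cross-checks the two configurations the way you would when Status > OpenVPN stays down. The addresses are the article's; the public IP 203.0.113.10, the file locations and the `nobind`/`keepalive` choices are assumptions. It needs only awk, od, fold, cmp and /dev/urandom.

```shell
#!/bin/sh
# Added example, not pfSense's generated files: OpenVPN directives behind the
# article's GUI fields, a static key in pfSense's format, and a pair check.
set -eu

# Constructed parameters: addresses from the article, public IP assumed (TEST-NET-3).
SITE_A_PUBLIC_IP="203.0.113.10"
VPN_PORT=1194
TUN_A="192.168.100.1"               # first usable host of 192.168.100.0/30, server
TUN_B="192.168.100.2"               # second usable host, client
LAN_A="192.168.1.0 255.255.255.0"   # site A LAN (the client's "IPv4 Remote network")
LAN_B="192.168.2.0 255.255.255.0"   # site B LAN (the server's "IPv4 Remote network")
CIPHER="AES-256-CBC"                # CBC: GCM (AEAD) modes only exist in TLS mode
AUTH="SHA256"                       # HMAC digest for the data channel

# 2048-bit OpenVPN static key as pfSense shows it: 16 lines of 32 hex chars
# between the "V1" markers. Both firewalls must hold this exact file.
gen_static_key() {
    echo "#"
    echo "# 2048 bit OpenVPN static key"
    echo "#"
    echo "-----BEGIN OpenVPN Static key V1-----"
    { od -An -tx1 -N256 /dev/urandom | tr -d ' \n'; echo; } | fold -w 32
    echo "-----END OpenVPN Static key V1-----"
}

# Server side (pfSense A). $1 is the path of the static key file.
server_conf() {
    cat <<EOF
dev tun
proto udp
port $VPN_PORT
secret $1
ifconfig $TUN_A $TUN_B
route $LAN_B
cipher $CIPHER
auth $AUTH
keepalive 10 60
EOF
}

# Client side (pfSense B): same key, mirrored tunnel addresses, server as "remote".
client_conf() {
    cat <<EOF
dev tun
proto udp
remote $SITE_A_PUBLIC_IP $VPN_PORT
nobind
secret $1
ifconfig $TUN_B $TUN_A
route $LAN_A
cipher $CIPHER
auth $AUTH
keepalive 10 60
EOF
}

# Print the arguments of directive $1 in config file $2 (empty if absent).
directive() {
    awk -v d="$1" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$2"
}

# Cross-check server ($1) and client ($2): same cipher and digest, mirrored
# ifconfig, client "remote" port equal to server "port", byte-identical keys.
# Exit status 0 when consistent, 1 otherwise (each problem printed to stderr).
check_pair() {
    _rc=0
    for _d in cipher auth; do
        if [ "$(directive "$_d" "$1")" != "$(directive "$_d" "$2")" ]; then
            echo "mismatch: '$_d' differs between server and client" >&2; _rc=1
        fi
    done
    _s=$(directive ifconfig "$1"); _c=$(directive ifconfig "$2")
    if [ "$_s" != "${_c#* } ${_c%% *}" ]; then
        echo "mismatch: tunnel addresses not mirrored ('$_s' vs '$_c')" >&2; _rc=1
    fi
    _r=$(directive remote "$2")
    if [ "$(directive port "$1")" != "${_r#* }" ]; then
        echo "mismatch: client port ${_r#* } vs server port $(directive port "$1")" >&2; _rc=1
    fi
    if ! cmp -s "$(directive secret "$1")" "$(directive secret "$2")"; then
        echo "mismatch: static key files differ" >&2; _rc=1
    fi
    return $_rc
}

# Demo: a consistent pair passes; a client whose cipher was changed is caught.
demo() {
    _dir=$(mktemp -d)
    gen_static_key > "$_dir/site-ab.key"
    server_conf "$_dir/site-ab.key" > "$_dir/server.conf"
    client_conf "$_dir/site-ab.key" > "$_dir/client.conf"
    check_pair "$_dir/server.conf" "$_dir/client.conf" && echo "consistent: tunnel can come up"
    sed 's/^cipher .*/cipher AES-128-CBC/' "$_dir/client.conf" > "$_dir/client-bad.conf"
    check_pair "$_dir/server.conf" "$_dir/client-bad.conf" || echo "inconsistent pair detected"
    rm -rf "$_dir"
}
demo
```

Read the two heredocs side by side and the GUI mapping is visible: the server's IPv4 Remote network becomes its `route`, the client's becomes the client's `route`, the /30 tunnel network becomes a mirrored `ifconfig` pair, and Server host/port become `remote`. `check_pair` fails on exactly the differences that keep a shared key tunnel down, since there is no negotiation to paper over them: differing cipher or digest, tunnel addresses that are not mirrored, a client aiming at a port the server does not listen on, or two key files that are not byte for byte the same.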

Secondly, we can try to send a PING request from a computer on the site A to a computer on the site B. And vice-versa.

If the ping fails while the tunnel is up, verify the firewall rules on both sides, then check that the target computer uses its pfSense as default gateway and that its own host firewall accepts ICMP from a non-local subnet (Windows, for example, often drops it by default).

That’s it, that’s all!

provya.com