How to set up a site-to-site VPN on PFSense using OpenVPN.
The organization I work for is expanding, so we investigated whether it would be possible to get a fiber connection to our head office. Unfortunately that is not possible, so we went with business-level internet with a static IP on Telus Fiber at 300 Mbps (we need a good upstream).
Which means we need a VPN (dramatic sound effect). The last time the organization did a VPN it did not go well: the connection was slow, laggy and barely functional (I think it was mostly the internet connection; we resolved it by using RDP). However, that was then and this is now. I was asked to see if we could get something going using PFSense. Since I set up the OpenVPN server for our client remote access and it has worked really well, I looked into using OpenVPN for a site-to-site tunnel. Lawrence Systems has a great video on how to do this, as does Crosstalk Solutions. I used both for reference, as the network I was working with wasn't a typical setup. I hope this post will be useful for those trying to do a site-to-site VPN from a satellite/branch location that has to communicate with the main location. Below is an overview diagram of how this essentially works.
[Figure: Overview Diagram]
In PFSense the server part for your main/master location is very simple to set up. You essentially have to configure three things:
- The OpenVPN server that the satellite/branch location's firewall will connect to, with the tunnel and remote network settings that route traffic back to the branch network
- The WAN firewall rule that allows the VPN connection in
- The OpenVPN interface firewall rules that allow the tunnelled traffic through to your networks
1.1 - Configure General Settings
[Figure: OpenVPN General Information Settings]
1.2 - Configure Cryptographic Settings
I recommend starting with the default settings here and adjusting them after the fact, once the connection is established, depending on your hardware and how much security you require. Whatever you choose, the client end must use the same cryptographic settings as the server, or the tunnel will not come up.
[Figure: OpenVPN Cryptographic Settings]
1.3 - Tunnel Settings
The IPv4 Tunnel network must be the same IP range on the client firewall and the server firewall. It is the virtual network between the two firewalls that traffic traverses on its way to the other location's networks, so it must not overlap either site's LAN.
The IPv4 Remote network is the network on the other side of the tunnel that you are trying to reach. Since this is the server setting, enter the network behind the client firewall. In this case that is 192.168.96.0/24, the network at the remote site.
[Figure: Server Tunnel Settings]
1.4 - Advanced Configuration
You can put any custom OpenVPN configuration here, for example raising the logging level (the verb directive) for troubleshooting.
[Figure: Advanced Configuration]
Firewall Rules:
WAN: - The rule should allow UDP (IPv4) only, with the source set to the other site's static public IP (the address its ISP provided to the branch firewall) and the destination port set to the port your OpenVPN server listens on. Restricting the source this way means only the peer firewall can reach the OpenVPN listener at all.
[Figure: WAN Firewall Rules]
OpenVPN: - The rule on the OpenVPN interface is typically left wide open (any source, any destination) unless you want to lock it down yourself. Keep in mind that wide open means every host on the branch LAN can reach every host and port at head office; once the tunnel works, tighten it to the source networks, destination hosts and ports that actually need to cross.
[Figure: OpenVPN Firewall Rule]
For the client, on the other hand, there is a fair bit of setup to do, especially if you want to reach other networks.
Set up an OpenVPN client in PFSense
[Figure: OpenVPN Client to connect the 2 firewalls]
[Figure: PFSENSE OPENVPN Client Settings]
[Figure: OpenVPN Cryptographic Settings (Should be the same as the server)]
Client Tunnel Settings
The IPv4 Tunnel network must be the same IP range on the client firewall as on the server firewall. It is the virtual network between the two firewalls that traffic traverses on its way to the other location's networks.
The IPv4 Remote network is the network on the other side of the tunnel that you are trying to reach. Since this is the client setting, enter the network(s) behind the server firewall. In this case, as in the overview diagram, that is 192.168.1.0/24, the network at the main office. If you want to reach more than one network, separate them with commas in the remote networks field, for example 192.168.1.0/24, 172.19.4.0/24; with the firewall/NAT rules in place you should be able to reach both.
[Figure: Client Tunnel Settings]
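To make the tunnel settings concrete for both ends at once (the server tunnel settings in section 1.3 and the client tunnel settings here), the following is an added example, not code from the original post or from pfSense: a small Python script that checks a site-to-site plan the way you would eyeball the two OpenVPN pages side by side, and prints the OpenVPN route directives that pfSense generates from the Remote network fields. The two LANs are the ones used in this post (192.168.1.0/24 and 172.19.4.0/24 at head office, 192.168.96.0/24 at the branch); the 10.0.8.0/24 tunnel network is a made-up value. The iroute lines are an assumption about SSL/TLS mode, where the server needs a Client Specific Override for each client-side network; in shared-key (peer to peer) mode the route line alone is enough.

```python
"""Consistency check for a pfSense OpenVPN site-to-site plan.

Added example, not code from the original post or from pfSense. The two LANs
(192.168.1.0/24 and 172.19.4.0/24 at head office, 192.168.96.0/24 at the branch)
are the ones the post uses; the 10.0.8.0/24 tunnel network is a made-up value.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed plan: the values you would type into the two pfSense pages.
# 'remote' is the "IPv4 Remote network(s)" field, 'tunnel' the "IPv4 Tunnel network".
PLAN = {
    "server": {"local": ["192.168.1.0/24", "172.19.4.0/24"],
               "tunnel": "10.0.8.0/24",
               "remote": ["192.168.96.0/24"]},
    "client": {"local": ["192.168.96.0/24"],
               "tunnel": "10.0.8.0/24",
               "remote": ["192.168.1.0/24", "172.19.4.0/24"]},
}


def nets(cidrs):
    """Parse CIDR strings; strict=True rejects host bits such as 192.168.1.5/24."""
    return [ip_network(c, strict=True) for c in cidrs]


def check_plan(plan):
    """Return a list of problems; an empty list means both ends agree."""
    s, c = plan["server"], plan["client"]
    problems = []

    # 1. The tunnel network is one shared virtual subnet; both ends must match.
    if ip_network(s["tunnel"]) != ip_network(c["tunnel"]):
        problems.append(f"tunnel mismatch: server {s['tunnel']} vs client {c['tunnel']}")

    # 2. Each side's Remote network list must be exactly the other side's LANs,
    #    otherwise one direction of traffic has no route into the tunnel.
    if set(nets(s["remote"])) != set(nets(c["local"])):
        problems.append("server Remote networks do not match the client LANs")
    if set(nets(c["remote"])) != set(nets(s["local"])):
        problems.append("client Remote networks do not match the server LANs")

    # 3. Tunnel and LAN ranges must not overlap: an overlap does not fail loudly,
    #    it silently sends part of a LAN down the wrong path.
    labelled = [("tunnel", ip_network(s["tunnel"]))]
    labelled += [("server LAN", n) for n in nets(s["local"])]
    labelled += [("client LAN", n) for n in nets(c["local"])]
    for (la, a), (lb, b) in combinations(labelled, 2):
        if a.overlaps(b):
            problems.append(f"overlap: {la} {a} and {lb} {b}")
    return problems


def openvpn_directives(side, plan):
    """OpenVPN lines a side gets from its Remote network field.

    Both ends get a 'route' per remote network. In SSL/TLS mode the server
    additionally needs an 'iroute' for each client-side network in a Client
    Specific Override so OpenVPN knows which client owns it; in shared-key
    (peer to peer) mode the 'route' alone is enough. This is an assumption
    stated in the lead-in, not something taken from the post.
    """
    lines = [f"route {n.network_address} {n.netmask}" for n in nets(plan[side]["remote"])]
    if side == "server":
        lines += [f"iroute {n.network_address} {n.netmask}" for n in nets(plan["server"]["remote"])]
    return lines


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
    for side in ("server", "client"):
        print(f"\n[{side}]")
        print("\n".join(openvpn_directives(side, PLAN)))
```

Run it after filling in your own LANs and tunnel range; a non-empty problem list tells you which field on which page disagrees before you spend time staring at firewall logs, and the overlap check catches the case where a tunnel network was chosen inside an existing LAN, which pfSense will accept but which routes wrongly.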
Pushing DNS
On my client firewall I am using the DNS Resolver, which lets me send lookups for specific domains to specific servers. My DNS Resolver is set up to use DNS over TLS, so I added a domain override so that lookups for my internal domain go to that domain's own DNS server instead of the DNS over TLS upstream. This is especially useful in an Active Directory environment. The override's target server must be inside a network the tunnel routes to and allowed by the OpenVPN firewall rules, or the lookups will simply time out.
[Figure: Domain Specific lookups]
Again, you have to ensure firewall rules are set up on your client firewall, much like on your server firewall, to allow the OpenVPN traffic through to the proper networks.
Firewall Rules:
WAN: - As on the server, the rule should allow UDP (IPv4) only, with the source set to the other site's static public IP (here, the head office firewall) and the destination port set to the OpenVPN port. Because the client firewall initiates the tunnel, the return traffic is already matched by pf's state table; if you add this rule anyway, keep the source restricted to that one address.
[Figure: WAN Firewall Rules]
OpenVPN: - As on the server, this is typically left wide open unless you want to lock it down yourself; the same advice applies here, now for head office hosts reaching the branch LAN, so tighten it to the hosts and ports that need to cross once the tunnel works.
[Figure: OpenVPN Firewall Rule]