pfSense – OpenVPN Site-to-Site Setup
Before you begin:
- This tutorial is for an OpenVPN Site-to-Site setup using two pfSense devices, one running an OpenVPN server and the other an OpenVPN client.
- This tutorial is not for setting up an OpenVPN server for Windows or smartphone clients to connect to a remote network over a VPN.
- It is assumed in this tutorial that the pfSense box running the OpenVPN server is getting a public (internet) IP address on its WAN interface. If the pfSense box is behind another routing device and using a local IP address from this device, this tutorial won’t work without port forwarding or placing the pfSense device in the upstream modem/router’s DMZ.
- For this tutorial, the Main Office device will be on a 10.0.10.0/24 subnet and the Satellite Office will be on a 10.0.5.0/24 subnet. You will need to change these values in the tutorial to match your own network’s IP addressing scheme.
- These instructions are based on pfSense version 2.6.
Step 1: Setting up the OpenVPN Server
Things to note:
- These instructions are for the configuration on the Main Office pfSense device that each Satellite pfSense client will connect to.
- The Main Office will require a static WAN IP address from their ISP to avoid the VPN going down when their public IP address is changed. If they don’t, you will have to set up a dynamic DNS service (not covered in this document).
Part 1: OpenVPN Server configuration
- Login to pfSense at your Main Office location.
- Click on VPN→OpenVPN
- Within the Servers tab, click on the green Add button.
- Fill out the following information:
- General Information
- Disabled: Unchecked
- Server mode: Peer to Peer (Shared Key)
- Protocol: UDP on IPv4 only
- Device mode: tun – Layer 3 Tunnel Mode
- Interface: WAN
- Local port: 1195
Note: We are using 1195 instead of 1194 because 1194 is the port most commonly used for multi-client VPNs. We’ll keep port 1194 free in case we need it in the future, or in case a client-based VPN for Windows clients is already set up on it.
- Description: Site_to_Site_OpenVPN
- Cryptographic Settings
- Shared Key: Checked
- Data Encryption Negotiation: Checked
- Data Encryption Algorithms:
- Available Data Encryption Algorithms (note: these are listed in the right-hand dialog box and are greyed out)
AES-256-GCM
AES-128-GCM
CHACHA20-POLY1305
- Fallback Data Encryption Algorithm: AES-256-CBC (256-bit key, 128-bit block)
- Auth digest algorithm: SHA256 (256-bit)
- Hardware Crypto: No Hardware Crypto Acceleration
- Tunnel Settings:
- IPv4 Tunnel Network: 10.0.1.0/24
- IPv6 Tunnel Network: blank
- IPv4 Remote Network(s): 10.0.5.0/24
(Please note: this is the tutorial value. To adjust it for your own scenario, enter the subnet of your Satellite (client) pfSense device. For example, if the Main Office device running the OpenVPN server is on a 10.0.10.0/24 subnet and the Satellite device running pfSense is on a 10.0.5.0/24 subnet, you would enter 10.0.5.0/24.)
- IPv6 Remote network(s): blank
- Concurrent connections: 1
- Allow Compression: Refuse any non-stub compression (Most secure)
- Type-of-Service: Unchecked
- Ping settings:
- Inactive: 0
- Ping Method: keepalive – Use keepalive helper to define ping configuration
- Interval: 10
- Timeout: 60
- Advanced Configuration:
- Custom options: blank
- UDP Fast I/O: Unchecked
- Exit Notify: Disabled
- Send/Receive Buffer: Default
- Gateway creation: Both
- Verbosity level: default
- Click on the blue Save button.
Before moving on: If you won’t be able to easily access your Main Office pfSense device running your OpenVPN server while simultaneously accessing your Satellite Office pfSense device, stop and copy the Shared Key on your Main Office pfSense OpenVPN server by following the instructions below. If you will be able to access them both at the same time, move on to Step 2.
- Login to pfSense (At the MAIN OFFICE LOCATION!)
- Click on VPN→OpenVPN.
- Click on the Pencil icon to edit the Site_to_Site_OpenVPN (tun).
- Under the Cryptographic Settings copy the whole Shared Key that is in the dialogue box. (Click in there and do a Ctrl+A and then Ctrl+C)
- Paste the contents into a text file. Then Save that file.
- Make sure to delete or secure this key once you’re finished, as it could give anyone in its possession access to your network.
Part 2: Configure the Firewall Rules
- Login to pfSense
- Click on Firewall→Rules
- Within the WAN tab, click on the green Add button that is pointing UP.
- Fill out the following information:
- Edit the Firewall Rule
- Action: Pass
- Disabled: unchecked
- Interface: WAN
- Address Family: IPv4
- Protocol: UDP
- Source:
- Source: Invert match: unchecked » any
- Destination:
- Destination: Invert match: unchecked » WAN address
- Destination Port Range:
From: other» Custom: 1195 To: other» Custom: 1195
- Extra Option:
- Log: Unchecked
- Description: WAN for Site-to-Site OpenVPN on 1195
- Click the blue Save button.
- Click the green Apply changes button.
We need to add another rule.
- Click on the OpenVPN tab.
- Within the OpenVPN tab, click on the green Add button that is pointing UP.
- Fill out the following information:
- Edit the Firewall Rule
- Action: Pass
- Disabled: unchecked
- Interface: OpenVPN
- Address Family: IPv4
- Protocol: any
- Source:
- Source: Invert match: unchecked » any
- Destination:
- Destination: Invert match: unchecked » any
- Extra Option:
- Log: Unchecked
- Description: OpenVPN for Site-to-Site OpenVPN any – any
- Click the blue Save button.
- Click the green Apply changes button.
You are now finished with the pfSense Router on the main location. Move to the next steps of setting up the OpenVPN Client connection on the Satellite pfSense Router.
Step 2: Set up the pfSense device in your Satellite office to connect as an OpenVPN Client
These configuration changes need to be done on the Satellite Office pfSense device so it can connect back to the Main Office location.
Part 1: Set up the OpenVPN Client
- Login to pfSense (Satellite office)
- Click on VPN→OpenVPN
- Click on the Clients tab.
- Click on the green Add button.
- Fill out the following information:
- General Information:
- Disabled: Unchecked
- Server mode: Peer to Peer (Shared Key)
- Protocol: UDP on IPv4 only
- Device mode: tun – Layer 3 Tunnel Mode
- Interface: WAN
- Local Port: blank
- Server host or address: This is the public IP address of the Main Office location where your pfSense device is running the OpenVPN server. If the client does not have a static IP address from their ISP, it would be a good idea to set up a Dynamic DNS account (not covered in this document).
- Server port: 1195
- Proxy host or address: blank
- Proxy port: blank
- Proxy Authentication: none
- Description: Site_to_Site_OpenVPN
- Cryptographic Settings:
- Peer Certificate Authority: No selection needed
- Auto-generate: unchecked
- Shared Key: You will need to log back into the pfSense device at the Main Office location and copy the Shared Key and paste it into this box. You will find the Shared key by the following steps:
- Login to pfSense (At the MAIN OFFICE LOCATION!)
- Click on VPN→OpenVPN.
- Click on the Pencil icon to edit the Site_to_Site_OpenVPN (tun).
- Under the Cryptographic Settings, you will need to copy the whole Shared Key that is in the dialogue box. (Click in there and do a Ctrl+A and then Ctrl+C)
- Paste the Shared Key contents you just copied into the Satellite Office pfSense Shared Key dialogue box.
- Data Encryption Negotiation: Checked
- Data Encryption Algorithms:
- Available Data Encryption Algorithms (note: these are listed in the right-hand dialog box and are greyed out)
AES-256-GCM
AES-128-GCM
CHACHA20-POLY1305
- Fallback Data Encryption Algorithm: AES-256-CBC (256-bit key, 128-bit block)
- Auth digest algorithm: SHA256 (256-bit)
- Hardware Crypto: No Hardware Crypto Acceleration
- Tunnel Settings:
- IPv4 Tunnel Network: 10.0.1.0/24
- IPv6 Tunnel Network: blank
- IPv4 Remote network(s): 10.0.10.0/24
(Please note: this is the tutorial value. To adjust it for your own scenario, enter the subnet of your Main Office location. For example, if the Main Office device running pfSense with your OpenVPN server is on a 10.0.10.0/24 subnet and the Satellite Office device running pfSense with your OpenVPN client is on a 10.0.5.0/24 subnet, you would enter 10.0.10.0/24.)
- IPv6 Remote network(s): blank
- Limit outgoing bandwidth: blank
- Allow Compression: Refuse any non-stub compression (Most secure)
- Type-of-Service: Unchecked
- Don’t add/remove routes: Unchecked
- Ping settings:
- Inactive: 0
- Ping Method: keepalive – Use keepalive helper to define ping configuration
- Interval: 10
- Timeout: 60
- Advanced Configuration:
- Custom options: blank
- UDP Fast I/O: Unchecked
- Exit Notify: Disabled
- Send/Receive Buffer: Default
- Gateway creation: Both
- Verbosity level: default
- Click on the blue Save button
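Before saving, it is worth checking that the three subnets on both sides fit together: the two LANs and the tunnel network must not overlap, and each side’s Remote Network field must name the other side’s LAN. The following Python script is an added example, not part of this tutorial or of pfSense; it uses the tutorial’s addresses as constructed values, and its tunnel_endpoints helper assumes the peer-to-peer shared-key convention described in its comment.

```python
from ipaddress import ip_network

# Constructed plan using the tutorial's values; replace with your own addressing scheme.
PLAN = {
    "main_lan": "10.0.10.0/24",       # Main Office LAN (OpenVPN server side)
    "satellite_lan": "10.0.5.0/24",   # Satellite Office LAN (OpenVPN client side)
    "tunnel": "10.0.1.0/24",          # IPv4 Tunnel Network, identical on both sides
    "server_remote": "10.0.5.0/24",   # server's "IPv4 Remote Network(s)" field
    "client_remote": "10.0.10.0/24",  # client's "IPv4 Remote network(s)" field
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {}
    for name, value in plan.items():
        try:
            # strict=True rejects host bits, e.g. "10.0.10.1/24" instead of "10.0.10.0/24"
            nets[name] = ip_network(value, strict=True)
        except ValueError as err:
            problems.append(f"{name}: invalid network {value!r} ({err})")
    if len(nets) != len(plan):
        return problems  # cannot compare ranges until every field parses

    # 1. The two LANs and the tunnel network must not overlap, or the route OpenVPN
    #    installs for the remote side collides with a locally attached subnet.
    pairs = (("main_lan", "satellite_lan"), ("main_lan", "tunnel"), ("satellite_lan", "tunnel"))
    for a, b in pairs:
        if nets[a].overlaps(nets[b]):
            problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # 2. Each side's Remote Network field must name the *other* side's LAN.
    if nets["server_remote"] != nets["satellite_lan"]:
        problems.append("server IPv4 Remote Network(s) must be the Satellite Office LAN")
    if nets["client_remote"] != nets["main_lan"]:
        problems.append("client IPv4 Remote network(s) must be the Main Office LAN")
    return problems


def tunnel_endpoints(tunnel):
    """Tunnel-internal addresses as (server end, client end)."""
    # Assumption: peer-to-peer shared-key tun mode gives the server the first
    # usable address of the tunnel network and the client the second.
    hosts = ip_network(tunnel).hosts()
    return str(next(hosts)), str(next(hosts))


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan OK"]:
        print(line)
    print("tunnel endpoints (server, client):", tunnel_endpoints(PLAN["tunnel"]))
```

The tunnel endpoints are the addresses to ping first when troubleshooting, before testing LAN-to-LAN reachability.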
Part 2: Configure the Firewall Rules
- Login to pfSense (Satellite Office)
- Click on Firewall→Rules
- Within the WAN tab, click on the green Add button that is pointing UP.
- Fill out the following information:
- Edit the Firewall Rule
- Action: Pass
- Disabled: unchecked
- Interface: WAN
- Address Family: IPv4
- Protocol: UDP
- Source:
- Source: Invert match: unchecked » any
- Destination:
- Destination: Invert match: unchecked » WAN address
- Destination Port Range:
From: other» Custom: 1195 To: other» Custom: 1195
- Extra Option:
- Log: Unchecked
- Description: WAN for Site-to-Site OpenVPN on 1195
- Click the blue Save button.
- Click the green Apply changes button.
We need to add another rule.
- Click on the OpenVPN tab.
- Within the OpenVPN tab, click on the green Add button that is pointing UP.
- Fill out the following information:
- Edit the Firewall Rule
- Action: Pass
- Disabled: unchecked
- Interface: OpenVPN
- Address Family: IPv4
- Protocol: any
- Source:
- Source: Invert match: unchecked » any
- Destination:
- Destination: Invert match: unchecked » any
- Extra Option:
- Log: Unchecked
- Description: OpenVPN for Site-to-Site OpenVPN any – any
- Click the blue Save button.
- Click the green Apply changes button.
Testing the OpenVPN connection to see if it works.
- Login to pfSense on the Main office Router
- Click on Status→OpenVPN.
- If the OpenVPN connection is working you should see the IP address of the connected pfSense router at the Satellite location.
- Open a command prompt on a Windows machine at the Main Office and try pinging the local IP address of the Satellite Office device. In the example used in this tutorial, 10.0.10.1 was the IP of the Main location and 10.0.5.1 was the IP of the Satellite location, so we’ll ping 10.0.5.1.
- If you get a result back it means traffic is passing across the tunnel and the Main Office can see the Satellite office.
- Now you need to do the opposite. Open up a command prompt on a Windows machine that is at the Satellite office. Try pinging the Local IP address of the Main office router. In the example that we used for this tutorial 10.0.10.1 was the IP of the MAIN location and 10.0.5.1 was the location of the Satellite location. So we’ll ping 10.0.10.1.
- If you get a result back, it means traffic is passing across the tunnel in this direction too and the Satellite Office can see the Main Office.
Keep in mind that just because you can ping the routers at both ends, this doesn’t necessarily mean you will be able to see Windows machines and ping them. If a Windows machine does not have File and Print Sharing open in its Firewall settings you won’t be able to ping it.
Step 3: Resolving / Reaching devices over VPN by Hostname (DNS Resolution)
It’s likely you won’t be able to resolve or reach devices by hostname over your new Site-to-Site VPN without some adjustments. In other words, DNS is not working across the VPN. Here are some troubleshooting tips and scenarios.
Scenario #1: Windows Domain Environments where the DC is at the Main Office and the Satellite Office clients connect over the VPN to the Domain Controller (for resolving “local” DNS and getting their GPOs)
Note: This can also be done for Windows Workgroup environments, but it could lead to “Public/Private” network location changes on Windows 7, 8, and 10 computers. You may need to change the Windows network location type after a computer reboots so the previous Windows Firewall settings apply again.
Settings to Check below:
- Login to pfSense on the Main Office Router
- Click on the System→General Setup
- Note the entries you have in the System for:
- Hostname
- Domain
- Login to pfSense on the Satellite Office Router
- Click on the System→General Setup
- Enter the following under the System form:
- Hostname: This needs to be different from your Main Office Router hostname. (ex. if your Main Office Router’s hostname is simply “pfSense”, make your Satellite Office router “pfSense-Sat”)
- Domain: This needs to be exactly the same as your Main Office Router’s Domain.
- Once you make the needed changes click on the blue Save button at the bottom
- Release and renew the IP address on a workstation or device at the Satellite Office and try pinging something across the VPN. Try pinging the Main Office pfSense router via its hostname. Better yet, completely disable the Windows Firewall on a workstation at the Main Office and try pinging its hostname (ex. FredK-PC).
Scenario #2: Routers at both the Main and Satellite locations are on different Domains and for some networking/configuration issues they cannot be changed. (translation: Changing them would break something in your network)
Note: This change will only resolve fully qualified hostnames. This means if the computer “FredK-PC” is on the domain “mydomain.local” you could only resolve it by the fully qualified Domain name of “FredK-PC.mydomain.local”.
Settings to Check below:
- Login to pfSense on the Main Office Router
- Click on the System→General Setup
- Note the entry you have in the System for:
- Domain
- Login to pfSense on the Satellite Office Router
- Click on the Services→DNS Resolver (assuming you are using the DNS Resolver in pfSense)
- Scroll to the bottom and click the green Add button under Domain Overrides.
- Enter the following information
- Domain: This needs to be exactly the same as your Main Office Router’s Domain you noted.
- IP Address: The IP address of the Main Office router OR the Windows Domain Controller managing DNS at the Main Office.
- TLS Queries: Unchecked
- TLS Hostname: blank
- Description: DNS resolution to Main Router
- Once you make the needed changes click on the blue Save button at the bottom
- Try pinging something across the VPN. You should not need to release, renew, or flush the DNS cache on the workstation. Simply try pinging the Main Office pfSense router via its fully qualified hostname. Better yet, completely disable the Windows Firewall on a workstation at the Main Office and try pinging its fully qualified hostname (ex. FredK-PC.mydomain.local).
- To resolve DNS in the other direction, from the Main Office to the Satellite Office, repeat the above process on the Main Office router and add a Domain Override for the Satellite Office’s domain.