Site-to-site VPN with OpenVPN on pfSense

1. abstract

This tutorial covers the setup of a site-to-site VPN connection between two pfSenses with OpenVPN.

It is described:

• The necessary requirements for the OpenVPN connection
• The creation of the OpenVPN connection.
• Testing the OpenVPN connection

2. tutorial

2.0 Specifications

The following are required to complete this tutorial:

• Two pfSenses that are connected to the Internet
• Access to the web interface of the pfSenses
• Access to a PC for saving pfSense files
• Basic knowledge of how to use a pfSense

2.1 Create certificate structure on server

First you need to create some certificates on the OpenVPN server. This is required to create the connection.

First create a „Certificate Authority“. To do this, go to „System → Certificates → Authorities“. Now click on „+ Add“

You will now be taken to the following settings.

Enter the following values:

Descriptive name: (Any name here)

Method: Create an Internal Certificate Authority

Randomise Serial: Tick the box

Lifetime (days): 3650

Common Name: (Any name here)

The values „Country Code, State or Province etc.“ can be filled in, but are not mandatory.

After you have filled in the values, click on „Save“.

Now you need to create a server certificate. To do this, go to „Certificates“and then click on „+ Add/Sign“.

You will now be taken to the following settings.

Enter the following values:

Descriptive name: (Any name here)

Certificate authority: The CA you just created.

Lifetime (days): 3650

Common Name: (Any name here)

The values „Country Code, State or Province etc.“ can be filled in, but are not mandatory.

Certificate Type: Select „Server Certificate“

After you have filled in the values, click on „Save“.

Now you need to create a user certificate. To do this, go to „Certificates“and then click on „+ Add/Sign“.

You will now be taken to the following settings.

Enter the following values:

Descriptive name: (Any name here)

Certificate authority: The CA you just created.

Lifetime (days): 3650

Common Name: (Any name here)

The values „Country Code, State or Province etc.“ can be filled in, but are not mandatory.

Certificate Type: Select „User Certificate“

After you have filled in the values, click on „Save“.

All the necessary certificates have now been created. They now need to be exported so that they can be uploaded to the client firewall.

Go to „CAs“ and click on next to the previously created CA to export the CA.

Go back to „Certificates“. Click on next to the client certificate you created earlier to export the client certificate.

Click on next to the previously created client certificate to export the key of the client certificate

Once everything has been exported, it should look like this:

Keep them, because you will need them afterwards.

2.2 Create OpenVPN server

Now that the certificates have been created, the server can be set up.

To do this, go to „ VPN → OpenVPN → Servers“. Then click on „+ Add“.

You will now be taken to the following settings,

Enter the following values:

Description: (common name)

Sever mode: Peer to Peer ( SSL/TLS )

Device mode: tun - Layer 3 Tunnel Mode

Protocol: UDP on IPv4 only

Interface: WAN

Local port: 1195 (If more servers need to be created, simply use more ports from 1195)

TLS Configuration: Tick the boxes next to „Use a TLS Key“ and „Automatically generate a TLS Key.“

Peer Certificate Authority: Select the CA that you created earlier.

Server Certificate: Select the server certificate that you created earlier.

IPv4 Tunnel Network: Enter an IP address with subnet /30

IPv4 Local network(s):

Enter the network address of the networks from which the client is authorised to access here. (e.g. VLAN 10 IP: 172.16.10.1 = Network address: 172.16.10.0) If there are several networks, separate the network address with a comma.

This then looks something like this:

IPv4 Remote network(s): Same as for „Local network(s)“ Instead, these are the networks from which the server can access

Then click on „Save“

Following this, click on to edit the OpenVPN server. Scroll down to the box „TLS Key“. It looks like this:

Now copy the entire contents of the box and paste it into a text file. What you have just copied is the TLS key. This is required for the client instance. It is therefore best to save the text file with the certificates you downloaded earlier.

2.3 Configuring firewall rules on the server

Almost everything necessary has now been set up on the server. You still need to configure the necessary firewall rules.

Firstly, configure the WAN rule. This is required so that the client firewall can connect to the server.

Go to „Firewall → Rules → WAN“. Click on „^Add“.

You will now be taken to the rule creation interface.

Enter the following values:

„Protocol:„ Select „UDP“ from the list.

„Source:„ Select „any“ from.

„Destination:„ Select „WAN address“ from the list.

„Destination Port Range:„ Enter the port specified in the OpenVPN server.

„Description:„ Enter a description of your choice.

Then click on „Save“

Now you need to configure the OpenVPN rule.

To do this, go to „Firewall → Rules → OpenVPN“. Then click on „^Add“.

You will land in the rule creation interface again.

Enter the following values here:

„Protocol:„ Select „any“ from the list.

„Source:„ Select „any“ from.

„Destination:„ Select „any from.

„Description:„ Enter a description of your choice.

Click on „Save“

Do not forget to click on „Apply Changes“ afterwards!

Note: The above rule allows all VLANs and clients that can run via OpenVPN to access OpenVPN from anywhere to anywhere. This is not a problem when setting up a VPN tunnel for the first time. For productive use, however, it is recommended to delete this rule and instead regulate it with rules similar to those on the usual interfaces.

All the necessary parameters are now configured on the server.

2.4 Set up certificates on the client firewall

You have now configured everything you need for the server. Now it's time for the client firewall.

Important: Remember that the certificates that were created earlier must be uploaded to the client firewall. Therefore, try to ensure that you can use the certificates on the device via which you access the client firewall.

Log in to the client firewall.

Navigate to „System → Cert. Manager → CAs“.

Click on “+Add“

You will land back in CA creation mode.

Enter the following values.

„Descriptive name:„ Enter a name of your choice.

„Method:„ Select „Import an existing Certificate Authority“ from the list.

„Certificate data:„ Open the CA you have exported in a text editor. It will look like this.

Copy the entire content into the box „Certificate data“ box.

Then click on „Save“ ..

Now navigate to „System → Cert. Manager → Certificates“. Click on “+Add“.

You will land on the following screen.

Enter the following values.

„Method:„ Select „Import an existing certificate“.

„Descriptive Name:„ Enter a name of your choice here.

„Certificate data:„ Open the client certificate that you have exported in a text editor here.

Copy the entire content into the box, „Certificate data“.

„Private key data:„ Open the client certificate private key that you have exported in a text editor.

Copy the entire content into the box, „Private key data“.

Then click on „Save“.

2.5 Creating an OpenVPN client instance and configuring firewall rules

Now that the necessary certificates have been imported, the client VPN instance can be opened.

Navigate to: „VPN → OpenVPN → Clients“. Click on “+Add“

You will land in the following configuration.

Enter the following values:

„Server mode:„ Select „Peer to Peer ( SSL/TLS )„

„Device mode:„ Select „tun - Layer 3 Tunnel Mode“

„Interface:„ Select „WAN“ from the list.

„Server host or address:„ Enter the WAN IP address of the server.

„Server port“ The port you entered in the server instance.

„Description:„ Enter a description of your choice here.

„TLS Configuration:„ Select „Automatically generate a TLS key“ from.

„TLS Key:„ Open the text document with the TLS key and copy the entire content into the text box.

„Peer Certificate Authority:„ Select the previously imported CA.

„Client Certificate:„ Select the previously imported client certificate.

„IPv4 Tunnel Network:„ Enter the same address here as in the server.

„IPv4 Remote network(s):„ As with the server, enter the network addresses of the networks that the client can access here

Click on „Save“

Finally, you must configure the firewall rules on the client.

To do this, go to „Firewall → Rules → OpenVPN“. Then click on „^Add“.

You will land in the rule creation interface.

Enter the following values here:

„Protocol:„ Select „any“ from the list.

„Source:„ Select „any“ from.

„Destination:„ Select „any from.

„Description:„ Enter a description of your choice.

Click on „Save“

Don't forget to click on „Apply Changes“ afterwards!

Note: Follow the same instructions as for the OpenVPN rule on the server.

All necessary parameters are now also configured on the client

2.6 Testing the OpenVPN connection

Everything is now set up. Now test whether the connection works.

To do this, go to one of the two pfSenses on „Stauts → OpenVPN“.

When the connection is running, the following message should appear:

If this is the case, test the connection in a further step.

Try pinging between a network on the two pfSenses, e.g. VLAN 1 (pfSense1) → VLAN 1 (pfSense2).

If the ping was successful, the OpenVPN tunnel is working properly and you have successfully completed this tutorial!

3. source directory

Here you can find the necessary sources that were used to create this documentation.

Official documentation from Netgate: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html

Flurin Pudill