Setting Up Openvpn Between Two Sites

In this guide we will be setting up an openvpn network between two sites (assuming they both have static IPs). We will be creating a tunnel network between the two sites that allows traffic to pass.

This guide is for bridging two separate subnets with no overlap across two public IP interfaces.

We will be using Netgate PfSense devices on both sides of the tunnel.

Notes:

The main office will be on 192.168.100.0/24
- The main office is getting its public IP address on the WAN interface
The remote site will be on 192.168.200.0/24
- The remote office is getting its public IP address on the WAN interface

Setting Up the Server

This is for the Main Office location

Go to OpenVPN -> Servers -> Add

General Information

Disabled: Uncheck
Server mode: Peer to Peer (Shared Key)
Protocol: UDP on IPv4 only
Device mode: tun - Layer 3 Tunnel Mode
Interface: WAN
Local port: 1195
Description: OpenVPN Server for Remote Site

Cryptographic Settings

Shared Key: # 2048 bit OpenVPN static key (You may need to generate one)
Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block)
Enable NCP: Uncheck
NCP Algorithms: AES-128-GCM, AES-256-GCM
Auth digest algorithm: SHA256 (256-bit)
Hardware Crypto: No Hardware Crypto Acceleration

Tunnel Settings

IPv4 Tunnel Network: 10.13.37.0/30
IPv6 Tunnel Network: Blank
IPv4 Remote Network(s): 192.168.200.0/24
IPv6 Remote Network(s): Blank
Concurrent connections: 2
Compression: Omit Preference (Use OpenVPN Default)
Type-of-Service: Uncheck

Advanced Configuration

Custom options: Blank
UDP Fast I/O: Uncheck
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity Level: 5

Setting Up the Client

This is for the Remote Office

Go to OpenVPN -> Clients -> Add

General Information

Disabled: Uncheck
Server mode: Peer to Peer (Shared Key)
Protocol: UDP on IPv4 only
Device mode: tun - Layer 3 Tunnel Mode
Interface: WAN
Local port: Blank
Server host or address: Public IP of Main Site
Server port: 1195
Proxy host or address: Blank
Proxy port: Blank
Proxy Authentication: none
Description: OpenVPN Client for Main Site

Cryptographic Settings

Peer Certificate Authority: No Certificate Authorities defined
Auto generate: Uncheck
Shared Key: # 2048 bit OpenVPN static key (Copy and paste generated key from server)
Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block)
Enable NCP: Uncheck
NCP Algorithms: AES-128-GCM, AES-256-GCM
Auth digest algorithm: SHA256 (256-bit)
Hardware Crypto: No Hardware Crypto Acceleration

Tunnel Settings

IPv4 Tunnel Network: 10.13.37.0/30
IPv6 Tunnel Network: Blank
IPv4 Remote Network(s): 192.168.100.0/24
IPv6 Remote Network(s): Blank
Limit outgoing bandwidth: Blank
Compression: Omit Preference (Use OpenVPN Default)
Type-of-Service: Uncheck
Don’t add/remove routes: Uncheck

Advanced Configuration

Custom options: Blank
UDP Fast I/O: Uncheck
Send/Receive Buffer: Default
Gateway creation: IPv4 only
Verbosity Level: 5

Enabling the New Interface on the Server

This is for the Main Site

Go to Interfaces -> Assignments

OPT5

We will assume the next available interface is OPT5.

Click add to add the interface to the available network port (ovpns1)
Click the interface

General Configuration

Enable: Check
Description: OPT5OPENVPN
IPv4 Configuration Type: None
IPv6 Configuration Type: None
MAC Address: Blank
MTU: Blank
MSS: Blank

Reserved Networks

Block private networks and loopback addresses: Uncheck
Block bogon networks: Uncheck

Enabling the New Interface on the Client

This is for the Remote Site

Go to Interfaces -> Assignments

OPT5

We will assume the next available interface is OPT5.

Click add to add the interface to the available network port (ovpnc1)
Click the interface

General Configuration

Enable: Check
Description: OPT5OPENVPN
IPv4 Configuration Type: None
IPv6 Configuration Type: None
MAC Address: Blank
MTU: Blank
MSS: Blank

Reserved Networks

Block private networks and loopback addresses: Uncheck
Block bogon networks: Uncheck

Configuring Firewall Rules on the Server

This is for the Main Office

Go to Firewall -> Rules

WAN Firewall Rules

Go to WAN

Block WAN SSH Traffic

Click Add (to bottom)
1. Action: Block
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Destination Port Range: From: SSH(22) To: SSH(22)
9. Log: Uncheck
10. Description: Block SSH WAN
11. No Advanced Options

Block WAN HTTPS Traffic

Click Add (to bottom)
1. Action: Block
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Destination Port Range: From: HTTPS(443) To: HTTPS(443)
9. Log: Uncheck
10. Description: Block HTTPS WAN
11. No Advanced Options

Block WAN HTTP Traffic

Click Add (to bottom)
1. Action: Block
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Destination Port Range: From: HTTP(80) To: HTTP(80)
9. Log: Uncheck
10. Description: Block HTTP WAN
11. No Advanced Options

Allow ANY Traffic

Click Add (to bottom)
1. Action: Pass
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Log: Uncheck
9. Description: Allow any and all IPv4
10. No Advanced Options

NOTE: Firewall Rules are evaluated from top -> bottom, so ensure the allow rule is on the bottom in order for the first three rules we made to actually do anything

LAN Firewall Rules

Allow ANY Traffic

Click Add (to bottom)
1. Action: Pass
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Log: Uncheck
9. Description: Allow any and all IPv4
10. No Advanced Options

OPT5OPENVPN Firewall Rules

Allow ANY Traffic

Click Add (to bottom)
1. Action: Pass
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Log: Uncheck
9. Description: Allow any and all IPv4
10. No Advanced Options

OpenVPN Firewall Rules

Block DHCP Traffic

Click Add (to bottom)
1. Action: Block
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: UDP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Destination Port Range: From: (other) Custom: 67, To: (other) Custom: 68
9. Log: Uncheck
10. Description: Block UDP 67 68 DHCP
11. No Advanced Options

Allow ANY Traffic

Click Add (to bottom)
1. Action: Pass
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Log: Uncheck
9. Description: Allow any and all IPv4
10. No Advanced Options

Configuring Firewall Rules on the Client

This is for the Remote Office

Go to Firewall -> Rules

WAN Firewall Rules

Go to WAN

Block WAN SSH Traffic

Click Add (to bottom)
1. Action: Block
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Destination Port Range: From: SSH(22) To: SSH(22)
9. Log: Uncheck
10. Description: Block SSH WAN
11. No Advanced Options

Block WAN HTTPS Traffic

Click Add (to bottom)
1. Action: Block
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Destination Port Range: From: HTTPS(443) To: HTTPS(443)
9. Log: Uncheck
10. Description: Block HTTPS WAN
11. No Advanced Options

Block WAN HTTP Traffic

Click Add (to bottom)
1. Action: Block
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Destination Port Range: From: HTTP(80) To: HTTP(80)
9. Log: Uncheck
10. Description: Block HTTP WAN
11. No Advanced Options

Allow ANY Traffic

Click Add (to bottom)
1. Action: Pass
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Log: Uncheck
9. Description: Allow any and all IPv4
10. No Advanced Options

NOTE: Firewall Rules are evaluated from top -> bottom, so ensure the allow rule is on the bottom in order for the first three rules we made to actually do anything

LAN Firewall Rules

Allow ANY Traffic

Click Add (to bottom)
1. Action: Pass
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Log: Uncheck
9. Description: Allow any and all IPv4
10. No Advanced Options

OPT5OPENVPN Firewall Rules

Allow ANY Traffic

Click Add (to bottom)
1. Action: Pass
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Log: Uncheck
9. Description: Allow any and all IPv4
10. No Advanced Options

OpenVPN Firewall Rules

Block DHCP Traffic

Click Add (to bottom)
1. Action: Block
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: UDP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Destination Port Range: From: (other) Custom: 67, To: (other) Custom: 68
9. Log: Uncheck
10. Description: Block UDP 67 68 DHCP
11. No Advanced Options

Allow ANY Traffic

Click Add (to bottom)
1. Action: Pass
2. Disabled: Uncheck
3. Interface: WAN
4. Address Family: IPv4
5. Protocol: TCP
6. Source: Uncheck, any
7. Destination: Uncheck, any
8. Log: Uncheck
9. Description: Allow any and all IPv4
10. No Advanced Options

Restart the OpenVPN Service

Go to Status -> OpenVPN
Restart the Service