Setting Up OpenVPN Between Two Sites
In this guide we will set up an OpenVPN site-to-site link between two locations, assuming both have static public IPs. A routed tunnel network between the two sites will carry the traffic between their LANs.
This guide connects two separate, non-overlapping subnets across two public IP interfaces.
We will be using Netgate pfSense devices on both sides of the tunnel.
Notes:
- The main office will be on 192.168.100.0/24
- The main office is getting its public IP address on the WAN interface
- The remote site will be on 192.168.200.0/24
- The remote office is getting its public IP address on the WAN interface
Setting Up the Server
This is for the Main Office location
- Go to OpenVPN -> Servers -> Add
General Information
- Disabled: Uncheck
- Server mode: Peer to Peer (Shared Key)
- Protocol: UDP on IPv4 only
- Device mode: tun - Layer 3 Tunnel Mode
- Interface: WAN
- Local port: 1195
- Description: OpenVPN Server for Remote Site
Cryptographic Settings
- Shared Key: # 2048 bit OpenVPN static key (You may need to generate one)
- Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block)
- Enable NCP: Uncheck
- NCP Algorithms: AES-128-GCM, AES-256-GCM
- Auth digest algorithm: SHA256 (256-bit)
- Hardware Crypto: No Hardware Crypto Acceleration
Tunnel Settings
- IPv4 Tunnel Network: 10.13.37.0/30
- IPv6 Tunnel Network: Blank
- IPv4 Remote Network(s): 192.168.200.0/24
- IPv6 Remote Network(s): Blank
- Concurrent connections: 2
- Compression: Omit Preference (Use OpenVPN Default)
- Type-of-Service: Uncheck
Advanced Configuration
- Custom options: Blank
- UDP Fast I/O: Uncheck
- Send/Receive Buffer: Default
- Gateway creation: IPv4 only
- Verbosity Level: 5
Setting Up the Client
This is for the Remote Office
- Go to OpenVPN -> Clients -> Add
General Information
- Disabled: Uncheck
- Server mode: Peer to Peer (Shared Key)
- Protocol: UDP on IPv4 only
- Device mode: tun - Layer 3 Tunnel Mode
- Interface: WAN
- Local port: Blank
- Server host or address: Public IP of Main Site
- Server port: 1195
- Proxy host or address: Blank
- Proxy port: Blank
- Proxy Authentication: none
- Description: OpenVPN Client for Main Site
Cryptographic Settings
- Peer Certificate Authority: No Certificate Authorities defined
- Auto generate: Uncheck
- Shared Key: # 2048 bit OpenVPN static key (Copy and paste generated key from server)
- Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block)
- Enable NCP: Uncheck
- NCP Algorithms: AES-128-GCM, AES-256-GCM
- Auth digest algorithm: SHA256 (256-bit)
- Hardware Crypto: No Hardware Crypto Acceleration
Tunnel Settings
- IPv4 Tunnel Network: 10.13.37.0/30
- IPv6 Tunnel Network: Blank
- IPv4 Remote Network(s): 192.168.100.0/24
- IPv6 Remote Network(s): Blank
- Limit outgoing bandwidth: Blank
- Compression: Omit Preference (Use OpenVPN Default)
- Type-of-Service: Uncheck
- Don’t add/remove routes: Uncheck
Advanced Configuration
- Custom options: Blank
- UDP Fast I/O: Uncheck
- Send/Receive Buffer: Default
- Gateway creation: IPv4 only
- Verbosity Level: 5
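Before saving both halves, it is worth checking that the server and client settings above actually mirror each other. The script below is an added example and not part of this guide; the dict keys are my own names for the GUI fields, and the values are the ones the guide enters.

```python
# Added example, not from the guide: cross-check the server (Main Office) and
# client (Remote Office) halves of the shared-key tunnel before committing them.
import ipaddress
SERVER = {  # values entered under OpenVPN -> Servers
    "mode": "p2p_shared_key", "proto": "udp4", "port": 1195,
    "cipher": "AES-128-CBC", "digest": "SHA256", "ncp": False,
    "tunnel": "10.13.37.0/30", "local_lan": "192.168.100.0/24",
    "remote_nets": ["192.168.200.0/24"],
}
CLIENT = {  # values entered under OpenVPN -> Clients
    "mode": "p2p_shared_key", "proto": "udp4", "server_port": 1195,
    "cipher": "AES-128-CBC", "digest": "SHA256", "ncp": False,
    "tunnel": "10.13.37.0/30", "local_lan": "192.168.200.0/24",
    "remote_nets": ["192.168.100.0/24"],
}

def check_site_to_site(server, client):
    """Return a list of problems; an empty list means the two halves agree."""
    net = ipaddress.ip_network
    problems = []
    # With NCP disabled nothing is negotiated, so mode, transport, cipher
    # and digest have to be identical on both peers.
    for key in ("mode", "proto", "cipher", "digest", "ncp"):
        if server[key] != client[key]:
            problems.append(f"{key} differs: {server[key]} vs {client[key]}")
    if server["port"] != client["server_port"]:
        problems.append("client Server port does not match server Local port")
    # The tunnel network must be the same on both sides; a /30 leaves exactly
    # two usable addresses, one per peer, which is all a p2p tunnel needs.
    tun_s, tun_c = net(server["tunnel"]), net(client["tunnel"])
    if tun_s != tun_c:
        problems.append(f"tunnel networks differ: {tun_s} vs {tun_c}")
    if tun_s.prefixlen > 30:
        problems.append(f"tunnel network {tun_s} has no room for two peers")
    # Each side's 'IPv4 Remote Network(s)' must be exactly the other side's LAN.
    s_lan, c_lan = net(server["local_lan"]), net(client["local_lan"])
    if [net(n) for n in server["remote_nets"]] != [c_lan]:
        problems.append("server remote networks do not match the client LAN")
    if [net(n) for n in client["remote_nets"]] != [s_lan]:
        problems.append("client remote networks do not match the server LAN")
    # Routed (tun) site-to-site only works if LANs and tunnel do not overlap.
    nets = [s_lan, c_lan, tun_s]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlap: {a} and {b}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_site_to_site(SERVER, CLIENT) or ["OK: both halves agree"]))
```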
Enabling the New Interface on the Server
This is for the Main Site
- Go to Interfaces -> Assignments
OPT5
We will assume the next available interface is OPT5.
- Click Add to assign the available network port (ovpns1) as the new interface
- Click the interface
General Configuration
- Enable: Check
- Description: OPT5OPENVPN
- IPv4 Configuration Type: None
- IPv6 Configuration Type: None
- MAC Address: Blank
- MTU: Blank
- MSS: Blank
Reserved Networks
- Block private networks and loopback addresses: Uncheck
- Block bogon networks: Uncheck
Enabling the New Interface on the Client
This is for the Remote Site
- Go to Interfaces -> Assignments
OPT5
We will assume the next available interface is OPT5.
- Click Add to assign the available network port (ovpnc1) as the new interface
- Click the interface
General Configuration
- Enable: Check
- Description: OPT5OPENVPN
- IPv4 Configuration Type: None
- IPv6 Configuration Type: None
- MAC Address: Blank
- MTU: Blank
- MSS: Blank
Reserved Networks
- Block private networks and loopback addresses: Uncheck
- Block bogon networks: Uncheck
Configuring Firewall Rules on the Server
This is for the Main Office
- Go to Firewall -> Rules
WAN Firewall Rules
- Go to WAN
Block WAN SSH Traffic
- Click Add (to bottom)
- Action: Block
- Disabled: Uncheck
- Interface: WAN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Destination Port Range: From: SSH(22) To: SSH(22)
- Log: Uncheck
- Description: Block SSH WAN
- No Advanced Options
Block WAN HTTPS Traffic
- Click Add (to bottom)
- Action: Block
- Disabled: Uncheck
- Interface: WAN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Destination Port Range: From: HTTPS(443) To: HTTPS(443)
- Log: Uncheck
- Description: Block HTTPS WAN
- No Advanced Options
Block WAN HTTP Traffic
- Click Add (to bottom)
- Action: Block
- Disabled: Uncheck
- Interface: WAN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Destination Port Range: From: HTTP(80) To: HTTP(80)
- Log: Uncheck
- Description: Block HTTP WAN
- No Advanced Options
Allow ANY Traffic
- Click Add (to bottom)
- Action: Pass
- Disabled: Uncheck
- Interface: WAN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Log: Uncheck
- Description: Allow any and all IPv4
- No Advanced Options
NOTE: Firewall rules are evaluated from top to bottom and the first match wins, so make sure the pass rule is at the bottom; otherwise the three block rules above it would never be reached.
LAN Firewall Rules
Allow ANY Traffic
- Click Add (to bottom)
- Action: Pass
- Disabled: Uncheck
- Interface: LAN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Log: Uncheck
- Description: Allow any and all IPv4
- No Advanced Options
OPT5OPENVPN Firewall Rules
Allow ANY Traffic
- Click Add (to bottom)
- Action: Pass
- Disabled: Uncheck
- Interface: OPT5OPENVPN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Log: Uncheck
- Description: Allow any and all IPv4
- No Advanced Options
OpenVPN Firewall Rules
Block DHCP Traffic
- Click Add (to bottom)
- Action: Block
- Disabled: Uncheck
- Interface: OpenVPN
- Address Family: IPv4
- Protocol: UDP
- Source: Uncheck, any
- Destination: Uncheck, any
- Destination Port Range: From: (other) Custom: 67, To: (other) Custom: 68
- Log: Uncheck
- Description: Block UDP 67 68 DHCP
- No Advanced Options
Allow ANY Traffic
- Click Add (to bottom)
- Action: Pass
- Disabled: Uncheck
- Interface: OpenVPN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Log: Uncheck
- Description: Allow any and all IPv4
- No Advanced Options
Configuring Firewall Rules on the Client
This is for the Remote Office
- Go to Firewall -> Rules
WAN Firewall Rules
- Go to WAN
Block WAN SSH Traffic
- Click Add (to bottom)
- Action: Block
- Disabled: Uncheck
- Interface: WAN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Destination Port Range: From: SSH(22) To: SSH(22)
- Log: Uncheck
- Description: Block SSH WAN
- No Advanced Options
Block WAN HTTPS Traffic
- Click Add (to bottom)
- Action: Block
- Disabled: Uncheck
- Interface: WAN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Destination Port Range: From: HTTPS(443) To: HTTPS(443)
- Log: Uncheck
- Description: Block HTTPS WAN
- No Advanced Options
Block WAN HTTP Traffic
- Click Add (to bottom)
- Action: Block
- Disabled: Uncheck
- Interface: WAN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Destination Port Range: From: HTTP(80) To: HTTP(80)
- Log: Uncheck
- Description: Block HTTP WAN
- No Advanced Options
Allow ANY Traffic
- Click Add (to bottom)
- Action: Pass
- Disabled: Uncheck
- Interface: WAN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Log: Uncheck
- Description: Allow any and all IPv4
- No Advanced Options
NOTE: Firewall rules are evaluated from top to bottom and the first match wins, so make sure the pass rule is at the bottom; otherwise the three block rules above it would never be reached.
LAN Firewall Rules
Allow ANY Traffic
- Click Add (to bottom)
- Action: Pass
- Disabled: Uncheck
- Interface: LAN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Log: Uncheck
- Description: Allow any and all IPv4
- No Advanced Options
OPT5OPENVPN Firewall Rules
Allow ANY Traffic
- Click Add (to bottom)
- Action: Pass
- Disabled: Uncheck
- Interface: OPT5OPENVPN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Log: Uncheck
- Description: Allow any and all IPv4
- No Advanced Options
OpenVPN Firewall Rules
Block DHCP Traffic
- Click Add (to bottom)
- Action: Block
- Disabled: Uncheck
- Interface: OpenVPN
- Address Family: IPv4
- Protocol: UDP
- Source: Uncheck, any
- Destination: Uncheck, any
- Destination Port Range: From: (other) Custom: 67, To: (other) Custom: 68
- Log: Uncheck
- Description: Block UDP 67 68 DHCP
- No Advanced Options
Allow ANY Traffic
- Click Add (to bottom)
- Action: Pass
- Disabled: Uncheck
- Interface: OpenVPN
- Address Family: IPv4
- Protocol: TCP
- Source: Uncheck, any
- Destination: Uncheck, any
- Log: Uncheck
- Description: Allow any and all IPv4
- No Advanced Options
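The NOTE about top-to-bottom evaluation, worked through as an added Python example that is not part of this guide: it replays the WAN tab's rule list through a first-match evaluator and flags any block rule shadowed by a pass rule above it. It also shows where the tunnel's own UDP 1195 traffic lands, since the pass rule as written is TCP-only and pfSense blocks WAN traffic that matches no rule. The Rule fields and the packets are constructed to mirror the page.

```python
# Added example, not from the guide: replay the WAN tab's rule list through a
# first-match evaluator, which is how pfSense applies rules top to bottom.
from typing import Optional, NamedTuple

class Rule(NamedTuple):
    action: str            # "block" or "pass"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches every destination port
    descr: str

# The guide's WAN rules in the order it says they must end up.
WAN_RULES = [
    Rule("block", "tcp", 22, "Block SSH WAN"),
    Rule("block", "tcp", 443, "Block HTTPS WAN"),
    Rule("block", "tcp", 80, "Block HTTP WAN"),
    Rule("pass", "tcp", None, "Allow any and all IPv4"),
]

def matches(rule, proto, dport):
    return rule.proto in ("any", proto) and rule.dport in (None, dport)

def evaluate(rules, proto, dport):
    """Return (action, description) of the first rule the packet matches.
    pfSense ends every WAN rule set with an implicit deny, so a packet that
    matches nothing is reported as blocked by 'default deny'."""
    for r in rules:
        if matches(r, proto, dport):
            return r.action, r.descr
    return "block", "default deny"

def audit(rules):
    """Findings a reviewer would want before saving the tab."""
    findings = []
    # A block rule below a pass rule that already matches its traffic is
    # shadowed and never fires; this is the NOTE's point about ordering.
    for i, r in enumerate(rules):
        if r.action != "block":
            continue
        for earlier in rules[:i]:
            if earlier.action == "pass" and matches(earlier, r.proto, r.dport):
                findings.append(f"'{r.descr}' is shadowed by '{earlier.descr}'")
    # The tunnel itself arrives on UDP 1195 (the server's Local port); the pass
    # rule is TCP-only, so show where that traffic actually lands.
    action, descr = evaluate(rules, "udp", 1195)
    if action != "pass":
        findings.append(f"OpenVPN UDP/1195 is not passed (hit: {descr})")
    return findings

if __name__ == "__main__":
    for line in audit(WAN_RULES) or ["no findings"]:
        print(line)
```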
Restart the OpenVPN Service
- Go to Status -> OpenVPN
- Restart the Service