Routing Internet traffic through a site-to-site OpenVPN-connection in PfSense software version 2.1

This article shows how to create a site-to-site connection using OpenVPN and how to route the Internet connection of site A through site B using pfSense® software.

../../_images/ipsec-s2s-vork-00.png

This is effectively the same as using an IPsec site-to-site connection except that we’ll be using OpenVPN instead of IPsec. Using OpenVPN as the ‘back-end’ means we need to set up one side as a server and the other as the client. It doesn’t matter which one is which but if more than two sites are connected in a star topology it seems natural to use the center of the star as the server. The server also needs to have a dedicated port mapped to it if it’s behind another router, or is must reside in its DMZ.

For the purpose of this article:

  • Site A is a branch office, LAN subnet 192.168.10.0/24

  • Site B is the main office through which all Internet traffic is routed, 192.168.20.0/24

Set up OpenVPN at Site B

From the VPN menu choose OpenVPN. On the page under the Server tab, click the + button to create a new OpenVPN server.

../../_images/openvpn-s2s-vork-01.png

Enter these values:

Server Mode

Peer to Peer (Shared Key)

Protocol

UDP

Device Mode

tun

Interface

WAN

Local port

9876

1194 is the default OpenVPN port. It doesn’t hurt to change it to another number to add some security through obscurity. Any unused port number may be used but we’ll stick to 9876 in this article.

Description

Site-to-site

Shared Key

Checked

Encryption algorithm

AES-256-CBC (256-bit)

Hardware Crypto

No Hardware Crypto Acceleration unless it is needed for this hardware.

If in doubt, select ‘No Hardware Crypto Acceleration’.

IPv4 Tunnel Network

192.168.204.0/30

Choose a subnet that’s not in use in any of the current LANs. This will be used internally by OpenVPN. We’re using 192.168.204.0/30 here but any private range will do. The /30 mask is because OpenVPN will only use one IP address per site. We’re connecting two sites so two addresses will suffice. /24 will work but is overkill.

IPv6 Tunnel Network

leave empty

IPv4 Local Network/s

192.168.20.0/24

Site B’s subnet

IPv6 Local Network/s

leave empty

IPv4 Remote Network/s

192.168.10.0

Site A’s subnet

IPv6 Remote Network/s

leave empty

Concurrent connections

leave empty

Compression

Check if the bulk of the data transferred will be uncompressed data, like Office documents. Leave unchecked if the bulk is already compressed, like divx films. Routers on faster hardware can compress faster.

Type-of-Service

unchecked

Duplicate Connections

unchecked

Advanced

leave empty

../../_images/openvpn-s2s-vork-02.png

Click Save.

Note that our Site-to-site OpenVPN server is now shown in the Server overview. Click the edit button to the right of the server.

../../_images/openvpn-s2s-vork-03.png

Note that in the Cryptographic Settings section, a Shared Key is now shown. Copy all text in the Shared Key text field, including the first lines beginning with # and the last line ending in —–.

../../_images/openvpn-s2s-vork-04.png

Configure firewall rules at Site B

From the Firewall menu, choose Rules. Open the WAN tab, unless using a different interface for the VPN connection. Click on the + button to add a new rule.

../../_images/openvpn-s2s-vork-05.png

Enter these values:

Action

Pass

Disabled

not checked

Interface

WAN

TCP/IP Version

IPv4

Protocol

UDP

Source

any

Destination

Type: WAN address

Destination port range

from: (other) 9876 to: (other)

Log

not checked

Description

Site-to-site VPN

../../_images/openvpn-s2s-vork-06.png

Click Save and on the next page click Apply changes.

../../_images/openvpn-s2s-vork-07.png

Click on the OpenVPN tab. We’ll now add a rule to allow traffic through the OpenVPN connection. Click on the + button add a rule.

../../_images/openvpn-s2s-vork-08.png

Enter these values:

Action

Pass

Disabled

not checked

Interface

OpenVPN

TCP/IP Version

IPv4

Protocol

any

Source

any

Destination

any

Log

not checked

Description

Allow everything through OpenVPN

../../_images/openvpn-s2s-vork-09.png

Click Save and on the next page Apply Changes.

../../_images/openvpn-s2s-vork-16.png

Set up outbound NAT at Site B

From the Firewall menu, choose NAT and click on the Outbound tab. Select Manual Outbound NAT rule generation (AON – Advanced Outbound NAT) and click Save. On the next page, click Apply Changes.

../../_images/openvpn-s2s-vork-10.png

A couple of rules are generated automatically but we need to add a NAT entry for Site A’s subnet. Click on the + button.

../../_images/openvpn-s2s-vork-11.png

Enter these values:

Do not NAT

not checked

Interface

WAN

Unless using a different interface for the VPN

Protocol

any

Source

Type: Network Address: 192.168.10.0/24 Source port: leave empty

Site A’s subnet

Destination

Type: any Destination port: leave empty

Translation

Address: Interface address Port: leave empty Static port: not checked

No XMLRPC Sync

Leave unchecked

Description

Site A

../../_images/openvpn-s2s-vork-12.png

Click Save and on the next page click Apply Changes.

../../_images/openvpn-s2s-vork-17.png

Set up the client at site A

From the VPN menu choose OpenVPN and go to the Client tab. Click the + button to configure a client.

../../_images/openvpn-s2s-vork-13.png

Enter these values:

Disabled

not checked

Server Mode

Peer to Peer (Shared Key)

Protocol

UDP

same as Site B

Device mode

tun

Interface

WAN

Local port

leave empty

Server host or address

Site B’s public IP address or FQDN

Server port

9876

the port Site B is running the OpenVPN server on

Proxy host or address

leave empty if not using a proxy

Proxy port

leave empty if not using a proxy

Proxy authentication extra options

leave empty if not using a proxy

Server host name resolution

check if Site B sometimes has connectivity problems

Shared Key

do not check ‘Automatically generate a shared key’ but paste the Shared Key from site B

Encryption algorithem

AES-256-CBC (256-bit)

same as Site B

Hardware Crypto

Choose ‘No Hardware Crypto Acceleration’ unless the hardware has an accelerator

IPv4 Tunnel Network

192.168.204.0/30

same as Site B

IPv6 Tunnel Network

leave empty

IPv4 Remote Network/s

192.168.10.0/24

site A’s subnet

IPv6 Remote Network/s

leave empty

Limit outgoing bandwidth

leave empty unless required

Compression

same as Site B

Type-of-Service

not checked

Advanced

redirect-gateway def1;

This makes all traffic, including Internet traffic, go through the tunnel.

../../_images/openvpn-s2s-vork-14.png

Click Save.

The tunnel should now work and internet traffic should be routed from Site A through the tunnel out site B.

../../_images/openvpn-s2s-vork-15.png

By Vorkbaard, 2013-07-29 - gmail{a}vorkbaard[.]nl