OpenVPN Site-to-Site Configuration Example with Shared Key

Figure: OpenVPN Example Site-to-Site Network
This section describes the process of configuring a site-to-site connection using a shared key style OpenVPN tunnel.

When configuring a shared key site-to-site OpenVPN connection, one firewall will be the server and the other will be the client. Usually the main location will be the server side and the remote offices will act as clients, though the opposite is functionally equivalent. Similar to a remote access OpenVPN configuration, there will be a dedicated subnet in use for the OpenVPN interconnection between networks in addition to the subnets on both ends. The example configuration described here is depicted in Figure OpenVPN Example Site-to-Site Network. 10.3.100.0/30 is used as the Tunnel Network. The OpenVPN tunnel between the two firewalls gets an IP address on each end out of that subnet, as illustrated in the diagram. The following sections describe how to configure the server and client sides of the connection.
Configuring Server Side

- Navigate to VPN > OpenVPN, Server tab
- Click Add to create a new server entry
- Fill in the fields as follows, with everything else left at defaults:
  - Server Mode: Select Peer to Peer (Shared Key).
  - Description: Enter text here to describe the connection (e.g. ExampleCo Site B VPN)
  - Shared key: Check Automatically generate a shared key, or paste in a pre-existing shared key for this connection.
  - Tunnel Network: Enter the previously chosen network, 10.3.100.0/30
  - Remote network: Enter the LAN on the Site B side, 10.5.0.0/24
- Click Save
- Click the edit icon to edit the server that was created a moment ago
- Find the Shared Key box
- Select all text inside the Shared Key box
- Copy the text to the clipboard
- Save the contents to a file, or paste into a text editor such as Notepad temporarily
Next, add a firewall rule on WAN allowing access to the OpenVPN server.

- Navigate to Firewall > Rules, WAN tab
- Click Add to create a new rule at the top of the list
- Set Protocol to UDP
- Set the Source address to match the client. If it has a dynamic IP address, leave it set to Any, otherwise set the rule to only allow from the WAN IP address of the client:
  - Select Single Host or Alias in Source
  - Enter the WAN address of the client as the Source address (e.g. 203.0.113.5)
- Set the Destination to WAN Address
- Set the Destination port to 1194 in this instance
- Enter a Description, such as OpenVPN from Site B
- Click Save and the rule will look like Figure OpenVPN Example Site-to-Site WAN Firewall Rule.
Figure: OpenVPN Example Site-to-Site WAN Firewall Rule

- Click Apply Changes
A rule must also be added to the OpenVPN interface to pass traffic over the VPN from the Client-side LAN to the Server-side LAN. An "Allow all" style rule may be used, or a set of stricter rules. In this example allowing all traffic is OK, so the following rule is made:

- Navigate to Firewall > Rules, OpenVPN tab
- Click Add to create a new rule at the top of the list
- Set Protocol to any
- Enter a Description such as Allow all on OpenVPN
- Click Save
- Click Apply Changes

The server configuration is finished.
Configuring Client Side

- Navigate to VPN > OpenVPN, Client tab on the client system
- Click Add to create a new OpenVPN client instance
- Fill in the fields as follows, with everything else left at defaults:
  - Server Mode: Select Peer to Peer (Shared Key).
  - Server host or address: Enter the public IP address or hostname of the OpenVPN server here (e.g. 198.51.100.3).
  - Description: Enter text to describe the connection (e.g. ExampleCo Site A VPN)
  - Shared key: Uncheck Automatically generate a shared key, then paste in the shared key for the connection using the key copied from the server instance created previously.
  - Tunnel Network: Must match the server side exactly (e.g. 10.3.100.0/30)
  - Remote network: Enter the LAN network on the Site A side, 10.3.0.0/24
- Click Save
A rule must also be added to the OpenVPN interface to pass traffic over the VPN from the Server-side LAN to the Client-side LAN. An "Allow all" style rule may be used, or a set of stricter rules. In this example allowing all traffic is OK, so the following rule is made:

- Navigate to Firewall > Rules, OpenVPN tab
- Click Add to create a new rule at the top of the list
- Set Protocol to any
- Enter a Description such as Allow all on OpenVPN
- Click Save
- Click Apply Changes

The configuration of the client is complete. No firewall rules are required on the client side WAN interface because the client only initiates outbound connections. The server never initiates connections to the client.
Note: With remote access PKI configurations, routes and other configuration options are typically not defined on the client configuration, but are instead pushed from the server to the client. With shared key deployments, routes and other parameters must be defined on both ends as needed (as described previously, and later in Custom configuration options); options cannot be pushed from the server to clients when using shared keys.
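Because nothing is pushed in shared key mode, the two GUI forms above must mirror each other by hand: the Tunnel Network must be identical on both ends, and each end's Remote network must be the other site's LAN. The following added example (not pfSense code, and not the configuration pfSense generates) cross-checks the two sets of settings for those mismatches and renders the equivalent OpenVPN directives for each end, so the route carried on each side is visible. The dictionaries, the `check_pair`, `tunnel_addresses` and `render_config` helper names, and the `/path/to/shared.key` path are constructed for this example; it assumes the usual convention that the server takes the first usable address of the /30 and the client the second, and uses OpenVPN's documented static-key direction values (0 on the server, 1 on the client).

```python
from ipaddress import ip_network

# Constructed settings mirroring the two GUI forms on this page (example addresses).
# "local_network" is each site's own LAN; it is not typed into that site's own form,
# but it must equal the peer's Remote network, which is what this check verifies.
SERVER_SIDE = {
    "role": "server",
    "tunnel_network": "10.3.100.0/30",
    "local_network": "10.3.0.0/24",   # Site A LAN
    "remote_network": "10.5.0.0/24",  # Site B LAN, entered as Remote network
    "port": 1194,
}
CLIENT_SIDE = {
    "role": "client",
    "server_host": "198.51.100.3",
    "tunnel_network": "10.3.100.0/30",
    "local_network": "10.5.0.0/24",   # Site B LAN
    "remote_network": "10.3.0.0/24",  # Site A LAN, entered as Remote network
    "port": 1194,
}


def check_pair(server, client):
    """Return a list of mismatches between the two ends; an empty list means consistent."""
    problems = []
    if server["tunnel_network"] != client["tunnel_network"]:
        problems.append("Tunnel Network must match exactly on both ends")
    try:
        tun = ip_network(server["tunnel_network"])
        lans = [ip_network(server["local_network"]), ip_network(client["local_network"])]
    except ValueError as exc:
        return problems + [f"invalid network: {exc}"]
    if tun.prefixlen > 30:
        problems.append("Tunnel Network needs two usable addresses (/30 or larger)")
    if server["remote_network"] != client["local_network"]:
        problems.append("server Remote network must be the client-side LAN")
    if client["remote_network"] != server["local_network"]:
        problems.append("client Remote network must be the server-side LAN")
    if lans[0].overlaps(lans[1]):
        problems.append("the two site LANs overlap; traffic cannot be routed between them")
    for lan in lans:
        if lan.overlaps(tun):
            problems.append(f"Tunnel Network overlaps site LAN {lan}")
    return problems


def tunnel_addresses(tunnel_network):
    """Server end takes the first usable address, client the second (assumed convention)."""
    hosts = list(ip_network(tunnel_network).hosts())
    return str(hosts[0]), str(hosts[1])


def render_config(end, key_path="/path/to/shared.key"):
    """Render OpenVPN directives equivalent to one end's GUI settings (hypothetical path)."""
    srv_ip, cli_ip = tunnel_addresses(end["tunnel_network"])
    is_server = end["role"] == "server"
    local_ip, peer_ip = (srv_ip, cli_ip) if is_server else (cli_ip, srv_ip)
    remote_net = ip_network(end["remote_network"])
    lines = ["dev tun", "proto udp"]
    if is_server:
        lines.append(f"port {end['port']}")
    else:
        lines += [f"remote {end['server_host']} {end['port']}", "nobind"]
    lines += [
        # Static key direction: 0 on the server, 1 on the client.
        f"secret {key_path} {0 if is_server else 1}",
        f"ifconfig {local_ip} {peer_ip}",
        # Routes are not pushed in shared key mode, so each end carries its own.
        f"route {remote_net.network_address} {remote_net.netmask}",
        "cipher AES-256-CBC",  # static key mode has no cipher negotiation
        "auth SHA256",
        "keepalive 10 60",
        "persist-key",
        "persist-tun",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    issues = check_pair(SERVER_SIDE, CLIENT_SIDE)
    print("consistent" if not issues else "\n".join(issues))
    print(render_config(SERVER_SIDE))
    print(render_config(CLIENT_SIDE))
```

Running the script with the page's values reports "consistent" and prints a `route 10.5.0.0 255.255.255.0` line on the server end and a `route 10.3.0.0 255.255.255.0` line on the client end, which is the point of the note above: each side must declare the route to the other site's LAN itself. Swapping or mistyping either Remote network, or entering a different Tunnel Network on one end, shows up as a reported mismatch before any tunnel is brought up. The `cipher` and `auth` lines are explicit because static key mode negotiates nothing; whatever the GUI selects must be the same on both ends.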
Testing the connection

The connection will immediately be active upon saving on the client side. Try to ping across to the remote end to verify connectivity. If problems arise, refer to Troubleshooting OpenVPN.