Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

OpenVPN Site-to-Site Configuration Example with Shared Key

../_images/diagrams-openvpn-site-to-site.png

OpenVPN Example Site-to-Site Network

This section describes the process of configuring a site-to-site connection using a shared key style OpenVPN tunnel.

When configuring a shared key site-to-site OpenVPN connection one firewall will be the server and the other will be the client. Usually the main location will be the server side and the remote offices will act as clients, though the opposite is functionally equivalent. Similar to a remote access OpenVPN configuration there will be a dedicated subnet in use for the OpenVPN interconnection between networks in addition to the subnets on both ends. The example configuration described here is depicted in Figure OpenVPN Example Site-to-Site Network.

10.3.100.0/30 is used as the Tunnel Network. The OpenVPN tunnel between the two firewalls gets an IP address on each end out of that subnet, as illustrated in the diagram. The following sections describe how to configure the server and client sides of the connection.

Configuring Server Side

  • Navigate to VPN > OpenVPN, Server tab

  • Click fa-plus Add to create a new server entry

  • Fill in the fields as follows, with everything else left at defaults:

Server Mode

Select Peer to Peer (Shared Key).

Description

Enter text here to describe the connection (e.g. ExampleCo Site B VPN)

Shared key

Check Automatically generate a shared key, or paste in a pre- existing shared key for this connection.

Tunnel Network

Enter the previously chosen network, 10.3.100.0/30

Remote network

Enter the LAN on the Site B side, 10.5.0.0/24

  • Click Save

  • Click fa-pencil to edit the server that was created a moment ago

  • Find the Shared Key box

  • Select all text inside the Shared Key box

  • Copy the text to the clipboard

  • Save the contents to a file, or paste into a text editor such as Notepad temporarily

Next, add a firewall rule on WAN allowing access to the OpenVPN server.

  • Navigate to Firewall > Rules, WAN tab

  • Click fa-level-up Add to create a new rule at the top of the list

  • Set Protocol to UDP

  • Set the Source address to match the client. If it has a dynamic IP address, leave it set to Any, otherwise set the rule to only allow from the WAN IP address of the client:

    • Select Single Host or Alias in Source

    • Enter the WAN address of the client as the Source address (e.g. 203.0.113.5)

  • Set the Destination to WAN Address

  • Set the Destination port to 1194 in this instance

  • Enter a Description, such as OpenVPN from Site B

  • Click Save and the rule will look like Figure OpenVPN Example Site-to-Site WAN Firewall Rule.

../_images/openvpn-site-to-site-wan-rule.png

OpenVPN Example Site-to-Site WAN Firewall Rule

  • Click Apply Changes

A rule must also be added to the OpenVPN interface to pass traffic over the VPN from the Client-side LAN to the Server-side LAN. An “Allow all” style rule may be used, or a set of stricter rules. In this example allowing all traffic is OK so the following rule is made:

  • Navigate to Firewall > Rules, OpenVPN tab

  • Click fa-level-up Add to create a new rule at the top of the list

  • Set Protocol to any

  • Enter a Description such as Allow all on OpenVPN

  • Click Save

  • Click Apply Changes

The server configuration is finished.

Configuring Client Side

  • Navigate to VPN > OpenVPN, Client tab on the client system

  • Click fa-plus Add to create a new OpenVPN client instance

  • Fill in the fields as follows, with everything else left at defaults:

Server Mode

Select Peer to Peer (Shared Key).

Server host or address

Enter the public IP address or hostname of the OpenVPN server here (e.g. 198.51.100.3).

Description

Enter text to describe the connection (e.g. ExampleCo Site A VPN)

Shared key

Uncheck Automatically generate a shared key, then paste in the shared key for the connection using the key copied from the server instance created previously.

Tunnel Network

Must match the server side exactly (e.g. 10.3.100.0/30)

Remote network

Enter the LAN network on the Site A side, 10.3.0.0/24

  • Click Save

A rule must also be added to the OpenVPN interface to pass traffic over the VPN from the Server-side LAN to the Client-side LAN. An “Allow all” style rule may be used, or a set of stricter rules. In this example allowing all traffic is OK so the following rule is made:

  • Navigate to Firewall > Rules, OpenVPN tab

  • Click fa-level-up Add to create a new rule at the top of the list

  • Set Protocol to any

  • Enter a Description such as Allow all on OpenVPN

  • Click Save

  • Click Apply changes

The configuration of the client is complete. No firewall rules are required on the client side WAN interface because the client only initiates outbound connections. The server never initiates connections to the client.

Note

With remote access PKI configurations, typically routes and other configuration options are not defined on the client configuration, but rather they are pushed from the server to the client. With shared key deployments, routes and other parameters must be defined on both ends as needed (as described previously, and later in Custom configuration options), options cannot be pushed from the server to clients when using shared keys.

Testing the connection

The connection will immediately be active upon saving on the client side. Try to ping across to the remote end to verify connectivity. If problems arise, refer to Troubleshooting OpenVPN.