OpenVPN Site-to-Site Configuration Example with Shared Key
This section describes the configuration process for a site-to-site connection using a shared key style point-to-point mode OpenVPN tunnel. Other names for this style of configuration are static key or pre-shared key (PSK).
Danger
Shared key mode has been deprecated by OpenVPN as it is no longer considered sufficiently secure for modern requirements. A single static key protects every packet for the life of the tunnel, so there is no forward secrecy (a key that leaks later exposes all previously captured traffic) and the key can only be rotated by hand on both peers at the same time.
Shared key mode will be removed from future versions of OpenVPN. Users should not create any new shared key tunnels and should immediately convert any existing shared key tunnels to SSL/TLS mode.
When an SSL/TLS instance is configured with a /30 tunnel network it behaves in a similar manner to shared key mode. The primary difference is the need to create and distribute the certificate structure to peers. See OpenVPN Site-to-Site Configuration Example with SSL/TLS for information on configuring OpenVPN in SSL/TLS mode.
In this mode each server instance can accommodate only a single client. Additionally, the server cannot push settings to the client, so routes must be added on both peers and all other settings (tunnel network, protocol, port, key, cipher) must match identically on both ends.
Example Configuration Overview
One firewall will act as the server and the other will act as a client.
Tip
Typically the main location will be the server side and the remote office will act as a client, though the opposite is functionally equivalent.
In addition to the subnets on both ends this setup requires a dedicated subnet for the OpenVPN interconnection between networks. Figure OpenVPN Example Site-to-Site Network shows a depiction of this layout, using 10.3.100.0/24 as the IPv4 VPN Tunnel Network. This can be any subnet so long as it does not overlap another subnet currently in use on the network.
Example Configuration Settings
| Site A - Server | |
|---|---|
| Name | Austin Office |
| WAN Address | 198.51.100.3 |
| LAN Subnet | 10.3.0.0/24 |
| LAN Address | 10.3.0.1 |
| Tunnel Net | 10.3.100.0/30 |

| Site B - Client | |
|---|---|
| Name | London Office |
| WAN Address | 203.0.113.5 |
| LAN Subnet | 10.5.0.0/24 |
| LAN Address | 10.5.0.1 |
| Tunnel Net | 10.3.100.0/30 |
Configuring PSK Server Side
Configure the OpenVPN Server Instance
Navigate to VPN > OpenVPN, Server tab
Click Add to create a new server entry
Fill in the fields as follows, with everything else left at defaults:
See also
See Server Configuration Options for details on each of these options.
- Description: Text to describe the connection (e.g. ExampleCo Site B VPN)
- Server Mode: Peer to Peer (Shared Key)
- Device Mode: tun
- Protocol: UDP on IPv4 only
- Interface: WAN
- Local Port: 1194
- Shared key: Check Automatically generate a shared key
- Tunnel Network: 10.3.100.0/30
- Remote network: The LAN on the Site B side, 10.5.0.0/24

Note
If there are more networks at Site B, such as networks reachable via static routes, other VPNs, and so on, add them as additional entries separated by a comma (,).
Click Save
Click to edit this server instance again
Find the Shared Key box
Select all text inside the Shared Key box
Copy the text to the clipboard
Save the contents to a file or paste into a text editor such as Notepad temporarily. This text is the only secret protecting the tunnel: anyone who obtains it can decrypt and inject tunnel traffic. Move it to the client over a trusted channel (not plain e-mail or chat) and delete the scratch copy once the client instance has been saved.
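The key copied out of the Shared Key box is a 2048-bit OpenVPN "Static key V1" blob. As an added example (not from the pfSense documentation or the OpenVPN project), the POSIX shell functions below check that a pasted copy still has that layout (16 lines of 32 hex characters between the BEGIN and END markers) and compute a SHA-256 fingerprint of the decoded key bytes rather than of the text file, so a copy that Notepad re-saved with CRLF line endings fingerprints the same as the original. The operators at the two sites can then confirm both peers hold the same key by comparing the fingerprint out of band instead of sending the key a second time. The sample key the script writes is constructed for the demonstration and is not a real key; the script assumes sed, fold, mktemp and either sha256sum or shasum are available.

```shell
#!/bin/sh
# Added example; not part of the pfSense documentation or the OpenVPN project.
# Validates a pasted OpenVPN "Static key V1" blob and fingerprints its key bytes.

BEGIN_MARK='-----BEGIN OpenVPN Static key V1-----'
END_MARK='-----END OpenVPN Static key V1-----'

# Hex body between the markers, with CR/LF, spaces and the marker lines removed,
# normalised to lower case.
static_key_hex() {
    tr -d '\r' < "$1" |
        sed -n "/^$BEGIN_MARK\$/,/^$END_MARK\$/p" |
        grep -v '^-----' | tr -d ' \n' | tr 'A-F' 'a-f'
}

# Exit 0 only for exactly 512 hex characters (256 bytes, 2048 bits) of key material.
validate_static_key() {
    hex=$(static_key_hex "$1")
    if [ "${#hex}" -ne 512 ]; then
        echo "$1: expected 512 hex characters of key material, got ${#hex}" >&2
        return 1
    fi
    case $hex in
        *[!0-9a-f]*) echo "$1: non-hex characters in key body" >&2; return 1 ;;
    esac
    return 0
}

sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# SHA-256 of the 256 decoded key bytes. Comment lines, line endings and
# letter case in the pasted text therefore do not change the result.
static_key_fingerprint() {
    validate_static_key "$1" || return 1
    printf '%s\n' "$(static_key_hex "$1")" | fold -w2 | while read -r pair; do
        # emit one raw byte per hex pair via an octal printf escape
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done | sha256_stdin | cut -d' ' -f1
}

# Compare a local key file against the fingerprint read out by the other site.
keys_match() {
    [ "$(static_key_fingerprint "$1")" = "$2" ]
}

# Constructed sample in the same layout as the Shared Key box. It is NOT a real
# key and must never be used on a tunnel; it exists only to exercise the checks.
write_sample_key() {
    {
        echo '#'
        echo '# 2048 bit OpenVPN static key'
        echo '#'
        echo "$BEGIN_MARK"
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%02x23456789abcdef0123456789abcdef\n' "$i"
            i=$((i + 1))
        done
        echo "$END_MARK"
    } > "$1"
}

# Demonstration: a CRLF copy (as Notepad may save it) fingerprints identically.
demo() {
    d=$(mktemp -d)
    write_sample_key "$d/server.key"
    awk 'BEGIN { ORS = "\r\n" } { print }' "$d/server.key" > "$d/client.key"
    fp=$(static_key_fingerprint "$d/server.key")
    echo "server fingerprint: $fp"
    keys_match "$d/client.key" "$fp" && echo "client copy matches"
    rm -rf "$d"
}
```

In use, the server operator runs static_key_fingerprint on the saved copy and reads the hash out; the client operator runs keys_match against the pasted copy before saving the client instance, then deletes the scratch file. A validation failure almost always means the paste dropped lines or picked up the surrounding comment text.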
Firewall Rules
External Traffic (WAN)
Next, add a firewall rule on WAN allowing access to the OpenVPN server.
Navigate to Firewall > Rules, WAN tab
Click Add to create a new rule at the top of the list
Set the options as follows:
- Protocol:
UDP
- Source:
Address or Alias,
203.0.113.5
Set the source address to match the client WAN IP address. If the client has a dynamic IP address, set the source to Any.
- Destination:
WAN Address
- Destination port:
1194
- Description:
OpenVPN from Site B
Click Save
Click Apply Changes
When finished, the rule will look like Figure OpenVPN Example Site-to-Site WAN Firewall Rule.
Tunneled Traffic
Now add a rule to the OpenVPN tab to pass traffic over the VPN from the Client-side LAN to the Server-side LAN. This can be an “Allow all” style rule or a set of stricter rules. This example allows all traffic using this rule:
Navigate to Firewall > Rules, OpenVPN tab
Click Add to create a new rule at the top of the list
Set the options as follows:
- Protocol:
any
- Source:
any
Tip
For extra security, create an alias containing only the remote hosts or subnets which must initiate contact with hosts on the server LAN, then use that alias as the source on this rule.
- Destination:
any
Tip
For extra security, create an alias containing only the local hosts or subnets on the server LAN which must accept connections from remote hosts across the VPN, then use that alias as the destination on this rule.
- Description:
Allow all on OpenVPN
Click Save
Click Apply Changes
That completes the server setup. Next, configure the client.
Configuring PSK Client Side
Configure the OpenVPN Client Instance
Navigate to VPN > OpenVPN, Client tab on the client system
Click Add to create a new OpenVPN client instance
Fill in the fields as follows, with everything else left at defaults:
See also
See Client Configuration Options for details on each of these options.
- Description: Text to describe the connection (e.g. ExampleCo Site A VPN)
- Server Mode: Peer to Peer (Shared Key)
- Device Mode: tun
- Protocol: UDP on IPv4 only
- Interface: WAN
- Server host or address: The public IP address or hostname of the OpenVPN server (198.51.100.3 in this example)
- Server Port: 1194
- Shared key: Uncheck Automatically generate a shared key, then paste in the shared key for the connection using the key copied from the server instance created previously.
- Tunnel Network: 10.3.100.0/30

Warning
This must match the server side exactly. The firewall will use the correct address for each end of the tunnel.

- Remote network: The LAN on the Site A side, 10.3.0.0/24

Note
If there are more networks at Site A, such as networks reachable via static routes, other VPNs, and so on, add them as additional entries separated by a comma (,).
Click Save
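Two requirements above are easy to get wrong by hand: the tunnel network must not overlap any subnet in use at either site, and the client's tunnel network, remote networks and data-channel settings must mirror the server's exactly. As an added example (not from the pfSense documentation or the OpenVPN project), the POSIX shell script below takes the page's addresses, checks the /30 tunnel network against both LANs for overlap, derives the two tunnel endpoint addresses pfSense assigns from a /30 (server .1, client .2), and renders the openvpn(8) configuration each peer ends up running so the two sides can be diffed. The cipher and auth directives are assumed choices for the illustration, not values from the page; whatever is selected must be identical on both peers.

```shell
#!/bin/sh
# Added example; not from the pfSense documentation or the OpenVPN project.
# Derives the two peer addresses of a /30 tunnel network (server .1, client .2,
# as pfSense assigns them), checks that the tunnel network overlaps neither LAN,
# and renders the equivalent openvpn(8) configuration for both peers so the two
# sides can be diffed before the tunnel is brought up. IPv4 only.

ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask of a prefix length as an integer, and as a dotted quad (24 -> 255.255.255.0)
mask_int()    { echo $(( (4294967295 << (32 - $1)) & 4294967295 )); }
prefix_mask() { int2ip "$(mask_int "$1")"; }

# Network address of a.b.c.d/len as an integer
net_int() {
    echo $(( $(ip2int "${1%/*}") & $(mask_int "${1#*/}") ))
}

# Exit 0 when two CIDR blocks share at least one address: compare both
# network addresses under the shorter of the two prefixes.
subnets_overlap() {
    la=${1#*/}; lb=${2#*/}
    m=$(mask_int $(( la < lb ? la : lb )))
    [ $(( $(net_int "$1") & m )) -eq $(( $(net_int "$2") & m )) ]
}

# Prints "<server tunnel address> <client tunnel address>" for a /30.
tunnel_peers() {
    [ "${1#*/}" -eq 30 ] || { echo "tunnel network must be a /30: $1" >&2; return 1; }
    n=$(net_int "$1")
    echo "$(int2ip $(( n + 1 ))) $(int2ip $(( n + 2 )))"
}

# render_config server|client <tunnel/30> <server WAN IP> <port> <remote networks...>
# The cipher and auth lines are assumed choices, not values from the page;
# whatever is chosen must be identical on both peers, like the tunnel network.
render_config() {
    side=$1; tun=$2; srv=$3; port=$4; shift 4
    peers=$(tunnel_peers "$tun") || return 1
    if [ "$side" = server ]; then
        me=${peers% *}; peer=${peers#* }
    else
        me=${peers#* }; peer=${peers% *}
    fi
    echo "dev tun"
    echo "proto udp4"
    echo "port $port"
    if [ "$side" = client ]; then echo "remote $srv $port"; fi
    echo "ifconfig $me $peer"
    echo "secret static.key"
    echo "cipher AES-256-CBC"
    echo "auth SHA256"
    for net in "$@"; do
        # one route per Remote network entry; the other peer lists the mirror image
        echo "route ${net%/*} $(prefix_mask "${net#*/}")"
    done
}

# Worked values from the page: Site A 10.3.0.0/24 (server), Site B 10.5.0.0/24 (client).
check_example() {
    for lan in 10.3.0.0/24 10.5.0.0/24; do
        if subnets_overlap 10.3.100.0/30 "$lan"; then
            echo "tunnel network 10.3.100.0/30 overlaps $lan" >&2
            return 1
        fi
    done
    render_config server 10.3.100.0/30 198.51.100.3 1194 10.5.0.0/24
    echo "--- client side ---"
    render_config client 10.3.100.0/30 198.51.100.3 1194 10.3.0.0/24
}

check_example
```

The server output carries ifconfig 10.3.100.1 10.3.100.2 and a route for 10.5.0.0/24; the client output carries the mirror image plus the remote line, which is the only directive that differs in kind between the two peers. Changing the tunnel network to a /24 makes tunnel_peers refuse it, and choosing a tunnel network inside either LAN (for instance 10.3.0.0/30) makes the overlap check fail before any configuration is printed.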
Firewall Rules
This setup does not require firewall rules on the client side WAN interface because the client initiates the connection outbound and the firewall's state table passes the server's replies. The server never initiates a connection to the client's WAN address.
This next step is optional depending on whether or not hosts on the server network need to initiate contact with hosts on the client network. If server network hosts do not need to initiate contact with this client, then no action is necessary.
If hosts on the server side need to initiate contact, then this traffic requires a firewall rule on the OpenVPN tab on the client firewall to allow traffic from the Server-side LAN to reach the Client-side LAN. An “Allow all” style rule is OK in some cases, but a set of stricter rules is the best practice.
This example allows all traffic:
Navigate to Firewall > Rules, OpenVPN tab
Click Add to create a new rule at the top of the list
Set the options as follows:
- Protocol:
any
- Source:
any
Tip
For extra security, create an alias containing only the remote hosts or subnets which must initiate contact with hosts on the client LAN, then use that alias as the source on this rule.
- Destination:
any
Tip
For extra security, create an alias containing only the local hosts or subnets on the client LAN which must accept connections from remote hosts across the VPN, then use that alias as the destination on this rule.
- Description:
Allow all on OpenVPN
Click Save
Click Apply Changes
The configuration of the client is complete.
Testing the connection
The configuration is now complete. The OpenVPN client instance automatically starts when created, so it should already be attempting to connect at this point and if the configuration is correct, it will be connected.
Try to ping across to the remote end LAN to verify connectivity.
See also