OpenVPN Site-to-Site Configuration Example with Shared Key

This section describes the configuration process for a site-to-site connection using a shared key style point-to-point mode OpenVPN tunnel. Other names for this style of configuration are static key or pre-shared key (PSK).

Danger

Shared key mode has been deprecated by OpenVPN as it is no longer considered sufficiently secure for modern requirements.

Shared key mode will be removed from future versions of OpenVPN. Users should not create any new shared key tunnels and should immediately convert any existing shared key tunnels to SSL/TLS mode.

When an SSL/TLS instance is configured with a /30 tunnel network it behaves in a similar manner to shared key mode. The primary difference is the need to create and distribute the certificate structure to peers. See OpenVPN Site-to-Site Configuration Example with SSL/TLS for information on configuring OpenVPN in SSL/TLS mode.

In this mode each server instance can only accommodate a single client. Additionally, the server cannot push settings to the client, so routes must be added on both peers and other settings must match identically.

Example Configuration Overview

[Figure: OpenVPN Example Site-to-Site Network]

One firewall will act as the server and the other will act as a client.

Tip

Typically the main location will be the server side and the remote office will act as a client, though the opposite is functionally equivalent.

In addition to the subnets on both ends this setup requires a dedicated subnet for the OpenVPN interconnection between networks. Figure OpenVPN Example Site-to-Site Network shows a depiction of this layout, using 10.3.100.0/24 as the IPv4 VPN Tunnel Network. This can be any subnet so long as it does not overlap another subnet currently in use on the network.

Example Configuration Settings

OpenVPN Endpoint Settings - Site A - Server

Setting | Site A - Server
Name | Austin Office
WAN Address | 198.51.100.3
LAN Subnet | 10.3.0.0/24
LAN Address | 10.3.0.1
Tunnel Net | 10.3.100.0/30

OpenVPN Endpoint Settings - Site B - Client

Setting | Site B - Client
Name | London Office
WAN Address | 203.0.113.5
LAN Subnet | 10.5.0.0/24
LAN Address | 10.5.0.1
Tunnel Net | 10.3.100.0/30

Configuring PSK Server Side

Configure the OpenVPN Server Instance

  • Navigate to VPN > OpenVPN, Server tab

  • Click Add to create a new server entry

  • Fill in the fields as follows, with everything else left at defaults:

    See also

    See Server Configuration Options for details on each of these options.

    Description

    Text to describe the connection (e.g. ExampleCo Site B VPN)

    Server Mode

    Peer to Peer (Shared Key)

    Device Mode

    tun

    Protocol

    UDP on IPv4 only

    Interface

    WAN

    Local Port

    1194

    Shared key

    Check Automatically generate a shared key

    Tunnel Network

    10.3.100.0/30

    Remote network

    The LAN on the Site B side, 10.5.0.0/24

    Note

    If there are more networks at Site B, such as networks reachable via static routes, other VPNs, and so on, add them as additional entries separated by a comma (,).

  • Click Save

  • Click the edit (pencil) icon to edit this server instance again

  • Find the Shared Key box

  • Select all text inside the Shared Key box

  • Copy the text to the clipboard

  • Save the contents to a file or paste into a text editor such as Notepad temporarily

Firewall Rules

External Traffic (WAN)

Next, add a firewall rule on WAN allowing access to the OpenVPN server.

  • Navigate to Firewall > Rules, WAN tab

  • Click Add to create a new rule at the top of the list

  • Set the options as follows:

    Protocol

    UDP

    Source

    Address or Alias, 203.0.113.5

    Set the source address to match the client WAN IP address. If the client has a dynamic IP address, set the source to Any.

    Destination

    WAN Address

    Destination port

    1194

    Description

    OpenVPN from Site B

  • Click Save

  • Click Apply Changes

When finished, the rule will look like Figure OpenVPN Example Site-to-Site WAN Firewall Rule.

[Figure: OpenVPN Example Site-to-Site WAN Firewall Rule]

Tunneled Traffic

Now add a rule to the OpenVPN tab to pass traffic over the VPN from the Client-side LAN to the Server-side LAN. This can be an “Allow all” style rule or a set of stricter rules. This example allows all traffic using this rule:

  • Navigate to Firewall > Rules, OpenVPN tab

  • Click Add to create a new rule at the top of the list

  • Set the options as follows:

    Protocol

    any

    Source

    any

    Tip

    For extra security, create an alias containing only the remote hosts or subnets which must initiate contact with hosts on the server LAN, then use that alias as the source on this rule.

    Destination

    any

    Tip

    For extra security, create an alias containing only the local hosts or subnets on the server LAN which must accept connections from remote hosts across the VPN, then use that alias as the destination on this rule.

    Description

    Allow all on OpenVPN

  • Click Save

  • Click Apply Changes

That completes the server setup. Next, move on to configure the client.

Configuring PSK Client Side

Configure the OpenVPN Client Instance

  • Navigate to VPN > OpenVPN, Client tab on the client system

  • Click Add to create a new OpenVPN client instance

  • Fill in the fields as follows, with everything else left at defaults:

    See also

    See Client Configuration Options for details on each of these options.

    Description

    Text to describe the connection (e.g. ExampleCo Site A VPN)

    Server Mode

    Peer to Peer (Shared Key)

    Device Mode

    tun

    Protocol

    UDP on IPv4 only

    Interface

    WAN

    Server host or address

    The public IP address or hostname of the OpenVPN server (198.51.100.3 in this example)

    Server Port

    1194

    Shared key

    Uncheck Automatically generate a shared key, then paste in the shared key for the connection using the key copied from the server instance created previously.

    Tunnel Network

    10.3.100.0/30

    Warning

    This must match the server side exactly. The firewall will use the correct address for each end of the tunnel.

    Remote network

    The LAN on the Site A side, 10.3.0.0/24

    Note

    If there are more networks at Site A, such as networks reachable via static routes, other VPNs, and so on, add them as additional entries separated by a comma (,).

  • Click Save
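The settings above must mirror each other: the same /30 Tunnel Network on both ends, each side's Remote network pointing at the other side's LAN, and no overlap with subnets already in use. The following Python example is added here (it is not pfSense code and not part of the original page); it models the two example sites, checks those consistency rules, and renders an illustrative approximation of the OpenVPN directives the GUI fields correspond to. The key file path is a placeholder.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    wan: str                  # WAN Address
    lan: str                  # LAN Subnet
    tunnel: str               # IPv4 Tunnel Network, must be identical on both ends
    remote: list = field(default_factory=list)   # Remote network entries


def tunnel_addresses(tunnel):
    """Split the /30: the server takes the first usable address, the client the second."""
    net = ipaddress.ip_network(tunnel, strict=True)
    if net.prefixlen != 30:
        raise ValueError("shared key mode expects a /30 tunnel network")
    first, second = list(net.hosts())
    return str(first), str(second)


def overlaps(a, b):
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def check_plan(server, client, in_use=()):
    """Return a list of problems; an empty list means the two ends are consistent.
    in_use is an optional list of (label, subnet) pairs already routed elsewhere."""
    problems = []
    if server.tunnel != client.tunnel:
        problems.append("Tunnel Network differs between server and client")
    if client.lan not in server.remote:
        problems.append("server Remote network does not list the client LAN")
    if server.lan not in client.remote:
        problems.append("client Remote network does not list the server LAN")
    for label, net in [("server LAN", server.lan), ("client LAN", client.lan), *in_use]:
        if overlaps(server.tunnel, net):
            problems.append(f"Tunnel Network overlaps {label} {net}")
    if overlaps(server.lan, client.lan):
        problems.append("server and client LANs overlap")
    return problems


def directives(site, role, peer, keyfile="/path/to/shared.key"):
    """Illustrative OpenVPN directives for one end (an approximation, not pfSense's exact file)."""
    srv_ip, cli_ip = tunnel_addresses(site.tunnel)
    local, remote = (srv_ip, cli_ip) if role == "server" else (cli_ip, srv_ip)
    lines = ["dev tun", "proto udp4", f"secret {keyfile}", f"ifconfig {local} {remote}"]
    lines.append(f"local {site.wan}\nport 1194" if role == "server" else f"remote {peer.wan} 1194")
    for net in site.remote:                       # one route per Remote network entry
        n = ipaddress.ip_network(net)
        lines.append(f"route {n.network_address} {n.netmask}")
    return lines


# Constructed from the page's example settings
SITE_A = Site("Austin Office", "198.51.100.3", "10.3.0.0/24", "10.3.100.0/30", ["10.5.0.0/24"])
SITE_B = Site("London Office", "203.0.113.5", "10.5.0.0/24", "10.3.100.0/30", ["10.3.0.0/24"])
```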

Firewall Rules

This setup does not require firewall rules on the client side WAN interface because the client only initiates outbound connections. The server never initiates connections to the client.

This next step is optional depending on whether or not hosts on the server network need to initiate contact with hosts on the client network. If server network hosts do not need to initiate contact with this client, then no action is necessary.

If hosts on the server side need to initiate contact, then this traffic requires a firewall rule on the OpenVPN tab on the client firewall to allow traffic from the Server-side LAN to reach the Client-side LAN. An “Allow all” style rule is OK in some cases, but a set of stricter rules is the best practice.

This example allows all traffic:

  • Navigate to Firewall > Rules, OpenVPN tab

  • Click Add to create a new rule at the top of the list

  • Set the options as follows:

    Protocol

    any

    Source

    any

    Tip

    For extra security, create an alias containing only the remote hosts or subnets which must initiate contact with hosts on the client LAN, then use that alias as the source on this rule.

    Destination

    any

    Tip

    For extra security, create an alias containing only the local hosts or subnets on the client LAN which must accept connections from remote hosts across the VPN, then use that alias as the destination on this rule.

    Description

    Allow all on OpenVPN

  • Click Save

  • Click Apply Changes

The configuration of the client is complete.

Testing the connection

The configuration is now complete. The OpenVPN client instance starts automatically when created, so it should already be attempting to connect at this point. If the configuration is correct, it will be connected.

Try to ping across to the remote end LAN to verify connectivity.