Routing internet traffic through a site-to-site OpenVPN connection in pfSense 2.1

This article shows how to create a site-to-site connection using OpenVPN and how to route the Internet connection of site A through site B with pfSense.

../../_images/ipsec-s2s-vork-00.png

This is effectively the same as using an IPsec site-to-site connection except that we’ll be using OpenVPN instead of IPsec. Using OpenVPN as the ‘back-end’ means we need to set up one side as a server and the other as the client. It doesn’t matter which one is which, but if more than two sites are connected in a star topology it seems natural to use the center of the star as the server. The server also needs the chosen UDP port forwarded to it if it sits behind another router, or it must reside in that router’s DMZ.

For the purpose of this article:

  • Site A is a branch office, LAN subnet 192.168.10.0/24
  • Site B is the main office through which all Internet traffic is routed, 192.168.20.0/24

Set up OpenVPN at Site B

From the VPN menu choose OpenVPN. On the page under the Server tab, click the + button to create a new OpenVPN server.

../../_images/openvpn-s2s-vork-01.png

Enter these values:

Server Mode Peer to Peer (Shared Key)  
Protocol UDP  
Device Mode tun  
Interface WAN  
Local port 9876 1194 is the default OpenVPN port. Moving the server to another port keeps automated scanner noise out of the logs, but it is not a security measure in itself; the shared key and the WAN firewall rule are what protect the service. Any unused port number may be used but we’ll stick to 9876 in this article.
Description Site-to-site  
Shared Key Checked  
Encryption algorithm AES-256-CBC (256-bit)  
Hardware Crypto No Hardware Crypto Acceleration unless the hardware actually has an accelerator. If in doubt, select ‘No Hardware Crypto Acceleration’.
IPv4 Tunnel Network 192.168.204.0/30 Choose a subnet that’s not in use in any of the LANs at either site. OpenVPN uses it internally for the two tunnel endpoints. We’re using 192.168.204.0/30 here but any unused private range will do. The /30 mask is because in peer-to-peer mode OpenVPN uses only one IP address per site; we’re connecting two sites so two addresses suffice. A /24 will work but is overkill.
IPv6 Tunnel Network leave empty  
IPv4 Local Network/s 192.168.20.0/24 Site B’s subnet
IPv6 Local Network/s leave empty  
IPv4 Remote Network/s 192.168.10.0/24 Site A’s subnet
IPv6 Remote Network/s leave empty  
Concurrent connections leave empty  
Compression Check if the bulk of the data transferred is not already compressed, like plain text. Leave unchecked if the bulk is already compressed, like video files or archives; compressing those again only costs CPU. Routers on faster hardware can compress faster.  
Type-of-Service unchecked  
Duplicate Connections unchecked  
Advanced leave empty  
../../_images/openvpn-s2s-vork-02.png

Click Save.

Note that our Site-to-site OpenVPN server is now shown in the Server overview. Click the edit button to the right of the server.

../../_images/openvpn-s2s-vork-03.png

Note that in the Cryptographic Settings section, a Shared Key is now shown. Copy all text in the Shared Key text field, including the first lines beginning with # and the last line ending in -----. A key that is truncated while copying is the most common reason the tunnel fails to come up.

../../_images/openvpn-s2s-vork-04.png

Configure firewall rules at Site B

From the Firewall menu, choose Rules. Open the WAN tab, unless using a different interface for the VPN connection. Click on the + button to add a new rule.

../../_images/openvpn-s2s-vork-05.png

Enter these values:

Action Pass
Disabled not checked
Interface WAN
TCP/IP Version IPv4
Protocol UDP
Source any
Destination Type: WAN address
Destination port range from: (other) 9876 to: (other) 9876
Log not checked
Description Site-to-site VPN
../../_images/openvpn-s2s-vork-06.png

Click Save and on the next page click Apply changes.

../../_images/openvpn-s2s-vork-07.png

Click on the OpenVPN tab. We’ll now add a rule to allow traffic through the OpenVPN connection. Click on the + button to add a rule. Note that the rule below lets every host at Site A reach every host on Site B’s LAN; once the tunnel works, narrow the source and destination if that is not intended.

../../_images/openvpn-s2s-vork-08.png

Enter these values:

Action Pass  
Disabled not checked  
Interface OpenVPN  
TCP/IP Version IPv4  
Protocol any  
Source any  
Destination any  
Log not checked  
Description Allow everything through OpenVPN  
../../_images/openvpn-s2s-vork-09.png

Click Save and on the next page Apply Changes.

../../_images/openvpn-s2s-vork-16.png

Set up outbound NAT at Site B

From the Firewall menu, choose NAT and click on the Outbound tab. Select Manual Outbound NAT rule generation (AON – Advanced Outbound NAT) and click Save. On the next page, click Apply Changes.

../../_images/openvpn-s2s-vork-10.png

A couple of rules are generated automatically but we need to add a NAT entry for Site A’s subnet. Click on the + button.

../../_images/openvpn-s2s-vork-11.png

Enter these values:

Do not NAT not checked  
Interface WAN Unless using a different interface for the VPN
Protocol any  
Source Type: Network Address: 192.168.10.0/24 Source port: leave empty Site A’s subnet
Destination Type: any Destination port: leave empty  
Translation Address: Interface address Port: leave empty Static port: not checked  
No XMLRPC Sync Leave unchecked  
Description Site A  
../../_images/openvpn-s2s-vork-12.png

Click Save and on the next page click Apply Changes.

../../_images/openvpn-s2s-vork-17.png

Set up the client at site A

From the VPN menu choose OpenVPN and go to the Client tab. Click the + button to configure a client.

../../_images/openvpn-s2s-vork-13.png

Enter these values:

Disabled not checked  
Server Mode Peer to Peer (Shared Key)  
Protocol UDP same as Site B
Device mode tun  
Interface WAN  
Local port leave empty  
Server host or address Site B’s public IP address or FQDN  
Server port 9876 the port Site B is running the OpenVPN server on
Proxy host or address leave empty if not using a proxy  
Proxy port leave empty if not using a proxy  
Proxy authentication extra options leave empty if not using a proxy  
Server host name resolution check this (Infinitely resolve server) so the client keeps retrying if Site B’s name cannot be resolved at start, for instance when Site B is temporarily offline  
Shared Key do not check ‘Automatically generate a shared key’ but paste the Shared Key from site B  
Encryption algorithm AES-256-CBC (256-bit) same as Site B
Hardware Crypto Choose ‘No Hardware Crypto Acceleration’ unless the hardware has an accelerator  
IPv4 Tunnel Network 192.168.204.0/30 same as Site B
IPv6 Tunnel Network leave empty  
IPv4 Remote Network/s 192.168.20.0/24 Site B’s subnet. On the client, Remote Network is the other side’s LAN; never enter Site A’s own subnet here
IPv6 Remote Network/s leave empty  
Limit outgoing bandwidth leave empty unless required  
Compression same as Site B  
Type-of-Service not checked  
Advanced redirect-gateway def1; This makes all IPv4 traffic from Site A, including Internet traffic, go through the tunnel. OpenVPN adds a host route to Site B’s public address via Site A’s original gateway, so the tunnel packets themselves are not routed into the tunnel. The trailing semicolon is the separator pfSense uses between advanced options.
../../_images/openvpn-s2s-vork-14.png

Click Save.

The tunnel should now work and Internet traffic from Site A should be routed through the tunnel and out of Site B. To verify, check Status > OpenVPN at either site for a connected tunnel, then, from a client at Site A, confirm that an external site sees Site B’s WAN address as the source.
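The Server and Client settings above mirror each other in specific ways: same protocol and cipher, the same port, swapped tunnel endpoints inside one /30, each side’s Remote Network equal to the other side’s LAN, and redirect-gateway only on the client. The following is an added example, not code from this article or from pfSense, that expresses both sides as the OpenVPN directives pfSense roughly generates and checks those relationships, plus the completeness of a pasted shared key. The device names, secret file paths and the Site B hostname are assumptions; the two configs are constructed for the example.

```python
"""Consistency check for a shared-key OpenVPN site-to-site pair.

The two configs below are a constructed, simplified equivalent of what pfSense
writes for the Server and Client settings in this article (paths, device names
and the Site B hostname are assumptions).
"""
import ipaddress
import re

# Site B (server): Server tab settings above, as OpenVPN directives.
SITE_B_SERVER = """
dev ovpns1
dev-type tun
proto udp
cipher AES-256-CBC
lport 9876
ifconfig 192.168.204.1 192.168.204.2
route 192.168.10.0 255.255.255.0
secret /var/etc/openvpn/server1.secret
"""

# Site A (client): Client tab settings above, as OpenVPN directives.
SITE_A_CLIENT = """
dev ovpnc1
dev-type tun
proto udp
cipher AES-256-CBC
remote siteb.example.invalid 9876
ifconfig 192.168.204.2 192.168.204.1
route 192.168.20.0 255.255.255.0
redirect-gateway def1
secret /var/etc/openvpn/client1.secret
"""

SITE_A_LAN = ipaddress.ip_network("192.168.10.0/24")
SITE_B_LAN = ipaddress.ip_network("192.168.20.0/24")

KEY_HEADER = "-----BEGIN OpenVPN Static key V1-----"
KEY_FOOTER = "-----END OpenVPN Static key V1-----"


def parse(conf):
    """Map each directive to a list of argument lists; 'route' may repeat."""
    out = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            out.setdefault(key, []).append(args)
    return out


def routed_networks(cfg):
    """Networks a side sends into the tunnel via 'route <net> <mask>'."""
    return {ipaddress.ip_network(f"{a[0]}/{a[1]}") for a in cfg.get("route", [])}


def check_pair(server_conf, client_conf, server_lan, client_lan):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []

    # Transport, cipher and device type must match exactly on both ends.
    for key in ("proto", "cipher", "dev-type"):
        if s.get(key) != c.get(key):
            problems.append(f"{key} differs: server {s.get(key)} vs client {c.get(key)}")

    # The client must dial the port the server listens on (1194 if lport is absent).
    sport, cport = s.get("lport", [["1194"]])[0][0], c["remote"][0][1]
    if sport != cport:
        problems.append(f"port mismatch: server listens on {sport}, client dials {cport}")

    # Tunnel endpoints must mirror each other and the /30 must overlap no LAN.
    s_local, s_peer = s["ifconfig"][0]
    c_local, c_peer = c["ifconfig"][0]
    if (s_local, s_peer) != (c_peer, c_local):
        problems.append("ifconfig endpoints are not mirrored")
    tunnel = ipaddress.ip_network(f"{s_local}/30", strict=False)
    for lan in (server_lan, client_lan):
        if tunnel.overlaps(lan):
            problems.append(f"tunnel network {tunnel} overlaps LAN {lan}")

    # Each side's 'route' must name the OTHER side's LAN, never its own.
    if client_lan not in routed_networks(s):
        problems.append(f"server does not route client LAN {client_lan}")
    if server_lan not in routed_networks(c):
        problems.append(f"client does not route server LAN {server_lan}")
    if client_lan in routed_networks(c):
        problems.append(f"client routes its own LAN {client_lan} into the tunnel")

    # Internet traffic only leaves via Site B if the client redirects its default route.
    if ["def1"] not in c.get("redirect-gateway", []):
        problems.append("client lacks 'redirect-gateway def1'")
    return problems


def static_key_is_complete(text):
    """True if a pasted shared key has its header, footer and all 2048 key bits.

    The '#' comment lines pfSense shows above the header are harmless; a key
    truncated while copying is the usual failure this catches.
    """
    lines = [l.strip() for l in text.strip().splitlines() if not l.lstrip().startswith("#")]
    if len(lines) < 2 or lines[0] != KEY_HEADER or lines[-1] != KEY_FOOTER:
        return False
    body = "".join(lines[1:-1])
    return len(body) == 512 and re.fullmatch(r"[0-9a-fA-F]+", body) is not None
```

Running `check_pair(SITE_B_SERVER, SITE_A_CLIENT, SITE_B_LAN, SITE_A_LAN)` on the two configs as written returns an empty list; swapping the client’s route to its own 192.168.10.0/24 subnet, or changing one side’s port, produces a problem line naming the mismatch, which is the kind of mistake the GUI form does not flag.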

../../_images/openvpn-s2s-vork-15.png

By Vorkbaard, 2013-07-29 - gmail{a}vorkbaard[.]nl