In this article we'll look at setting up a permanent VPN tunnel between two remote sites each with a pfSense router installed and configured.
The principle of the VPN tunnel is simple: one router acts as the server while the other becomes the client. The main advantage of a site-to-site tunnel over a road warrior configuration is that clients do not need to connect individually to the remote site's VPN. The configuration gives clients on both sides the impression of being on a single network, making it easy to share data.
Here we will assume that site 1 hosts the server end of the tunnel and has the LAN 192.168.1.x. Site 2 may be a foreign subsidiary, for example; it will be configured in client mode and has the LAN 192.168.193.x.
Server configuration (site 1)
In the web interface of pfSense 1, go to VPN > OpenVPN and click the "+" icon at the bottom right to create a new VPN configuration. Here are the parameters to enter:
- Protocol: UDP
- Local port: 1193 (I chose a simple naming scheme: remote network 192.168.193.x, port 1193)
- Address pool: 192.168.93.0/24 (likewise, I chose a virtual network that recalls the remote network: 192.168.193.x for the physical network -> 192.168.93.x for the virtual one)
- Cryptography: BF-CBC (128 bit)
- Authentication method: Shared Key
- on a machine where OpenVPN GUI is installed, run the following command (from the easy-rsa directory; openvpn.exe is on the PATH after a standard install):
cd "C:\Program Files\OpenVPN\easy-rsa"
openvpn --genkey --secret SharedKey.key
- Copy the contents of the SharedKey.key file into the Shared Key box of the pfSense interface
- DHCP-Opt.: DNS-Domainname: here you can enter the local domain name that you use
- DHCP-Opt.: DNS-Server: Enter the IPs of the DNS servers of your domain separated by semicolons
- check LZO compression
- Enter a description of the tunnel in the Description box
- click Save
Then you have to add a firewall rule to accept communications on UDP port 1193. To do this, go to Firewall > Rules, select the tab of the interface (line) you will use (e.g. WAN) and click the "+" icon at the bottom right. Here are the parameters to enter:
- Action: Pass
- Protocol: UDP
- Destination port range: from: (other) 1193
- Destination port range: to: (other) 1193
- Gateway: default
- Description: VPN Tunnel
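The shared key generated above is pasted by hand into both routers, and a truncated or corrupted paste is the most common reason a static-key tunnel silently fails to come up. The following Python example, added here and not part of the original article, reproduces the "OpenVPN Static key V1" file layout written by openvpn --genkey --secret (a 2048-bit key as 16 lines of 32 hex digits between BEGIN and END markers), validates pasted key text the way a practitioner would before saving it in pfSense, and prints a short fingerprint that can be compared between the two routers without exposing the key itself. The fingerprint helper is an assumption of this example, not an OpenVPN or pfSense feature.

```python
import hashlib
import re
import secrets

KEY_BYTES = 256            # OpenVPN static keys are 2048 bits = 256 bytes = 512 hex digits
HEX_CHARS_PER_LINE = 32    # genkey writes 16 lines of 32 hex digits
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def generate_static_key(raw=None):
    """Return a key file body in the format produced by `openvpn --genkey --secret`.

    `raw` (256 bytes) may be supplied for reproducible output; by default the key
    material comes from the OS CSPRNG via secrets.token_bytes().
    """
    if raw is None:
        raw = secrets.token_bytes(KEY_BYTES)
    if len(raw) != KEY_BYTES:
        raise ValueError("static key must be exactly %d bytes" % KEY_BYTES)
    hexkey = raw.hex()
    lines = [hexkey[i:i + HEX_CHARS_PER_LINE]
             for i in range(0, len(hexkey), HEX_CHARS_PER_LINE)]
    header = ["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
    return "\n".join(header + lines + [END]) + "\n"


def parse_static_key(text):
    """Validate pasted key text and return the 256 raw key bytes.

    Only the hex digits between the BEGIN and END markers count, whitespace inside
    the block is ignored, and the result must be exactly 2048 bits. Anything else
    raises ValueError, which catches the usual paste accidents: a missing marker,
    a truncated block, or a stray non-hex character.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing BEGIN/END OpenVPN Static key V1 marker")
    start, end = lines.index(BEGIN), lines.index(END)
    if end < start:
        raise ValueError("END marker precedes BEGIN marker")
    body = "".join(lines[start + 1:end])
    if not re.fullmatch(r"[0-9a-fA-F]*", body):
        raise ValueError("non-hex character inside key block")
    if len(body) != KEY_BYTES * 2:
        raise ValueError("key has %d hex digits, expected %d" % (len(body), KEY_BYTES * 2))
    return bytes.fromhex(body)


def is_valid_static_key(text):
    """Boolean wrapper around parse_static_key for quick checks."""
    try:
        parse_static_key(text)
        return True
    except ValueError:
        return False


def key_fingerprint(text):
    """Short SHA-256 fingerprint of the parsed key (hypothetical helper for comparing
    what was pasted on router 1 and router 2 without reading the key aloud)."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()[:16]


if __name__ == "__main__":
    key_text = generate_static_key()
    print(key_text)
    print("valid:", is_valid_static_key(key_text))
    print("fingerprint:", key_fingerprint(key_text))
    # A truncated paste (last line lost) is rejected:
    truncated = "\n".join(key_text.splitlines()[:-2] + [END])
    print("truncated paste valid:", is_valid_static_key(truncated))
```

Run the validator on the text you are about to paste into each Shared Key box; if both fingerprints agree and the text validates, the key material on both routers is identical and complete.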
Client Configuration (site 2)
In the web interface of pfSense 2, go to VPN > OpenVPN and click the "+" icon at the bottom right to create a new VPN configuration. Here are the parameters to enter:
- Protocol: UDP
- Server address: enter the external IP address of the line you will use on the server side
- Server port: 1193
- Interface IP: 192.168.93.0/24
- Remote network: 192.168.1.0/24
- Cryptography: BF-CBC (128 bit)
- Authentication method: Shared key
- Shared key: copy here the contents of the SharedKey.key file generated previously
- check LZO compression
- Custom options: enter the following directive so that clients on site 1 can ping and access site 2 (replacing IP.EXTERNE.LIGNE.ROUTEUR1 with the external IP address of the line used on router 1):
route 192.168.193.0 255.255.255.0 IP.EXTERNE.LIGNE.ROUTEUR1
- Enter a description of the Tunnel in the Description box
- click Save
At this point the VPN tunnel is active; make sure you can ping site 2 clients from site 1 and vice versa.
You can create other VPN tunnels by changing the port and the virtual network, provided of course that the remote site uses an internal network different from those already in use. For example, a remote network 192.168.200.x can use port 1200 and the virtual network 192.168.20.x. However, keep in mind that encryption consumes CPU resources on both routers and, depending on traffic, they can reach saturation more or less quickly.
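Overlapping subnets or a reused UDP port are the usual reasons a second tunnel breaks routing for the first. The following Python example, added here and not part of the original article, checks a tunnel plan for those conflicts before anything is typed into pfSense: every LAN and virtual network must be disjoint from all the others, and every tunnel must listen on its own port. The plan data is constructed for the example from the article's values (site 2 on 192.168.193.x via port 1193 with virtual network 192.168.93.x, plus the 192.168.200.x / 1200 / 192.168.20.x example above); the third site is hypothetical.

```python
import ipaddress

# Constructed plan: site 1 LAN plus the tunnels described in the article.
SITE1_LAN = "192.168.1.0/24"
TUNNELS = [
    {"name": "site2", "port": 1193, "remote": "192.168.193.0/24", "virtual": "192.168.93.0/24"},
    {"name": "site3", "port": 1200, "remote": "192.168.200.0/24", "virtual": "192.168.20.0/24"},
]


def plan_problems(site1_lan, tunnels):
    """Return a list of human-readable conflicts in a site-to-site tunnel plan.

    An empty list means the plan is consistent: no two networks (site 1 LAN,
    each remote LAN, each virtual tunnel network) overlap, and no UDP port is
    used by more than one tunnel on the server router.
    """
    problems = []
    nets = [("site1 LAN", ipaddress.ip_network(site1_lan))]
    ports = {}
    for t in tunnels:
        for role in ("remote", "virtual"):
            nets.append(("%s %s" % (t["name"], role), ipaddress.ip_network(t[role])))
        if not 1 <= t["port"] <= 65535:
            problems.append("%s: invalid UDP port %r" % (t["name"], t["port"]))
        ports.setdefault(t["port"], []).append(t["name"])
    for port, names in ports.items():
        if len(names) > 1:
            problems.append("UDP port %d is shared by %s" % (port, ", ".join(names)))
    # Pairwise overlap check across all networks; ipaddress handles subnet containment.
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            (name_a, net_a), (name_b, net_b) = nets[i], nets[j]
            if net_a.overlaps(net_b):
                problems.append("%s (%s) overlaps %s (%s)" % (name_a, net_a, name_b, net_b))
    return problems


def firewall_rules(tunnels):
    """Summarise the WAN pass rule each tunnel needs on the server router,
    mirroring the Firewall > Rules parameters used in the article."""
    return [{"action": "Pass", "protocol": "UDP", "dest_port": t["port"],
             "description": "VPN Tunnel %s" % t["name"]} for t in tunnels]


if __name__ == "__main__":
    for p in plan_problems(SITE1_LAN, TUNNELS) or ["plan OK"]:
        print(p)
    for rule in firewall_rules(TUNNELS):
        print(rule)
```

Adding a tunnel whose remote LAN is 192.168.1.0/24 or whose port is already 1193 makes plan_problems report the exact collision, which is far cheaper to find here than by debugging why one site can no longer reach the other.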
Tags: OpenVPN , pfSense , VPN