Thursday, May 15, 2008

OpenVPN on PFSense: Site to Site

Assume this scenario:

Office1 LAN: 192.168.0.0/24
Office2 LAN: 192.168.1.0/24

We have to configure the pfSense firewall at each site so that the two networks can reach each other.
One office will be the VPN server, the other will be the VPN client.

NB: if you also have a VPN for road warriors configured, don't change that existing configuration; add a new, separate tunnel for the site-to-site link.

Office1 configuration
Let's configure Office1 as the server.
From the “VPN → OpenVPN” menu, select the “Server” tab and click on “+”.

Use the TCP protocol and, if you have other VPN tunnels, set a different port (in this example I use port 1193). We also have to create a WAN firewall rule permitting inbound connections on this port; restrict the source to the public IP of Office2 where it is static. Note that OpenVPN normally runs over UDP and that carrying TCP traffic inside a TCP tunnel performs poorly (both layers retransmit), so prefer UDP unless something in the path only passes TCP.

“Address pool” must be an independent subnet, different from both the Office1 and Office2 subnets; if it overlaps either LAN, the routes for that LAN and for the tunnel collide.

In the “Remote network” field set the subnet of Office2 (192.168.1.0/24).

Now we have to generate the “Shared key”. Log into the pfSense server of Office1 via SSH, type “8” (shell) and then run this command:

# openvpn --genkey --secret shared.key

This command creates a new static key for this OpenVPN tunnel. Copy the content of the shared.key file into the “Shared key” box of the web interface and press “Save”.

Keep a copy of this shared key: it is needed later on the Office2 server. Transfer it only over a secure channel (for example the SSH session itself); anyone who obtains it can join or decrypt the tunnel.


Office2 configuration

Let's configure Office2 as the client.

From the “VPN → OpenVPN” menu, select the “Client” tab and click on “+”.

Use the “TCP” protocol.

“Server address” must be the public IP of Office1.

“Server port” is the connection port set on the Office1 pfSense (in this example 1193).

“Interface IP” must be the IP address of the local LAN.

“Remote network” must be the subnet of the Office1 LAN (192.168.0.0/24).

Paste the previously generated shared key into the “Shared key” box and then click on “Save”.

Now the VPN tunnel between the two offices should be up and running. Verify it by pinging a host on the remote LAN from each side, and check the system log for OpenVPN errors if the ping fails.
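As an added example (not code from the original post, and not pfSense's own code), the Python script below builds the two sides of the tunnel described above and checks the rule that is easiest to get wrong: the address pool must not overlap either LAN. The tunnel pool 10.0.8.0/24, the Office1 public IP 203.0.113.10 and the exact OpenVPN directives emitted are assumptions for illustration, not taken from the post. The key generator only reproduces the text layout of `openvpn --genkey --secret`; on a real firewall run the openvpn command itself, as the post does.

```python
"""Build a static-key OpenVPN site-to-site pair for the Office1/Office2 scenario.

Added example, not from the original post. Assumed values (not in the post):
the tunnel address pool 10.0.8.0/24 and the Office1 public IP 203.0.113.10
(RFC 5737 documentation range).
"""
import ipaddress
import secrets

OFFICE1_LAN = ipaddress.ip_network("192.168.0.0/24")
OFFICE2_LAN = ipaddress.ip_network("192.168.1.0/24")
TUNNEL_NET = ipaddress.ip_network("10.0.8.0/24")   # assumed "address pool"
OFFICE1_PUBLIC_IP = "203.0.113.10"                  # assumed public IP
PORT = 1193


def check_address_pool(tunnel, *lans):
    """True only if the tunnel pool overlaps none of the office LANs."""
    return not any(tunnel.overlaps(lan) for lan in lans)


def generate_static_key():
    """Return a 2048-bit key in the text layout of `openvpn --genkey --secret`:
    header, 16 lines of 32 hex digits, footer. For demonstration only."""
    body = [secrets.token_hex(16) for _ in range(16)]
    return "\n".join(["-----BEGIN OpenVPN Static key V1-----", *body,
                      "-----END OpenVPN Static key V1-----"]) + "\n"


def tunnel_endpoints(tunnel):
    """First two usable addresses of the pool: (server end, client end)."""
    hosts = tunnel.hosts()
    return str(next(hosts)), str(next(hosts))


def server_config(tunnel, remote_lan, port, key_file="shared.key"):
    """Office1 side: listen on TCP, push the Office2 LAN into the tunnel."""
    local, peer = tunnel_endpoints(tunnel)
    return "\n".join([
        "dev tun",
        "proto tcp-server",
        f"port {port}",
        f"ifconfig {local} {peer}",                       # point-to-point pair
        f"route {remote_lan.network_address} {remote_lan.netmask}",
        f"secret {key_file}",
        "keepalive 10 60",
        "persist-key",
        "persist-tun",
    ]) + "\n"


def client_config(tunnel, server_ip, port, remote_lan, key_file="shared.key"):
    """Office2 side: connect to Office1, mirror the ifconfig pair, route Office1 LAN."""
    server_end, client_end = tunnel_endpoints(tunnel)
    return "\n".join([
        "dev tun",
        "proto tcp-client",
        f"remote {server_ip} {port}",
        f"ifconfig {client_end} {server_end}",           # reversed vs. server
        f"route {remote_lan.network_address} {remote_lan.netmask}",
        f"secret {key_file}",
        "keepalive 10 60",
        "persist-key",
        "persist-tun",
    ]) + "\n"


def build_site_to_site(tunnel=TUNNEL_NET, lan1=OFFICE1_LAN, lan2=OFFICE2_LAN,
                       server_ip=OFFICE1_PUBLIC_IP, port=PORT):
    """Produce both configs and one shared key, refusing an overlapping pool."""
    if not check_address_pool(tunnel, lan1, lan2):
        raise ValueError(f"address pool {tunnel} overlaps an office LAN")
    return {
        "server": server_config(tunnel, lan2, port),
        "client": client_config(tunnel, server_ip, port, lan1),
        "key": generate_static_key(),   # same key goes on both firewalls
    }


if __name__ == "__main__":
    pair = build_site_to_site()
    print("--- Office1 (server) ---\n" + pair["server"])
    print("--- Office2 (client) ---\n" + pair["client"])
```

The `ifconfig` pair is deliberately reversed between the two files and the `route` on each side names the other office's LAN; those two details are what the pfSense "Address pool" and "Remote network" fields map to, and getting either one backwards is the usual reason a tunnel comes up but traffic does not flow.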

4 comments:

Anonymous said...

Thanks for posting the simple step-by-step instructions.
I was hunting for info on this topic as I will have to build a VPN like that and I think this will help me.
Maybe I will just use UDP instead of TCP.
Take care.

tj
igrp@comcast.net

Anonymous said...

Thanks ! It worked fine here.

Unknown said...

Yeah, I like pfSense too. Here is about my pfSense: http://gchangetok.blogspot.com,
nice to meet you sir,

Cake Pop Products said...

Good job