pfSense English Support > OpenVPN

Site-To-Site OpenVPN using PKI (something of a howto)


This is a guide for VPN-ing a dozen or more sites using PKI.  If you only wish to VPN 2 or 3 sites together, the OVPN shared key method will certainly be simpler.  The stalwart board moderator GruensFroeschli has suggested the following, and I wholeheartedly concur: "Up to 5 sites I wouldn't bother setting up a PKI."

Earlier this year, I wanted to set up a VPN connection between about 12 offices.  Several threads on this forum, particularly,9624.0.html, helped get me started.

Basically, I needed each branch to be able to route to the home office network, and the home office network to be able to route to each of the branch office networks (but the branches did not need to route each other).

(Just to be clear on this approach: all machines from the home network can reach all machines in the client networks.  Similarly, all machines in the client networks can reach all machines in the home network.  However, machines in a given client network cannot typically reach machines in a different client network.  I believe it is possible to extend this approach to allow client networks to intercommunicate, but I have not done so.)

It is a sort of hub and spoke model.  For us, this allowed everyone to share/print documents through a file/print server located in the home office.  And for me, this allowed for fairly easy addition of new satellites.  

If you have similar needs, then the following information might help you.  It is scaled down to 4 networks.

The home network should have a fixed IP address, but the satellites need not.  A funky dyndns name for the home network might be sufficient, but I haven't run it with anything like that.

For simplicity's sake, the home network is the 10.9 class B, and each of the satellite offices is a Class C located in the 10.10 block.  Each site is located behind a pfsense box.  An additional network, required by OpenVPN to mediate communication, I located in the 10.8 block (somewhat arbitrarily).


                  Sat0 (10.10.0/24)
                 /
  Home (10.9/16) ---- Sat1 (10.10.1/24)
                 \
                  Sat2 (10.10.2/24)

Before getting started in earnest, configure the (home network) firewall to allow for incoming 1194 UDP connections.  The rule should look something like this:

  Proto: UDP | Source: * | Port: * | Destination: WAN address | Port: 1194 (OpenVPN) | Gateway: * | Schedule: * | Description: OVPN

Unless you have unusually restrictive firewall rules at your satellite offices, that should be the only firewall rule you'll need.

So, first we need to do some PKI.  Specifically, we need a server key for the home network and a regular key for each satellite network.  For the purposes of this thread, I'm naming the home key home, and the satellite keys sat0, sat1, and sat2.

There are several good tutorials for generating these here in the forums.  The only thing that I'll add here is that the file/common names of the satellite office keys are very important to keep straight, as they are relevant later in the configuration.

You will need to have ca.crt, dh1024.pem, home.key, home.crt, sat0.key, sat0.crt, sat1.key, sat1.crt, sat2.key, and sat2.crt handy to continue.  And be sure not to lose ca.key.

Now, let's get to work on the home office router.  Under VPN -> OpenVPN -> Server, click on the plus sign to add a new server, and we'll get to work.

First, scroll down a bit and change Authentication Method from Shared Key to PKI (Public Key Infrastructure).  Doing this changes which fields are enabled and disabled on the form.

  Disable this tunnel: uncheck
  Protocol: UDP
  Dynamic IP: check
  Local port: 1194
  Address pool: 10.8.1.0/24
  Use static IPs: uncheck
  Local network: leave blank
  Remote network: leave blank
  Client-to-client VPN: check
  Cryptography: BF-CBC (128-bit)
  Authentication Method: PKI (Public Key Infrastructure)
  Shared key: leave blank
  CA certificate: copy your ca.crt
  Server certificate: copy your home.crt
  Server key: copy your home.key
  DH parameters: copy your dh1024.pem
  a whole bunch of DHCP options: leave 'em alone
  LZO compression: check
  Custom options: route;push "route"
  Description: site-to-site

Go ahead and click save.  We should now have an entry under the server tab looking something like this:

If you're paying close attention, the custom options probably jumped out at you.  They are the first bit of OpenVPN black magic necessary to get this to work and essentially translate to

  attn: home      please route all 10.10/16 traffic into the VPN
  attn: all sats  please route all 10.9/16 traffic into the VPN

But they aren't quite enough on their own.  Sadly, we'll need an entry under the Client-specific configuration for each of the Satellite offices.

So, under VPN -> OpenVPN -> Client-specific configuration, click on the plus sign to add a new satellite entry.  Note: still on the home router.

  Disabled: uncheck
  Common name: sat0   (this MUST match your sat0 key common name!!!)
  Blocked: uncheck
  Push reset: uncheck
  Interface IP: leave blank
  Custom options: iroute   (MUST match the sat0 network)
  Description: 10.10.0.0/24   (using the network here makes the display look nice)

Click save.

This is the second (and last) bit of OpenVPN black magic.  This whole entry essentially translates to:

  attn: home      please internally route all 10.10.0/24 traffic to sat0
So we've created an entry for sat0.  We also need to create entries (still under Client-specific configuration) for sat1 and sat2.  Here's an abbreviated table showing those values:

                     values for sat1     values for sat2
  Common name        sat1                sat2
  Custom options     iroute              iroute
Once you're finished, the Client-specific configuration tab should look something like:

Just a warning, I have at times messed up one of these entries and broken VPN functionality for other entries.  So try to get these right the first time.

Now, we configure the (much simpler) clients.  Bring up the sat0 router (10.10.0/24) and we'll begin at VPN -> OpenVPN -> Client tab.  Click on the plus to add a new client.

  Disable this tunnel: uncheck
  Protocol: UDP
  Server address: the public IP of the home network
  Server port: 1194
  Interface IP: leave blank
  Remote network: leave blank
  Proxy Host: leave blank
  Proxy port: 3128
  Cryptography: BF-CBC (128-bit)
  Authentication method: PKI (Public Key Infrastructure)
  Shared key: leave blank
  CA certificate: copy your ca.crt
  Client certificate: copy your sat0.crt
  Client key: copy your sat0.key
  LZO compression: enable   (just make sure you're consistent with the server here)
  Limit outgoing bandwidth: leave blank
  Dynamic source port: uncheck
  Custom options: leave blank
  Description: sat0
Click save.

You should note that there is no real black magic here.  We already baked most of the voodoo into the client-specific configs.

Rather than finishing up the configs for your other 2 satellites, stop to do some testing here.  You should be able to ping an arbitrary machine on the satellite network from the home office network.  The converse should work as well.  (I'll warn you that Windows firewall blocking pings has often made this process more infuriating than it should be for me.)

The OpenVPN logs, accessible under the Status -> System logs -> OpenVPN tab, are your main tool for tracking down any configuration errors.

Assuming that everything works, then great.  Let's go ahead and create OpenVPN clients for your other two satellites.  The only differences among the 3 satellite configurations are the key and cert you paste into the form (and possibly the description).



In order to add a new Satellite office, say sat3 using the 10.10.3/24 block:

* create a new key/crt with common name sat3
* create a new OpenVPN Client-specific configuration entry on the home office server binding sat3 to the custom option iroute
* create an OpenVPN Client entry on the sat3 router, using the new keys
* enjoy the simplicity you reap now after fighting through the complexity earlier
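The "black magic" above (the server's route / push "route" pair plus one iroute per satellite) is easy to state as plain OpenVPN directives, and the mistakes the howto warns about (a common name that does not match a certificate, an iroute outside the routed block, one client-specific entry breaking the others) can be checked before anything is pasted into a form.  The script below is an added example, not the original poster's configuration or anything pfSense generates: it assumes the address plan from the post (home 10.9/16, satellites inside 10.10/16, tunnel pool 10.8.1.0/24), and the function and type names are its own.  It emits the server's Custom options string and the per-satellite iroute lines that pfSense's Client-specific configuration entries become (OpenVPN's client-config-dir files, named after each certificate's common name), and it goes a little beyond the post's three sites by rejecting duplicate common names, overlapping satellite networks and networks outside the routed block.

```python
"""Hub-and-spoke OpenVPN routing plan: generate and sanity-check the
route / push "route" / iroute directives behind the pfSense forms.

Added example, not from the original forum post.  The address plan is
the post's (home 10.9/16, satellites inside 10.10/16, tunnel pool
10.8.1.0/24); the Satellite type and function names are this example's own.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Satellite:
    common_name: str  # must equal the CN in that site's certificate (sat0 <-> sat0.crt)
    network: str      # the LAN behind that site's router, in CIDR form


# Constructed to match the post's topology.
HOME_NET = ipaddress.ip_network("10.9.0.0/16")      # LAN behind the home router
SAT_SUPERNET = ipaddress.ip_network("10.10.0.0/16")  # block every satellite LAN lives in
TUNNEL_POOL = ipaddress.ip_network("10.8.1.0/24")    # the Server form's "Address pool"
SATELLITES = [
    Satellite("sat0", "10.10.0.0/24"),
    Satellite("sat1", "10.10.1.0/24"),
    Satellite("sat2", "10.10.2.0/24"),
]


def netmask_form(net):
    """OpenVPN route directives take 'network netmask', not CIDR."""
    return f"{net.network_address} {net.netmask}"


def validate(satellites, home_net=HOME_NET, supernet=SAT_SUPERNET, pool=TUNNEL_POOL):
    """Return a list of problems; an empty list means the plan is consistent.

    Each check maps to a way one client-specific entry can break the whole
    VPN: a repeated common name, an iroute the server's 'route' line never
    sends into the tunnel, or two satellites claiming the same address space.
    """
    problems = []
    seen_cns = set()
    claimed = []  # (common_name, network) pairs already accepted
    for sat in satellites:
        if sat.common_name in seen_cns:
            problems.append(f"duplicate common name {sat.common_name!r}")
        seen_cns.add(sat.common_name)
        try:
            net = ipaddress.ip_network(sat.network, strict=True)  # host bits set -> error
        except ValueError as exc:
            problems.append(f"{sat.common_name}: bad network {sat.network!r} ({exc})")
            continue
        if not net.subnet_of(supernet):
            problems.append(f"{sat.common_name}: {net} is not inside the routed block {supernet}")
        for other_cn, other in claimed:
            if net.overlaps(other):
                problems.append(f"{sat.common_name}: {net} overlaps {other_cn} ({other})")
        claimed.append((sat.common_name, net))
    # The three address ranges must be disjoint or the kernel routes collide.
    ranges = [("home LAN", home_net), ("satellite block", supernet), ("tunnel pool", pool)]
    for i, (a_name, a) in enumerate(ranges):
        for b_name, b in ranges[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name} {a} overlaps {b_name} {b}")
    return problems


def custom_options(home_net=HOME_NET, supernet=SAT_SUPERNET):
    """The two directives typed into the Server form's Custom options box.

    'route' puts the whole satellite block into the tunnel on the home
    router; push "route" hands every connecting satellite its return route
    to the home LAN.  pfSense derives server/ca/cert/key/dh from the other fields.
    """
    return [f"route {netmask_form(supernet)}", f'push "route {netmask_form(home_net)}"']


def custom_options_field(directives):
    """pfSense's Custom options box separates several directives with ';'."""
    return ";".join(directives)


def ccd_files(satellites):
    """One client-config-dir file per satellite, keyed by certificate CN.

    This is what a Client-specific configuration entry becomes: 'iroute'
    tells the OpenVPN daemon which connected client owns which subnet, since
    the kernel 'route' above only carries traffic as far as the tunnel interface.
    """
    return {
        sat.common_name: f"iroute {netmask_form(ipaddress.ip_network(sat.network))}"
        for sat in satellites
    }


def build(satellites=SATELLITES):
    """Validate the plan, then return (custom options string, {cn: ccd contents})."""
    problems = validate(satellites)
    if problems:
        raise ValueError("; ".join(problems))
    return custom_options_field(custom_options()), ccd_files(satellites)


if __name__ == "__main__":
    opts, ccd = build()
    print("Server -> Custom options:", opts)
    for cn, contents in ccd.items():
        print(f"ccd/{cn}: {contents}")
```

Adding sat3 is a matter of appending `Satellite("sat3", "10.10.3.0/24")` and re-running: the validator rejects it if the network falls outside 10.10/16 or collides with an existing site, which is exactly the kind of entry the howto says tends to take the other satellites down with it.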

Thanks for this excellent How-To. I think this should be made sticky and also be put on the Documentation-Wiki.

Stickied and I fixed your tables :)

Sorry about the tables (thanks for all your hard work here on the forums, GruensFroeschli).

Anyway, I'll try to touch up this little howto when pfsense 2.0 gets released.

Added a caveat about how many networks should be involved before using this technique.

