- »
- Virtual Private Networking »
- Setup SSL VPN site to site tunnel
Site to site VPNs connect two locations with static public IP addresses and allowtraffic to be routed between the two networks. This is most commonly used toconnect an organization’s branch offices back to its main office, so branch userscan access network resources in the main office.
Index
Setup SSL VPN site to site tunnel
Before you start
Network topology
Preparations
Trust
Static keys
Prepare Site A
Create a server instance (Site B)
Create a client instance (Site A)
Test connectivity
Before you start¶
Before starting with the configuration of an OpenVPN SSL tunnel you need to have aworking OPNsense installation with a unique LAN IP subnet for each side of yourconnection (your local network needs to be different than that of the remotenetwork).
Note
For the sample we will use a private IP for our WAN connection.This requires us to disable the default block rule on WAN to allow private traffic.To do so, go to Interfaces ‣ [WAN] and uncheck “Block private networks”.(Don’t forget to save and apply)
Network topology¶
The schema below describes the situation we are implementing. Two networks (A,B) and a transit network (10.10.8.0/24)to peer both firewalls. We will create a tunnel network 10.1.8.0/24
between both sites.
Preparations¶
Trust¶
In order to setup a tunnel on both ends, we need to configure certificates to warrant trust between both machines.We have chosen to setup the server on “Site B”, so we start with Trust configuration there.
First we need an Authority which we are going to create in System ‣ Trust ‣ Authorities
Select Create an internal Certificate Authority
Choose cryptographic settings and a lifetime (you may want to increase the default as after this time you do need to redistribute certificates to both server and client).
Add descriptive information for this CA (Descriptive name, City, Email, ..`)
Set the Common Name to something descriptive for this certificate, like “Office-ovpn”
Next generate a Certficate for the server using System ‣ Trust ‣ Certificates
Select Create an internal Certificate
Choose the just created authority in Certificate authority
Add descriptive information for this CA (Descriptive name, whereabouts are copied from the CA)
Set Type to Server
Choose cryptographic settings, lifetime determines the validaty of the server certificate (you do need to track this yourself), it’s allowed to choose a longer period here
Set the Common Name to the fqdn of this machine.
As the client (Site A) will also need a Certificate, we need to create a certificate, also using System ‣ Trust ‣ Certificates
Select Create an internal Certificate
Choose the just created authority in Certificate authority
Add descriptive information for this CA (Descriptive name, whereabouts are copied from the CA)
Set Type to Client
Choose cryptographic settings, lifetime determines the validaty of the server certificate (you do need to track this yourself), it’s allow to choose a longer period here
Set the Common Name to username the other end will use for identification. For this example we use
test-client
Note
It’s a best practice to offer each user it’s own certificate using the same common name as the username, althoughit is also possible to clients to share a certificate. When adding a certificate from the user manager the CN is automaticallyset to its name. In this example we will only authenticate using the certificate, no additional user or password will be required.
Static keys¶
We create a static key and define it’s use in VPN ‣ OpenVPN ‣ Instances ‣ Static Keys, for this exampleselect auth as mode and click the gear button to generate one. Provide a description for this key.
Prepare Site A¶
Copy the public part of the certificate authority to the firewall at Site A (use the download button and copy the contents into a new CA on this host)
Copy the public and private part of the client certificate into a new one on Site A
Copy the contents of the static key to a new entry and select the same type
Create a server instance (Site B)¶
Now the generic setup is done, we can configure a new server type instance via VPN ‣ OpenVPN ‣ Instances
Property | site B |
---|---|
Role | Server |
Description | MyServer |
Protocol | UDP (IPv4) |
Port number | 1194 |
Bind address | 10.10.8.2 1 |
Server (IPv4) | 10.1.8.0/24 (the tunnel network used) |
Certificate | choose the prepared server certificate |
TLS static key | choose the prepared static key |
Local Network | 192.168.8.0/24 |
Remote Network | 10.0.8.0/24 2 |
Note 1
Leave empty to bind to all addresses assigned to this machine or use a loopback address combined with a port forward whenthe external address is not static.
Note 2
The network(s) served by this openvpn instance, after startup routes will be created. In order to bindthe network to the correct client a Client Specific Overwrite is also needed.
Hit the apply button when the instance is configured and add a client specific overwrite in VPN ‣ OpenVPN ‣ Client Specific Overrides
Property | site B |
---|---|
Servers | leave empty or select our server |
Common name | test-client |
Remote Network | 10.0.8.0/24 1 |
Note 1
The remote network bound to this common name, without this entry the traffic will not be routed between hosts.
Next go to Firewall ‣ Rules ‣ WAN and add a rule to allow traffic on port 1194/UDP
from the otherhost. At minimum we should add a rule similar to this one:
Property | site B |
---|---|
Interface | WAN |
Protocol | UDP |
Destination port range | 1194 |
Finally we are going to allow traffic on the tunnel itself by adding a rule to Firewall ‣ Rules ‣ OpenVPN,for this example we keep it simple and add one to allow all, in which case we can save the defaults when adding a rule.
Create a client instance (Site A)¶
With the server in place it’s time to setup the client on OPNsense, for this we go to VPN ‣ OpenVPN ‣ Instancesand add a new instance using the following settings.
Property | site A |
---|---|
Role | Client |
Description | MyClient |
Protocol | UDP (IPv4) |
Remote | 10.10.8.2 |
Certificate | choose the prepared client certificate |
TLS static key | choose the prepared static key |
Remote Network | 192.168.8.0/24 |
Test connectivity¶
Use the VPN: OpenVPN: Connection Status page to watch the status of both server and client, whenpassing traffic over the link on both ends the counters should increase.
Now try to ping from Site A (10.0.8.20
) to Site B (192.168.8.20
).