Installation of OPNsense OpenVPN instances site-to-site
The open source firewall OPNsense supports several technologies for setting up VPN (Virtual Private Network) connections. In this example, we show how to set up a site-to-site VPN connection between two OPNsense firewalls using OpenVPN. These instructions use the Instances menu introduced with OPNsense 23.7 and were created on OPNsense 25.1.7_4-amd64.
Explanation of topology
This section gives a compact summary of the configured topology and the most important settings of the OpenVPN tunnel.
HA cluster and OpenVPN
If you use an OPNsense high availability cluster as the OpenVPN server, the virtual WAN IP address must be set as the server address. [1]
Site A
- OPNsense OpenVPN server
- local network: 192.168.1.0/24
- WAN-IP: 100.64.2.1
Site B
- OPNsense OpenVPN "client"
- local network: 192.168.2.0/24
- WAN-IP: 100.64.2.2
OpenVPN settings
- port: 1194
- protocol: UDP
- topology: subnet
- transfer network: 100.64.100.0/24
- TLS static key with mode crypt
Installation of OpenVPN site-to-site
To set up an OpenVPN site-to-site connection with Instances, the following steps are necessary:
Configuration of OpenVPN instance site A (server)
- create Certificate Authority
- create server certificate for site A (server)
- create client certificate for site B (client)
- create firewall rules for WAN and OpenVPN
- create OpenVPN server
- create client specific overrides
- export Certificate Authority
- export client certificate
Configuration of OpenVPN instance site B (client)
- import Certificate Authority
- import client certificate
- create firewall rules for WAN and OpenVPN
- configure OpenVPN instances client
Configuration steps OpenVPN instance site A (server)
The following screenshots show the steps that are necessary on the OpenVPN Instances server side (site A).
Menu 'Trust'
First, the Certificate Authority is created. Both the server and the client certificate are then issued by this CA.
- In the OPNsense web interface, switch to the menu System → Trust → Authorities. Click on the orange plus and choose "Create an internal Certificate Authority" for Method. Fill in the data for the certificate and click on Save.
- Switch to the menu Certificates and click on the orange plus to create a new internal certificate for the server. Choose "Server Certificate" in the dropdown menu Type.
- For Issuer, use the previously created internal CA. Check the automatically set values and click on Save.
- Click once again on the orange plus and create a second certificate for the VPN client. Choose "Client Certificate" in the dropdown menu Type.
- For Issuer, again use the internal CA that was created previously. Verify the settings and click on Save.
- Now a certificate for the OpenVPN server and one for the client have been created.
Firewall rules
In order for the OpenVPN service to accept connection requests from outside, the port set in the OpenVPN server configuration must be opened on the WAN interface of the firewall.
- Navigate to Firewall → Rules → WAN (or to the appropriate interface name of your WAN connection) and create a new rule with the + button. This rule should allow the incoming traffic to the destination OpenVPN.
- Verify the settings and click on Save.
- Activate the rule via Apply changes.
OpenVPN instances site A (server)
After the preparatory steps above, the OpenVPN instance for site A (server) can be created with the Instances configuration method.
- First, a static key is created in the Static Keys tab. It is used for encryption and authentication. Enter a description, set Mode to crypt (encrypt and authenticate) and click on the button to generate a new static key. Once the 2048-bit key has been generated, click on Save.
- Switch to the Instances tab and click on the orange plus to create a new OpenVPN server. Enter the corresponding data. In this case, Bind address is the IP address of the WAN interface and Server (IPv4) is the OpenVPN transfer network. The TLS static key can be selected in the corresponding configuration line.
- Specify the remaining settings of the VPN tunnel and click on Save.
- The OpenVPN server is now created. Click on Apply.
OpenVPN interface firewall rule
There is now one additional interface, the OpenVPN interface. Here you control the traffic inside the OpenVPN tunnel. In this example, any traffic is allowed; you can also set this up more granularly and restrictively.
- Navigate to Firewall → Rules → OpenVPN and create a new rule with the + button.
- Click on Save.
- Activate the rule by clicking on Apply changes.
Client specific overrides
An OpenVPN server for a site-to-site connection is created here. The client specific override ensures that the server knows to which endpoint it should send the data for a given remote network. Multiple remote sites can be connected to a central OpenVPN server in this way.
- Switch from the menu Instances to Client Specific Overrides and click on the orange plus to create a new entry. It is important that the Common Name is set exactly as it is entered in the CN of the client's certificate. For IPv4 tunnel network, enter an IP address from the OpenVPN tunnel network. 100.64.100.1 is reserved for the server and 100.64.100.2 is only valid for the first client.
- Local network is the network behind the OpenVPN server and Remote network is the network behind the client. After this, click on Save.
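To make the role of the client specific override concrete, the following added example (not code from the article or from OPNsense) renders the per-client configuration OpenVPN itself reads for an override and checks a set of overrides for the mistakes that typically break a hub with several sites: a tunnel address that is reserved for the server or already used, and remote networks that overlap each other or the server's local network. The tunnel network, server address and site networks are the values from the topology above; the class and function names are my own, and the "route" lines in server_routes reflect the general OpenVPN rule that an iroute needs a matching kernel route on the server.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Values from the topology of this article
TUNNEL_NET = ipaddress.ip_network("100.64.100.0/24")          # transfer network, topology subnet
SERVER_TUNNEL_IP = ipaddress.ip_address("100.64.100.1")       # reserved for the server
SERVER_LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # network behind site A


@dataclass
class ClientOverride:
    common_name: str            # must equal the CN in the client's certificate
    tunnel_ip: str              # "IPv4 tunnel network" address assigned to this client
    remote_networks: List[str]  # networks behind this client


def render_ccd(override: ClientOverride,
               tunnel_net=TUNNEL_NET, local_nets=SERVER_LOCAL_NETS) -> str:
    """Render the per-client file OpenVPN reads from its client-config-dir:
    the tunnel address, one iroute per remote network (so the server knows
    which client owns that network) and a pushed route for each local network."""
    ip = ipaddress.ip_address(override.tunnel_ip)
    lines = [f"ifconfig-push {ip} {tunnel_net.netmask}"]
    for net in map(ipaddress.ip_network, override.remote_networks):
        lines.append(f"iroute {net.network_address} {net.netmask}")
    for net in local_nets:
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return "\n".join(lines) + "\n"


def server_routes(overrides: List[ClientOverride]) -> List[str]:
    """iroute only tells OpenVPN which client a network belongs to; the server's
    kernel still needs a matching 'route' so packets enter the tunnel at all."""
    return [f"route {net.network_address} {net.netmask}"
            for o in overrides
            for net in map(ipaddress.ip_network, o.remote_networks)]


def validate_overrides(overrides: List[ClientOverride],
                       tunnel_net=TUNNEL_NET, server_ip=SERVER_TUNNEL_IP,
                       local_nets=SERVER_LOCAL_NETS) -> List[str]:
    """Return a list of configuration problems (an empty list means consistent)."""
    problems: List[str] = []
    seen_cn = set()
    seen_ip = {}
    seen_nets = []  # (common_name, network) already claimed by a client
    for o in overrides:
        cn = o.common_name
        if cn in seen_cn:
            problems.append(f"{cn}: duplicate common name")
        seen_cn.add(cn)

        ip = ipaddress.ip_address(o.tunnel_ip)
        if ip not in tunnel_net:
            problems.append(f"{cn}: {ip} is not inside tunnel network {tunnel_net}")
        elif ip == server_ip:
            problems.append(f"{cn}: {ip} is reserved for the server")
        elif ip in (tunnel_net.network_address, tunnel_net.broadcast_address):
            problems.append(f"{cn}: {ip} is the network or broadcast address")
        if ip in seen_ip:
            problems.append(f"{cn}: tunnel address {ip} already used by {seen_ip[ip]}")
        seen_ip[ip] = cn

        for net in map(ipaddress.ip_network, o.remote_networks):
            for local in local_nets:
                if net.overlaps(local):
                    problems.append(f"{cn}: remote {net} overlaps server-side network {local}")
            for other_cn, other in seen_nets:
                if net.overlaps(other):
                    problems.append(f"{cn}: remote {net} overlaps {other} of {other_cn}")
            seen_nets.append((cn, net))
    return problems


# Constructed sample: site B from this article plus a second, misconfigured client.
SITE_B = ClientOverride("site-b", "100.64.100.2", ["192.168.2.0/24"])
SITE_C_BAD = ClientOverride("site-c", "100.64.100.1", ["192.168.1.0/24"])

if __name__ == "__main__":
    print(render_ccd(SITE_B))
    print("\n".join(server_routes([SITE_B])))
    for p in validate_overrides([SITE_B, SITE_C_BAD]):
        print("problem:", p)
```

Running the block prints the override for site B as OpenVPN would see it and reports that site C uses the server's reserved address and claims the server's own local network; adding further sites to the list is enough to check a whole star of clients before any tunnel is brought up.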
Configuration steps OpenVPN instance client(s)
This section shows the steps that are necessary for the OpenVPN instance of site B (client). Several clients can be connected to one OpenVPN server in a star topology; the communication is controlled via individual client specific overrides.
Menu 'Trust'
For this client, the CA and the client certificate that were created on the OpenVPN server before must be imported in the menu Trust.
- In the OPNsense web interface of the client, switch to the menu System → Trust → Authorities. Click on the orange plus and choose "Import an existing Certificate Authority" for Method. Enter the exported CA data and click on Save.
- In the OPNsense web interface of the client, switch to the menu System → Trust → Certificates. Click on the orange plus and choose "Import an existing Certificate" for Method. Enter the exported certificate data and click on Save.
Firewall rules
The firewall rules for the WAN interface must be set analogously to the OpenVPN server configuration.
Configuration of OpenVPN instances site B (client)
After the preparatory steps above, the OpenVPN client can now be created with the Instances configuration method.
- First, the static key is created in the Static Keys tab. Copy the TLS key of the OpenVPN server and paste it into the field Static key. After this, click on Save.
- Switch to the Instances tab and click on the orange +. Select client for Role and set the values to match the server instance. The Remote line contains the publicly accessible WAN IP of the OpenVPN server and its port.
- After this, click on Save.
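The static key generated on the server (Static Keys tab, mode crypt) and pasted into the client above must be identical on both sides, and the usual failure is an incomplete copy and paste. The following added example (not code from the article or from OPNsense) builds a key in the "OpenVPN Static key V1" file format the GUI shows, parses a pasted copy, reports why a copy is unusable, and compares a short fingerprint so the two sides can be checked without comparing 512 hex characters by eye. The sample key is constructed from the bytes 0 to 255 and is not a key for real use; the function names are my own.

```python
import hashlib
import secrets
from typing import Optional

# 2048-bit key, as the Static Keys tab (and "openvpn --genkey") produce it
KEY_BYTES = 256
HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"


def generate_static_key(key_bytes: Optional[bytes] = None) -> str:
    """Return a key in OpenVPN 'Static key V1' format: the header line,
    16 lines of 32 hex characters (256 bytes in total) and the footer line."""
    raw = secrets.token_bytes(KEY_BYTES) if key_bytes is None else key_bytes
    if len(raw) != KEY_BYTES:
        raise ValueError(f"static key must be exactly {KEY_BYTES} bytes")
    hexed = raw.hex()
    lines = [hexed[i:i + 32] for i in range(0, len(hexed), 32)]
    return "\n".join([HEADER, *lines, FOOTER]) + "\n"


def parse_static_key(text: str) -> bytes:
    """Parse key text as pasted into the client's Static key field.
    Surrounding whitespace and '#' comment lines (openvpn --genkey writes some
    above the header) are ignored; the rest must be the header, hex lines, footer."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if len(lines) < 2 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("missing BEGIN/END 'OpenVPN Static key V1' lines")
    try:
        raw = bytes.fromhex("".join(lines[1:-1]))
    except ValueError as exc:
        raise ValueError("key body is not hexadecimal") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(raw)} "
                         "(incomplete copy and paste?)")
    return raw


def validate_static_key(text: str) -> Optional[str]:
    """Return None if the text is a complete key, otherwise the reason it is not."""
    try:
        parse_static_key(text)
    except ValueError as exc:
        return str(exc)
    return None


def key_fingerprint(text: str) -> str:
    """Short SHA-256 fingerprint of the raw key bytes, to compare server and client."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()[:16]


def keys_match(server_key: str, client_key: str) -> bool:
    """True when both sides hold the same key (whitespace differences ignored)."""
    return parse_static_key(server_key) == parse_static_key(client_key)


# Constructed, deterministic sample key (NOT a key to use anywhere): bytes 0..255.
SAMPLE_KEY = generate_static_key(bytes(range(KEY_BYTES)))
# A copy where the last hex line was lost while pasting.
TRUNCATED_KEY = "\n".join(SAMPLE_KEY.splitlines()[:-2] + [FOOTER]) + "\n"

if __name__ == "__main__":
    print(SAMPLE_KEY)
    print("fingerprint:", key_fingerprint(SAMPLE_KEY))
    print("truncated copy:", validate_static_key(TRUNCATED_KEY))
```

The fingerprint is the practical part: compute it from the key text on the server and from what was pasted on the client; if the two values differ, the tunnel will fail TLS handshake regardless of how correct the rest of the instance settings are.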
OpenVPN interface firewall rules
There is also a new interface on the client, the OpenVPN interface. It must be configured analogously to the server side. The configuration is now complete and a connection should be possible.
Testing the connection
Verify that the client connects to the server. The status can be seen on both client and server in the web interface under VPN → OpenVPN → Connection Status.
- Successful connection setup on the OpenVPN server side.
- Routes to the target network behind the client firewall were successfully set.
- Successful connection setup on the client side.
- Ping from the local network of the OpenVPN server firewall to the target network behind the client firewall was successful.
- Ping from the local network of the OpenVPN client firewall to the target network behind the server firewall was successful.
Troubleshooting
This section shows different troubleshooting options to find mistakes in the configuration.
- Ping: send a ping to an IP address in the target network.
- Packet capture on the firewall interfaces with tcpdump:
  - server side: tcpdump -n -i ovpns1
  - client side: tcpdump -n -i ovpnc1
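Reading the capture is the actual troubleshooting step, so here is an added example (not code from the article) that pairs ICMP echo requests with their replies in tcpdump -n output from the tunnel interface and turns the result into the next thing to check. The capture lines are constructed in the format tcpdump prints for ICMP, using the site networks from the topology above; the function names and the diagnosis wording are my own.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# One line of "tcpdump -n -i ovpns1" output for an ICMP echo packet, e.g.
# 12:00:01.000001 IP 192.168.1.10 > 192.168.2.10: ICMP echo request, id 1234, seq 1, length 64
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

Flow = Tuple[str, str, int, int]  # (pinging host, pinged host, icmp id, seq)


def analyze_icmp(lines: List[str], local_net: str, remote_net: str) -> Dict:
    """Pair echo requests from local_net to remote_net with their replies.
    Other traffic on the tunnel interface (e.g. pings between the tunnel
    addresses themselves) is counted as ignored, not as a failure."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    requests: List[Flow] = []
    replied = set()
    ignored = 0
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            if src in local and dst in remote:
                requests.append((m["src"], m["dst"], ident, seq))
            else:
                ignored += 1
        else:  # a reply travels the other way: key it by the original request
            if src in remote and dst in local:
                replied.add((m["dst"], m["src"], ident, seq))
            else:
                ignored += 1
    unanswered = [r for r in requests if r not in replied]
    return {"requests": len(requests), "replies": len(replied),
            "unanswered": unanswered, "ignored": ignored}


def diagnose(result: Dict) -> str:
    """Map the counts to the usual next check for a site-to-site tunnel."""
    if result["requests"] == 0:
        return ("no echo requests reached the tunnel interface: check the route to the "
                "remote network (client specific override / remote networks) and the ping source")
    if result["replies"] == 0:
        return ("requests enter the tunnel but no reply comes back: check the OpenVPN "
                "interface firewall rule and the local/remote networks on the far side")
    if result["unanswered"]:
        return (f"{len(result['unanswered'])} of {result['requests']} requests unanswered: "
                "check whether the unanswered targets exist and answer ICMP")
    return "all requests answered: the tunnel forwards traffic in both directions"


# Constructed sample capture (not real output from the article's firewalls)
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.10 > 192.168.2.10: ICMP echo request, id 1234, seq 1, length 64
12:00:01.000500 IP 192.168.2.10 > 192.168.1.10: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000001 IP 192.168.1.10 > 192.168.2.10: ICMP echo request, id 1234, seq 2, length 64
12:00:03.000001 IP 192.168.1.10 > 192.168.2.20: ICMP echo request, id 1234, seq 1, length 64
12:00:03.500000 IP 100.64.100.2 > 100.64.100.1: ICMP echo request, id 99, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    r = analyze_icmp(SAMPLE_CAPTURE, "192.168.1.0/24", "192.168.2.0/24")
    print(r)
    print(diagnose(r))
```

In practice you would pipe the live capture into the script (tcpdump -n -i ovpns1 icmp) or save it with -w and analyze it afterwards; the useful distinction is between requests never appearing on the tunnel interface (a routing problem on the near side) and requests appearing without replies (a firewall rule or network definition problem on the far side).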
References
- [1] high availability (docs.opnsense.org)
Author: Thomas Niedermeier. Thomas Niedermeier, working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas has been employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.