How To Setup A Peer to Peer / Site to Site VPN Using OpenVPN On pfSense

Captions
All right, this video is for setting up a VPN between two pfSense boxes in a peer-to-peer setting. This is going to be using OpenVPN. I have pfSense, the latest version as of November 2017, which is 2.4, loaded on these. The lab network, as I call it, is my 192.168.3.0 network, and that's what each of these boxes is connected to on that interface, so that's our pseudo internet, I guess you could say, the outside side where these can talk. Then they have the LAN side, which has a Debian box here, 40.50 is the IP address, and 20.50 is the IP address, same octets, for this one over here. So currently these can't see each other, and the goal when we're done is that they can not just see each other, but they can communicate back and forth fully across the network.

Some of the other VPN configurations, for example the road warrior VPN, which I'm going to do a separate video for with pfSense, where you're going to connect your laptop while you're out and about and get back into your network: those networks can be done with two pfSense boxes, but they're harder to get the routing to be bi-directional. Routing only works in one direction, which is normally what you want. You don't want everything on the network, when you're connecting your laptop coming into yours, going back across bidirectionally; you just want to be able to get into your own network. So that'll be a separate video. This one is specifically for peer-to-peer server and client, and how to set two pfSense routers at, for example, a company that has a branch office. You want all the computers across both the networks to be able to touch each other, and that's what we're going to be able to do here in this video.

Let me close this and kind of get you started on this. So here's our client side Debian, and I know it's a little small to read, but this is the one that has the 192.168.20.50. Here's the other one, 192.168.40.50. So if I go ping 20.50, we have nothing, 100 percent packet loss, and we do the same here, 100% packet loss. So neither one of these can see each other. These are the virtual machines that they're connected to; I've done another video on networking with XenCenter and how you can create private LANs. Essentially there's just a private network connecting those two together but bridging it off, so we can't see the other machines until we do the VPN. So all the traffic, once we're done, will be routed across here.

And here's the box that's going to be our server, and, you know, I have it in the top here, it's kind of small to read, but it says the VPN server version right here, VPN client. Just names I gave them, not real relevant; you just have to pick one to be the server and one to be the client. So the server we'll set up first, which is actually really easy to do, it's only a few steps. Go here, OpenVPN, Server, Add, and choose peer-to-peer shared key. There's other options where you can add SSL/TLS and create more certificates; that's more advanced. We're just going to get the basic setup here. If you have something that advanced, maybe you're more advanced in IT, you probably also know how to create the other certificates; you have to share certificates between them. Doing it this way we just have to create a shared key between them, and it makes it a lot simpler. So this can all stay default. Description is what are you going to call it, and I'm going to call it "our test VPN"; this is just the name of the VPN. You can specify the port; leave it at default unless you have a custom use case, but this is also how you add multiple VPN servers to one pfSense box with only one WAN address. Now when you're choosing the interface, you can choose WAN or LAN or wherever you want, or if you have multiple WAN addresses you can choose which one to bind it to, or ports, so you can set up different VPNs on different ports pretty easily. You can have many machines connecting to this one when you specify the remote networks; we'll get down to the network settings. So plenty of different options here to go on, and if you need multiple VPN servers for multiple purposes: by default OpenVPN runs on 1194; you can change that to whichever port you want to.

So here's the next part, the encryption algorithm. AES-128-CBC is the default. If you say, well, I need something a little more secure, bump it up to AES-256-CBC. The important thing to remember when you change the encryption algorithm here: the clients have to be using the same encryption algorithm or it won't work. If your machine supports hardware crypto, you can enable it here. IPv4 tunnel network: you do have to have, with OpenVPN, a tunnel network. What a tunnel network is, is a network the two VPN servers have to agree on, that tunnels the traffic. It's not the same as the actual network; tunnel networks are a little bit different. So you can pick something, and as long as it's not in one of the routable ranges you can use this tunnel network. I'm going to choose 192.168... it has to be a non-routable IP as well or you'll run into other issues... 70.0/24. Essentially it's kind of like a DHCP server in OpenVPN for assigning IPs to each client that's connecting. So you have their public IP coming in, it's assigned a tunnel network address, and all the traffic routes through the tunnel network and back to your standard remote network. Now here is the remote network. We'll skip IPv6 and jump right to this. This is where we're going to put 192.168.1.0/24. This is the remote network on the other side that's connecting; this is what we need to get the routes back and forth so it's a bi-directional connection. Now, as the server, you need to know the remote network of each peer that's connecting. Simple enough, I mean, if you're setting this up you're generally going to know. Where this gets problematic, just so you know: we have a client where we had to redo their network, and we put the VPNs in, and they have one server of course with five different networks. Well, they were not connected previously; they all had the same IP ranges. That just won't work; it won't know which way to route. So we had to go to each site and redo the IP ranges. And when you have more than one, you can just specify the next one, so whatever the next network is, and you just space them all out here with a comma, a space, the other network /24. So if there's two networks it would be this, you know, that will change the range again. Let's say you have a 25 network; you just put a comma, a space, the other network, and you list all the remote networks that will be connecting to this VPN. For demonstration purposes we only have one network.

I think we're going to leave this at one concurrent connection. Maximum number of clients allowed to concurrently connect to this server: you may have a limitation on this that you only want so many people at a time. There's no licensing with pfSense in terms of this, so you can specify this if you want a maximum in there. You can say I only need the maximum of clients concurrently connected to be, you know, 10, 15, whatever; doesn't really matter, this is just preference and understanding if you need to limit this. Compression, leave it default. Leave the rest of this at default unless you have some special use case. This is all you need to do to get the server side set up as far as the OpenVPN part, so we're going to click Save.

Firewall rules: I already threw this rule in here, but yes, you have to open up the 1194 port. Sometimes I forgot to mention that in previous times, and it's something that should be obvious, but this is definitely important. If you don't open it up... it does not open it up by default, just FYI on there. Also, once you create this, you're going to end up with an OpenVPN tab in your firewall. For now we're just going to add another rule here to pass traffic, and then we're just going to throw this to the word "any", save. And this is where you could apply more rules. What I did here: OpenVPN also gets its own tab under the firewall rules. Maybe you have restrictions, maybe you just want the VPN to flow freely to all the other nets, but if you put nothing in here for the rules, well, you've got a problem; you won't route any traffic over to here. So it's important you put just an "all" rule in here, basically a wide-open rule like you have here, to just allow everything over, but filter rules as you feel or see fit. So by default we can leave it all open for demonstration purposes; our goal is really to get these talking to each other.

So now we can go back over to the OpenVPN, and the reason we're going back to it is we had checked a box that said generate the key. There's our shared key, so we're going to need that, and we're just going to do a Ctrl+A and a copy. This is where we copy the shared key; we're going to paste it into the client side. So we're logged in, we're going to go ahead and set up a VPN client now. Go to the OpenVPN, but Client. This is our client side, and for here we need the IP address of the server, so I'm going to get that real quick: that's 192.168.3.98. We need to change the type to peer-to-peer shared key. Local port, all that, leave that all the same unless you've done something custom. Then we put in this, whoops, 3.98. All this can be blank. No, do not automatically generate the shared key, and we just paste this in. So peer to peer, default, default, default, the IP address kind of goes somewhere, and now the IP address can be a fully qualified domain name or IP address; in this case it's just an IP address. Proxy port, proxy authentication, description: this is "our test VPN", just so it has a name. Now the encryption algorithm: because we changed it on this side to AES-256-CBC, we just have to match it. I mean, you could have just left it at default 128, but like I said, the client and server have to match or you'll have problems. IPv4 tunnel network: we have to know the tunnel network of the server that was set up here, so we set this to match, to be this 192.168.70.0/24. There's our... uh, no, no, we also need a remote network, and the remote network on the other side was 40.0/24, and this is the remote network from this one. So we're going from this side here, this is 20.0/24, and because everyone from this way here needs to get a gateway back, of course they've got to criss-cross each other. This is how you get back over there. So everything else here can stay the same. Save, and away we go.

Let's go here to the home screen of this, and there we go, we've got the VPN working. But this will not allow it to ping back and forth, because there's a couple more steps, and some people, this is often where they feel as though they had success, where you get stuck with this, because there's one more step you need to do. And what you need to do, because now you don't have a gateway yet from this side of the network, the client side of the network, back over, so the devices... and maybe you can log into pfSense, and I think the pfSense is able to ping over there because of the way the network is. Yeah, this is showing up with the VPN; we've got a tunnel network assigned to us, but we don't have a gateway, and it's real easy to do this. This is a real easy step. You go here, Interface Assignments, right here, available network ports, and it adds it as another network port. Save, now it's added. Then we're going to go over here to Interfaces; it called it OPT1, we're going to call it OpenVPN, and we're going to enable the interface, hit Save, Apply. Now what this does, this adds a gateway so devices on this side, the clients on the network, have a gateway to get out. So now when we go over here to Routing, it's in here as a gateway interface, but it still isn't working, and one minor detail once you've done this: you know, it's right here, we've got no IP address assigned to this. We restart the OpenVPN service here; you could also reboot the whole router, but you know that sometimes is disruptive to people, so we restart the service. All right, now it has a gateway. Now that it has a gateway attached to it, the two devices should ping to each other as soon as we also add a firewall rule.

So now we've got to go over here to our rules, OpenVPN. Now there's two of them here, and one was the OPT1 that we renamed OpenVPN, and then this is the OpenVPN... I probably shouldn't call them the same thing, but I'll tell them apart, it's all caps with the other one right here. This is the one we have to actually add the rule to, and once again we have to add a rule to get traffic to pass, so I'm just going to say "any" for now. So we have a wide-open rule here; this means all the data can go back and forth through the VPN. Like I said, this is where you can create all kinds of fun firewall rules if you had a lot of details, but a lot of times the goal, for example with the client we just did, there's not any rules needed; we need the networks to completely talk to each other because they have a bunch of services that are moving back and forth. So now let's go over to our Debian boxes, and if I did this right, they should work, and we're pinging on this side, it's responding, and pinging on this side. And that's really it for the VPN setup. It's really not that hard to do; it's pretty straightforward. You just have to remember those couple steps, and adding the gateway one is kind of weird, you know, it's not as automated.

And let's do something real quick here, let's take and rename it just to show you, whoops, call it back to OPT1, Apply. So here's where the rules are, and you can see that there's some packets going back and forth because I have them pinging, but we have no rules here. I do find it a little bit odd, at least conceptually, that you'd think you'd want to put rules against this gateway, but you actually put them on the OpenVPN that's auto-created once you created the client side. Now one other thing on the client side: let's say you have a more in-depth network, and for example we do at our office, and we've got multiple LANs. Same thing that you do on the server side you do on this, so if we're connecting to a server that has a whole bunch of remote networks, we just put in CIDR notation, a comma, a space, each of the networks on there, and that's how we get a gateway to that network. So if you have a really complicated network with just many LANs, and you need a VPN on this site to connect to all the different LANs on that side, you just put a comma, space, you know, all of these, because this is what's putting the routing information in there. Now another side note too: you can also add static routing if you have some need for that as well. You can push static routes across the OpenVPN ports as well if that's something needed. So you can say, take this, this is a destination gateway, so if this rule pushes over here and that works. That's also the other reason you added the OpenVPN interface as an interface gateway: so you can add static routes later, so if you have some real custom routing, that's where that's going to go.

So hopefully this guide was helpful. It's pretty straightforward for setting up the VPN. If you're wondering what I did here, if you add this, this is just editing the OpenVPN option out of here so you can view that the VPN's up or down. Pretty straightforward, that's all that was as far as customization. But that's it, that's VPN done, pretty straightforward, not too difficult once you have those couple little steps in there and make sure you add those couple firewall rules. All right, hopefully this was helpful. I'll do a separate video on how to do the road warrior VPN on these, where you're going to take your Windows box and do that; that'll be a separate video. So all right, if you like the content here, like, subscribe, and if you have questions about this or if I wasn't clear on something and I need to redo this video, let me know. Thanks.
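The consistency rules the video spells out (client and server cipher must match, the tunnel network must be a private range agreed by both ends and distinct from every LAN, the two sites must not reuse the same IP ranges, and each side's remote-network list is what creates the routes to the other side) can be checked before touching either firewall. The script below is an added example, not code from the video or from pfSense; the server and client dictionaries are constructed sample values chosen to mirror the lab shown in the video.

```python
# Added example (not from the video): sanity-check an OpenVPN peer-to-peer
# shared-key pair for the pitfalls the video describes before deploying it.
import ipaddress

# Constructed sample: values chosen to mirror the video's lab (assumed, not captured).
SERVER = {"cipher": "AES-256-CBC", "tunnel": "192.168.70.0/24",
          "local_lans": ["192.168.40.0/24"], "remote_networks": ["192.168.20.0/24"]}
CLIENT = {"cipher": "AES-256-CBC", "tunnel": "192.168.70.0/24",
          "local_lans": ["192.168.20.0/24"], "remote_networks": ["192.168.40.0/24"]}


def check_pair(server, client):
    """Return the list of problems found; an empty list means the pair is consistent."""
    problems = []
    # Cipher and tunnel network are not negotiated in shared-key mode: set both ends identically.
    if server["cipher"] != client["cipher"]:
        problems.append("cipher mismatch: %s vs %s" % (server["cipher"], client["cipher"]))
    s_tun = ipaddress.ip_network(server["tunnel"])
    if s_tun != ipaddress.ip_network(client["tunnel"]):
        problems.append("tunnel network mismatch")
    if not s_tun.is_private:
        problems.append("tunnel network %s is not a private (RFC 1918) range" % s_tun)
    lans = [ipaddress.ip_network(n) for n in server["local_lans"] + client["local_lans"]]
    # The tunnel network must not collide with any LAN on either side.
    for lan in lans:
        if lan.overlaps(s_tun):
            problems.append("tunnel %s overlaps LAN %s" % (s_tun, lan))
    # Sites that reuse the same range cannot be routed to each other.
    for i, a in enumerate(lans):
        for b in lans[i + 1:]:
            if a.overlaps(b):
                problems.append("LAN %s overlaps LAN %s" % (a, b))
    # Each side's remote-network list is what installs the routes to the other side's LANs.
    for side, other, label in ((server, client, "server"), (client, server, "client")):
        remotes = [ipaddress.ip_network(n) for n in side["remote_networks"]]
        for lan in other["local_lans"]:
            if not any(ipaddress.ip_network(lan).subnet_of(r) for r in remotes):
                problems.append("%s remote networks do not include %s" % (label, lan))
    return problems
```

Feed it the values from both pfSense boxes before saving; every reported problem corresponds to one of the "it connects but nothing pings" situations the video walks through.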
Info
Channel: Lawrence Systems
Views: 76,371
Keywords: pfsense, openvpn, peer to peer, vpn, tutorial, server, how to, router, firewall, guide, pfsense (software), network, pfsense setup, networking, pfsense firewall, pfsense tutorial, pfsense router
Id: -8xt7LUtYH4
Length: 17min 40sec (1060 seconds)
Published: Sun Nov 05 2017