[How-to] PFSense OpenVPN Site-to-Site with (DHCP) Dynamic Internet Address

On January 7, 2014, in How-to, by Cubert aka (Cube Dweller)

Setting up an OpenVPN site-to-site connection, in 5 minutes or less, when one side uses DHCP to obtain its Internet IP address.


Here is the 5-minute how-to on setting up two PFSense devices with a site-to-site VPN. For this example I will be using two Netgate m1n1wall systems built on PC Engines ALIX 2D13 network boards with 3 LAN ports. Both are connected directly to the Internet via the WAN port and hold public Internet addresses (one static, one assigned by DHCP); each also has a private LAN segment that will be routed over the VPN so that site A and site B can reach each other.


OpenVPN is a client/server type of process: one device acts as the server and the other as the client. The server listens for the connection and the client initiates it. If the server is using DHCP to get an Internet IP address, it must have a host name that is always resolvable (for example a Dynamic DNS name, which PFSense can keep updated under Services > Dynamic DNS, used as the client's "Server Host"), or you risk dropping the tunnel every time the server's address changes. The client side can change addresses freely, since it is the side that reconnects. For this example we assume the server device has a static IP address and the client is using DHCP to obtain its Internet address.

First we build the server (Device A)

1. Go to the VPN menu and select OpenVPN, select the Server tab and then click the [+] symbol to create a new server instance.

server-start

2. Next we will fill in the information as it fits our network. The highlighted areas are required to create a working VPN server.

server-first-save

  • Server Mode = Peer to Peer(Shared Key)
  • Protocol = UDP
  • Interface = WAN
  • Local Port = 1194
  • Description = Friendly Name (Anything)
  • Tunnel Network = 10.10.0.0/24 (Must be a new private network not currently in use at either site)
  • Local Network = Server's LAN subnet (You may have multiple LAN networks, so select the network this VPN applies to)
  • Remote Network = Client's LAN subnet

3. Once saved you should have a new server listed under your OpenVPN Server tab.

server-after-first-save

4. Select the [e] to edit this VPN; we will be copying the newly generated "Shared Key" from the configuration to use when we create the client. In the middle of the configuration will be the shared key. Copy this key. Treat it like a password: anyone who holds it can bring up a tunnel to this server, so move it to the client over a trusted channel (not plain e-mail) and never reuse it for another site.

server-GetSharedKey

5. Next we need to create a WAN firewall rule on the server to allow UDP port 1194 in. Because the client's address changes with DHCP, the source has to be "any" here; if the client ever gets a static address, narrow the rule's source to that address.

openvpn-firewall-rule

6. We will now have a new firewall rules tab called [OpenVPN]; we need to add an allow rule there to pass traffic across the VPN tunnel. For the purpose of this how-to we will use a full allow (any to any) rule so that all traffic passes. Once you have verified traffic flows, tighten the rules on this tab to only the hosts and ports the remote site actually needs.

allow-tunnel-firewall-rule



Now let’s build the client (Device B)

1. On the client device (the DHCP-enabled one), from the VPN menu select OpenVPN, find the Client tab and click the [+] to create a new client configuration.

client-start

2. Next we will fill in the information as it fits our network. The highlighted areas are required to create a working VPN client.

client-first-save

  • Server Mode = Peer to Peer (Shared Key)
  • Protocol = UDP
  • Device Mode = tun
  • Interface = WAN
  • Server Host = Internet IP of the OpenVPN server (or its DNS name, if the server side is on DHCP with Dynamic DNS)
  • Server Port = 1194
  • Description = Friendly Name (Anything)
  • Tunnel Network = 10.10.0.0/24 (Same as the server side)
    Note: both sides should be given the same network with no host
    IP specified. The server and client will negotiate the actual
    endpoint addresses themselves (example: 10.10.0.1 and 10.10.0.2).
  • Remote Network = Server's LAN subnet


3. Save the configuration, return to the Client tab under OpenVPN and select the [e] next to the new client VPN configuration.

client-edit

4. Paste the shared key copied from the server into this box, overwriting any key that is already there. Both ends must hold the identical key or the tunnel will not come up.

client-edit-share-key

5. Add a firewall rule under WAN on the client to allow UDP port 1194. (Not really required: the client initiates the UDP session outbound to the server, so no inbound WAN rule is needed on the client side.)

openvpn-firewall-rule

6. The client will now also have the [OpenVPN] firewall rules tab, and it needs an allow rule to pass traffic across the VPN tunnel. As on the server, use a full allow rule to get all traffic passing, then tighten it on this tab once you have verified traffic flows.

allow-tunnel-firewall-rule
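For readers who want to see what the GUI settings above amount to, here is a plain OpenVPN equivalent of the two configurations, one per device. This is an added example, not the file PFSense writes (its generated file carries extra PFSense-specific directives); the addresses 203.0.113.10, 192.168.1.0/24 (site A LAN), 192.168.2.0/24 (site B LAN), the DNS name vpn-a.example.net and the key path are assumptions for illustration only, and the shared key itself is the one copied in step 4.

```conf
##### Device A (server, static WAN 203.0.113.10 assumed) #####
dev tun                       # Device Mode = tun
proto udp                     # Protocol = UDP
local 203.0.113.10            # Interface = WAN (assumed static address)
lport 1194                    # Local Port = 1194
ifconfig 10.10.0.1 10.10.0.2  # Tunnel Network 10.10.0.0/24: server takes .1, client .2
secret /var/etc/openvpn/site-to-site.key   # the Shared Key from step 4 (assumed path)
route 192.168.2.0 255.255.255.0            # Remote Network = client's LAN (assumed)
float                         # accept the peer even after its DHCP address/port changes
keepalive 10 60               # ping every 10 s, declare the peer dead after 60 s and reconnect
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256

##### Device B (client, DHCP WAN) #####
dev tun
proto udp
remote vpn-a.example.net 1194 # Server Host / Server Port: static IP, or a DNS name (assumed)
nobind                        # no fixed local port: the client only initiates, so no WAN rule needed
resolv-retry infinite         # keep retrying the name lookup if DNS is not ready after a WAN renew
ifconfig 10.10.0.2 10.10.0.1  # mirror of the server's ifconfig line
secret /var/etc/openvpn/site-to-site.key   # identical key to the server's
route 192.168.1.0 255.255.255.0            # Remote Network = server's LAN (assumed)
keepalive 10 60
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
```

The two lines that matter for the DHCP side are `float` on the server (otherwise OpenVPN drops packets from a peer whose source address has changed) and `nobind` plus `resolv-retry infinite` on the client (so a WAN lease renewal with a brief DNS outage does not leave the tunnel permanently down). Once either PFSense box is up, Diagnostics > Command Prompt and `netstat -rn` should show the remote LAN routed via the tunnel interface.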

VPN is now ready to use

Once both configurations are complete the tunnel should start automatically and you should now be able to see its status. Under the [Status] main menu select OpenVPN to see all active VPNs.

Tunnel-is-up

As you can see from the image the tunnel is up, the Virtual Addr was negotiated as 10.10.0.1, and bytes are being sent across the tunnel. If you have issues passing traffic (ping) from one network to the other while the VPN shows as active under Status, check that both firewalls have the remote subnet routed via the tunnel interface and that the [OpenVPN] tab allow rule exists on both ends; if everything looks right, a simple reboot of each firewall usually clears any stale routing and the tunnel works fine afterwards.

Good luck and Happy VPNing!!

Cubert 😎
