7/31/2019 Pki Pf Openvpn
1/24
Building Site to Site Connection with OpenVPN on pfSense 2.0 RC1 with PKI

May 11, 2011 / Stefan / posted in Technical / No Comments

In the last post we've set up a Site To Site with Shared Key; now instead we will use an internal Certificate Authority. Honestly speaking, if I did not follow this guide, there was no routing between the two sites: OpenVPN Site-to-Site PKI (SSL) (http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29).

For reference, here is the network diagram:
pfsense01 will be our OpenVPN server, and pfsense02 will be our OpenVPN client. Client and Server are just hosts on the two LANs behind the routers.

On pfsense01 go to System > Cert Manager and on the CAs tab create a new Certificate Authority. Enter a Descriptive Name, choose Create an internal Certificate Authority as the Method, and leave Key length and Lifetime at their defaults.
Fill in the rest of the fields.
Then go to the Certificates tab, add new and create the server certificate.
Enter a descriptive name (I've used the router host name) and as Method choose Create an internal Certificate. Verify that the CA we created in the previous step is selected as the Certificate authority. Leave the rest of the fields at their defaults, with the exception of Common Name: here enter the host name of the server, in my case pfsense01.
Now go to System > User Manager and create a new user. For the sake of simplicity, for the username I've used the host name of the second router, pfsense02. Enter a Password; for Full name I've again used the router name. Then tick Click to create a user certificate.
For the descriptive name use the host name of the router; this is the Common Name of the certificate and it is important that it matches.
Instead of creating a new user, you can create the certificate directly. Go to Cert Manager and on the Certificates tab add new. Again, as Descriptive name and Common Name use the host name of the second router, in my case pfsense02.
Go to VPN > OpenVPN, on the Server tab, and add new.
As Server Mode select Peer to Peer (SSL/TLS). As Protocol select UDP, Device Mode is TUN, Interface is WAN, and leave the port at the default 1194. Enter a Description, then tick Enable authentication of TLS packets and Automatically generate a shared TLS authentication key.

As Peer Certificate Authority select the CA that we created in the beginning. I did not have a Peer Certificate Revocation List, so leave it at None. Select the Server Certificate that we created. For DH Parameters Length you can leave it at the default 1024 bits. Choose the Encryption algorithm, in my case BF-CBC (128-bit); take note of the algorithm, as we have to use the same one on the client too.
As Tunnel Network choose one different from your LANs, in my case the default 10.0.8.0/24. Enter the Local Network, in my case 10.10.9.0/24, and the Remote Network, in my case 10.10.10.0/24. Leave the rest at defaults.
Go to VPN > OpenVPN, on the Client Specific Overrides tab, and add a new entry for the client. For Common name enter the host name of the second router that we used as Common Name in the certificate, in my case pfsense02. Enter some description and the Tunnel Network, in my case 10.0.8.0/24. Leave the rest at default.

In the Advanced field, enter:

iroute 10.10.10.0 255.255.255.0

Without this step there will be no routing between the two LANs.
Go to Firewall > Rules and on the OpenVPN tab add a new rule.
Here for testing purposes I've made an allow-all rule. Select any as Protocol, leave the rest at default and enter a description.

For the client to be able to connect, let's open the OpenVPN Server port.
In Firewall > Rules on the WAN tab add a new rule. Select UDP as Protocol.
As Destination port range select OpenVPN, in our case.

Now it is time to export the certificates for use on the second router.
Go back to System > Cert Manager and export the public and private CA certs: click on the first downward-pointing triangle. As a guide, when you hover over it the text label is Export CA.

Then go to User Manager, open the configuration of our user pfsense02, and in the User Certificates section click on both downward-pointing triangles to download both the cert and the key.
Now on pfsense02, go to System > Cert Manager, on the CAs tab, and add a new one. As Method select Import an existing Certificate Authority. Enter as Descriptive name the name of the certificate from the first server, in my case pfsense01. Open the certificate with Notepad or another text editor, then simply copy and paste the content of the file.
Go to VPN > OpenVPN, on the Client tab, and add new. As Server Mode select Peer to Peer (SSL/TLS), Protocol is UDP, Device mode is TUN, and Interface is WAN. For Server host or address enter the WAN IP of pfsense01, in my case 10.10.2.2, and enter the port. Put in some Description.
Open the Server configuration (VPN > OpenVPN > Server tab) on pfsense01 and copy the TLS Authentication key.
Paste it into the TLS Authentication field of our client configuration on pfsense02. Untick Automatically generate a shared TLS authentication key and leave Enable authentication of TLS packets ticked.