[SOLVED] Site-to-site OpenVPN between pfSense and MikroTik
-
I need some help with site-to-site OpenVPN configuration.
I use only pfSense for my site-to-site connections, but now I want to use MikroTik on some remote sites. I need to run OpenVPN (IPsec will be too hard to manage with different NAT issues on remote locations).
My network diagram:
192.168.151.0/24 -> 192.168.14.254 (pfSense 1.1.1.1) -> Internet <- (2.2.2.2 MikroTik) 192.168.14.254 <- 192.168.14.0/24
pfSense is OpenVPN server, Peer to Peer - (SSL/TLS), IPv4 Tunnel Network 10.30.30.0/29, IPv4 Local Network: 192.168.151.0/24, IPv4 Remote Network: 192.168.14.0/24.
From MikroTik side: PPP - OVPN Client, Mode: ip.
The tunnel is up, MikroTik is connected and from the terminal ping to 192.168.151.7 works. But ping from workstations behind the MikroTik does not work at all.
If I add a NAT rule to MikroTik (srcnat, vpn-tunnel, masquerade) it works, but I want to use a site-to-site connection.
I know that I'm missing something big, but I'm new to MikroTik and can't find any useful information about this.
-
It works now, here is my mini howto:
My task: site-to-site between pfSense and MikroTik:
192.168.151.0/24 -> (pfSense 1.1.1.1) -> Internet <- (2.2.2.2 MikroTik) <- 192.168.14.0/24
pfSense:
1. System -> Cert Manager -> CAs
Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).
2. System -> Cert Manager -> Certificates
Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).
3. VPN -> OpenVPN -> Server
Create new VPN server:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: ITD
Local port: 24100
TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
Peer Certificate Authority: vpn-tunnel-ca
Server Certificate: vpn-tunnel
Encryption algorithm: BF-CBC (128-bit)
Auth Digest Algorithm: SHA1 (160-bit)
IPv4 Tunnel Network: 10.30.30.0/29
IPv4 Local Network/s: 192.168.151.0/24
IPv4 Remote Network/s: 192.168.14.0/24
Compression: No Preference
Advanced: client-to-client
4. VPN -> OpenVPN -> Client Specific Overrides
Create new override:
Common name: mik-vpn
Advanced: iroute 192.168.14.0 255.255.255.0
MikroTik:
1. Copy two certificate files and the key file to Files. Import all of them from System/Certificates.
2. PPP -> Interface - create new OVPN Client:
Name: ovpn-office
Connect To: 1.1.1.1
Port: 24100
Mode: ip
User: any
Certificate: mik-vpn.crt_0
Auth: sha 1
Cipher: blowfish 128
Add Default Route: (do not check this)
It works as expected - I can ping workstations from both sides of the tunnel.
-
great mini how-to… thanks...
do you know how to make this work for mikrotik with dial-out network?
UPDATE:
my ovpn setting is working fine.
-
It works just fine with PPPoE for example: after the PPPoE connection is up, the OVPN Client connects as usual. What problem do you have and what dial-out protocol are you using in MikroTik?
-
Same setup, server and client are connected, but:
mikrotik clients can reach pfsense LAN clients only if I enable NAT on the Ovpn interface on mikrotik,
but with this the Pfsense LAN clients get traffic from tunnel IP 10.30.30.2, not from the Remote LAN.
Please explain what you mean with the advanced client-to-client, I can't see any option; also in the specific override I've added "push route 192.168.14.0 255.255.255.0".
Please help. Thanks, BR
-
hi.. i have this error..
the PFsense site cannot connect to mikrotik site. but from mikrotik site can connect..
sorry for the images…
just want to make all things clear..
need your help..
thank you very much sir.. -
hi all..
excuse me… it's been solved..
the OpenVPN service has to be restarted..
then the flow goes well..
thank you very much anyway sir...
*Salute -
Hi guys
I have read your post and followed the instructions, but I still have trouble setting up openvpn in this configuration, like 'kahardreams' described.
LAN computers behind the openvpn server on pfsense can't ping mikrotik LAN computers (or the mikrotik LAN interface address), but the other way it's working great (mikrotik LAN computers have access to the LAN behind pfsense).
The situation is the same as on the diagram provided by 'kahardreams'.
Maybe I forgot something on firewall/nat on mikrotik?
When pinging from pfsense to the mikrotik lan ip, tcpdump on pfsense on the ovpns1 interface shows echo request packets,
but nothing shows on the mikrotik ovpn-out1 interface.
Could you help me?
Regards
-
I had the same problem @kahardreams, the LAN behind pfsense could not communicate with the LAN behind the Mikrotik.
After some modifications, I was successful and it worked perfectly.
I based this on the howto from @unguzov.
Follow the modifications:
PFSENSE:
1. System -> Cert Manager -> CAs
Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).
2. System -> Cert Manager -> Certificates
Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).
3. VPN -> OpenVPN -> Server
Create new VPN server:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN
Local port: 24100
TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
Peer Certificate Authority: vpn-tunnel-ca
Server Certificate: vpn-tunnel
Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Acceleration
Certificate Depth: One (Client + Server)
IPv4 Tunnel Network: 10.0.9.0/30
IPv4 Local Network/s: 192.168.1.0/24
IPv4 Remote Network/s: 192.168.2.0/24
Compression: No Preference
Topology: Subnet -- One IP address per client
MikroTik:
1. Copy two certificate files and the key file to Files. Import all of them from System/Certificates.
2. PPP -> Profiles - create new:
Name: ovpn-profile
Local address: 10.0.9.2
Remote address: 10.0.9.1
3. PPP -> Interface - create new OVPN Client:
Name: ovpn-office
Connect To: 1.1.1.1 (Your IP PFSense VPN Server)
Port: 24100
Mode: ip
User: any
Profile: ovpn-profile
Certificate: mik-vpn.crt_0
Auth: sha 1
Cipher: aes 256
Add Default Route: (do not check this)
This way it worked perfectly; the two sites are communicating.
Thanks to @unguzov.
Hope this helps.
-
I can connect by VPN on both sides, but I do not have traffic between MT and pfSense; the tunnel is UP, but pfSense can't ping the MTK IP and vice versa.
-
Same problem, I can ping from mikrotik to the lan behind pfsense, but from the lan behind pfsense I can't ping the lan in mikrotik (I can ping both tunnel ends, but not the LAN in mikrotik). Tried the marcelo.comtix suggestion, but it didn't work.
-
Same problem.
Main router is PFSense based.
I have 4 PFSense To PFSense Site 2 Site tunnels running fine (shared key based).
Then I needed to add the next one, but this one has to be mikrotik based and it cannot be shared key based, as I realized.
And when I added the Mikrotik tunnel following this tutorial I can only randomly ping the network on the mikrotik lan side.
When I look into mikrotik torch I can see that the source address is random and changes between reconnects.
I can ping the network on the PFSense side, though.
Also tried the marcelo.comtix suggestion, but it didn't work.
I have no idea how to fix that. -
After several tests, I was able to tweak the SITE-TO-SITE VPN again. It had stopped working after updating mikrotik.
I will post here the settings that worked again. -
Here are my settings that worked:
PFSense 2.4.4-RELEASE-p3
Mikrotik 6.45.3
Follow the modifications:
PFSENSE:
System -> Cert Manager -> CAs
Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).
System -> Cert Manager -> Certificates
Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).
VPN -> OpenVPN -> Server
Create new VPN server:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN
Local port: 24100
TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
Peer Certificate Authority: vpn-tunnel-ca
Server Certificate: vpn-tunnel
Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Acceleration
Certificate Depth: One (Client + Server)
IPv4 Tunnel Network: 10.200.0.0/29
IPv4 Local Network/s: 192.168.1.0/24
IPv4 Remote Network/s: 192.168.2.0/24
Compression: Omit Preference (Use OpenVPN Default)
Topology: net30 - Isolated /30 network per client
*Very important, fix the route of the remote network in PFSense:
Client Specific Overrides:
+Add
Server List: *select your server
Common Name: "common name of certificate client"
Advanced: iroute 192.168.2.0 255.255.255.0;
MikroTik:
Copy two certificate files and the key file to Files. Import all of them from System/Certificates.
PPP -> Profiles - create new:
Name: ovpn-profile
Local address: 10.200.0.6
Remote address: 10.200.0.5
Change TCP MSS: yes
*Protocols:
Use Compression: no
Use Encryption: yes
PPP -> Interface - create new OVPN Client:
Name: ovpn-office
Connect To: 1.1.1.1 (Your IP PFSense VPN Server)
Port: 24100
Mode: ip
User: any
Profile: ovpn-profile
Certificate: mik-vpn.crt_0
Auth: sha 1
Cipher: aes 256
Add Default Route: (do not check this)
It is working perfectly with these settings.
Remember that in PFSense the rules for the OpenVPN interface must be created.
In Mikrotik, in firewall, check the lists of interface "LAN".
-
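As an added consistency check (not code from this thread or from pfSense/MikroTik), the Python below derives the tunnel address pair OpenVPN assigns to the client under the Subnet and net30 topologies used in the two howtos above, and cross-checks it against the MikroTik PPP profile, the iroute override and the two LAN networks. The allocation rules are assumed from OpenVPN's standard behaviour, and the sample dictionaries are constructed from the posted net30 settings.

```python
from ipaddress import ip_address, ip_network

def expected_client_pair(tunnel_net, topology, client_index=0):
    """(client_addr, server_peer_addr) OpenVPN hands to the Nth client.
    subnet: server is .1, clients take .2, .3, ... of the tunnel network.
    net30:  server keeps the first /30; each client gets the next /30 and
            uses its 2nd host as endpoint, 1st as peer (10.200.0.6 <-> .5)."""
    net = ip_network(tunnel_net)
    base = int(net.network_address)
    if topology == "subnet":
        client, peer = base + 2 + client_index, base + 1
    elif topology == "net30":
        block = base + 4 * (client_index + 1)
        client, peer = block + 2, block + 1
    else:
        raise ValueError(f"unknown topology {topology!r}")
    if ip_address(client) not in net:
        raise ValueError(f"{tunnel_net} has no room for client {client_index}")
    return str(ip_address(client)), str(ip_address(peer))

def check_site_to_site(pf, mt):
    """Cross-check pfSense server settings (pf) against the MikroTik OVPN
    client and its PPP profile (mt). Returns a list of problems; [] is OK."""
    problems = []
    tunnel = ip_network(pf["tunnel_network"])
    lans = {"local": ip_network(pf["local_network"]),
            "remote": ip_network(pf["remote_network"])}
    for name, lan in lans.items():
        if lan.overlaps(tunnel):
            problems.append(f"{name} network {lan} overlaps tunnel {tunnel}")
    # The override's iroute tells the server which client owns the remote LAN.
    iroute = ip_network(pf["iroute"].replace(" ", "/"))
    if iroute != lans["remote"]:
        problems.append(f"iroute {iroute} != remote network {lans['remote']}")
    # The PPP profile pair must be what OpenVPN assigns for this topology;
    # otherwise the server drops the client's packets as a bad source address.
    want = expected_client_pair(pf["tunnel_network"], pf["topology"])
    got = (mt["local_address"], mt["remote_address"])
    if got != want:
        problems.append(f"ppp profile has {got}, server will assign {want}")
    if mt["add_default_route"]:
        problems.append("add-default-route would push all traffic into tunnel")
    return problems

# Constructed from the net30 settings posted above (pfSense 2.4.4, RouterOS 6.45.3).
PF_NET30 = {"tunnel_network": "10.200.0.0/29", "topology": "net30",
            "local_network": "192.168.1.0/24", "remote_network": "192.168.2.0/24",
            "iroute": "192.168.2.0 255.255.255.0"}
MT_NET30 = {"local_address": "10.200.0.6", "remote_address": "10.200.0.5",
            "add_default_route": False}
```

Running `check_site_to_site(PF_NET30, MT_NET30)` returns an empty list for the posted settings; swapping in the Subnet-topology pair (10.0.9.2/10.0.9.1) against the net30 server reports the profile mismatch.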
@fabianoheringer, I posted the updated instructions.
The version of mikrotik firmware is the problem. For the newest version, the update instructions worked fine. -
@marcelo-comtix
Good evening Marcelo!
I am using two PfSense boxes, both on version 2.4.4-RELEASE-p3, configured exactly the same (192.168.1.0/24 and 192.168.2.0/24) as OVPN servers for one Mikrotik that is a client of both (192.168.0.0/24). The connection between the PfSense server (192.168.1.0/24) and the MK is perfect; I did it following the process mentioned above. But on the other connection I can "ping" the tunnel at both ends (10.10.10.6 and 10.10.10.5), and from the Mikrotik I can "ping" the PfSense and the machines on its network (192.168.2.0/24), but the reverse does not work, and I cannot "ping" from any machine on either side.
Can you help me?
Thank you!
Mod Edit: If you're going to post in an english section, you need to post in english.. I have done a google translate for you - I have no idea if correct... But please refrain from posting non english in the english boards. Thank you.
translated:
Good night Marcelo!
I am using two PfSense both with version 2.4.4-RELEASE-p3, configured exactly the same (192.168.1.0/24 and 192.168.2.0/24) as OVPN server for a Mikrotik as client of both (192.168.0.0/24). The connection between PfSense server (192.168.1.0/24) is perfect with MK, I made according to the process mentioned above. But the other connection I can "ping" the tunnel at both ends (10.10.10.6 and 10.10.10.5), and from Mikrotik I can "ping" PfSense and network machines (192.168.2.0/24), but on the contrary not works and no machine can "drip" on both sides.
Can you help me?
Thank you!
-
Thanks for the tutorial
I followed this and the VPN works. On the other hand, the tunnel does not route any traffic between the equipment. If I force a srcnat on an ip it works, but temporarily and not stable. Does anyone have a firewall rule to add?
PFSense 2.4.4-RELEASE-p3
Mikrotik 6.45.6
Can you help me?
Thank you!
-
@DavidBell, I have 2 mikrotik routers working with the mentioned setup. It may be that in your case there is some other configuration in pfsense or mikrotik. It would be interesting to better understand your structure.
On the Mikrotik side it worked even without specifying the IPs in the openvpn profile.
I will post again with this setting.
If you can post your configuration, I'll help you.
Tks
-
Let me get this straight.
You have 2 PFSense - OVPN Server.
PFSense1 - 192.168.1.0/24
PFSense2 - 192.168.2.0/24
Mikrotik is a client of PFSense1 and PFSense2.
That is:
PFSense1 - 192.168.1.0/24 - OVPN Server
PFSense2 - 192.168.2.0/24 - OVPN Server
Mikrotik - 192.168.0.0/24
OVPN Client1 -> PFSense1
OVPN Client2 -> PFSense2
Is that right?
If so, are you using different networks for your Tunnel Network?
Example:
PFSense1 - 10.10.10.0/24
PFSense2 - 10.20.20.0/24
In this case, the tunnel networks must be different. Understanding is easier.
tks.
-
Hi guys...
I have the same problem as @marcelo.comtix
Did you resolve this?
Att;
Rafael Mendes
rafael@rmitsolucoes.com.br