Netgate Discussion Forum
[SOLVED] Site-to-site OpenVPN between pfSense and MikroTik

  • marcelo.comtix
    last edited by Sep 26, 2018, 2:47 AM

    I had the same problem @kahardreams: the LAN behind pfSense could not communicate with the LAN behind the MikroTik.

    After some modifications I was successful and it worked perfectly.
    I based this on the howto from @unguzov.
    Here are the modifications:

    PFSENSE:

    1. System -> Cert Manager -> CAs
      Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).

    2. System -> Cert Manager -> Certificates
      Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

    3. VPN -> OpenVPN -> Server
      Create new VPN server:
      Server Mode: Peer to Peer (SSL/TLS)
      Protocol: TCP
      Device Mode: tun
      Interface: WAN
      Local port: 24100
      TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
      Peer Certificate Authority: vpn-tunnel-ca
      Server Certificate: vpn-tunnel
      Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
      Auth Digest Algorithm: SHA1 (160-bit)
      Hardware Crypto: No Hardware Crypto Acceleration
      Certificate Depth: One (Client + Server)
      IPv4 Tunnel Network: 10.0.9.0/30
      IPv4 Local Network/s: 192.168.1.0/24
      IPv4 Remote Network/s: 192.168.2.0/24
      Compression: No Preference
      Topology: Subnet -- One IP address per client

    MikroTik:
    Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

    1. PPP -> Profiles - create new:
      Name: ovpn-profile
      Local address: 10.0.9.2
      Remote address: 10.0.9.1

    2. PPP -> Interface
      create new OVPN Client:
      Name: ovpn-office
      Connect To: 1.1.1.1 (your pfSense VPN server IP)
      Port: 24100
      Mode: ip
      User: any
      Profile: ovpn-profile
      Certificate: mik-vpn.crt_0
      Auth: sha 1
      Cipher: aes 256
      Add Default Route: (do not check this)

    In this way it worked perfectly; the two sites are communicating perfectly.

    Thanks to @unguzov.

    Hope this helps.

    • bootable
      last edited by Dec 11, 2018, 10:54 PM

      I can connect the VPN on both sides, but I do not have traffic between the MT and pfSense; the tunnel is UP, but pfSense can't ping the MTK IP and vice versa.


      It is me, Ruben
      Bootable Computación - Argentina.
      pfSense/Netgate Certificate Partner
      Pardon for my English - I am not an English speaker.
      Thanks a lot for your invaluable time.

      • fabianoheringer
        last edited by Dec 12, 2018, 11:49 AM

        Same problem: I can ping from the MikroTik to the LAN behind pfSense, but from the LAN behind pfSense I can't ping the LAN behind the MikroTik (I can ping both tunnel ends, but not the LAN behind the MikroTik). I tried the marcelo.comtix suggestion, but it didn't work.

        • norbi771 @fabianoheringer
          last edited by Apr 28, 2019, 4:12 PM

          Same problem.
          The main router is pfSense based.
          I have 4 pfSense-to-pfSense site-to-site tunnels running fine (shared-key based).
          Now I need to add the next one, but this one has to be MikroTik based, and it cannot be shared-key based, as I realized.

          And when I added the MikroTik tunnel following this tutorial I can only randomly ping the network on the MikroTik LAN side.
          When I look into MikroTik Torch I can see that the source address is random and changes between reconnects.
          I can ping the network on the pfSense side, though.

          I also tried the marcelo.comtix suggestion, but it didn't work.
          I have no idea how to fix that.

          • marcelo.comtix
            last edited by Aug 9, 2019, 11:31 PM

            After several tests, I was able to get the SITE-TO-SITE VPN working again. It had stopped working after updating the MikroTik.
            I will post here the settings that worked again.

            • marcelo.comtix
              last edited by Aug 9, 2019, 11:49 PM

              Here are my settings that worked:
              PFSense 2.4.4-RELEASE-p3
              Mikrotik 6.45.3

              Here are the modifications:

              PFSENSE:

              System -> Cert Manager -> CAs
              Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).

              System -> Cert Manager -> Certificates
              Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

              VPN -> OpenVPN -> Server
              Create new VPN server:
              Server Mode: Peer to Peer (SSL/TLS)
              Protocol: TCP
              Device Mode: tun
              Interface: WAN
              Local port: 24100
              TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
              Peer Certificate Authority: vpn-tunnel-ca
              Server Certificate: vpn-tunnel
              Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
              Auth Digest Algorithm: SHA1 (160-bit)
              Hardware Crypto: No Hardware Crypto Acceleration
              Certificate Depth: One (Client + Server)
              IPv4 Tunnel Network: 10.200.0.0/29
              IPv4 Local Network/s: 192.168.1.0/24
              IPv4 Remote Network/s: 192.168.2.0/24
              Compression: Omit Preference (Use OpenVPN Default)
              Topology: net30 - Isolated /30 network per client

              *Very important: fix the route of the remote network in pfSense
              Client Specific Overrides:
              +Add
              Server List: *select your server
              Common Name: "common name of certificate client"
              Advanced: iroute 192.168.2.0 255.255.255.0;

              MikroTik:
              Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

              PPP -> Profiles - create new:
              Name: ovpn-profile
              Local address: 10.200.0.6
              Remote address: 10.200.0.5
              Change TCP MSS: yes
              *Protocols:
              Use Compression: no
              Use Encryption: yes

              PPP -> Interface
              create new OVPN Client:
              Name: ovpn-office
              Connect To: 1.1.1.1 (your pfSense VPN server IP)
              Port: 24100
              Mode: ip
              User: any
              Profile: ovpn-profile
              Certificate: mik-vpn.crt_0
              Auth: sha 1
              Cipher: aes 256
              Add Default Route: (do not check this)

              It is working perfectly with these settings.
              Remember that in pfSense the rules for the OpenVPN interface must be created.
              In the MikroTik firewall, check the interface lists for "LAN".

              • marcelo.comtix @fabianoheringer
                last edited by Aug 9, 2019, 11:51 PM

                @fabianoheringer, I posted the updated instructions.
                The version of the MikroTik firmware is the problem. With the newest version, the updated instructions worked fine.

                • Rodrigo Lucio @marcelo.comtix
                  last edited by johnpoz Aug 22, 2019, 1:10 PM Aug 21, 2019, 11:27 PM

                  @marcelo-comtix
                  Good evening Marcelo!
                  I am using two pfSense boxes, both on version 2.4.4-RELEASE-p3, configured exactly the same (192.168.1.0/24 and 192.168.2.0/24) as OVPN servers for one MikroTik that is a client of both (192.168.0.0/24). The connection between the pfSense server (192.168.1.0/24) and the MK is perfect; I did it following the process mentioned above. But on the other connection I can "ping" the tunnel at both ends (10.10.10.6 and 10.10.10.5), and from the MikroTik I can "ping" the pfSense and the machines on its network (192.168.2.0/24), but in the opposite direction it does not work, and I cannot "ping" from any machine on either side.
                  Can you help me?

                  Thank you!

                  Mod Edit: If you're going to post in an English section, you need to post in English. I have done a Google translate for you - I have no idea if it is correct... But please refrain from posting non-English in the English boards. Thank you.

                  translated:
                  Good night Marcelo!
                  I am using two PfSense both with version 2.4.4-RELEASE-p3, configured exactly the same (192.168.1.0/24 and 192.168.2.0/24) as OVPN server for a Mikrotik as client of both (192.168.0.0/24). The connection between PfSense server (192.168.1.0/24) is perfect with MK, I made according to the process mentioned above. But the other connection I can "ping" the tunnel at both ends (10.10.10.6 and 10.10.10.5), and from Mikrotik I can "ping" PfSense and network machines (192.168.2.0/24), but on the contrary not works and no machine can "drip" on both sides.
                  Can you help me?

                  Thank you!

                  • DavidBell
                    last edited by Sep 20, 2019, 1:47 PM

                    Thanks for the tutorial.
                    I followed this and the VPN works. On the other hand, the tunnel does not route any traffic between the devices. If I force a srcnat on an IP it works, but only temporarily and not stably. Does anyone have a firewall rule to add?
                    PFSense 2.4.4-RELEASE-p3
                    Mikrotik 6.45.6

                    Can you help me?

                    Thank you!

                    • marcelo.comtix @DavidBell
                      last edited by Sep 20, 2019, 6:03 PM

                      @DavidBell, I have 2 MikroTik routers working with the mentioned setup. It may be that in your case there is some other configuration in pfSense or the MikroTik. It would be interesting to better understand your setup.

                      On the MikroTik side it worked even without setting the IPs in the OpenVPN profile.

                      I will post again with this setting.

                      If you can post your configuration, I will help you.

                      Tks

                      • marcelo.comtix @Rodrigo Lucio
                        last edited by Sep 20, 2019, 6:11 PM

                        @Rodrigo-Lucio

                        Let me get this straight.
                        You have 2 pfSense boxes, both OVPN servers.

                        PFSense1 - 192.168.1.0/24
                        PFSense2 - 192.168.2.0/24

                        Mikrotik is a client of PFSense1 and PFSense2.

                        That is:
                        PFSense1 - 192.168.1.0/24 - OVPN Server
                        PFSense2 - 192.168.2.0/24 - OVPN Server
                        Mikrotik - 192.168.0.0/24
                        OVPN Client1 -> PFSense1
                        OVPN Client2 -> PFSense2

                        Is that right?

                        If so, are you using different networks for your Tunnel Network?
                        Example:
                        PFSense1- 10.10.10.0/24
                        PFSense2 -10.20.20.0/24

                        In this case, the tunnel networks must be different. That makes it easier to understand.

                        tks.

                        • rfmendes
                          last edited by Sep 30, 2019, 2:28 PM

                          Hi guys...
                          I have the same problem as @marcelo.comtix.
                          Did you resolve this?

                          Att;
                          Rafael Mendes
                          rafael@rmitsolucoes.com.br

                          –
                          Att;
                          Rafael
                          rafael.mendes@msn.com

                          • rubic @marcelo.comtix
                            last edited by Oct 1, 2019, 3:26 AM

                            @marcelo-comtix said in [SOLVED] Site-to-site OpenVPN between pfSense and MikroTik:

                            Here are my settings that worked:

                            Thank you for the tips! My settings are almost the same. The only difference is that I use topology subnet on pfSense and the default PPP profile on the MikroTik. As the MikroTik wiki states that both 'use-compression' and 'use-encryption' do not work on OVPN tunnels, and the default PPP profile already changes the TCP MSS, you do not need a separate profile for OVPN.

                            • Sidaum @marcelo.comtix
                              last edited by Feb 22, 2020, 11:03 PM

                              @marcelo-comtix said in [SOLVED] Site-to-site OpenVPN between pfSense and MikroTik:

                              Here are my settings that worked:
                              PFSense 2.4.4-RELEASE-p3
                              Mikrotik 6.45.3

                              Hi, a long time after this post I had this problem at my work. Following @marcelo-comtix's updated instructions I was able to bring the tunnel up, but only on the pfSense OpenVPN Status page and the MK Interface Traffic page. I can't ping from either side to the other. Can you help me with this old post? Are you Brazilian?

                              • marcelo.comtix
                                last edited by Mar 7, 2020, 3:30 PM

                                UPDATE

                                My setup:
                                PFSense 2.4.4-RELEASE-p3
                                Mikrotik 6.44.x, 6.45.x, 6.46.x
                                PFSense LAN (Office): 192.168.1.0/24
                                Mikrotik LAN (Client): 192.168.2.0/24

                                PFSENSE

                                • CERTIFICATES

                                  1. System > Cert Manager > CAs
                                    Create new CA (OVPN-CA)
                                    Export "CA cert" file (OVPN-CA.crt)

                                  2. System -> Cert Manager -> Certificates
                                    Create two certificates (use CA created above):
                                    One for the VPN Server (OVPN-SERVER), set the option "Certificate type: Server Certificate"
                                    One for the VPN Client (OVPN-MK), set option "Certificate type: User Certificate"
                                    ATTENTION! When creating the VPN client certificate (OVPN-MK), set "Common name: site1.example.com" and save it for later use.
                                    Export cert and key files for client certificate (OVPN-MK.crt and OVPN-MK.key).

                                • OPENVPN

                                  1. VPN -> OpenVPN -> Server
                                    +Add
                                    Create new VPN server:
                                    Server Mode: Peer to Peer (SSL/TLS)
                                    Protocol: TCP
                                    Device Mode: tun
                                    Interface: WAN
                                    Local port: 24100
                                    Description: OVPN-MK
                                    TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
                                    Peer Certificate Authority: OVPN-CA
                                    Server Certificate: OVPN-SERVER
                                    Encryption algorithm: BF-CBC (128-bit)
                                    Auth Digest Algorithm: SHA1 (160-bit)
                                    Hardware Crypto: No Hardware Crypto Acceleration
                                    Certificate Depth: One (Client + Server)
                                    IPv4 Tunnel Network: 10.100.0.0/29
                                    IPv4 Local Network/s: 192.168.1.0/24
                                    IPv4 Remote Network/s: 192.168.2.0/24
                                    Compression: Omit Preference (Use OpenVPN Default)
                                    (MikroTik has limitations; one concerns LZO compression, as explained in the MikroTik Profile section)
                                    Topology: net30 and Subnet works

                                  2. VPN -> OpenVPN -> Client Specific Overrides
                                    ATTENTION 1!
                                    Fix the route to the remote network in pfSense; this is mandatory for it to work.
                                    +Add
                                    Server List: OVPN-MK (select your vpn server configuration)
                                    Common Name: site1.example.com
                                    Advanced: iroute 192.168.2.0 255.255.255.0;
                                    ATTENTION 2! After adding or changing the "Client Specific Overrides", restart the OVPN server to activate the configuration. To do this, go to Status -> OpenVPN and click the "restart" icon for your OVPN server.

                                • FIREWALL
                                  Firewall -> Rules -> OpenVPN
                                  Create a rule to allow interface OpenVPN traffic. This is a sample rule to allow any traffic in the OpenVPN interface.
                                  +Add
                                  Action: Pass
                                  Interface: OpenVPN
                                  Address Family: IPV4
                                  Protocol: Any
                                  Source: Any
                                  Destination: Any
                                  Description: OpenVPN interface traffic

                                MIKROTIK

                                • Certificates
                                  Copy two certificate files and the key file to Files.
                                  Import all of them from System -> Certificates.

                                • PROFILE
                                  MikroTik OpenVPN has limitations, as @rubic commented; see the MK wiki below (UDP and LZO compression):
                                  https://wiki.mikrotik.com/wiki/OpenVPN#Unsupported
                                  For most simple scenarios, the default profile works without any modifications.
                                  I have tested profiles with and without the Encryption option set.
                                  I recommend creating a separate profile if you are going to use dual WAN in pfSense and up/down scripts in the MikroTik profile.

                                • PPP Interface
                                  PPP -> Interface
                                  create new OVPN Client:
                                  Name: ovpn-office
                                  Connect To: 9.9.9.9 (your pfSense VPN server IP)
                                  Port: 24100
                                  Mode: ip
                                  User: any
                                  Profile: default (or custom ovpn-profile)
                                  Certificate: OVPN-MK.crt_0
                                  Auth: sha 1
                                  Cipher: blowfish 128
                                  Add Default Route: (do not check this)

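The addressing in the posts above can be checked before the tunnel is even brought up. The following Python script is an added example for this thread (it is not from the posts, pfSense or MikroTik): it reproduces how OpenVPN hands out the first client's tunnel addresses under the two topologies used here (net30: the server keeps the first /30 and the first client gets the next /30, with .6 as the client and .5 as the server-side endpoint; subnet: server .1, client .2), so the MikroTik "Local address"/"Remote address", the "IPv4 Remote Network/s" and the "iroute" in Client Specific Overrides can be cross-checked, and it also covers the two-server case from the Rodrigo Lucio exchange, where the tunnel networks must not overlap. The WORKING and MISSING_IROUTE dictionaries are constructed from the "settings that worked" post, and the problem messages are this example's own wording.

```python
"""Consistency checks for a pfSense (OpenVPN server) <-> MikroTik (OVPN client)
site-to-site setup. Added example for the forum thread; the dictionaries below
are constructed from the posted settings (10.200.0.0/29 net30, LANs
192.168.1.0/24 and 192.168.2.0/24)."""
from __future__ import annotations

import ipaddress


def tunnel_endpoints(tunnel_cidr: str, topology: str) -> tuple[str, str]:
    """Return (client_ip, server_side_ip) for the first client of the server.

    net30:  server keeps the first /30; each client gets its own /30, in which
            the client is .6 and the server-side point-to-point address is .5.
    subnet: server takes the first usable address, first client the second.
    """
    net = ipaddress.ip_network(tunnel_cidr, strict=True)
    if topology == "net30":
        if net.prefixlen >= 30:
            raise ValueError(f"{tunnel_cidr}: net30 needs a /29 or larger "
                             "(one /30 for the server plus one /30 per client)")
        client_block = list(net.subnets(new_prefix=30))[1]
        server_side, client = list(client_block.hosts())  # .5, .6
        return str(client), str(server_side)
    if topology == "subnet":
        hosts = list(net.hosts())
        if len(hosts) < 2:
            raise ValueError(f"{tunnel_cidr}: no room for a server and a client")
        return str(hosts[1]), str(hosts[0])
    raise ValueError(f"unknown topology {topology!r}")


def iroute_line(remote_lan: str) -> str:
    """Text for the Client Specific Override 'Advanced' field. The kernel route
    added by 'IPv4 Remote Network/s' is not enough: OpenVPN also needs to know
    which client owns that LAN, which is what iroute does."""
    net = ipaddress.ip_network(remote_lan, strict=True)
    return f"iroute {net.network_address} {net.netmask}"


def check_site_to_site(cfg: dict) -> list[str]:
    """Cross-check one server/client pair; an empty list means it is coherent."""
    problems: list[str] = []
    tunnel = ipaddress.ip_network(cfg["tunnel"], strict=True)
    local_lan = ipaddress.ip_network(cfg["local_lan"], strict=True)
    remote_lan = ipaddress.ip_network(cfg["remote_lan"], strict=True)

    # 1. Tunnel, local and remote prefixes must be disjoint, or routes shadow each other.
    for name, a, b in (("tunnel/local LAN", tunnel, local_lan),
                       ("tunnel/remote LAN", tunnel, remote_lan),
                       ("local LAN/remote LAN", local_lan, remote_lan)):
        if a.overlaps(b):
            problems.append(f"{name} overlap: {a} and {b}")

    # 2. The MikroTik PPP profile addresses must be the ones the server assigns.
    try:
        client_ip, server_ip = tunnel_endpoints(cfg["tunnel"], cfg["topology"])
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if cfg["mk_local"] != client_ip:
        problems.append(f"MikroTik Local address should be {client_ip}, not {cfg['mk_local']}")
    if cfg["mk_remote"] != server_ip:
        problems.append(f"MikroTik Remote address should be {server_ip}, not {cfg['mk_remote']}")

    # 3. The iroute must name exactly the remote LAN (a trailing ';' is tolerated).
    expected = iroute_line(cfg["remote_lan"])
    given = (cfg.get("iroute") or "").strip().rstrip(";").strip()
    if not given:
        problems.append("no iroute in Client Specific Overrides: pfSense LAN -> MikroTik LAN will fail")
    elif given != expected:
        problems.append(f"iroute should be '{expected}', not '{given}'")
    return problems


def tunnels_distinct(tunnel_cidrs: list[str]) -> bool:
    """Several servers the same MikroTik connects to need disjoint tunnel networks."""
    nets = [ipaddress.ip_network(c, strict=True) for c in tunnel_cidrs]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


# Constructed from the "settings that worked" post (net30, /29 tunnel network).
WORKING = {
    "tunnel": "10.200.0.0/29", "topology": "net30",
    "local_lan": "192.168.1.0/24", "remote_lan": "192.168.2.0/24",
    "mk_local": "10.200.0.6", "mk_remote": "10.200.0.5",
    "iroute": "iroute 192.168.2.0 255.255.255.0;",
}
# Constructed: the same setup with the Client Specific Override left out.
MISSING_IROUTE = dict(WORKING, iroute=None)

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("missing iroute", MISSING_IROUTE)):
        print(f"{name}: {check_site_to_site(cfg) or 'OK'}")
```

Run it as-is and the "working" set reports OK while the "missing iroute" set reports exactly the failure mode several posters describe (tunnel up, MikroTik can reach the pfSense LAN, the pfSense LAN cannot reach the MikroTik LAN). The first post's subnet-topology pair (10.0.9.0/30 with Local 10.0.9.2 / Remote 10.0.9.1) also checks out with tunnel_endpoints.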
                                • rezance @marcelo.comtix
                                  last edited by rezance May 8, 2020, 6:02 PM May 8, 2020, 5:52 PM

                                  @marcelo-comtix
                                  I followed your steps precisely, but I am still having a problem. It looks like the connection is established, but the MikroTik and pfSense cannot ping each other, and the connection is reset every 60 seconds.

                                  In the pfSense dashboard I see that the connection is up, but after 60 seconds it is reset due to inactivity.
                                  In the MikroTik I see only RX packets. I see that the routes are in place.

                                  Also, I was not able to make the connection until I created my own OpenVPN profile in the MikroTik, where I assigned an IP to the local interface; otherwise the connection failed on the MikroTik with the error "no ip address provided".
                                  Any idea?

                                  • andersonkiyoshi
                                    last edited by andersonkiyoshi May 29, 2020, 4:52 PM May 29, 2020, 4:50 PM

                                    @rezance
                                    The solution for the MikroTik to communicate with the pfSense is to do a masquerade. It is the only thing missing from @marcelo-comtix's last configuration above.
                                    Chain: src-nat
                                    Out-Interface: ovpn-office
                                    Action: masquerade

                                    The solution for the MikroTik to communicate with the pfSense is to do a masquerade. It's the only thing missing from the last configuration above by @marcelo-comtix
                                    Chain: src-nat
                                    Out-Interface: ovpn-office
                                    Action: masquerade

                                    • huutai1996 @andersonkiyoshi
                                      last edited by huutai1996 Aug 12, 2020, 10:44 AM Aug 12, 2020, 10:43 AM

                                      @andersonkiyoshi I followed your solution. I can ping from the MikroTik to pfSense OK, but ping from pfSense to the MK does not work.

                                      • marcelo.comtix @rezance
                                        last edited by Aug 12, 2020, 1:24 PM

                                        @rezance, what's your MikroTik version?

                                        Please send the networks on both sides of the tunnel.

                                        • andersonkiyoshi @huutai1996
                                          last edited by Aug 21, 2020, 11:39 AM

                                          @huutai1996

                                          VPN -> OpenVPN -> Client Specific Overrides
                                          ATTENTION 1!
                                          Fix the route to the remote network in pfSense; this is mandatory for it to work.
                                          +Add
                                          Server List: OVPN-MK (select your vpn server configuration)
                                          Common Name: site1.example.com
                                          Advanced: iroute 192.168.2.0 255.255.255.0;
                                          ATTENTION 2! After adding or changing the "Client Specific Overrides", restart the OVPN server to activate the configuration. To do this, go to Status -> OpenVPN and click the "restart" icon for your OVPN server.

                                          This route has to be configured correctly; the traffic needs a path to reach the destination.
