[SOLVED] Site-to-site OpenVPN between pfSense and MikroTik

marcelo.comtix · Sep 26, 2018, 2:47 AM

I had the same problem @kahardreams, the LAN behind pfsense could not communicate with the LAN behind the Mikrotik.

After some modifications, I was successful and it worked perfectly.
I was based on howto from @unguzov .
Follow the modifications:

PFSENSE:

System -> Cert Manager -> CAs
Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).
System -> Cert Manager -> Certificates
Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).
VPN -> OpenVPN -> Server
Create new VPN server:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN
Local port: 24100
TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
Peer Certificate Authority: vpn-tunnel-ca
Server Certificate: vpn-tunnel
Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Aceleration
Certificate Depth: One (Client + Server)
IPv4 Tunnel Network: 10.0.9.0/30
IPv4 Local Network/s: 192.168.1.0/24
IPv4 Remote Network/s: 192.168.2.0/24
Compression: No Preference
Topology: Subnet -- One IP address per client

MikroTik:
Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

PPP -> Profiles - create new:
Name: ovpn-profile
Local address: 10.0.9.2
Remote address: 10.0.9.1
PPP -> Interface
create new OVPN Client:
Name: ovpn-office
Connect To: 1.1.1.1 (Your IP PFSense VPN Server)
Port: 24100
Mode: ip
User: any
Profile: ovpn-profile
Certificate: mik-vpn.crt_0
Auth: sha 1
Cipher: aes 256
Add Default Route: (do not check this)

In this way, worked perfectly, the two sites are communicating perfectly.

Thanks to @unguzov.

Hope this helps.

bootable · Dec 11, 2018, 10:54 PM

I can connect by VPN both sides, but I not have traffic between MT and pfSense, the tunnel is UP, but pfSense cant have ping to MTK IP and viceversa.

fabianoheringer · Apr 28, 2019, 4:12 PM

Same problem, i can ping from mikrotik to lan behind pfense, but from lan behind pfsense i cant ping on lan in mikrotik (I can ping in both tunnels, but not in LAN in mikrotik). Tried the marcelo.comtix suggestion, but didn´t worked.

norbi771 · Apr 28, 2019, 4:12 PM

Same problem.
Main router is PFSense based.
I have 4 PFSense To PFSense Site 2 Site tunnels running fine (shared key based).
Then I am in the need to add next one, but this one has to be mikrotik based and it cannot be shared key based as I realized.

And when I added Mikrotik tunnel following this tutorial I randomly can ping network on the mikrotik lan side.
When I look into mikrotik torch I can see that source address is random and changes between reconnects.
I can ping network on the PFSense Side, though.

Also tried the marcelo.comtix suggestion, but didn´t worked.
I have no idea how to fix that.

marcelo.comtix · Aug 9, 2019, 11:31 PM

After several tests, I was able to tweak the SITE-TO-SITE VPN again. It has stopped working after updating mikrotik.
I will post here the settings that worked again.

marcelo.comtix · Oct 1, 2019, 3:26 AM

Here are my settings that worked:
PFSense 2.4.4-RELEASE-p3
Mikrotik 6.45.3

Follow the modifications:

PFSENSE:

System -> Cert Manager -> CAs
Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).

System -> Cert Manager -> Certificates
Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

VPN -> OpenVPN -> Server
Create new VPN server:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN
Local port: 24100
TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
Peer Certificate Authority: vpn-tunnel-ca
Server Certificate: vpn-tunnel
Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Aceleration
Certificate Depth: One (Client + Server)
IPv4 Tunnel Network: 10.200.0.0/29
IPv4 Local Network/s: 192.168.1.0/24
IPv4 Remote Network/s: 192.168.2.0/24
Compression: Omit Preference (Use OpenVPN Default)
Topology: net30 - Isolated /30 network per client

*Very important, fix the route of the remote network in PFSense
Client Specific Overrides:
+Add
Server List: *select your server
Common Name: "common name of certificate client"
Advanced: iroute 192.168.2.0 255.255.255.0;

MikroTik:
Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

PPP -> Profiles - create new:
Name: ovpn-profile
Local address: 10.200.0.6
Remote address: 10.200.0.5
Change TCP MSS: yes
*Protocols:
Use Compression: no
Use Encryption: yes

PPP -> Interface
create new OVPN Client:
Name: ovpn-office
Connect To: 1.1.1.1 (Your IP PFSense VPN Server)
Port: 24100
Mode: ip
User: any
Profile: ovpn-profile
Certificate: mik-vpn.crt_0
Auth: sha 1
Cipher: aes 256
Add Default Route: (do not check this)

It is working perfectly with these settings.
Remember that in PFSense the rules for the OpenVPN interface must be created.
In Mikrotik, in firewall, check the lists of interface "LAN".

marcelo.comtix · Aug 9, 2019, 11:51 PM

@fabianoheringer , I posted the update of instructions.
The version of mikrotik firmware is the problem. For the newest version, the update instructions worked fine.

Rodrigo Lucio · Aug 22, 2019, 1:10 PM

@marcelo-comtix
Boa noite marcelo!
Estou usando dois PfSense ambos com a versão 2.4.4-RELEASE-p3, configurados exatamente iguais (192.168.1.0/24 e 192.168.2.0/24) como OVPN server para um Mikrotik como client de ambos (192.168.0.0/24). A conexão entre o PfSense server (192.168.1.0/24) está perfeita com o MK, fiz conforme o processo mensionado acima. Porém a outra conexão eu consigo "pingar" o tunel nas duas pontas (10.10.10.6 e 10.10.10.5), e do Mikrotik consigo "pingar" o PfSense e as maquinas da rede (192.168.2.0/24), mas ao contrário não funciona e de nenhuma máquina consigo "pingar" de ambos os lados.
Consegue me ajudar?

Obrigado!

Mod Edit: If your going to post in an english section, you need to post in english.. I have done a google translate for you - I have no idea if correct... But please refrain from posting non english in the english boards. Thank you.

translated:
Good night Marcelo!
I am using two PfSense both with version 2.4.4-RELEASE-p3, configured exactly the same (192.168.1.0/24 and 192.168.2.0/24) as OVPN server for a Mikrotik as client of both (192.168.0.0/24). The connection between PfSense server (192.168.1.0/24) is perfect with MK, I made according to the process mentioned above. But the other connection I can "ping" the tunnel at both ends (10.10.10.6 and 10.10.10.5), and from Mikrotik I can "ping" PfSense and network machines (192.168.2.0/24), but on the contrary not works and no machine can "drip" on both sides.
Can you help me?

Thank you!

DavidBell · Sep 20, 2019, 1:47 PM

Thanks for the tutorial
I followed this and the VPN works. On the other hand, the tunnel does not route any traffic between the equipments. if I force a srcnat on an ip it works but temporally and not stable. Does one have a fire rule to add?
PFSense 2.4.4-RELEASE-p3
Mikrotik 6.45.6

Can you help me?

Thank you!

marcelo.comtix · Sep 20, 2019, 6:03 PM

@DavidBell , I have 2 mikrotik router working with the mentioned setup. It may be that in your case there is some other configuration in pfsense or mikrotik. It would be interesting to better understand its structure.

On the Mikrotik side it worked even not informing the IPS in openvpn profile.

I will post again with this setting.

If you can post how is your configuration, I help you.

Tks

marcelo.comtix · Sep 20, 2019, 6:11 PM

@Rodrigo-Lucio

Let me get this straight.
You have 2 PFSense - OVPN Server.

PFSense1 - 192.168.1.0/24
PFSense2 - 192.168.2.0/24

Mikrotik is a client of PFSense1 and PFSense2.

That is:
PFSense1 - 192.168.1.0/24 - OVPN Server
PFSense2 - 192.168.2.0/24 - OVPN Server
Mikrotik - 192.168.0.0/24
OVPN Client1 -> PFSense1
OVPN Client2 -> PFSense2

That's right?

If so, are you using different networks for your Tunnel Network?
Example:
PFSense1- 10.10.10.0/24
PFSense2 -10.20.20.0/24

In this case, the tunnel network must be different. Understanding is easier.

tks.

rfmendes · Sep 30, 2019, 2:28 PM

Hi guys...
I have the same problem as the @marcelo.comtix
You resolved this?

Att;
Rafael Mendes
rafael@rmitsolucoes.com.br

rubic · Oct 1, 2019, 3:26 AM

@marcelo-comtix said in [SOLVED] Site-to-site OpenVPN between pfSense and MikroTik:

Here are my settings that worked:

Thank you for some tips! My settings are almost the same. The only difference is that I use topology subnet on pfSense and default PPP profile on Mikrotik. As Mikrotik WIKI states that both 'use-compression' and 'use-encryption' do not work on OVPN tunnels and default PPP profile changes TCP MSS, you do not need separate profile for OVPN.

Sidaum · Mar 6, 2020, 10:07 PM

@marcelo-comtix said in [SOLVED] Site-to-site OpenVPN between pfSense and MikroTik:

Here are my settings that worked:
PFSense 2.4.4-RELEASE-p3
Mikrotik 6.45.3

Follow the modifications:

PFSENSE:

System -> Cert Manager -> CAs
Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).

System -> Cert Manager -> Certificates
Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

VPN -> OpenVPN -> Server
Create new VPN server:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN
Local port: 24100
TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
Peer Certificate Authority: vpn-tunnel-ca
Server Certificate: vpn-tunnel
Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Aceleration
Certificate Depth: One (Client + Server)
IPv4 Tunnel Network: 10.200.0.0/29
IPv4 Local Network/s: 192.168.1.0/24
IPv4 Remote Network/s: 192.168.2.0/24
Compression: Omit Preference (Use OpenVPN Default)
Topology: net30 - Isolated /30 network per client

*Very important, fix the route of the remote network in PFSense
Client Specific Overrides:
+Add
Server List: *select your server
Common Name: "common name of certificate client"
Advanced: iroute 192.168.2.0 255.255.255.0;

MikroTik:
Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

PPP -> Profiles - create new:
Name: ovpn-profile
Local address: 10.200.0.6
Remote address: 10.200.0.5
Change TCP MSS: yes
*Protocols:
Use Compression: no
Use Encryption: yes

PPP -> Interface
create new OVPN Client:
Name: ovpn-office
Connect To: 1.1.1.1 (Your IP PFSense VPN Server)
Port: 24100
Mode: ip
User: any
Profile: ovpn-profile
Certificate: mik-vpn.crt_0
Auth: sha 1
Cipher: aes 256
Add Default Route: (do not check this)

It is working perfectly with these settings.
Remember that in PFSense the rules for the OpenVPN interface must be created.
In Mikrotik, in firewall, check the lists of interface "LAN".

Hy, so many time after this post, I had this porblem on my work, following @marcelo-comtix updated instruction I was able to put the tunnel up, but only on PFsense Open VPN Status and MK Interface Traffic page. I cant ping any side to any side, Can u help me with this old post? R u Brazilian?

marcelo.comtix · Mar 7, 2020, 3:30 PM

UPDATE

My setup:
PFSense 2.4.4-RELEASE-p3
Mikrotik 6.44.x, 6.45.x, 6.46.x
PFSense LAN (Office): 192.168.1.0/24
Mikrotik LAN (Client): 192.168.2.0/24

PFSENSE

CERTIFICATES
1. System > Cert Manager > CAs
  Create new CA (OVPN-CA)
  Export "CA cert" file (OVPN-CA.crt)
2. System -> Cert Manager -> Certificates
  Create two certificates (use CA created above):
  One for the VPN Server (OVPN-SERVER), set the option "Certificate type: Server Certificate"
  One for the VPN Client (OVPN-MK), set option "Certificate type: User Certificate"
  ATENTION! In the VPN Client creation (OVPN-MK), set "Common name: site1.example.com" and save for later use.
  Export cert and key files for client certificate (OVPN-MK.crt and OVPN-MK.key).
OPENVPN
1. VPN -> OpenVPN -> Server
  +Add
  Create new VPN server:
  Server Mode: Peer to Peer (SSL/TLS)
  Protocol: TCP
  Device Mode: tun
  Interface: WAN
  Local port: 24100
  Description: OVPN-MK
  TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
  Peer Certificate Authority: OVPN-CA
  Server Certificate: OVPN-SERVER
  Encryption algorithm: BF-CBC (128-bit)
  Auth Digest Algorithm: SHA1 (160-bit)
  Hardware Crypto: No Hardware Crypto Aceleration
  Certificate Depth: One (Client + Server)
  IPv4 Tunnel Network: 10.100.0.0/29
  IPv4 Local Network/s: 192.168.1.0/24
  IPv4 Remote Network/s: 192.168.2.0/24
  Compression: Omit Preference (Use OpenVPN Default)
  (Mikrotik have limitations, one is about LZO compression, this explaned in Mikrotik Profile section)
  Topology: net30 and Subnet works
2. VPN -> OpenVPN -> Client Specific Overrides
  ATENTION 1!
  Fix the route of the remote network in PFSense, this is mandatory to work.
  +Add
  Server List: OVPN-MK (select your vpn server configuration)
  Common Name: site1.example.com
  Advanced: iroute 192.168.2.0 255.255.255.0;
  ATENTION 2! After adding or changing the "Client Specific Overrides" restart de OVPN Server to activate the configurations. To do this, Status -> OpenVPN and click "restart icon" in your OPVN server.
FIREWALL
Firewall -> Rules -> OpenVPN
Create a rule to allow interface OpenVPN traffic. This is a sample rule to allow any traffic in the OpenVPN interface.
+Add
Action: Pass
Interface: OpenVPN
Address Family: IPV4
Protocol: Any
Source: Any
Destination: Any
Description: OpenVPN interface traffic

MIKROTIK

Certificates
Copy two certificate files and the key file to Files.
Import all of them from System -> Certificates.
PROFILE
Mikrotik OpenVPN have limitations, as @rubic commented see below on MK Wiki: (UDP and LZO Compression)
https://wiki.mikrotik.com/wiki/OpenVPN#Unsupported
For most simplified scenarios, the default profile works without any modifications.
I have tested profiles with and without Encryption option set.
I recommend creating a separate profile, if you are going to use dual WAN in PFSense and up,down scripts in mikrotik profile.
PPP Interface
PPP -> Interface
create new OVPN Client:
Name: ovpn-office
Connect To: 9.9.9.9 (Your IP PFSense VPN Server)
Port: 24100
Mode: ip
User: any
Profile: default (or custom ovpn-profile)
Certificate: OVPN-MK.crt_0
Auth: sha 1
Cipher: blowfish 128
Add Default Route: (do not check this)

rezance · May 8, 2020, 6:02 PM

@marcelo-comtix
I follow your steps precisely, but i still having problem. It looks that connections is established, but mikrotik and pfsense can not ping each other, connections is reset every 60 seconds.

In pfsense dashboard I see that connection is up, but after 60 seconds it is reseted due in activity.
In mikrotik I see only rx packets. I see that routes are in place.

Also I was not able to made connection until I did not create own openvpn profile in mikrotik, where I assigned ip to local interface, otherwise connection was mikrotik with error "no ip address provided"
Any idea?

andersonkiyoshi · May 29, 2020, 4:52 PM

@rezance
A solução para o Mikrotik se comunicar ao Pfsense é fazer um masquerade. É a única coisa que falta da última configuração acima do @marcelo-comtix
Chain: src-nat
Out-Interface: ovpn-office
Action: masquerade

The solution for Mikrotik to communicate with Pfsense is to make a masquerade. It's the only thing missing from the last configuration above @ marcelo-comtix
Chain: src-nat
Out-Interface: ovpn-office
Action: masquerade

huutai1996 · Aug 12, 2020, 10:44 AM

@andersonkiyoshi i followed the your solution. i ping from mikrotik to pfsense ok but ping from pfsense to mik not ok

marcelo.comtix · Aug 12, 2020, 1:24 PM

@rezance what's your mikrotik version ?

Please, send your networks the both sides of tunnel.

andersonkiyoshi · Aug 21, 2020, 11:39 AM

@huutai1996

VPN -> OpenVPN -> Client Specific Overrides
ATENTION 1!
Fix the route of the remote network in PFSense, this is mandatory to work.
+Add
Server List: OVPN-MK (select your vpn server configuration)
Common Name: site1.example.com
Advanced: iroute 192.168.2.0 255.255.255.0;
ATENTION 2! After adding or changing the "Client Specific Overrides" restart de OVPN Server to activate the configurations. To do this, Status -> OpenVPN and click "restart icon" in your OPVN server.

This route has to be done correctly, you need to take the path to reach the destination.