Netgate Discussion Forum
    [SOLVED] Site-to-site OpenVPN between pfSense and MikroTik

    Category: OpenVPN
    29 Posts, 18 Posters, 49.2k Views
    marcelo.comtix @DavidBell

      @DavidBell, I have 2 MikroTik routers working with the mentioned setup. It may be that in your case there is some other configuration in pfSense or MikroTik. It would be interesting to better understand its structure.

      On the MikroTik side it worked even without specifying the IPs in the OpenVPN profile.

      I will post again with this setting.

      If you can post your configuration, I will help you.

      Tks

      marcelo.comtix @Rodrigo Lucio

        @Rodrigo-Lucio

        Let me get this straight.
        You have 2 pfSense OVPN servers.

        PFSense1 - 192.168.1.0/24
        PFSense2 - 192.168.2.0/24

        Mikrotik is a client of PFSense1 and PFSense2.

        That is:
        PFSense1 - 192.168.1.0/24 - OVPN Server
        PFSense2 - 192.168.2.0/24 - OVPN Server
        Mikrotik - 192.168.0.0/24
        OVPN Client1 -> PFSense1
        OVPN Client2 -> PFSense2

        Is that right?

        If so, are you using different networks for your Tunnel Network?
        Example:
        PFSense1 - 10.10.10.0/24
        PFSense2 - 10.20.20.0/24

        In this case, the tunnel networks must be different. That makes it easier to understand.

        tks.

        rfmendes

          Hi guys...
          I have the same problem as @marcelo.comtix.
          Did you resolve this?

          Att;
          Rafael Mendes
          rafael@rmitsolucoes.com.br

          –
          Att;
          Rafael
          rafael.mendes@msn.com

          rubic @marcelo.comtix

            @marcelo-comtix said in [SOLVED] Site-to-site OpenVPN between pfSense and MikroTik:

            Here are my settings that worked:

            Thank you for the tips! My settings are almost the same. The only difference is that I use topology subnet on pfSense and the default PPP profile on MikroTik. As the MikroTik wiki states that both 'use-compression' and 'use-encryption' do not work on OVPN tunnels, and the default PPP profile already changes the TCP MSS, you do not need a separate profile for OVPN.

            Sidaum @marcelo.comtix

              @marcelo-comtix said in [SOLVED] Site-to-site OpenVPN between pfSense and MikroTik:

              Here are my settings that worked:
              PFSense 2.4.4-RELEASE-p3
              Mikrotik 6.45.3

              Follow the modifications:

              PFSENSE:

              System -> Cert Manager -> CAs
              Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).

              System -> Cert Manager -> Certificates
              Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

              VPN -> OpenVPN -> Server
              Create new VPN server:
              Server Mode: Peer to Peer (SSL/TLS)
              Protocol: TCP
              Device Mode: tun
              Interface: WAN
              Local port: 24100
              TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
              Peer Certificate Authority: vpn-tunnel-ca
              Server Certificate: vpn-tunnel
              Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
              Auth Digest Algorithm: SHA1 (160-bit)
              Hardware Crypto: No Hardware Crypto Acceleration
              Certificate Depth: One (Client + Server)
              IPv4 Tunnel Network: 10.200.0.0/29
              IPv4 Local Network/s: 192.168.1.0/24
              IPv4 Remote Network/s: 192.168.2.0/24
              Compression: Omit Preference (Use OpenVPN Default)
              Topology: net30 - Isolated /30 network per client

              *Very important, fix the route of the remote network in PFSense
              Client Specific Overrides:
              +Add
              Server List: *select your server
              Common Name: "common name of certificate client"
              Advanced: iroute 192.168.2.0 255.255.255.0;

              MikroTik:
              Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

              PPP -> Profiles - create new:
              Name: ovpn-profile
              Local address: 10.200.0.6
              Remote address: 10.200.0.5
              Change TCP MSS: yes
              *Protocols:
              Use Compression: no
              Use Encryption: yes

              PPP -> Interface
              create new OVPN Client:
              Name: ovpn-office
              Connect To: 1.1.1.1 (Your IP PFSense VPN Server)
              Port: 24100
              Mode: ip
              User: any
              Profile: ovpn-profile
              Certificate: mik-vpn.crt_0
              Auth: sha 1
              Cipher: aes 256
              Add Default Route: (do not check this)

              It is working perfectly with these settings.
              Remember that in pfSense the rules for the OpenVPN interface must be created.
              In MikroTik, in the firewall, check the interface lists for "LAN".

              Hi, a long time after this post, I had this problem at my work. Following @marcelo-comtix's updated instructions I was able to bring the tunnel up, but only on the pfSense OpenVPN Status page and the MK Interface Traffic page. I can't ping from either side to the other. Can you help me with this old post? Are you Brazilian?

              marcelo.comtix

                UPDATE

                My setup:
                PFSense 2.4.4-RELEASE-p3
                Mikrotik 6.44.x, 6.45.x, 6.46.x
                PFSense LAN (Office): 192.168.1.0/24
                Mikrotik LAN (Client): 192.168.2.0/24

                PFSENSE

                • CERTIFICATES

                  1. System > Cert Manager > CAs
                    Create new CA (OVPN-CA)
                    Export "CA cert" file (OVPN-CA.crt)

                  2. System -> Cert Manager -> Certificates
                    Create two certificates (use CA created above):
                    One for the VPN Server (OVPN-SERVER), set the option "Certificate type: Server Certificate"
                    One for the VPN Client (OVPN-MK), set option "Certificate type: User Certificate"
                    ATTENTION! In the VPN Client creation (OVPN-MK), set "Common name: site1.example.com" and save it for later use.
                    Export cert and key files for client certificate (OVPN-MK.crt and OVPN-MK.key).

                • OPENVPN

                  1. VPN -> OpenVPN -> Server
                    +Add
                    Create new VPN server:
                    Server Mode: Peer to Peer (SSL/TLS)
                    Protocol: TCP
                    Device Mode: tun
                    Interface: WAN
                    Local port: 24100
                    Description: OVPN-MK
                    TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
                    Peer Certificate Authority: OVPN-CA
                    Server Certificate: OVPN-SERVER
                    Encryption algorithm: BF-CBC (128-bit)
                    Auth Digest Algorithm: SHA1 (160-bit)
                    Hardware Crypto: No Hardware Crypto Acceleration
                    Certificate Depth: One (Client + Server)
                    IPv4 Tunnel Network: 10.100.0.0/29
                    IPv4 Local Network/s: 192.168.1.0/24
                    IPv4 Remote Network/s: 192.168.2.0/24
                    Compression: Omit Preference (Use OpenVPN Default)
                    (MikroTik has limitations; one of them concerns LZO compression, which is explained in the MikroTik Profile section.)
                    Topology: net30 and Subnet works

                  2. VPN -> OpenVPN -> Client Specific Overrides
                    ATTENTION 1!
                    Fix the route of the remote network in pfSense; this is mandatory for it to work.
                    +Add
                    Server List: OVPN-MK (select your vpn server configuration)
                    Common Name: site1.example.com
                    Advanced: iroute 192.168.2.0 255.255.255.0;
                    ATTENTION 2! After adding or changing the "Client Specific Overrides", restart the OVPN server to activate the configuration. To do this, go to Status -> OpenVPN and click the "restart" icon for your OVPN server.

                • FIREWALL
                  Firewall -> Rules -> OpenVPN
                  Create a rule to allow interface OpenVPN traffic. This is a sample rule to allow any traffic in the OpenVPN interface.
                  +Add
                  Action: Pass
                  Interface: OpenVPN
                  Address Family: IPV4
                  Protocol: Any
                  Source: Any
                  Destination: Any
                  Description: OpenVPN interface traffic

                MIKROTIK

                • Certificates
                  Copy two certificate files and the key file to Files.
                  Import all of them from System -> Certificates.

                • PROFILE
                  MikroTik OpenVPN has limitations, as @rubic commented; see the MK Wiki below (UDP and LZO compression):
                  https://wiki.mikrotik.com/wiki/OpenVPN#Unsupported
                  For most simplified scenarios, the default profile works without any modifications.
                  I have tested profiles with and without Encryption option set.
                  I recommend creating a separate profile if you are going to use dual WAN in pfSense and up/down scripts in the MikroTik profile.

                • PPP Interface
                  PPP -> Interface
                  create new OVPN Client:
                  Name: ovpn-office
                  Connect To: 9.9.9.9 (Your IP PFSense VPN Server)
                  Port: 24100
                  Mode: ip
                  User: any
                  Profile: default (or custom ovpn-profile)
                  Certificate: OVPN-MK.crt_0
                  Auth: sha 1
                  Cipher: blowfish 128
                  Add Default Route: (do not check this)

                  rezance @marcelo.comtix

                  @marcelo-comtix
                  I followed your steps precisely, but I am still having a problem. It looks like the connection is established, but MikroTik and pfSense cannot ping each other; the connection is reset every 60 seconds.

                  In the pfSense dashboard I see that the connection is up, but after 60 seconds it is reset due to inactivity.
                  In MikroTik I see only RX packets. I see that the routes are in place.

                  Also, I was not able to make the connection until I created my own OpenVPN profile in MikroTik, where I assigned an IP to the local interface; otherwise the connection on MikroTik failed with the error "no ip address provided".
                  Any idea?

                    andersonkiyoshi

                    @rezance
                    The solution for MikroTik to communicate with pfSense is to add a masquerade rule. It is the only thing missing from @marcelo-comtix's last configuration above.
                    Chain: src-nat
                    Out-Interface: ovpn-office
                    Action: masquerade

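The three pieces the thread keeps circling back to are the net30 tunnel addresses in the PPP profile (Local address .6 / Remote address .5 for a /29 tunnel network, in both of @marcelo-comtix's configurations), the mandatory `iroute` in the Client Specific Override, and the masquerade rule just suggested as a workaround. The script below is an added example, not code from this thread, from pfSense or from MikroTik. It models those settings with hypothetical `ServerConfig`/`ClientConfig` classes and constructed sample values, derives the net30 addresses from the tunnel network, lists the consistency problems between the two sides, and predicts which direction traffic flows. In particular it shows why a masquerade rule lets MikroTik-to-pfSense pings work while pfSense-to-MikroTik still fails when the `iroute` is missing.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerConfig:
    """pfSense OpenVPN server settings that matter for routing (hypothetical model)."""
    tunnel_network: str            # IPv4 Tunnel Network
    local_networks: list           # IPv4 Local Network/s
    remote_networks: list          # IPv4 Remote Network/s (kernel routes into the tunnel)
    # Client Specific Overrides: common name -> "iroute <net> <mask>;" lines
    iroutes: dict = field(default_factory=dict)
    openvpn_pass_rule: bool = True  # Firewall -> Rules -> OpenVPN pass rule present?


@dataclass
class ClientConfig:
    """MikroTik side: certificate common name, its LAN, and the srcnat workaround."""
    common_name: str
    lan: str
    masquerade_to_tunnel: bool = False  # srcnat masquerade out the ovpn interface


def net30_addresses(tunnel_network: str, client_index: int = 0) -> dict:
    """Addresses OpenVPN assigns with 'Topology: net30': the server takes the first /30
    (.1, peer .2); each client gets the next /30 and uses its upper address locally.
    For 10.100.0.0/29 the only client is .6 with .5 as the server-side endpoint,
    which is what the PPP profile's Local/Remote address fields hold."""
    pairs = list(ipaddress.ip_network(tunnel_network).subnets(new_prefix=30))
    if client_index + 1 >= len(pairs):
        raise ValueError(f"{tunnel_network} has room for only {len(pairs) - 1} net30 client(s)")
    server_pair, client_pair = pairs[0], pairs[client_index + 1]
    return {"server": str(server_pair[1]),
            "client_local": str(client_pair[2]),
            "client_remote": str(client_pair[1])}


def _iroute_networks(lines):
    """Parse 'iroute 192.168.2.0 255.255.255.0;' lines into networks."""
    nets = []
    for line in lines:
        parts = line.strip().rstrip(";").split()
        if len(parts) != 3 or parts[0] != "iroute":
            raise ValueError(f"not an iroute line: {line!r}")
        nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return nets


def check_config(server: ServerConfig, client: ClientConfig) -> dict:
    """Return {problem_code: explanation}; an empty dict means both sides agree."""
    problems = {}
    tunnel = ipaddress.ip_network(server.tunnel_network)
    client_lan = ipaddress.ip_network(client.lan)
    local = [ipaddress.ip_network(n) for n in server.local_networks]
    remote = [ipaddress.ip_network(n) for n in server.remote_networks]
    for n in local + remote + [client_lan]:
        if n.overlaps(tunnel):
            problems["tunnel_overlap"] = f"tunnel network {tunnel} overlaps {n}"
    for n in local:
        if n.overlaps(client_lan):
            problems["lan_overlap"] = f"pfSense LAN {n} overlaps MikroTik LAN {client_lan}"
    if not any(client_lan.subnet_of(r) for r in remote):
        problems["no_kernel_route"] = (f"{client_lan} not in IPv4 Remote Network/s: "
                                       "pfSense has no route for it into the tunnel")
    if not any(client_lan.subnet_of(r)
               for r in _iroute_networks(server.iroutes.get(client.common_name, []))):
        problems["no_iroute"] = (f"no iroute for {client_lan} under Common Name "
                                 f"{client.common_name!r}: OpenVPN drops packets from that source")
    if not server.openvpn_pass_rule:
        problems["no_firewall_rule"] = "no pass rule on the OpenVPN firewall interface"
    return problems


def reachability(server: ServerConfig, client: ClientConfig) -> dict:
    """Predict which directions carry traffic. Masquerade rewrites MikroTik LAN sources to
    the client's tunnel IP, so it hides a missing iroute in one direction only."""
    p = check_config(server, client)
    if "tunnel_overlap" in p or "lan_overlap" in p:
        return {"client_lan_to_server_lan": False, "server_lan_to_client_lan": False}
    routed = "no_iroute" not in p and "no_kernel_route" not in p
    return {"client_lan_to_server_lan": "no_firewall_rule" not in p
                                        and (routed or client.masquerade_to_tunnel),
            "server_lan_to_client_lan": routed}


# Constructed sample values mirroring the UPDATE post in this thread (not from a live device).
WORKING_SERVER = ServerConfig(
    tunnel_network="10.100.0.0/29",
    local_networks=["192.168.1.0/24"],
    remote_networks=["192.168.2.0/24"],
    iroutes={"site1.example.com": ["iroute 192.168.2.0 255.255.255.0;"]},
)
NO_IROUTE_SERVER = ServerConfig("10.100.0.0/29", ["192.168.1.0/24"], ["192.168.2.0/24"])
MIKROTIK = ClientConfig(common_name="site1.example.com", lan="192.168.2.0/24")
MIKROTIK_MASQ = ClientConfig("site1.example.com", "192.168.2.0/24", masquerade_to_tunnel=True)

if __name__ == "__main__":
    print(net30_addresses("10.100.0.0/29"))
    for label, srv, cli in [("working", WORKING_SERVER, MIKROTIK),
                            ("no iroute", NO_IROUTE_SERVER, MIKROTIK),
                            ("no iroute + masquerade", NO_IROUTE_SERVER, MIKROTIK_MASQ)]:
        print(label, check_config(srv, cli), reachability(srv, cli))
```

The "no iroute + masquerade" case reproduces the symptom reported a few posts down (MikroTik can ping pfSense, pfSense cannot ping MikroTik): masquerade only disguises the missing `iroute`, it does not replace it, so the override with `iroute 192.168.2.0 255.255.255.0;` remains the real fix.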
                      huutai1996 @andersonkiyoshi

                      @andersonkiyoshi I followed your solution. Ping from MikroTik to pfSense is OK, but ping from pfSense to MikroTik is not OK.

                        marcelo.comtix @rezance

                        @rezance what's your MikroTik version?

                        Please send the networks on both sides of the tunnel.

                          andersonkiyoshi @huutai1996

                          @huutai1996

                          VPN -> OpenVPN -> Client Specific Overrides
                          ATTENTION 1!
                          Fix the route of the remote network in pfSense; this is mandatory for it to work.
                          +Add
                          Server List: OVPN-MK (select your vpn server configuration)
                          Common Name: site1.example.com
                          Advanced: iroute 192.168.2.0 255.255.255.0;
                          ATTENTION 2! After adding or changing the "Client Specific Overrides", restart the OVPN server to activate the configuration. To do this, go to Status -> OpenVPN and click the "restart" icon for your OVPN server.

                          This route has to be configured correctly; you need to have the path to reach the destination.

                            mike8888 @marcelo.comtix

                            @marcelo-comtix thanks bro, your configuration (March 7th) works for me.

                            I use pfSense 2.4.4 p3 as the server
                            and a MikroTik RB750G3 (6.46.7) as the client.

                            cheers

                            mike

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.