Site-To-Site OpenVPN using PKI (something of a howto)



  • This is a guide for VPN-ing a dozen or more sites using PKI.  If you only wish to VPN 2 or 3 sites together, the OVPN shared key method will certainly be simpler.  The stalwart board moderator GruensFroeschli has suggested the following, and I wholeheartedly concur: "Up to 5 sites I wouldn't bother setting up a PKI."


    Earlier this year, I wanted to set up a VPN connection between about 12 offices.  Several threads on this forum, particularly http://forum.pfsense.org/index.php/topic,9624.0.html, helped get me started.

    Basically, I needed each branch to be able to route to the home office network, and the home office network to be able to route to each of the branch office networks (but the branches did not need to route each other).

    (Just to be clear on this approach: all machines on the home network can reach all machines in the client networks.  Similarly, all machines in the client networks can reach all machines on the home network.  However, machines in a given client network cannot typically reach machines in a different client network.  I believe it is possible to extend this approach to allow client networks to intercommunicate, but I have not done so.)

    It is a sort of hub and spoke model.  For us, this allowed everyone to share/print documents through a file/print server located in the home office.  And for me, this allowed for fairly easy addition of new satellites.

    If you have similar needs, then the following information might help you.  It is scaled down to 4 networks.


    The home network should have a fixed IP address, but the satellites need not.  A funky dyndns name for the home network might be sufficient, but I haven't run it with anything like that.

    For simplicity's sake, the home network is 10.9.0.0/16 (a class B-sized block), and each satellite office is a /24 carved out of 10.10.0.0/16.  Each site sits behind a pfSense box.  The tunnel itself needs one more small network, from which OpenVPN hands each connecting satellite a tunnel-endpoint address; I put that in the 10.8 block (somewhat arbitrarily).

    | Vpn  | 10.8.1.0/24  |
    | Home | 10.9.0.0/16  |
    | Sat0 | 10.10.0.0/24 |
    | Sat1 | 10.10.1.0/24 |
    | Sat2 | 10.10.2.0/24 |

    Sat0 (10.10.0/24)
          |
          |
    Home (10.9/16) --- Sat1 (10.10.1/24)
          |
          |
    Sat2 (10.10.2/24)


    Before getting started in earnest, configure the firewall on the home office pfSense box (10.9.0.1) to allow incoming UDP 1194 on its WAN.  The rule should look something like this:

    | Proto | Source | Port | Destination | Port           | Gateway | Schedule | Description |
    | UDP   | *      | *    | WAN address | 1194 (OpenVPN) | *       | *        | OVPN        |

    Unless you have unusually restrictive firewall rules at your satellite offices, that should be the only firewall rule you'll need: the satellites only ever make outbound connections to the home office, and all tunnel traffic rides inside that one UDP flow.


    So, first we need to do some PKI.  Specifically, we need a server certificate and key for the home network and a client certificate and key for each satellite network.  For the purposes of this thread, I'm naming the home key home, and the satellite keys sat0, sat1, and sat2.

    There are several good tutorials for generating these here in the forums.  The only thing that I'll add here is that the common names of the satellite office certificates are what the home server later uses to match each connecting satellite to its client-specific configuration, so keep them straight and unique (exactly one common name per satellite).

    You will need to have ca.crt, dh1024.pem, home.key, home.crt, sat0.key, sat0.crt, sat1.key, sat1.crt, sat2.key, and sat2.crt handy to continue.  And be sure not to lose ca.key: it is never pasted into any pfSense box, so keep it somewhere safe off the routers and use it only to sign the certificate for each new satellite.


    Now, lets get to work on the home office router.  Under VPN -> OpenVPN -> Server, click on the plus sign to add a new server, and we'll get to work.

    First, scroll down a bit and change Authentication Method from Shared Key to PKI (Public Key Infrastructure).  Doing this changes which fields are enabled and disabled on the form.

    | Disable this tunnel           | uncheck                                                        |
    | Protocol                      | UDP                                                            |
    | Dynamic IP                    | check                                                          |
    | Local port                    | 1194                                                           |
    | Address pool                  | 10.8.1.0/24                                                    |
    | Use static IPs                | uncheck                                                        |
    | Local network                 | leave blank                                                    |
    | Remote network                | leave blank                                                    |
    | Client-to-client VPN          | check                                                          |
    | Cryptography                  | BF-CBC (128-bit)                                               |
    | Authentication Method         | PKI (Public Key Infrastructure)                                |
    | Shared key                    | leave blank                                                    |
    | CA certificate                | copy your ca.crt                                               |
    | Server certificate            | copy your home.crt                                             |
    | Server key                    | copy your home.key                                             |
    | DH parameters                 | copy your dh1024.pem                                           |
    | a whole bunch of DHCP options | leave them alone                                               |
    | LZO compression               | check                                                          |
    | Custom options                | route 10.10.0.0 255.255.0.0;push "route 10.9.0.0 255.255.0.0"  |
    | Description                   | site-to-site                                                   |

    A note on the two crypto rows: BF-CBC and 1024-bit DH parameters were the defaults of this pfSense 1.2 era, but Blowfish's 64-bit block size makes long-lived tunnels vulnerable to the SWEET32 attack (OpenVPN 2.5 and later no longer negotiate it by default), and 1024-bit DH is considered too small today.  If you are reproducing this on anything current, pick an AES cipher (AES-256-CBC here, or AES-GCM on versions that offer it), generate 2048-bit or larger DH parameters, and keep the cipher setting identical on the satellites.  Nothing else in the recipe changes.

    Go ahead and click save.  We should now have an entry under server tab looking something like this:

    | No | UDP | 10.8.1.0/24 | site-to-site |

    If you're paying close attention, the custom options probably jumped out at you.  They are the first bit of OpenVPN black magic necessary to get this to work and essentially translate to

    | attn: home     | please route all 10.10/16 traffic into the VPN |
    | attn: all sats | please route all 10.9/16 traffic into the VPN  |

    The first directive adds a route on the home router that sends 10.10.0.0/16 to the tunnel interface; the second is pushed to every satellite that connects and makes it send 10.9.0.0/16 down the tunnel.

    But they aren't quite enough on their own.  A kernel route only gets a packet as far as the OpenVPN process; the process still has to know which connected satellite owns each /24, and that is what an iroute does.  So we'll need an entry under the Client-specific configuration for each of the satellite offices.


    So, under VPN -> OpenVPN -> Client-specific configuration, click on the plus sign to add a new satellite entry.  Note: still on the home router.

    | Disabled       | uncheck                        |                                              |
    | Common name    | sat0                           | this MUST match your sat0 key common name!!! |
    | Blocked        | uncheck                        |                                              |
    | Push reset     | uncheck                        |                                              |
    | Interface IP   | leave blank                    |                                              |
    | Custom options | iroute 10.10.0.0 255.255.255.0 | this MUST match the sat0 network             |
    | Description    | 10.10.0.0/24                   | using the network here makes the display look nice |

    Click save.

    This is the second (and last) bit of OpenVPN black magic.  The entry is matched to a connecting satellite by the common name in its certificate, which is why that field must agree with the certificate exactly.  The whole entry essentially translates to:

    | attn: home | please internally route all 10.10.0/24 traffic to sat0 |

    So we've created an entry for sat0.  We also need to create entries (still under Client-specific configuration) for sat1 and sat2.  Here's an abbreviated table showing those values:

    | -              | values for sat1                | values for sat2                |
    | Common name    | sat1                           | sat2                           |
    | Custom options | iroute 10.10.1.0 255.255.255.0 | iroute 10.10.2.0 255.255.255.0 |
    | Description    | 10.10.1.0/24                   | 10.10.2.0/24                   |

    Once you're finished, the Client-specific configuration tab should look something like:

    | no | sat0 | 10.10.0.0/24 |
    | no | sat1 | 10.10.1.0/24 |
    | no | sat2 | 10.10.2.0/24 |

    Just a warning, I have at times messed up one of these entries and broken VPN functionality for other entries.  So try to get these right the first time.


    Now, we configure the (much simpler) clients.  Bring up the sat0 router (10.10.0/24) and we'll begin at VPN -> OpenVPN -> Client tab.  Click on the plus to add a new client.

    | Disable this tunnel     | uncheck                             |                                                    |
    | Protocol                | UDP                                 |                                                    |
    | Server address          | the public IP of the home network   |                                                    |
    | Server port             | 1194                                |                                                    |
    | Interface IP            | leave blank                         |                                                    |
    | Remote network          | leave blank                         |                                                    |
    | Proxy Host              | leave blank                         |                                                    |
    | Proxy port              | 3128                                |                                                    |
    | Cryptography            | BF-CBC (128-bit)                    |                                                    |
    | Authentication method   | PKI (Public Key Infrastructure)     |                                                    |
    | Shared key              | leave blank                         |                                                    |
    | CA certificate          | copy your ca.crt                    |                                                    |
    | Client certificate      | copy your sat0.crt                  |                                                    |
    | Client key              | copy your sat0.key                  |                                                    |
    | LZO compression         | enable                              | just make sure you're consistent with the server here |
    | Limit outgoing bandwidth| leave blank                         |                                                    |
    | Dynamic sourceport      | uncheck                             |                                                    |
    | Custom options          | leave blank                         |                                                    |
    | Description             | sat0                                |                                                    |

    Click save.

    You should note that there is no real black magic here.  We already baked most of the voodoo into the client-specific configs.


    Rather than finishing up the configs for your other 2 satellites, stop to do some testing here.  You should be able to ping an arbitrary machine on the satellite network from the home office network.  The converse should work as well.  (I'll warn you that Windows firewall blocking pings has often made this process more infuriating than it should be for me.)

    The OpenVPN logs, accessible under the Status -> System logs -> OpenVPN tab, are your main tool for tracking down any configuration errors.


    Assuming that everything works, then great.  Let's go ahead and create OpenVPN clients for your other two satellites.  The only differences among the 3 satellite configurations are the key and cert you paste into the form (and possibly the description).

    Congratulations!


    Epilogue:

    In order to add a new Satellite office, say sat3 using the 10.10.3/24 block:

    • create a new key/crt with common name sat3

    • create a new OpenVPN Client-specific configuration entry on the home office server binding sat3 to the custom option iroute 10.10.3.0 255.255.255.0

    • create an OpenVPN Client entry on the sat3 router, using the new keys

    • enjoy the simplicity you reap now after fighting through the complexity earlier
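    As an added example (not code from the original post or from pfSense), the following Python script writes out, in plain OpenVPN 2.x directive syntax, what the GUI fields in this howto amount to: the home server's custom options, one client-specific entry per satellite keyed by certificate common name, and the directives a satellite client ends up with.  It also checks the addressing plan for the mistakes that break other satellites (a duplicated or overlapping iroute, or a satellite outside the block the server routes into the tunnel), which is the check I'd want before touching the Client-specific configuration tab.  The site table is the one from this thread; the home WAN address is a placeholder from the RFC 5737 documentation range, and the hypothetical function names are my own.

```python
"""Added example, not from the original post or from pfSense: render the
hub-and-spoke OpenVPN plan as directives and sanity-check the addressing."""
import ipaddress

# Site table from the howto (constructed input; only HOME_WAN is a placeholder).
HOME_WAN = "203.0.113.10"          # placeholder for the home office public IP
TUNNEL_POOL = "10.8.1.0/24"        # "Address pool" on the server form
HOME_NET = "10.9.0.0/16"           # home office LAN, pushed to every satellite
SAT_AGGREGATE = "10.10.0.0/16"     # block every satellite LAN is carved from
SATELLITES = {                     # certificate common name -> satellite LAN
    "sat0": "10.10.0.0/24",
    "sat1": "10.10.1.0/24",
    "sat2": "10.10.2.0/24",
}


def _addr_mask(net):
    """Render a network the way route/iroute want it: 'address netmask'."""
    n = ipaddress.ip_network(net, strict=True)
    return f"{n.network_address} {n.netmask}"


def check_addressing(pool, home, aggregate, sats):
    """Return a list of problems with the plan; an empty list means it is consistent.

    Every satellite LAN must lie inside the aggregate the server's 'route'
    directive sends into the tunnel, must not overlap the tunnel pool or the
    home LAN, and must not overlap another satellite (two iroutes covering the
    same prefix is the classic way one bad ccd entry breaks a different site).
    """
    pool_n, home_n, agg_n = (ipaddress.ip_network(x) for x in (pool, home, aggregate))
    problems = []
    if pool_n.overlaps(home_n) or pool_n.overlaps(agg_n):
        problems.append(f"tunnel pool {pool} overlaps the home LAN or the satellite block")
    seen = {}
    for cn, net in sats.items():
        n = ipaddress.ip_network(net)
        if not n.subnet_of(agg_n):
            problems.append(f"{cn}: {net} is outside the routed aggregate {aggregate}")
        if n.overlaps(pool_n) or n.overlaps(home_n):
            problems.append(f"{cn}: {net} overlaps the tunnel pool or the home LAN")
        for other_cn, other_n in seen.items():
            if n.overlaps(other_n):
                problems.append(f"{cn}: {net} overlaps {other_cn} ({other_n})")
        seen[cn] = n
    return problems


def server_custom_options(home, aggregate):
    """The server form's 'Custom options' line (pfSense 1.2 separates directives with ';')."""
    return f'route {_addr_mask(aggregate)};push "route {_addr_mask(home)}"'


def client_specific_entries(sats):
    """One client-specific (ccd) entry per satellite; the cert's common name selects it."""
    return {cn: f"iroute {_addr_mask(net)}" for cn, net in sats.items()}


def satellite_client_config(cn, server_wan, port=1194):
    """Directives a satellite router ends up with; only the cert/key names differ per site."""
    return "\n".join([
        "client",
        "dev tun",
        "proto udp",
        f"remote {server_wan} {port}",
        "ca ca.crt",
        f"cert {cn}.crt",
        f"key {cn}.key",
        "comp-lzo",          # must agree with the server's LZO setting
    ])


if __name__ == "__main__":
    problems = check_addressing(TUNNEL_POOL, HOME_NET, SAT_AGGREGATE, SATELLITES)
    if problems:
        raise SystemExit("\n".join(problems))
    print("# home server custom options")
    print(server_custom_options(HOME_NET, SAT_AGGREGATE))
    print("# client-specific configuration, one entry per common name")
    for cn, entry in client_specific_entries(SATELLITES).items():
        print(f"{cn}: {entry}")
    print("# sat0 client")
    print(satellite_client_config("sat0", HOME_WAN))
```

    To add the sat3 from the epilogue, put `"sat3": "10.10.3.0/24"` into SATELLITES and rerun: the checker confirms the new /24 sits inside 10.10.0.0/16 and collides with nothing, and the printed iroute line is what goes into the new client-specific entry.  A satellite accidentally numbered outside 10.10/16 is reported as well, since the server would never route it into the tunnel.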



  • Thanks for this excellent How-To. I think this should be made sticky and also be put on the Documentation-Wiki.



  • Stickied and i fixed your tables :)



  • Sorry about the tables (thanks for all your hard work here on the forums, GruensFroeschli).

    Anyway, I'll try to touch up this little howto when pfsense 2.0 gets released.



  • Added caveat about how many networks should be involved before using this technique.

