looking for advice on implementing site to site VPN

pzanga

I believe this is the appropriate forum for this question, since it is a general VPN question, but feel free to move it if not.

I am looking at implementing a site-to-site vpn between our main office and 2 satellites (all with pfsense/Netgate devices) and am looking for any advice, recommendations (such as OpenVPN vs IPSec), or any other input folks may like to provide. I am reading though all the pfsense documentation and researching in the forums and elsewhere online, but hoping for some advice tailored to my situation, described below, so I can better focus my efforts. I haven't implemented vpn before, so not necessarily sure what questions I should be asking.

TLDR; Essentially I have 7 users at 2 satellite offices and want their client PCs to act as if they are on the main office LAN, where they only need to connect to 2 specific servers hosting the 2 programs they need to access.

More detail:
Our 3 sites all have symmetric fiber connections: main is 50M, satellites are 20M each. At the main site we have a Netgate SG-2100, and the satellites have SG-1100s.
Currently the 7 users at the satellite offices use RDP to connect to virtual machines running on the terminal server at the main office, allowing them to use our practice management system (the main program our employees use all day) on one server, and to access the time clock which runs on another server. They use their local desktop for all other tasks, including internet access.
Optimally, I would like to have the client machines at the satellite offices behave as if they are on the main office LAN and be able to launch the programs they need from a simple shortcut. They would only need the vpn for connecting to the 2 servers hosting those programs, nothing else i.e. general internet access would be through their local netgate device.
Some other considerations:
We have a VoIP system at all 3 sites. VoIP runs on its own VLAN at each site.
Packages: main office is running Snort and pfblockerng-dev, and satellites are both running pfblockerng-dev.
There is a secondary use case of the lab at our main site wanting to print directly to the network printers at the satellites. I am thinking a solution that works for the main use case would support this, but not sure, and it is not critical, just a nice to have if possible.
Satellite offices do not need to communicate with each other, only the main office.
A very simplified diagram of my networks is included below.

site to site2.png

Like I said, I am looking for any advice/guidance based on the above. I'm trying to learn as much as I can, but also would like to focus on what is most relevant to my situation. I've gotten lots of good advice from the community here before and appreciate any help you can provide now. Thanks ahead of time.

JKnott

@pzanga

My understanding is that IPSec supports multithreading, but OpenVPN doesn't. So, that might be a performance issue if you have a lot of VPN use.

jimp

The good news is that appears to be a fairly simple use case that shouldn't give you much trouble. Just a matter of getting the phase 2 entries and/or routing setup right. Even printing should be fine provided you can contact the printers by IP address and assuming they allow being contacted from off their main subnet. Lots of printers can but it's hard to say whether or not that's universal.

IPsec would be the best solution there, especially on that hardware. Use AES-GCM and make sure the SafeXcel module is active under System > Advanced, Misc tab. WireGuard would be a good second choice. I would avoid using OpenVPN.

pzanga

@jimp and @JKnott

Thanks for the input. From my research so far, IPSec has seemed like the best solution for me. I will keep on reading, with a focus on IPSec.
Wireguard did seem like an interesting solution that I was seriously looking at before it was removed from FreeBSD and pfsense. Seemed like a pretty straightforward configuration that would have met my needs. Once the current package is further along in development it is something I would like to revisit.

Any further advice is still welcome. And I am sure I will have some more questions as I get closer to actually implementing.

Thanks again.

jlw52761

@pzanga IPSec with VTI, then use BGP for the routing. Works really well and you can even push default routes using BGP, or just use Policy Based Routing (PBR) and gateway groups.

pzanga

@jimp @jlw52761

Thought I'd give some quick follow-up since I finally had time to set this up.
I went with IPsec using AES-GCM as suggested and enabled the SafeXcel module. I used tunnel mode for phase 2 as that seemed simplest at this point, given my knowledge/comfort level.
The tunnel connects and I can ping the various devices (network printers, APs, managed routers, etc) at the remote site in either direction, i.e. Site A-->Site B or Site B-->Site A, as well as connect to their web UIs.
However, I cannot ping any of the remote PCs (Windows 10, Windows Server 2012 R2) in either direction. I can ping them locally. I'm assuming it's not due to the firewall/pfsense since I can connect to anything not a PC. But never assume, right? IPsec firewall rules are configured to allow any/all on both sides.
I'm just starting to dig into this, but I don't see anything obvious in the network settings on my PCs and haven't found any posts describing the same situation. I'll likely put up a new post once I have more info, but any thoughts on where to focus my efforts would be appreciated.

stephenw10

Typically that would be Windows firewall on the PCs configured to allow traffic only from their own subnet. Since you are now trying to connect from a remote subnet they reject it.
You can test that by adding an outbound NAT rule on the pfSense LAN at the remote end. PCs will then see the traffic as coming from the pfSense LAN IP and allow it. That should be a test only though. If it works then add the remote subnets as allowed on the PCs you need to reach.

Steve

pzanga

@stephenw10
Thanks. That makes sense. From my researching so far it looks like Windows firewall is the likely culprit.
I'm just not sure exactly how to configure the outbound NAT rule. I think it would be as follows:
Site A=main office Site B=satellite (remote) office, setting up rule on pfsense at Site B

Interface: IPsec
Address family: IPv4 (we don't use IPv6)
Protocol: Any
Source: Network, Site B subnet 192.168.0.0/24
Destination: Network, Site A subnet 192.168.0.0/24
Translation
Address: Interface address or other subnet? - this one I'm not clear on

Appreciate any help.

(edit - I hit submit before I was done)

stephenw10

In order to access a PC at site B from site A the OBN rule would have to be on the LAN interface at site B and match the traffic coming from site A. That way it translates the source IP to the site B LAN B IP and hosts there see it as coming from their subnet.

Steve

pzanga

@stephenw10
Thanks Steve. Pretty sure I get it now.
So the interface would be the LAN,
Source would be the Site A subnet,
Destination would be Site B subnet,
Address would be Interface address (the IP of the LAN).

I was making the mistake of thinking Outbound is always outbound to the internet, instead of outbound from the interface in question (i.e. traffic inbound from the internet to the WAN interface becomes outbound from the LAN interface to the LAN).
Would it be an oversimplification to say Inbound NAT is used to modify/change the destination of traffic across an interface, and Outbound NAT is used to modify/change the source of traffic across an interface? I don't see that as part of any definition I have found, but seems to be one way to look at it. But I digress from the topic at hand.

Thanks again.

stephenw10

Yes, outbound NAT is Source NAT. You might also see that as S-NAT in some places.

Further reading : https://www.freebsd.org/cgi/man.cgi?pf.conf(5)#TRANSLATION

Steve

pzanga

@stephenw10
Thanks again. The test worked. So now I'll update the individual PCs as needed.

And thanks for the reading material. I really appreciate it.

bmeeks

@pzanga said in looking for advice on implementing site to site VPN:

@stephenw10
Thanks again. The test worked. So now I'll update the individual PCs as needed.

And thanks for the reading material. I really appreciate it.

If your Windows devices are part of an Active Directory Domain, you can easily manage the Windows Firewall policies via Group Policy. Here's a link to some Microsoft documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security. What you will want to do is add "allow" rules for traffic inbound from your remote site networks.