Netgate Discussion Forum

    looking for advice on implementing site to site VPN

    Category: General pfSense Questions
    13 posts, 6 posters, 1.3k views
    pzanga:

      I believe this is the appropriate forum for this question, since it is a general VPN question, but feel free to move it if not.

      I am looking at implementing a site-to-site VPN between our main office and 2 satellites (all with pfSense/Netgate devices) and am looking for any advice, recommendations (such as OpenVPN vs IPSec), or any other input folks may like to provide. I am reading through all the pfSense documentation and researching in the forums and elsewhere online, but hoping for some advice tailored to my situation, described below, so I can better focus my efforts. I haven't implemented VPN before, so not necessarily sure what questions I should be asking.

      TL;DR: Essentially I have 7 users at 2 satellite offices and want their client PCs to act as if they are on the main office LAN, where they only need to connect to 2 specific servers hosting the 2 programs they need to access.

      More detail:
      Our 3 sites all have symmetric fiber connections: main is 50M, satellites are 20M each. At the main site we have a Netgate SG-2100, and the satellites have SG-1100s.
      Currently the 7 users at the satellite offices use RDP to connect to virtual machines running on the terminal server at the main office, allowing them to use our practice management system (the main program our employees use all day) on one server, and to access the time clock which runs on another server. They use their local desktop for all other tasks, including internet access.
      Optimally, I would like to have the client machines at the satellite offices behave as if they are on the main office LAN and be able to launch the programs they need from a simple shortcut. They would only need the VPN for connecting to the 2 servers hosting those programs, nothing else, i.e. general internet access would be through their local Netgate device.
      Some other considerations:
      We have a VoIP system at all 3 sites. VoIP runs on its own VLAN at each site.
      Packages: main office is running Snort and pfblockerng-dev, and satellites are both running pfblockerng-dev.
      There is a secondary use case of the lab at our main site wanting to print directly to the network printers at the satellites. I am thinking a solution that works for the main use case would support this, but not sure, and it is not critical, just a nice to have if possible.
      Satellite offices do not need to communicate with each other, only the main office.
      A very simplified diagram of my networks is included below.

      [image: site to site2.png]

      Like I said, I am looking for any advice/guidance based on the above. I'm trying to learn as much as I can, but also would like to focus on what is most relevant to my situation. I've gotten lots of good advice from the community here before and appreciate any help you can provide now. Thanks ahead of time.

      JKnott (replying to pzanga):

        @pzanga

        My understanding is that IPSec supports multithreading, but OpenVPN doesn't. So, that might be a performance issue if you have a lot of VPN use.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        jimp (Rebel Alliance Developer, Netgate):

          The good news is that appears to be a fairly simple use case that shouldn't give you much trouble. Just a matter of getting the phase 2 entries and/or routing setup right. Even printing should be fine provided you can contact the printers by IP address and assuming they allow being contacted from off their main subnet. Lots of printers can but it's hard to say whether or not that's universal.

          IPsec would be the best solution there, especially on that hardware. Use AES-GCM and make sure the SafeXcel module is active under System > Advanced, Misc tab. WireGuard would be a good second choice. I would avoid using OpenVPN.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          pzanga (replying to jimp and JKnott):

            @jimp and @JKnott

            Thanks for the input. From my research so far, IPSec has seemed like the best solution for me. I will keep on reading, with a focus on IPSec.
             WireGuard did seem like an interesting solution that I was seriously looking at before it was removed from FreeBSD and pfSense. Seemed like a pretty straightforward configuration that would have met my needs. Once the current package is further along in development it is something I would like to revisit.

            Any further advice is still welcome. And I am sure I will have some more questions as I get closer to actually implementing.

            Thanks again.

            jlw52761 (replying to pzanga):

              @pzanga IPSec with VTI, then use BGP for the routing. Works really well and you can even push default routes using BGP, or just use Policy Based Routing (PBR) and gateway groups.

              pzanga (replying to jimp and jlw52761):

                @jimp @jlw52761

                Thought I'd give some quick follow-up since I finally had time to set this up.
                I went with IPsec using AES-GCM as suggested and enabled the SafeXcel module. I used tunnel mode for phase 2 as that seemed simplest at this point, given my knowledge/comfort level.
                The tunnel connects and I can ping the various devices (network printers, APs, managed routers, etc) at the remote site in either direction, i.e. Site A-->Site B or Site B-->Site A, as well as connect to their web UIs.
                However, I cannot ping any of the remote PCs (Windows 10, Windows Server 2012 R2) in either direction. I can ping them locally. I'm assuming it's not due to the firewall/pfSense since I can connect to anything not a PC. But never assume, right? IPsec firewall rules are configured to allow any/all on both sides.
                I'm just starting to dig into this, but I don't see anything obvious in the network settings on my PCs and haven't found any posts describing the same situation. I'll likely put up a new post once I have more info, but any thoughts on where to focus my efforts would be appreciated.

                stephenw10 (Netgate Administrator):

                  Typically that would be Windows firewall on the PCs configured to allow traffic only from their own subnet. Since you are now trying to connect from a remote subnet they reject it.
                  You can test that by adding an outbound NAT rule on the pfSense LAN at the remote end. PCs will then see the traffic as coming from the pfSense LAN IP and allow it. That should be a test only though. If it works then add the remote subnets as allowed on the PCs you need to reach.

                  Steve

                  pzanga (replying to stephenw10):

                    @stephenw10
                    Thanks. That makes sense. From my researching so far it looks like Windows firewall is the likely culprit.
                    I'm just not sure exactly how to configure the outbound NAT rule. I think it would be as follows:
                    Site A = main office, Site B = satellite (remote) office; setting up the rule on pfSense at Site B:

                    Interface: IPsec
                    Address family: IPv4 (we don't use IPv6)
                    Protocol: Any
                    Source: Network, Site B subnet 192.168.0.0/24
                    Destination: Network, Site A subnet 192.168.0.0/24
                    Translation
                    Address: Interface address or other subnet? - this one I'm not clear on

                    Appreciate any help.

                    (edit - I hit submit before I was done)

                    stephenw10 (Netgate Administrator):

                      In order to access a PC at site B from site A the OBN rule would have to be on the LAN interface at site B and match the traffic coming from site A. That way it translates the source IP to the site B LAN IP and hosts there see it as coming from their subnet.

                      Steve

                      pzanga (replying to stephenw10):

                        @stephenw10
                        Thanks Steve. Pretty sure I get it now.
                        So the interface would be the LAN,
                        Source would be the Site A subnet,
                        Destination would be Site B subnet,
                        Address would be Interface address (the IP of the LAN).

                        I was making the mistake of thinking Outbound is always outbound to the internet, instead of outbound from the interface in question (i.e. traffic inbound from the internet to the WAN interface becomes outbound from the LAN interface to the LAN).
                        Would it be an oversimplification to say Inbound NAT is used to modify/change the destination of traffic across an interface, and Outbound NAT is used to modify/change the source of traffic across an interface? I don't see that as part of any definition I have found, but seems to be one way to look at it. But I digress from the topic at hand.

                        Thanks again.

                        stephenw10 (Netgate Administrator):

                          Yes, outbound NAT is Source NAT. You might also see that as S-NAT in some places.

                          Further reading 😉 : https://www.freebsd.org/cgi/man.cgi?pf.conf(5)#TRANSLATION

                          Steve

                          pzanga (replying to stephenw10):

                            @stephenw10
                            Thanks again. The test worked. So now I'll update the individual PCs as needed.

                            And thanks for the reading material. I really appreciate it.

                            bmeeks (replying to pzanga):

                              @pzanga said in looking for advice on implementing site to site VPN:

                              @stephenw10
                              Thanks again. The test worked. So now I'll update the individual PCs as needed.

                              And thanks for the reading material. I really appreciate it.

                              If your Windows devices are part of an Active Directory Domain, you can easily manage the Windows Firewall policies via Group Policy. Here's a link to some Microsoft documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security. What you will want to do is add "allow" rules for traffic inbound from your remote site networks.

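As an added example (not code from the thread, from Netgate, or from Microsoft), here is the Windows side of Steve's and bmeeks's advice in PowerShell: first audit which enabled inbound rules are scoped to "LocalSubnet" (those are the ones that silently drop traffic arriving from the far end of the tunnel), then add rules that admit only the remote site subnets rather than everything. The subnet values, the rule group name and $AppPorts are placeholders, not values from the thread; the two sites must use different LAN subnets for any of this to work. Once these rules are in place, remove the pfSense outbound NAT test rule so that Windows sees, and logs, the real source addresses instead of the firewall's LAN IP.

```powershell
# Added example: scope Windows Defender Firewall inbound rules to the remote
# site subnets instead of relying on the pfSense outbound NAT test rule.
# Placeholders (not from the thread): local LAN 192.168.0.0/24, main-office
# LAN 192.168.10.0/24, and $AppPorts, which must be replaced with the real
# ports of the two applications. Run in an elevated PowerShell on each PC or
# server that must be reachable across the tunnel, or carry the same rules
# into a GPO for domain-joined machines.

$RemoteSiteSubnets = @('192.168.10.0/24')   # subnets on the far side of the tunnel
$AppPorts          = @('3389')              # RDP now; add the application ports here
$RuleGroup         = 'Site-to-site VPN (remote sites)'

# 1. Audit: enabled inbound rules whose remote scope is 'LocalSubnet'.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'LocalSubnet') {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
    } | Format-Table -AutoSize

# 2. Allow ICMPv4 echo requests (ping) only from the remote site subnets.
New-NetFirewallRule -DisplayName 'VPN sites: ICMPv4 echo request' -Group $RuleGroup `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $RemoteSiteSubnets -Action Allow -Profile Domain,Private

# 3. Allow the application / RDP ports only from the remote site subnets.
New-NetFirewallRule -DisplayName 'VPN sites: application ports (TCP)' -Group $RuleGroup `
    -Direction Inbound -Protocol TCP -LocalPort $AppPorts `
    -RemoteAddress $RemoteSiteSubnets -Action Allow -Profile Domain,Private

# 4. Verify the resulting scope before removing the pfSense outbound NAT test rule.
Get-NetFirewallRule -Group $RuleGroup |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

Keeping the rules in one group makes them easy to list, disable or remove later (Get-NetFirewallRule -Group, Remove-NetFirewallRule -Group), and limiting them to the Domain and Private profiles keeps them from applying when a laptop is on a public network.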
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.