Best way to VPN two pfsense boxes over the internet?
-
Hi Everyone,
I have OpenVPN set up on an Alix2d13 with pfSense. I have another identical Alix2d13 running pfSense (both v1.2.3). I want to connect these two boxes together. I failed when attempting to make one Alix board a server and the other a client. In fact the server works and I can connect to it using MS Windows or a Linux distribution, but when I try to set up a Client and Client Specific Configuration on the second pfSense box it never connects, and I am not sure where exactly to check to display the problem.
I have followed the road warrior guide posted on the forums for OpenVPN, and so that is working fine. Can you point me to another guide, or would you prefer I use PPTP or IPsec for this direct link? Either way I would need some details like the road warrior guide.
Thanks a lot
-
When you connect two routers together, the better way is to use a shared key tunnel, not PKI. You can do PKI, but it's much harder to set up.
-
Thanks for the input. I was just noticing that yesterday before I gave up.
How can I produce the shared key for the tunnel? Please explain a bit. Also, I do have the PKI method as well on one of the routers, as I mentioned, and I don't want to get rid of that as it's serving my road warrior users.
Thanks
-
You can make a shared key easily by going to Diagnostics > Command and entering:
openvpn --genkey --secret /dev/stdout
Then copy and paste the result into the shared key field on both routers.
Leave your PKI setup for road warriors alone, and just make a new entry for the site-to-site setup. There are some OpenVPN site-to-site tutorials elsewhere here on the forum and on the doc wiki, book, etc.
-
Thanks a lot. And if I want to use that shared key with a CentOS server that has the OpenVPN server installed, should I just do the same thing on the CentOS box and copy it to a file (name?) in /etc/openvpn, and copy that into the shared key for pfSense as well?
Thanks
-
The shared key can be used on any OS, it's just plain text. Just put it wherever the client expects it to be.
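Added example (not from this thread) covering the shared-key steps above and the CentOS question: it checks that a pasted static key (the output of `openvpn --genkey --secret`) is intact, and writes a minimal shared-key point-to-point config for the CentOS peer. The key path, the 10.8.0.1/10.8.0.2 tunnel addresses and the hostname pfsense.example.com are assumed placeholders.

```shell
# Added example, not from the thread. Validates a pasted OpenVPN static key
# and writes a shared-key point-to-point client config for the CentOS side.
# Assumed placeholders: tunnel IPs 10.8.0.1 (pfSense) and 10.8.0.2 (CentOS),
# pfSense reachable as pfsense.example.com, key wherever `secret` points.

# Return 0 only if FILE has the BEGIN/END markers and exactly 16 lines of
# 32 hex chars (2048 bits). A truncated or re-wrapped paste fails here
# instead of failing silently when the two peers cannot authenticate.
validate_static_key() {
    f=$1
    [ -f "$f" ] || return 1
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" || return 1
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" || return 1
    [ "$(grep -c -E '^[0-9a-f]{32}$' "$f")" -eq 16 ] || return 1
    # only comments, the two markers, hex lines and blank lines may appear
    [ "$(grep -c -v -E '^(#|-----|[0-9a-f]{32}$|$)' "$f")" -eq 0 ]
}

# Write the CentOS peer config. KEY must be the same file content pasted
# into the pfSense shared-key field; the ifconfig pair is mirrored on pfSense.
write_p2p_config() {
    out=$1 key=$2 remote=$3
    cat > "$out" <<EOF
dev tun
proto udp
remote $remote 1194
secret $key
ifconfig 10.8.0.2 10.8.0.1
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
}

# Constructed placeholder key for the demo, NOT a real key (16 repeated
# lines). A real one comes from: openvpn --genkey --secret static.key
make_constructed_key() {
    {
        printf '#\n# 2048 bit OpenVPN static key\n#\n'
        printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do
            printf '0123456789abcdef0123456789abcdef\n'
            i=$((i + 1))
        done
        printf '%s\n' '-----END OpenVPN Static key V1-----'
    } > "$1"
}
```

Run `validate_static_key /etc/openvpn/static.key` on the file you actually pasted on each side; `make_constructed_key` exists only to exercise the check offline.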
-
What would the client.conf look like for using PKI on the OS?
Thanks