[SOLVED] Site-to-site OpenVPN between pfSense and MikroTik



  • I need some help with site-to-site OpenVPN configuration.

    I use only pfSense for my site-to-site connections, but now I want to use MikroTik on some remote sites. I need to run OpenVPN (IPsec would be too hard to manage with the different NAT issues at the remote locations).

    My network diagram:

    192.168.151.0/24 -> 192.168.14.254 (pfSense 1.1.1.1) -> Internet <- (2.2.2.2 MikroTik) 192.168.14.254 <- 192.168.14.0/24

    pfSense is OpenVPN server, Peer to Peer - (SSL/TLS),  IPv4 Tunnel Network 10.30.30.0/29, IPv4 Local Network: 192.168.151.0/24, IPv4 Remote Network: 192.168.14.0/24.

    From MikroTik side: PPP - OVPN Client, Mode: ip.

    The tunnel is up, the MikroTik is connected, and a ping to 192.168.151.7 from its terminal works. But pings from workstations behind the MikroTik do not work at all.

    If I add a NAT rule on the MikroTik (srcnat, vpn-tunnel, masquerade) it works, but I want to use a site-to-site connection.

    I know I'm missing something big, but I'm new to MikroTik and can't find any useful information about this.



  • It works now, here is my mini howto:

    My task: site-to-site between pfSense and MikroTik:

    192.168.151.0/24 -> (pfSense 1.1.1.1) -> Internet <- (2.2.2.2 MikroTik) <- 192.168.14.0/24

    pfSense:

    1. System -> Cert Manager -> CAs
    Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).

    2. System -> Cert Manager -> Certificates
    Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

    3. VPN -> OpenVPN -> Server
    Create new VPN server:

    Server Mode: Peer to Peer (SSL/TLS)
    Protocol: TCP
    Device Mode: tun
    Interface: ITD
    Local port: 24100
    TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
    Peer Certificate Authority: vpn-tunnel-ca
    Server Certificate: vpn-tunnel
    Encryption algorithm: BF-CBC (128-bit)
    Auth Digest Algorithm: SHA1 (160-bit)
    IPv4 Tunnel Network: 10.30.30.0/29
    IPv4 Local Network/s: 192.168.151.0/24
    IPv4 Remote Network/s: 192.168.14.0/24
    Compression: No Preference
    Advanced: client-to-client

    4. VPN -> OpenVPN -> Client Specific Overrides
    Create new override:

    Common name: mik-vpn
    Advanced: iroute 192.168.14.0 255.255.255.0

    MikroTik:

    1. Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

    2. PPP -> Interface - create new OVPN Client:
    Name: ovpn-office
    Connect To: 1.1.1.1
    Port: 24100
    Mode: ip
    User: any
    Certificate: mik-vpn.crt_0
    Auth: sha 1
    Cipher: blowfish 128
    Add Default Route: (do not check this)

    It works as expected - I can ping workstations from both sides of the tunnel.
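The step that does the real work in the howto above is the client specific override: the "IPv4 Remote Network/s" field only gives the pfSense kernel a route into the tunnel, while the `iroute` line tells the OpenVPN server process which client owns 192.168.14.0/24. As an added example (not code from the thread, pfSense or OpenVPN), here is a small Python model of that per-client address table. It assumes the tunnel addresses reported later in the thread (server 10.30.30.1, MikroTik at 10.30.30.2), that the override is looked up by the certificate CN (OpenVPN reads the client-config-dir file named after the CN, which is what pfSense writes for an override), and that a packet whose source the server cannot attribute to the sending client is dropped (real OpenVPN logs this as "MULTI: bad source address from client [...], packet dropped"). The scenario names and the `scenario()` helper are this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


def parse_override(text: str) -> list[IPv4Network]:
    """Collect the subnets claimed by `iroute <network> <netmask>` lines, the
    form pfSense writes into the client specific override (ccd) file."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "iroute":
            nets.append(IPv4Network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


@dataclass
class Client:
    cn: str                               # certificate CN; also the ccd file name
    tunnel_ip: IPv4Address                # address the server handed this client
    iroutes: list[IPv4Network] = field(default_factory=list)

    def owns(self, addr: IPv4Address) -> bool:
        """Is `addr` a source/destination the server attributes to this client?"""
        return addr == self.tunnel_ip or any(addr in net for net in self.iroutes)


class ServerModel:
    """Per-client virtual address table of a multi-client OpenVPN server (model)."""

    def __init__(self, clients: list[Client], client_to_client: bool = False):
        self.clients = {c.cn: c for c in clients}
        self.client_to_client = client_to_client

    def _owner(self, addr: IPv4Address) -> Client | None:
        return next((c for c in self.clients.values() if c.owns(addr)), None)

    def from_client(self, cn: str, src: str, dst: str) -> str:
        """Packet decrypted from client `cn`'s session, on its way to the TUN."""
        src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
        if not self.clients[cn].owns(src_ip):
            # Real OpenVPN: "MULTI: bad source address from client [...], packet dropped"
            return "DROP: bad source address"
        other = self._owner(dst_ip)
        if other is not None and other.cn != cn and self.client_to_client:
            return f"RELAY -> {other.cn}"   # what `client-to-client` enables
        return "TUN -> kernel"

    def to_client(self, dst: str) -> str:
        """Packet the kernel wrote into the TUN (e.g. pfSense LAN -> remote LAN)."""
        owner = self._owner(IPv4Address(dst))
        return f"SEND -> {owner.cn}" if owner else "DROP: no client owns destination"


def scenario(ccd: dict[str, str], cn: str = "mik-vpn") -> dict[str, str]:
    """Thread topology: MikroTik (CN mik-vpn) at tunnel IP 10.30.30.2 in front of
    192.168.14.0/24, pfSense LAN 192.168.151.0/24. `ccd` maps override names to
    their advanced-options text; the server only reads the one named `cn`."""
    mik = Client(cn, IPv4Address("10.30.30.2"), parse_override(ccd.get(cn, "")))
    srv = ServerModel([mik])
    return {
        # a workstation behind the MikroTik pinging a pfSense LAN host
        "lan_to_lan": srv.from_client(cn, "192.168.14.10", "192.168.151.7"),
        # the same ping after a MikroTik masquerade rule rewrote its source
        "masqueraded": srv.from_client(cn, "10.30.30.2", "192.168.151.7"),
        # a pfSense LAN host pinging a workstation behind the MikroTik
        "reply": srv.to_client("192.168.14.10"),
    }


if __name__ == "__main__":
    iroute = "iroute 192.168.14.0 255.255.255.0\n"
    for label, ccd in [
        ("override for mik-vpn present", {"mik-vpn": iroute}),
        ("no override", {}),
        ("override saved under a different name", {"mikrotik": iroute}),
    ]:
        print(f"{label:40s} {scenario(ccd)}")
```

The three runs reproduce the symptoms reported in this thread: without the `iroute` (or with it saved under a name that is not the client's CN) traffic sourced from the remote LAN is dropped as a bad source address, a masquerade rule on the MikroTik "fixes" only that direction because the source becomes the tunnel IP, and packets from the pfSense LAN enter the TUN (so tcpdump on ovpns1 sees them) but have no client to be sent to. Because OpenVPN reads the ccd file when the client connects, an override added while the MikroTik is already connected only takes effect after a reconnect or a restart of the OpenVPN service.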



  • Great mini how-to… thanks...
    Do you know how to make this work for a MikroTik with a dial-out network?

    UPDATE:
    My OVPN setup is working fine.



  • @agismaniax:

    great mini how-to… thanks...
    do you know how to make this work for mikrotik with dial-out network?

    UPDATE:
    my ovpn setting is working fine.

    It works just fine with PPPoE, for example: after the PPPoE connection comes up, the OVPN client connects as usual. What problem do you have, and what dial-out protocol are you using on the MikroTik?



  • @unguzov:

    Advanced: client-to-client

    4. VPN -> OpenVPN -> Client Specific Overrides
    Create new override:

    Common name: mik-vpn
    Advanced: iroute 192.168.14.0 255.255.255.0

    MikroTik:

    Same setup, server and client are connected, but:

    MikroTik clients can reach pfSense LAN clients only if I enable NAT on the OVPN interface on the MikroTik,
    but then the pfSense LAN clients get traffic from the tunnel IP 10.30.30.2, not from the remote LAN.

    Please explain what you mean by the advanced client-to-client setting, I can't see any such option. Also, in the client specific override I've added "push route 192.168.14.0 255.255.255.0".

    Please help. Thanks, BR



  • @unguzov:

    It works now, here my mini howto:

    My task: site-to-site between pfSense and MikroTik:

    192.168.151.0/24 -> (pfSense 1.1.1.1) -> Internet <- (2.2.2.2 MikroTik) <- 192.168.14.0/24

    pfSense:

    1. System -> Cert Manager -> CAs
    Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).

    2. System -> Cert Manager -> Certificates
    Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

    3. VPN -> OpenVPN -> Server
    Create new VPN server:

    Server Mode: Peer to Peer (SSL/TLS)
    Protocol: TCP
    Device Mode: tun
    Interface: ITD
    Local port: 24100
    TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
    Peer Certificate Authority: vpn-tunnel-ca
    Server Certificate: vpn-tunnel
    Encryption algorithm: BF-CBC (128-bit)
    Auth Digest Algorithm: SHA1 (160-bit)
    IPv4 Tunnel Network: 10.30.30.0/29
    IPv4 Local Network/s: 192.168.151.0/24
    IPv4 Remote Network/s: 192.168.14.0/24
    Compression: No Preference
    Advanced: client-to-client

    4. VPN -> OpenVPN -> Client Specific Overrides
    Create new override:

    Common name: mik-vpn
    Advanced: iroute 192.168.14.0 255.255.255.0

    MikroTik:

    1. Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

    2. PPP -> Interface - create new OVPN Client:
    Name: ovpn-office
    Connect To: 1.1.1.1
    Port: 24100
    Mode: ip
    User: any
    Certificate: mik-vpn.crt_0
    Auth: sha 1
    Cipher: blowfish 128
    Add Default Route: (do not check this)

    It works as expected - I can ping workstations from both sides of the tunnel.

    Hi.. I have this error..
    The pfSense site cannot connect to the MikroTik site, but from the MikroTik site it can connect..

    Sorry for the images…
    Just want to make all things clear..
    Need your help..
    Thank you very much sir..



  • Hi all..
    Excuse me… it's been solved..
    The OpenVPN service has to be restarted..
    Then the flow goes well..

    Thank you very much anyway sir...
    *Salute



  • Hi guys

    I have read your posts and followed the instructions, but I still have trouble setting up OpenVPN in this configuration, as 'kahardreams' described.

    LAN computers behind the OpenVPN server on pfSense can't ping the MikroTik LAN computers (or the MikroTik LAN interface address), but the other way around it works great (MikroTik LAN computers have access to the LAN behind pfSense).
    The situation is the same as on the diagram provided by 'kahardreams'.

    Maybe I forgot something in the firewall/NAT on the MikroTik?
    When pinging from pfSense to a MikroTik LAN IP, tcpdump on pfSense on the ovpns1 interface shows the echo request packets,
    but nothing shows up on the MikroTik ovpn-out1 interface.

    Could you help me?

    Regards



  • I had the same problem as @kahardreams: the LAN behind pfSense could not communicate with the LAN behind the MikroTik.

    After some modifications I was successful and it worked perfectly.
    I based this on the howto from @unguzov.
    Here are the modifications:

    PFSENSE:

    1. System -> Cert Manager -> CAs
      Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).

    2. System -> Cert Manager -> Certificates
      Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

    3. VPN -> OpenVPN -> Server
      Create new VPN server:
      Server Mode: Peer to Peer (SSL/TLS)
      Protocol: TCP
      Device Mode: tun
      Interface: WAN
      Local port: 24100
      TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
      Peer Certificate Authority: vpn-tunnel-ca
      Server Certificate: vpn-tunnel
      Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
      Auth Digest Algorithm: SHA1 (160-bit)
      Hardware Crypto: No Hardware Crypto Acceleration
      Certificate Depth: One (Client + Server)
      IPv4 Tunnel Network: 10.0.9.0/30
      IPv4 Local Network/s: 192.168.1.0/24
      IPv4 Remote Network/s: 192.168.2.0/24
      Compression: No Preference
      Topology: Subnet -- One IP address per client

    MikroTik:
    Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

    1. PPP -> Profiles - create new:
      Name: ovpn-profile
      Local address: 10.0.9.2
      Remote address: 10.0.9.1

    2. PPP -> Interface
      create new OVPN Client:
      Name: ovpn-office
      Connect To: 1.1.1.1 (Your IP PFSense VPN Server)
      Port: 24100
      Mode: ip
      User: any
      Profile: ovpn-profile
      Certificate: mik-vpn.crt_0
      Auth: sha 1
      Cipher: aes 256
      Add Default Route: (do not check this)

    This way it worked perfectly; the two sites are communicating.

    Thanks to @unguzov.

    Hope this helps.