How to create a site to site VPN from pfSense to an OpenVPN server. Part 3

  1. How to create a site to site VPN for an SMB with a low IT budget. Part 1
  2. How to set up an OpenVPN server on Debian? Part 2
  3. How to create a site to site VPN from pfSense to an OpenVPN server. Part 3

OK, we already have an OpenVPN server at the central office. Now our task is to configure the branch office pfSense boxes (why pfSense) to connect to the central office OpenVPN server:

  1. create a Hyper-V VM for pfSense at branch office 01:
    • mount the pfSense ISO to the pfSense VM
    • create a fixed size virtual disk, 5 GB is enough. If you use a dynamic disk, the pfSense FreeBSD installer can fail
    • before the pfSense installation add a second vNIC
    • connect both vNICs to the same vSwitch (based on one physical NIC)!
  2. install pfSense on the VM
  3. during the first boot choose en1 for WAN and en2 for LAN.
  4. Let's consider that branch01 has a TP-Link/D-Link/Univsion-smartbox or similar router. Therefore assign to the WAN of pfSense and to the LAN interface.
  5. access from the browser (before that assign your workstation, for example ). The default credentials for pfSense are admin/pfsense.
  6. copy the content of ca.crt and ca.key from the Debian OpenVPN server to pfSense (I recommend, instead of ftp/winscp and so on, just running "cat ca.key" from putty/ssh, selecting and copying the content from the screen with the mouse, and pasting it into the browser)
  7. add client01.key and client01.crt into pfSense
  8. configure the OpenVPN client:
  9. enable the optional interface:
  10. allow any traffic through the new OPT1 interface:
  11. create the route to the central office:
  12. to check the state of the VPN, look at:
  13. the pfSense configuration above more or less equals this OpenVPN client conf file (the `client` and `remote` lines are added here because a standalone client needs them; CENTRAL_OFFICE_IP is a placeholder for the central office public address):
    # run as a client and connect to the central office server
    client
    remote CENTRAL_OFFICE_IP 51191
    dev tun01
    # CA certificate, branch client certificate and its private key
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/client01.crt
    key /etc/openvpn/easy-rsa/keys/client01.key
    # renegotiate the TLS session every 60 seconds
    reneg-sec 60
    verb 5
    status /var/log/openvpn.log
    #log-append /var/log/openvpn01
    port 51191
    proto udp
    keepalive 10 120
    cipher AES-256-CBC
  14. Result: each branch office device with a configured default gateway (for example ) will ping the central office subnet and vice versa.
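Before rolling the step 13 config out to every branch, it is worth checking it the way a reviewer would. The script below is an added example, not code from the post: it parses an OpenVPN client config and reports missing or risky directives. It flags the absence of `remote-cert-tls server` (without it the client accepts any certificate signed by the CA as the server), a data channel that relies only on `cipher` rather than `data-ciphers`, a very short `reneg-sec`, a noisy `verb`, and a `key` directive pointing at `ca.key` (relevant to step 6: a client only needs ca.crt plus its own client01.crt/client01.key, the CA private key belongs on the CA only). The sample configs are constructed, `CENTRAL_OFFICE_IP` is a placeholder, and the hardened variant is a hypothetical corrected version, not the post's configuration.

```python
"""Lint an OpenVPN client config for missing or risky directives.

Added example, not code from the original post. It checks the client
conf from step 13 (with the `client` and `remote` lines a standalone
client needs; CENTRAL_OFFICE_IP is a placeholder) and a hardened variant.
"""
import os

# Directives every standalone OpenVPN client config needs.
REQUIRED = ("client", "dev", "proto", "remote", "ca", "cert", "key")

# Constructed sample: the post's client config plus `client`/`remote`.
BRANCH_CONF = """\
client
dev tun01
remote CENTRAL_OFFICE_IP 51191
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client01.crt
key /etc/openvpn/easy-rsa/keys/client01.key
reneg-sec 60
verb 5
status /var/log/openvpn.log
#log-append /var/log/openvpn01
port 51191
proto udp
keepalive 10 120
cipher AES-256-CBC
"""

# Constructed hardened variant (hypothetical, not the post's config).
HARDENED_CONF = """\
client
dev tun
proto udp
remote CENTRAL_OFFICE_IP 51191
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client01.crt
key /etc/openvpn/easy-rsa/keys/client01.key
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM
reneg-sec 3600
verb 3
keepalive 10 120
status /var/log/openvpn.log
"""


def parse_conf(text):
    """Map each directive to a list of argument lists; lines starting with '#' or ';' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def lint(conf):
    """Return a list of findings for a parsed client config (empty means clean)."""
    findings = []
    for d in REQUIRED:
        if d not in conf:
            findings.append(f"missing required directive: {d}")
    if "remote-cert-tls" not in conf:
        findings.append("no 'remote-cert-tls server': any certificate signed by the CA "
                        "is accepted as the server")
    if "data-ciphers" not in conf:
        findings.append("only 'cipher' set: add 'data-ciphers AES-256-GCM' so OpenVPN 2.5+ "
                        "negotiates an AEAD data-channel cipher")
    if "reneg-sec" in conf:
        secs = int(conf["reneg-sec"][-1][0])
        if secs < 3600:
            findings.append(f"reneg-sec {secs}: TLS renegotiation every {secs}s "
                            "(default 3600) adds handshake load and log noise")
    if "verb" in conf and int(conf["verb"][-1][0]) > 3:
        findings.append("verb above 3 logs per-packet detail; use 3 in production")
    for args in conf.get("key", []):
        if args and os.path.basename(args[0]) == "ca.key":
            findings.append("'key' points at ca.key: the CA private key must stay on the CA; "
                            "clients only need ca.crt plus their own cert/key")
    return findings


if __name__ == "__main__":
    for name, text in (("branch", BRANCH_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in lint(parse_conf(text)) or ["clean"]:
            print(" -", finding)
```

Run it against the conf you export from pfSense (or the file on a Linux client) by replacing `BRANCH_CONF` with the file's contents; the hardened variant is the set of changes that makes the lint come back clean.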