Skip to content

site

Step By Step Guide On How To Create A Site To Site VPN With PFsense Using OpenVPN With A Pre Shared Key

PFsense is one of the the greatest Open Source packages out there. It is an extremely reliable enterprise grade routing platform. For me, it has been incredibly useful in virtualized scenarios. A common usage scenario for me goes like this. Someone wants to deploy a single ESXi host to a datacenter for backup, as a web server, mail server, spam filter, and/or various other tasks. One network interface on the server connects directly to the datacenter network. This NIC is assigned to a network on the ESXi host named “WAN.” Another network (vswitch) is created on the ESXi host called “Internal Network.” A pfsense virtual machine is created with two NICs. One assigned to WAN, and one assigned to Internal Network. This pfsense virtual machine takes care of all routing and firewall functions for each virtual machine set up on the ESXi host. PFsense can handle multiple WAN IP addresses, firewall functionality and NAT capability. It provides all needed mechanisms to give access and lock down all virtual machines on the ESXi host. This is just an example.

This step by step how to will help you create a site to site VPN on any virtual machine or physical machine running pfsense. The steps are the same for both. This assumes you have pfsense running on each end of the VPN. My particular scenario has pfsense running on a virtual machine at a datacenter, and another running on my home network. My goal is to allow access to the private network at the datacenter from my home network. So lets get started.

How To Setup A Site To Site VPN On PFsense

First thing’s first. Here is the addressing scheme of both of my pfsense routers and their subnets. I have substituted my public WAN ip addresses for security.

Router A, (setup as OpenVPN server, located at datacenter)

  • WAN IP Address: 74.51.1.1
  • LAN IP Address: 10.0.0.1
  • LAN Subnet: 10.0.0.0/8

Router B (setup as OpenVPN client, located at home)

  • WAN IP Address: 108.50.10.5
  • LAN IP Address: 192.168.1.1
  • LAN Subnet: 192.168.1.0/24

One side will be configured as a client, and the other as a server. It doesn’t really matter which is which, but if you are connecting more than two sites, it would probably be a good idea to put the “server” on the fastest, most reliable connection. In my scenario, that would be the system at the datacenter. The pfsense documentation recommends shared key mode for site to site VPNs, unless there are more than 6 sites.

Click Here To Read The Entire Tutorial!