Basic site-to-site OpenVPN between pfSense 2.2.1 and VyOS 1.1.4

After banging my head for a while over how to achieve a site-to-site VPN through OpenVPN between pfSense and VyOS, I finally ended up with the following working configuration and wanted to share it; maybe it will help someone like me. Please note that by no means am I a VyOS expert. To be honest, I installed it out of curiosity 20 days ago (and now there is no turning back, great job, thank you guys), KVM-virtualized on top of Proxmox VE 3.3-5 running on a SuperMicro A1SRI-2758F-O with just 512 MB of RAM, and it has been running flawlessly since day one, so don't crucify me :)

On the pfSense router, create an OpenVPN server (VPN > OpenVPN > Servers) with the following settings:

  1. Server mode – Peer to Peer (Shared Key)
  2. Protocol – UDP
  3. Device mode – tun
  4. Interface – WAN
  5. Local port – 33458 (could be whatever you want; it must match remote-port on the VyOS side)
  6. Description – testvpn
  7. Shared Key – tick Automatically generate. The key has to be copied to /config/auth on VyOS. It is the only thing authenticating the peer, so move it over a trusted channel (scp over SSH, not e-mail or a pastebin) and keep it readable by root only.
  8. Encryption algorithm – BF-CBC (128 bit). Could be different, but it needs to match on both ends. Note that Blowfish is a 64-bit block cipher; on a long-lived tunnel that invites SWEET32-style birthday attacks, so prefer AES-256-CBC (VyOS: encryption aes256) on both ends.
  9. Auth digest algorithm – SHA1 (the OpenVPN default; could be different, but it needs to match on both ends; SHA256 is available on both platforms and is the better choice)
  10. Hardware crypto – No
  11. IPv4 Tunnel Network – 10.10.199.0/24 – could be any private network, as long as it is not in use anywhere on either side. pfSense takes the first address (10.10.199.1), VyOS gets the second (10.10.199.2).
  12. IPv4 Local Network – 192.168.5.0/24 – the LAN behind pfSense; you can list more than one network, comma separated. Change it to match yours.
  13. IPv4 Remote Networks – 192.168.25.0/24 – the LAN behind VyOS; again, more than one network can be listed, comma separated. Change it to match yours.
  14. Concurrent connections – as many as you need (one is enough for a single shared-key peer)
  15. Compression – Enabled with Adaptive Compression (comp-lzo). Must match the VyOS end. Compressing traffic inside a VPN lets an attacker who can inject chosen plaintext next to a secret learn the secret from ciphertext lengths (the VORACLE class of attacks), so leave it off unless the link really needs it; if you leave it off here, drop the comp-lzo option on VyOS too.

The matching client config can be exported from the Shared Key Export tab; it looks like this:

dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
auth SHA1
pull
resolv-retry infinite
remote <pfSense dynamic hostname or public IP> 33458
route <pfSense LAN network> <netmask>     (192.168.5.0 255.255.255.0 in this setup)
ifconfig 10.10.199.2 10.10.199.1
keepalive 10 60
ping-timer-rem
secret testvpn.secret
comp-lzo

VyOS Side

Translated to VyOS, this config ends up as follows (note that the CLI node is "interfaces", plural; "interface" is not accepted):

  1. set interfaces openvpn vtun0
  2. set interfaces openvpn vtun0 description 'testvpn'
  3. set interfaces openvpn vtun0 protocol udp
  4. set interfaces openvpn vtun0 mode site-to-site
  5. set interfaces openvpn vtun0 encryption bf128 (could be different, as long as it matches the other end; bf128 is Blowfish/BF-CBC, see the note on the pfSense side, aes256 is the better choice)
  6. set interfaces openvpn vtun0 hash sha1 (OpenVPN default; if changed, it must match both ends)
  7. set interfaces openvpn vtun0 local-address 10.10.199.2 (second IP of the OpenVPN tunnel network; pfSense takes the first)
  8. set interfaces openvpn vtun0 local-port 33458
  9. set interfaces openvpn vtun0 openvpn-option 'comp-lzo' (any OpenVPN option that has no CLI equivalent goes here; it accepts pretty much everything OpenVPN does. Leave this one out, and disable compression on pfSense, unless you really need it.)
  10. set interfaces openvpn vtun0 remote-address 10.10.199.1
  11. set interfaces openvpn vtun0 remote-host <public IP or hostname of the pfSense box>
  12. set interfaces openvpn vtun0 shared-secret-key-file /config/auth/testvpn.psk (copied from the pfSense server). It was giving me errors with the # lines on top; after I removed them it was OK.
  13. set interfaces openvpn vtun0 remote-port 33458
  14. Open the firewall port (this assumes a rule set named OUTSIDE-IN already exists and is applied inbound on the WAN interface):
    • set firewall name OUTSIDE-IN rule 5 action accept
    • set firewall name OUTSIDE-IN rule 5 destination port 33458
    • set firewall name OUTSIDE-IN rule 5 protocol udp
    • set firewall name OUTSIDE-IN rule 5 source address <pfSense public IP> (only possible if pfSense has a static address, but then strongly recommended: nobody else gets to talk to the OpenVPN port at all)
  15. Set a static route to the pfSense LAN. The prefix length has to be /24 to match the pfSense "IPv4 Local Network" above; a /26 would only cover the first 64 addresses of that LAN:
    • set protocols static route 192.168.5.0/24 next-hop 10.10.199.1
  16. commit
  17. save
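Putting the VyOS steps together, here is the same tunnel with the weak choices replaced: AES-256-CBC instead of Blowfish, SHA256 instead of SHA1, no compression, and the firewall rule limited to the peer's address. This is an added example, not the configuration from the original post. It assumes the pfSense WAN address is 203.0.113.10, that the OUTSIDE-IN rule set already exists and is applied inbound on the WAN interface, that /config/auth/testvpn.psk already holds the key exported from pfSense (comment lines removed), and that the pfSense server was switched to AES-256-CBC / SHA256 with compression disabled; the keepalive values copy the ones pfSense exports. It uses the VyOS script-template so it can be run as a script on the router; anywhere else it only prints the set commands for review.

```shell
#!/bin/vbash
# Added example (not from the original post): the VyOS end of the shared-key
# site-to-site tunnel with the weak settings replaced. Values below are
# assumptions for illustration; change them to match your network.
PEER=203.0.113.10        # pfSense public (WAN) address, assumed static
TUN_LOCAL=10.10.199.2    # second address of the pfSense tunnel network
TUN_REMOTE=10.10.199.1   # pfSense end of the tunnel
PORT=33458               # must equal "Local port" on the pfSense server
PFSENSE_LAN=192.168.5.0/24

# Emit the configuration as VyOS set commands (one per line).
vyos_set_commands() {
  cat <<EOF
set interfaces openvpn vtun0 description 'testvpn'
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 local-address $TUN_LOCAL
set interfaces openvpn vtun0 remote-address $TUN_REMOTE
set interfaces openvpn vtun0 local-port $PORT
set interfaces openvpn vtun0 remote-port $PORT
set interfaces openvpn vtun0 remote-host $PEER
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/testvpn.psk
set interfaces openvpn vtun0 openvpn-option 'keepalive 10 60'
set firewall name OUTSIDE-IN rule 5 action accept
set firewall name OUTSIDE-IN rule 5 protocol udp
set firewall name OUTSIDE-IN rule 5 destination port $PORT
set firewall name OUTSIDE-IN rule 5 source address $PEER
set protocols static route $PFSENSE_LAN next-hop $TUN_REMOTE
EOF
}

# On VyOS, apply the commands inside a configure session (script-template
# provides configure/set/commit/save as shell functions). Elsewhere, just
# print them so they can be reviewed or pasted in by hand.
if [ -f /opt/vyatta/etc/functions/script-template ]; then
  source /opt/vyatta/etc/functions/script-template
  configure
  eval "$(vyos_set_commands)"
  commit
  save
  exit    # leaves configure mode
else
  vyos_set_commands
fi
```

The source-address match on rule 5 is the cheapest hardening available for a shared-key tunnel: there is no TLS handshake or tls-auth HMAC in this mode, so without it anyone on the internet can send packets at the OpenVPN port. With a dynamic pfSense address, drop that one line and rely on the shared key alone.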

The following commands help with troubleshooting if something is wrong (I usually run them in a separate PuTTY window):

monitor log
show log tail
show openvpn site-to-site status
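The settings that "need to match both ends" (cipher, digest, port, tunnel addresses) are easy to get subtly wrong, and a shared-key tunnel that disagrees on them just silently drops packets rather than telling you which setting is off. The following is an added example, not from the original post: a POSIX shell pre-flight check that takes the text of the pfSense Shared Key Export and the VyOS "show configuration commands | grep vtun0" output, maps VyOS names to OpenVPN's, compares the two ends, and flags a 64-bit block cipher. The two inputs embedded in it are constructed samples; vpn.example.net is a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the original post): compare a pfSense Shared Key
# Export with a VyOS openvpn interface and report anything that will not
# interoperate. Both inputs are constructed samples.

# Constructed sample: what pfSense shows on the Shared Key Export tab.
PF_EXPORT='dev tun
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
remote vpn.example.net 33458
ifconfig 10.10.199.2 10.10.199.1
keepalive 10 60
secret testvpn.secret'

# Constructed sample: VyOS "show configuration commands | grep vtun0".
VY_CMDS='set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 local-address 10.10.199.2
set interfaces openvpn vtun0 remote-address 10.10.199.1
set interfaces openvpn vtun0 local-port 33458
set interfaces openvpn vtun0 remote-port 33458
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/testvpn.psk'

# First argument of an OpenVPN directive in the exported config.
pf_opt() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'; }
# "remote <host> <port>": the port is the third field.
pf_remote_port() { printf '%s\n' "$1" | awk '$1 == "remote" { print $3; exit }'; }
# "ifconfig <own ip> <peer ip>": the peer's tunnel address is the third field.
pf_peer_ip() { printf '%s\n' "$1" | awk '$1 == "ifconfig" { print $3; exit }'; }
# Value of "set interfaces openvpn <if> <key> <value>" in VyOS set-command output.
vy_opt() { printf '%s\n' "$1" | awk -v k="$2" '$5 == k { print $6; exit }'; }

# VyOS 1.1 encryption/hash keywords expressed as the OpenVPN names pfSense uses.
vy_cipher_to_openvpn() {
  case "$1" in
    bf128|bf256) echo BF-CBC ;;
    aes128) echo AES-128-CBC ;;
    aes192) echo AES-192-CBC ;;
    aes256) echo AES-256-CBC ;;
    3des)   echo DES-EDE3-CBC ;;
    des)    echo DES-CBC ;;
    *)      echo "UNKNOWN($1)" ;;
  esac
}
vy_hash_to_openvpn() { echo "$1" | tr '[:lower:]' '[:upper:]'; }

# 64-bit block ciphers (Blowfish, DES, 3DES) are exposed to SWEET32-style
# birthday attacks on a long-lived tunnel; treat them as a hard finding.
is_weak_cipher() {
  case "$1" in BF-CBC|DES-CBC|DES-EDE3-CBC) return 0 ;; *) return 1 ;; esac
}

# Compare both ends. Returns 0 when everything lines up, 1 otherwise,
# printing one line per problem.
check_tunnel() {
  pf=$1; vy=$2; rc=0
  pf_cipher=$(pf_opt "$pf" cipher)
  vy_cipher=$(vy_cipher_to_openvpn "$(vy_opt "$vy" encryption)")
  [ "$pf_cipher" = "$vy_cipher" ] || { echo "cipher: pfSense=$pf_cipher vyos=$vy_cipher"; rc=1; }
  pf_auth=$(pf_opt "$pf" auth)
  vy_auth=$(vy_hash_to_openvpn "$(vy_opt "$vy" hash)")
  [ "$pf_auth" = "$vy_auth" ] || { echo "auth: pfSense=$pf_auth vyos=$vy_auth"; rc=1; }
  [ "$(pf_remote_port "$pf")" = "$(vy_opt "$vy" remote-port)" ] || { echo "port: export and remote-port differ"; rc=1; }
  # pfSense writes ifconfig from the VyOS point of view: own address first.
  [ "$(pf_opt "$pf" ifconfig)" = "$(vy_opt "$vy" local-address)" ] || { echo "local-address does not match ifconfig"; rc=1; }
  [ "$(pf_peer_ip "$pf")" = "$(vy_opt "$vy" remote-address)" ] || { echo "remote-address does not match ifconfig"; rc=1; }
  if is_weak_cipher "$pf_cipher" || is_weak_cipher "$vy_cipher"; then
    echo "weak cipher: use AES-256-CBC on pfSense and encryption aes256 on VyOS"; rc=1
  fi
  printf '%s\n%s\n' "$pf" "$vy" | grep -q 'comp-lzo' && echo "note: compression is on; disable it unless the link needs it"
  return $rc
}

check_tunnel "$PF_EXPORT" "$VY_CMDS" && echo "tunnel settings match"
```

Paste the real export and the real `show configuration commands` output into the two variables (or read them from files) before bringing the tunnel up; a mismatch reported here saves staring at `monitor log` later.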

This blog helped me a lot, thanks Jason.

If there is also a road-warrior (remote access) OpenVPN server on the pfSense side, its users will not be able to reach the LAN behind VyOS, because nothing tells their clients that 192.168.25.0/24 lives across the site-to-site tunnel. To fix that, push the route from the road-warrior server's custom (advanced) options; the argument to push has to be quoted, as OpenVPN's config syntax requires:

push "route 192.168.25.0 255.255.255.0";

and add one more static route on VyOS:

set protocols static route 192.168.5.0/24 next-hop 10.10.199.1

Two things to check here: the pfSense LAN route on VyOS really has to be a /24 (see step 15 above), and replies from the VyOS LAN have to find their way back to the road-warrior clients. Unless pfSense NATs those clients onto the site-to-site tunnel, VyOS therefore also needs a static route for the road-warrior tunnel network itself (set protocols static route <road-warrior tunnel network> next-hop 10.10.199.1); otherwise the replies leave via the VyOS default route and the connection hangs.