After banging my head for a while on how to achieve a site-to-site VPN through OpenVPN between pfSense and VyOS, I finally ended up with the following working configuration and wanted to share it; maybe it will help someone like me. Please note that I am by no means a VyOS expert; to be honest, I installed it out of curiosity 20 days ago (and now there is no turning back, great job, thank you guys), KVM-virtualized on top of ProxmoxVE 3.3-5 running on a SuperMicro A1SRI-2758F-O with just 512 MB RAM, and it has been running flawlessly since day one, so don't crucify me.
On the pfSense router, create an OpenVPN server with the following settings:
- Server mode – Peer to Peer Shared Key
- Protocol – UDP
- Device mode – tun
- Interface – WAN
- Local Port – 33458 (could be whatever you want)
- Description – testvpn
- Shared Key – Tick Automatically generate; the generated key needs to be copied to /config/auth on VyOS
- Encryption algorithm – BF-CBC-128 bit (could be different, needs to match both ends)
- Auth Digest Algorithm – SHA1 (default for OpenVPN, could be different, needs to match both ends)
- Hardware crypto – No
- IPv4 Tunnel network – 10.10.199.0/24 – could be any private network as long as it does not overlap a network in use at either end
- IPv4 Local Network – 192.168.5.0/24 – LAN network behind pfSense; you can have more than one network, comma separated; change it to match yours
- IPv4 Remote Networks – 192.168.25.0/24 – LAN network behind VyOS; again you can have more than one network, comma separated; change it to match yours
- Concurrent Connections – as many as you need
- Compression – Enabled With Adaptive Compression
The config can be exported through the Shared Key Export tab; it looks like this:
dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
auth SHA1
pull
resolv-retry infinite
remote your dynamic host name or Real IP 33458
route local lan IP and Subnet Mask
ifconfig 10.10.199.2 10.10.199.1
keepalive 10 60
ping-timer-rem
secret testvpn.secret
comp-lzo
VyOS Side
This config, translated to VyOS, ended up as this:
- set interfaces openvpn vtun0
- set interfaces openvpn vtun0 description 'testvpn'
- set interfaces openvpn vtun0 protocol udp
- set interfaces openvpn vtun0 mode site-to-site
- set interfaces openvpn vtun0 encryption bf128 (could be different as long as it matches the other end)
- set interfaces openvpn vtun0 hash sha1 (default for OpenVPN; if changed, it must match on both ends)
- set interfaces openvpn vtun0 local-address 10.10.199.2 (second IP of the OpenVPN tunnel network, the one pfSense's export gives as the first ifconfig address)
- set interfaces openvpn vtun0 local-port 33458
- set interfaces openvpn vtun0 openvpn-option 'comp-lzo' (all OpenVPN-specific options not available in the CLI go here; it supports pretty much everything)
- set interfaces openvpn vtun0 remote-address 10.10.199.1
- set interfaces openvpn vtun0 remote-host Real IP or hostname of the remote host
- set interfaces openvpn vtun0 remote-port 33458
- set interfaces openvpn vtun0 shared-secret-key-file /config/auth/testvpn.psk (copied from the pfSense server); it was giving me errors with the # lines on top, and after I removed them it was OK
- Open the firewall port for the tunnel on the WAN side:
  • set firewall name OUTSIDE-IN rule 5 action accept
  • set firewall name OUTSIDE-IN rule 5 destination port 33458
  • set firewall name OUTSIDE-IN rule 5 protocol udp
- Set a static route to the pfSense LAN via the tunnel:
  • set protocols static route 192.168.5.0/24 next-hop 10.10.199.1
- commit
- save
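As an added sanity check (my own example, not code from the original post or from VyOS), the script below parses the pfSense shared-key export and the VyOS set commands and reports any parameter that differs between the two ends, since a silent mismatch in cipher, hash, tunnel addresses or port is the usual reason the tunnel never comes up. The hostname vpn.example.net and the embedded sample texts are constructed from the values in this post.

```python
"""Cross-check a pfSense OpenVPN export against VyOS commands (sample inputs constructed from this post)."""
import re

PFSENSE_EXPORT = """\
proto udp
cipher BF-CBC
auth SHA1
remote vpn.example.net 33458
ifconfig 10.10.199.2 10.10.199.1
comp-lzo
"""
VYOS_COMMANDS = """\
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 encryption bf128
set interfaces openvpn vtun0 hash sha1
set interfaces openvpn vtun0 local-address 10.10.199.2
set interfaces openvpn vtun0 openvpn-option 'comp-lzo'
set interfaces openvpn vtun0 remote-address 10.10.199.1
set interfaces openvpn vtun0 remote-port 33458
"""
# OpenVPN cipher names as pfSense exports them -> VyOS 'encryption' keyword
CIPHER_MAP = {"BF-CBC": "bf128", "AES-128-CBC": "aes128", "AES-256-CBC": "aes256"}

def parse_export(text):
    """Return {option: [args]} for each non-empty line of the pfSense export."""
    return {l.split()[0]: l.split()[1:] for l in text.splitlines() if l.strip()}

def parse_vyos(text):
    """Return {leaf: [values]} from 'set interfaces openvpn vtunX <leaf> <value>' lines."""
    p = {}
    for m in re.finditer(r"^set interfaces openvpn \S+ (\S+)(?: (.*))?$", text, re.M):
        p.setdefault(m.group(1), []).append((m.group(2) or "").strip("'\""))
    return p

def check(export, vyos):
    """Return mismatch and warning messages; an empty list means both ends agree.
    The export is written from the client's view, so its ifconfig order already
    matches VyOS local-address / remote-address."""
    e, v = parse_export(export), parse_vyos(vyos)
    cipher = e.get("cipher", [""])[0]
    expected = {"protocol": e["proto"][0],
                "encryption": CIPHER_MAP.get(cipher, cipher),
                "hash": e.get("auth", ["SHA1"])[0].lower(),  # OpenVPN default is SHA1
                "local-address": e["ifconfig"][0], "remote-address": e["ifconfig"][1],
                "remote-port": e["remote"][1]}
    msgs = [f"{leaf}: VyOS has {v.get(leaf, [None])[0]!r}, expected {want!r}"
            for leaf, want in expected.items() if v.get(leaf, [None])[0] != want]
    if "comp-lzo" in e and "comp-lzo" not in v.get("openvpn-option", []):
        msgs.append("comp-lzo is set on pfSense but missing from openvpn-option")
    if cipher == "BF-CBC":
        msgs.append("warning: BF-CBC is a legacy 64-bit block cipher; prefer AES on both ends")
    return msgs
```

Feed it the real export and the output of `show configuration commands | match openvpn` and fix whatever it lists before looking anywhere else.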
The following commands might help with troubleshooting if something is wrong (I usually run them in a separate PuTTY window):
monitor log
show log tail
show openvpn site-to-site status
This blog helped me a lot, thanks Jason.