Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 346 views

    Peer To Peer OpenVPN Pfsense

    Uploaded by

    David Gato
    The document provides instructions for configuring a site-to-site OpenVPN connection between a pfSense firewall and a MikroTik router. It describes the certificate and VPN configuration needed on the pfSense server and MikroTik client to establish the VPN tunnel and route traffic between the two networks.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Peer To Peer OpenVPN Pfsense

    Uploaded by

    David Gato
    346 views17 pages
    The document provides instructions for configuring a site-to-site OpenVPN connection between a pfSense firewall and a MikroTik router. It describes the certificate and VPN configuration needed on the pfSense server and MikroTik client to establish the VPN tunnel and route traffic between the two networks.

    Original Description:

    PfSense OpenVPN p2p

    Original Title

    Peer to Peer OpenVPN Pfsense

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document provides instructions for configuring a site-to-site OpenVPN connection between a pfSense firewall and a MikroTik router. It describes the certificate and VPN configuration needed on the pfSense server and MikroTik client to establish the VPN tunnel and route traffic between the two networks.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    346 views17 pages

    Peer To Peer OpenVPN Pfsense

    Uploaded by

    David Gato
    The document provides instructions for configuring a site-to-site OpenVPN connection between a pfSense firewall and a MikroTik router. It describes the certificate and VPN configuration needed on the pfSense server and MikroTik client to establish the VPN tunnel and route traffic between the two networks.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 17

    Welcome, Guest.

    Please login or register.

    Search...

    Home Help Search Login Register

    pfSense Forum pfSense English Support OpenVPN [SOLVED] Site-to-site OpenVPN between pfSense and MikroTik

    previous next

    Pages: [1] Go Down PRINT

    Author Topic: [SOLVED] Site-to-site OpenVPN between pfSense and MikroTik (Read 10019 times)

    0 Members and 1 Guest are viewing this topic.

    unguzov [SOLVED] Site-to-site OpenVPN between pfSense and


    MikroTik
    Jr. Member
    on: March 21, 2016, 03:05:11 pm

    Posts: 79 I need some help with site-to-site OpenVPN configuration.


    Karma: +3/-0

    I use only pfSense for my site-to-site connections, but now I want to use on some remote sites MikroTik. I need to run
    OpenVPN (IPsec will be too hard to manage with different NAT issues on remote locations).

    My network diagram:
    192.168.151.0/24 -> 192.168.14.254 (pfSense 1.1.1.1) -> Internet <- (2.2.2.2 MikroTik) 192.168.14.254 <-
    192.168.14.0/24

    pfSense is OpenVPN server, Peer to Peer - (SSL/TLS), IPv4 Tunnel Network 10.30.30.0/29, IPv4 Local Network:
    192.168.151.0/24, IPv4 Remote Network: 192.168.14.0/24.

    From MikroTik side: PPP - OVPN Client, Mode: ip.

    The tunnel is up, MikroTik is connected and from the terminal ping to 192.168.151.7 works. But ping from workstations
    behind the MikroTik does not work at all.

    If I add to MikroTik NAT rule (srcnat, vpn-tunnel, masquerade) it works, but I want to use site-to-site connection.

    I know that I miss something big, but I'm new to MikroTik and can't find any useful information about this.
    Last Edit: March 25, 2016, 07:42:51 am by unguzov Logged

    unguzov Re: Site-to-site OpenVPN between pfSense and


    MikroTik
    Jr. Member
    Reply #1 on: March 25, 2016, 07:42:34 am

    Posts: 79 It works now, here my mini howto:


    Karma: +3/-0

    My task: site-to-site between pfSense and MikroTik:

    192.168.151.0/24 -> (pfSense 1.1.1.1) -> Internet <- (2.2.2.2 MikroTik) <- 192.168.14.0/24

    pfSense:

    1. System -> Cert Manager -> CAs


    Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).

    2. System -> Cert Manager -> Certificates


    Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-
    vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

    3. VPN -> OpenVPN -> Server


    Create new VPN server:
    Server Mode: Peer to Peer (SSL/TLS)
    Protocol: TCP
    Device Mode: tun
    Interface: ITD
    Local port: 24100
    TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
    Peer Certificate Authority: vpn-tunnel-ca
    Server Certificate: vpn-tunnel
    Encryption algorithm: BF-CBC (128-bit)
    Auth Digest Algorithm: SHA1 (160-bit)
    IPv4 Tunnel Network: 10.30.30.0/29
    IPv4 Local Network/s: 192.168.151.0/24
    IPv4 Remote Network/s: 192.168.14.0/24
    Compression: No Preference
    Advanced: client-to-client

    4. VPN -> OpenVPN -> Client Specific Overrides


    Create new override:

    Common name: mik-vpn


    Advanced: iroute 192.168.14.0 255.255.255.0

    MikroTik:

    1. Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

    2. PPP -> Interface - create new OVPN Client:


    Name: ovpn-office
    Connect To: 1.1.1.1
    Port: 24100
    Mode: ip
    User: any
    Certificate: mik-vpn.crt_0
    Auth: sha 1
    Cipher: blowfish 128
    Add Default Route: (do not check this)

    It works as expected - I can ping workstations from both sides of the tunnel.
    Last Edit: April 23, 2016, 01:49:58 am by unguzov Logged
    agismaniax Re: [SOLVED] Site-to-site OpenVPN between pfSense
    and MikroTik
    Full Member
    Reply #2 on: April 01, 2016, 07:17:30 pm

    Posts: 143 great mini how-to... thanks...


    Karma: +1/-1 do you know how to make this work for mikrotik with dial-out network?

    UPDATE:
    my ovpn setting is working fine.
    Last Edit: April 03, 2016, 11:46:36 pm by agismaniax Logged

    unguzov Re: [SOLVED] Site-to-site OpenVPN between pfSense


    and MikroTik
    Jr. Member
    Reply #3 on: April 21, 2016, 09:50:11 am

    Posts: 79 Quote from: agismaniax on April 01, 2016, 07:17:30 pm


    Karma: +3/-0
    great mini how-to... thanks...
    do you know how to make this work for mikrotik with dial-out network?

    UPDATE:
    my ovpn setting is working fine.

    It works just fine with PPPoE for example, after PPPoE connection OVPN Client connects as usual. What problem do you
    have and what dial-out protocol you are using in MikroTik?
    Logged

    Summer Re: Site-to-site OpenVPN between pfSense and


    MikroTik
    Jr. Member
    Reply #4 on: November 17, 2016, 12:04:51 pm

    Posts: 67 Quote from: unguzov on March 25, 2016, 07:42:34 am


    Karma: +0/-0
    Advanced: client-to-client

    4. VPN -> OpenVPN -> Client Specific Overrides


    Create new override:
    Common name: mik-vpn
    Advanced: iroute 192.168.14.0 255.255.255.0

    MikroTik:

    Same setup, server and client are connected, but:

    mikrotik clients can reach pfsense LAN clients, only if I enable NAT on Ovpn interface on mikrotik,
    but with this the Pfsense LAN clients get traffic from tunnel IP 10.30.30.2 not from Remote LAN.

    Please explain what you mean with the advanced client-to-client, I can't see any option, also in specific override I've
    added "push route 192.168.14.0 255.255.255.0".

    Please,help. Thanks, BR
    Logged

    kahardreams Re: Site-to-site OpenVPN between pfSense and


    MikroTik
    Newbie
    Reply #5 on: January 04, 2017, 10:40:34 pm

    Posts: 12 Quote from: unguzov on March 25, 2016, 07:42:34 am


    Karma: +1/-0
    It works now, here my mini howto:

    My task: site-to-site between pfSense and MikroTik:

    192.168.151.0/24 -> (pfSense 1.1.1.1) -> Internet <- (2.2.2.2 MikroTik) <- 192.168.14.0/24

    pfSense:

    1. System -> Cert Manager -> CAs


    Create new CA (vpn-tunnel-ca). Export "CA cert" file (my-ca.crt).

    2. System -> Cert Manager -> Certificates


    Create two certificates (use CA created above) - one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export
    cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

    3. VPN -> OpenVPN -> Server


    Create new VPN server:

    Server Mode: Peer to Peer (SSL/TLS)


    Protocol: TCP
    Device Mode: tun
    Interface: ITD
    Local port: 24100
    TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS key)
    Peer Certificate Authority: vpn-tunnel-ca
    Server Certificate: vpn-tunnel
    Encryption algorithm: BF-CBC (128-bit)
    Auth Digest Algorithm: SHA1 (160-bit)
    IPv4 Tunnel Network: 10.30.30.0/29
    IPv4 Local Network/s: 192.168.151.0/24
    IPv4 Remote Network/s: 192.168.14.0/24
    Compression: No Preference
    Advanced: client-to-client

    4. VPN -> OpenVPN -> Client Specific Overrides


    Create new override:

    Common name: mik-vpn


    Advanced: iroute 192.168.14.0 255.255.255.0

    MikroTik:

    1. Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

    2. PPP -> Interface - create new OVPN Client:


    Name: ovpn-office
    Connect To: 1.1.1.1
    Port: 24100
    Mode: ip
    User: any
    Certificate: mik-vpn.crt_0
    Auth: sha 1
    Cipher: blowfish 128
    Add Default Route: (do not check this)

    It works as expected - I can ping workstations from both sides of the tunnel.

    hi.. i have this error..


    the PFsense site cannot connect to mikrotik site. but from mikrotik site can connect..

    orry for the images...


    just want to make al things clear..
    need your help..
    thank you very much sir..
    Quote
    sorry for the images...
    just want to make al things clear..
    need your help..
    thank you very much sir..
    Logged

    kahardreams Re: [SOLVED] Site-to-site OpenVPN between pfSense


    and MikroTik
    Newbie
    Reply #6 on: January 05, 2017, 01:15:38 am

    Posts: 12 hi all..
    Karma: +1/-0 excuse me... it's been solved..
    the service of OpenVPN have to be restarted..
    then the flow goes well..

    thank you very much anyway sir...


    *Salute
    Logged

    lukasz.s Re: [SOLVED] Site-to-site OpenVPN between pfSense


    and MikroTik
    Newbie
    Reply #7 on: September 11, 2017, 11:25:27 am

    Posts: 2 Hi guys
    Karma: +0/-0
    I have read your potst, followed the instructions but still have trouble with set up openvpn in this configuration like
    'kahardreams described'.

    LAN computers behind openvpn server on pfsense can't ping mikrotik LAN computers (and mikrotik LAN interface
    address) , but in other way its working great (mikrotik LAN computer have access to LAN behind pfsense).
    Situation is the same like on diagram provided by 'kahardreams '.

    Maybe i forgot something on firewall/nat on mikrotik ?


    When ping from pfsene to mikrotik lan ip, tcpdump on pfsense on ovpns1 interface shows echo request packages
    but nothing shows on mikrotik ovpn-out1 interface.

    Could you help me ?

    Regards

    Logged

    Pages: [1] Go Up PRINT

    previous next

    pfSense Forum pfSense English Support OpenVPN [SOLVED] Site-to-site OpenVPN between pfSense and MikroTik

    Jump to: => OpenVPN go

    SMF 2.0.13 | SMF 2016, Simple Machines


    Flagrantly by, Crip XHTML RSS WAP2
    Page created in 0.101 seconds with 16 queries.

    You might also like