mirror of
https://github.com/opnsense/docs
synced 2024-10-30 21:20:20 +00:00
225 lines
9.3 KiB
ReStructuredText
225 lines
9.3 KiB
ReStructuredText
=================================
|
|
Setup SSL VPN site to site tunnel
|
|
=================================
|
|
|
|
Site to site VPNs connect two locations with static public IP addresses and allow
|
|
traffic to be routed between the two networks. This is most commonly used to
|
|
connect an organization's branch offices back to its main office, so branch users
|
|
can access network resources in the main office.
|
|
|
|
.. contents:: Index
|
|
|
|
----------------
|
|
Before you start
|
|
----------------
|
|
Before starting with the configuration of an OpenVPN SSL tunnel you need to have a
|
|
working OPNsense installation with a unique LAN IP subnet for each side of your
|
|
connection (your local network needs to be different than that of the remote
|
|
network).
|
|
|
|
.. Note::
|
|
|
|
For the sample we will use a private IP for our WAN connection.
|
|
This requires us to disable the default block rule on WAN to allow private traffic.
|
|
To do so, go to :menuselection:`Interfaces --> [WAN]` and uncheck "Block private networks".
|
|
*(Don't forget to save and apply)*
|
|
|
|
.. image:: images/block_private_networks.png
|
|
|
|
|
|
--------------------------------
|
|
Network topology
|
|
--------------------------------
|
|
|
|
The schema below describes the situation we are implementing. Two networks (A,B) and a transit network (10.10.8.0/24)
|
|
to peer both firewalls. We will create a tunnel network :code:`10.1.8.0/24` between both sites.
|
|
|
|
.. nwdiag::
|
|
:scale: 100%
|
|
|
|
nwdiag {
|
|
|
|
span_width = 90;
|
|
node_width = 180;
|
|
network A {
|
|
address = "10.0.8.0/24";
|
|
pclana [label="PC Site A\n10.0.8.20",shape="cisco.pc"];
|
|
fwa [shape = "cisco.firewall", address="10.0.8.1/24"];
|
|
}
|
|
network Ext {
|
|
address = "10.10.8.0/24";
|
|
label = "Tunnel net 10.1.8.0/24";
|
|
fwa [shape = "cisco.firewall", address="10.10.8.1/24"];
|
|
fwb [shape = "cisco.firewall", address="10.10.8.2/24"];
|
|
}
|
|
network B {
|
|
address = "192.168.8.0/24"
|
|
fwb [shape = "cisco.firewall", address="192.168.8.20"];
|
|
pclanb [label="PC Site B\n192.168.8.20",shape="cisco.pc"];
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
--------------------------------
|
|
Preparations
|
|
--------------------------------
|
|
|
|
.....................
|
|
Trust
|
|
.....................
|
|
|
|
|
|
In order to setup a tunnel on both ends, we need to configure certificates to warrant trust between both machines.
|
|
We have chosen to setup the server on "Site B", so we start with Trust configuration there.
|
|
|
|
* First we need an **Authority** which we are going to create in :menuselection:`System --> Trust --> Authorities`
|
|
|
|
* Select `Create an internal Certificate Authority`
|
|
* Choose cryptographic settings and a lifetime (you may want to increase the default as after this time you do need to redistribute certificates to both server and client).
|
|
* Add descriptive information for this CA (`Descriptive name`, `City`, `Email`, ..`)
|
|
* Set the `Common Name` to something descriptive for this certificate, like "Office-ovpn"
|
|
|
|
|
|
* Next generate a **Certficate** for the server using :menuselection:`System --> Trust --> Certificates`
|
|
|
|
* Select `Create an internal Certificate`
|
|
* Choose the just created authority in `Certificate authority`
|
|
* Add descriptive information for this CA (`Descriptive name`, whereabouts are copied from the CA)
|
|
* Set Type to `Server`
|
|
* Choose cryptographic settings, lifetime determines the validaty of the server certificate (you do need to track this yourself), it's allow to choose a longer period here
|
|
* Set the `Common Name` to the fqdn of this machine.
|
|
|
|
* As the client (Site A) will also need a **Certificate**, we need to create a certificate, also using :menuselection:`System --> Trust --> Certificates`
|
|
|
|
* Select `Create an internal Certificate`
|
|
* Choose the just created authority in `Certificate authority`
|
|
* Add descriptive information for this CA (`Descriptive name`, whereabouts are copied from the CA)
|
|
* Set Type to `Server`
|
|
* Choose cryptographic settings, lifetime determines the validaty of the server certificate (you do need to track this yourself), it's allow to choose a longer period here
|
|
* Set the `Common Name` to username the other end will use for identification. For this example we use :code:`test-client`
|
|
|
|
.. Note::
|
|
|
|
It's a best practice to offer each user it's own certificate using the same common name as the username, although
|
|
it is also possible to clients to share a certificate. When adding a certificate from the user manager the CN is automatically
|
|
set to its name. In this example we will only authenticate using the certificate, no additional user or password will be required.
|
|
|
|
|
|
.....................
|
|
Static keys
|
|
.....................
|
|
|
|
We create a static key and define it's use in :menuselection:`VPN --> OpenVPN --> Instances --> Static Keys`, for this example
|
|
select `auth` as mode and click the gear button to generate one. Provide a description for this key.
|
|
|
|
..........................................
|
|
Prepare Site A
|
|
..........................................
|
|
|
|
* Copy the public part of the certificate authority to the firewall at Site a (use the download button and copy the contents into a new CA on this host)
|
|
* Copy the public and private part of the client certificate into a new one on Site A
|
|
* Copy the contents of the static key to a new entry and select the same type
|
|
|
|
|
|
------------------------------------
|
|
Create a server instance (Site B)
|
|
------------------------------------
|
|
|
|
Now the generic setup is done, we can configure a new server type instance via :menuselection:`VPN --> OpenVPN --> Instances`
|
|
|
|
===============================================================
|
|
|
|
======================= =======================================
|
|
Property site B
|
|
======================= =======================================
|
|
Role Server
|
|
Description MyServer
|
|
Protocol UDP (IPv4)
|
|
Port number 1194
|
|
Bind address 10.10.8.1 :sup:`1`
|
|
Server (IPv4) 10.1.8.0/24 (the tunnel network used)
|
|
Certificate choose the prepared server certificate
|
|
TLS static key choose the prepared static key
|
|
Local Network 192.168.8.0/24
|
|
Remote Network 10.0.8.0/24 :sup:`2`
|
|
======================= =======================================
|
|
|
|
.. admonition:: Note :sup:`1`
|
|
|
|
Leave empty to bind to all addresses assigned to this machine or use a loopback address combined with a port forward when
|
|
the external address is not static.
|
|
|
|
.. admonition:: Note :sup:`2`
|
|
|
|
The network(s) served by this openvpn instance, after startup routes will be created. In order to bind
|
|
the network to the correct client a `Client Specific Overwrite` is also needed.
|
|
|
|
|
|
Hit the apply button when the instance is configured and add a client specific overwrite in :menuselection:`VPN --> OpenVPN --> Client Specific Overrides`
|
|
|
|
===============================================================
|
|
|
|
======================= =======================================
|
|
Property site B
|
|
======================= =======================================
|
|
Servers leave empty or select our server
|
|
Common name test-client
|
|
Remote Network 10.0.8.0/24 :sup:`1`
|
|
======================= =======================================
|
|
|
|
.. admonition:: Note :sup:`1`
|
|
|
|
The remote network bound to this common name, without this entry the traffic will not be routed between hosts.
|
|
|
|
|
|
Next go to :menuselection:`Firewall --> Rules --> WAN` and add a rule to allow traffic on port :code:`1494/UDP` from the other
|
|
host. At minimum we should add a rule similar to this one:
|
|
|
|
===============================================================
|
|
|
|
======================= =======================================
|
|
Property site B
|
|
======================= =======================================
|
|
Interface WAN
|
|
Protocol UDP
|
|
Destination port range 1194
|
|
======================= =======================================
|
|
|
|
Finally we are going to allow traffic on the tunnel itself by adding a rule to :menuselection:`Firewall --> Rules --> OpenVPN`,
|
|
for this example we keep it simple and add one to allow all, in which case we can save the defaults when adding a rule.
|
|
|
|
|
|
------------------------------------
|
|
Create a client instance (Site A)
|
|
------------------------------------
|
|
|
|
With the server in place it's time to setup the client on OPNsense, for this we go to :menuselection:`VPN --> OpenVPN --> Instances`
|
|
and add a new instance using the following settings.
|
|
|
|
===============================================================
|
|
|
|
======================= =======================================
|
|
Property site A
|
|
======================= =======================================
|
|
Role Client
|
|
Description MyClient
|
|
Protocol UDP (IPv4)
|
|
Remote 10.10.8.1
|
|
Certificate choose the prepared client certificate
|
|
TLS static key choose the prepared static key
|
|
Remote Network 192.168.8.0/24
|
|
======================= =======================================
|
|
|
|
|
|
--------------------------------
|
|
Test connectivity
|
|
--------------------------------
|
|
|
|
Use the :menuselection:`VPN: OpenVPN: Connection Status` page to watch the status of both server and client, when
|
|
passing traffic over the link on both ends the counters should increase.
|
|
|
|
Now try to ping from Site A (:code:`10.0.8.20`) to Site B (:code:`192.168.8.20`).
|