OPENVPN Site-to-Site using SSL/TLS Certificate-Based Authentication between multiple sites with OPNSENSE

 

OpenVPN is a robust, secure, and flexible solution for setting up a site-to-site VPN. Its strengths lie in its strong security features, flexibility, and cost-effectiveness. However, it requires a good level of expertise to set up and maintain, and it may introduce some performance overhead. Carefully weighing these pros and cons will help determine if OpenVPN is the right choice for your site-to-site VPN needs.

 

Why is OPENVPN certificate-based authentication better than the shared key (legacy) method on OPNSENSE?

The legacy shared-key (static key) method on OPNSENSE is simpler and may be sufficient for a single, low-risk link, but it has hard limits: one static-key instance serves exactly one peer, every peer holds the same long-lived secret, there is no forward secrecy, and rotating or revoking the key means re-keying every site at once. Certificate-based authentication gives each site its own identity that can be issued, renewed and revoked individually from one CA, so it scales to many sites and is managed centrally. For site-to-site VPNs, where security and scalability are usually paramount, certificate-based authentication is the preferred choice.

 

What is OPENVPN Certificate-Based Authentication

OpenVPN certificate-based authentication is a method that uses SSL/TLS certificates to authenticate both clients and servers before establishing a VPN connection. Only a peer that holds a private key matching a certificate signed by your CA can complete the TLS handshake, so knowing the server's address or having network access is not enough to connect.

 

Key Components

  • Certificate Authority (CA): signs the server and client certificates. In an OpenVPN setup you typically create your own private CA; its private key is the root of trust for the whole VPN and must be protected accordingly.
  • Server Certificate and Key: identify the VPN server. Clients verify the server's certificate against the CA before sending anything over the tunnel.
  • Client Certificates and Keys: each site is issued a unique certificate and key. The server verifies the certificate against the CA and uses its Common Name to select the matching client-specific override.
  • TLS static key (tls-auth / tls-crypt, optional but recommended): a shared secret that wraps the TLS control channel. tls-auth adds an HMAC so that packets without it are dropped before the TLS handshake even starts, which blunts DoS attacks and port scanning; tls-crypt (the "crypt" mode used by OPNSENSE) additionally encrypts the control channel, hiding the certificates exchanged during the handshake.

 

Benefits of Certificate-Based Authentication

  • Strong Security: identities are verified through a public key infrastructure (PKI); a peer must prove possession of a private key whose certificate was signed by your CA, and a leaked certificate can be revoked without touching the other sites.
  • Mutual Authentication: Both the client and server authenticate each other, enhancing trust.
  • Unique Identification: Each client has a unique certificate, allowing fine-grained control over access.

 

Pros & cons of using OPENVPN Site-to-site tunneling

Setting up a site-to-site VPN using OpenVPN can have several advantages and disadvantages. Here’s a detailed look at the pros and cons:

 

Pros

Security:

  • Strong Encryption: OpenVPN runs its control channel over TLS and protects the data channel with authenticated ciphers (AES-GCM, and ChaCha20-Poly1305 on OpenVPN 2.5 and later), so traffic crossing the internet is both encrypted and integrity-checked.
  • Certificate-Based Authentication: SSL/TLS certificates provide a high level of authentication and security.

Flexibility:

  • Cross-Platform Compatibility: OpenVPN works on various operating systems, including Windows, Linux, macOS, and more.
  • Customizable: Offers a high degree of customization to suit specific network requirements and policies.

Open Source:

  • Transparency: Being open-source, OpenVPN allows anyone to review its code for security vulnerabilities or backdoors.
  • Community Support: A large community contributes to ongoing development, troubleshooting, and support.

Cost-Effective:

  • Free Software: OpenVPN is free to use, which can save on licensing costs compared to proprietary VPN solutions.

Performance:

  • Efficient Protocol: OpenVPN can handle high-throughput traffic with proper configuration.
  • Compression: supports data compression, but compressing traffic that mixes attacker-influenced and secret data leaks information (the VORACLE attack class), and upstream OpenVPN now recommends leaving compression disabled. Treat it as a legacy option rather than a performance feature.

Scalability:

  • Expandable: Can be scaled to connect multiple sites and manage increased traffic without major changes to the infrastructure.

 

Cons

Complexity:

  • Initial Setup: The setup process can be complex, especially for those without experience in networking and VPNs.
  • Maintenance: Ongoing maintenance and troubleshooting can be challenging, requiring a deep understanding of networking concepts.

Performance Overhead:

  • Processing Power: Encryption and decryption processes require significant CPU resources, which can impact performance on low-powered devices.
  • Latency: May introduce additional latency compared to other VPN protocols, depending on configuration and network conditions.

Configuration Management:

  • Manual Configuration: Requires manual setup, which can be time-consuming and error-prone, especially for larger deployments.
  • Certificate Management: Managing SSL/TLS certificates for authentication adds to the administrative burden.

Limited Native Support:

  • Integration Issues: May require additional software or scripts for integration with certain network devices or operating systems that do not natively support OpenVPN.

Troubleshooting:

  • Complex Logs: Log files can be extensive and difficult to parse, making troubleshooting more complex.

Compatibility:

  • Non-Standard Protocol: unlike IPsec, OpenVPN is not an IETF standard, so many commercial routers and firewalls do not support it natively; a site that does not run OPNsense or another OpenVPN-capable device needs additional software to join the VPN.

 

SAMPLE SCENARIO FOR THE OPENVPN SITE-TO-SITE TUNNELING

SITE A (SERVER)

  • Site has a public IP (static or dynamic; a dynamic address is tracked through the DDNS name server.domain.com set up in Step 1)
  • Site A acts as OVPN server

NETWORKS

  • LAN: 192.168.10.0/24
  • VLAN10: 10.10.10.0/24
  • VLAN20: 10.10.20.0/24
  • VLAN30: 10.10.30.0/24

 

SITE B (CLIENT)

  • Site has dynamic Public IP
  • Site B acts as OVPN client

NETWORKS

  • LAN: 192.168.20.0/24
  • VLAN40: 10.10.40.0/24
  • VLAN50: 10.10.50.0/24
  • VLAN60: 10.10.60.0/24

TUNNEL NETWORK FOR OPENVPN: 10.90.1.0/24

 

SITE C (CLIENT)

  • Site has no public IP: it is behind CGNAT on an LTE network, so it can only initiate outbound connections
  • Site C acts as OVPN client

NETWORKS

  • LAN: 192.168.30.0/24
  • VLAN70: 10.10.70.0/24
  • VLAN80: 10.10.80.0/24
  • VLAN90: 10.10.90.0/24

TUNNEL NETWORK FOR OPENVPN: 10.90.2.0/24

 

 

STEP1: Setup CLOUDFLARE Dynamic DNS (DDNS) on Site A (SERVER)

This step is recommended whenever the server's public IP can change over time, because the clients in Steps 5 and 6 connect to the DNS name rather than to an address.

In our case the domain server.domain.com is already bought and attached to the Cloudflare account via DNS records (example tutorial by Furhan Reviews).

Setting up Cloudflare Dynamic DNS (DDNS) on OPNsense involves several steps. You need to create an API token on Cloudflare, configure your domain settings, and then set up the DDNS service in OPNsense. Here’s a step-by-step guide:

 

1.1 Log in to Cloudflare:

  • Go to the Cloudflare dashboard and log in.

1.2 Create API Token:

  • Navigate to the Overview > API > Get your API token
  • Click on “Create Token.”
  • Select the "Edit zone DNS" template.
  • Permissions: Zone > DNS > Edit and nothing more. The token can rewrite every record in the zones it covers, so do not use an account-wide Global API Key for this.
  • Zone Resources: restrict the token to the one zone you manage here (domain.com).
  • Generate the token and store it in a password manager; it is displayed only once, and from step 1.4 on it also lives in the OPNSENSE configuration.

1.3 Configure Your Domain in Cloudflare

  • Go to your Cloudflare > Domain > DNS > Records > Add record for a subdomain (server.domain.com)
  • Type: A
  • Name: server
  • IPv4 address: any placeholder, ex. 192.168.1.1; OPNSENSE overwrites it on the first DDNS update
  • Proxy status: DNS only
  • TTL: Auto

1.4  Set Up DDNS in OPNsense

  • Log in to OPNsense web interface
  • Go to OPNSENSE > Services > Dynamic DNS.
  • Add a New Dynamic DNS Entry by clicking on “+” button to add a new DDNS entry
  • Fill in the required fields as with example
  • Description: Dynamic DNS for domain
  • Service: Cloudflare.
  • Username: token    (username must be set to “token”)
  • Password: <API-KEY-TOKEN>
  • ZONE: domain.com
  • Hostname: server.domain.com
  • Check IP method: ip4only.me or defined
  • Interface to monitor: WAN
  • Check IP timeout: 10

 

1.5 Click “Save” and then “Apply” to activate the DDNS service.

1.6 Testing and Verification

  • Verify that the DDNS service is running correctly by checking the status in the Dynamic DNS settings.
  • You should see the last updated IP and other relevant information.
  • Check that the DNS record has been updated on Cloudflare with dig or nslookup. For example, dig +short server.domain.com (Linux/macOS) or nslookup server.domain.com (Windows CMD) should return your current WAN IP.

1.7 Troubleshooting:

  • If there are issues, review the verbose logs for errors.
  • Ensure that your API token has the correct permissions and that your hostname is correctly entered.

By following these steps, you should have a functioning Cloudflare DDNS setup on OPNsense, allowing your domain to dynamically update with your current IP address.

VIDEO HIGHLIGHTING ALL THE STEPS

Source: SYSADMIN102 YouTube channel

 

STEP2: OPENVPN server configuration on SITE A

All steps are based on the official guide for the new OpenVPN instances, which is the recommended way to build site-to-site connections: https://docs.opnsense.org/manual/vpnet.html#new-vpn-openvpn-instances

 

2.1 Generate Certificates and Keys

  • Login to OPNsense Web GUI on the server side (Site A).
  • Navigate to OPNSENSE > System > Trust > Authorities.
  • Click + to add a new authority.
  • Fill in the details to create a new Root CA.

 

  • Descriptive name: OPENVPN-site-to-site-CA
  • Method: Create an internal Certificate Authority
  • Key type: RSA (defined by user; an elliptic-curve key is smaller and faster if every site runs a current OPNSENSE release)
  • Key length: 4096 (defined by user)
  • Digest Algorithm: SHA512 (defined by user)
  • Lifetime (days): 7304 days (about 20 years; a long-lived CA is normal, because replacing it means re-issuing every certificate)
  • Country code: DE (Germany) as example
  • State: Bavaria as example
  • City: Munich as example
  • Organization: Lab as example
  • E-mail address: [email protected] as example
  • Common Name: opnsense.domain.com as example. For the CA this is only a label and does not have to resolve; the FQDN hostname of the OPNSENSE server (shown in the top-right corner of the dashboard) is a convenient choice.

2.2 Save the new Certificate Authority. Next to its name, click the download icons and save the CA certificate and, if you intend to follow step 3.1 as written, the CA private key. Keep both files off shared drives and delete the private key copy once the imports are done: anyone holding the CA private key can issue certificates that every site in this VPN will trust.

2.3 Navigate to OPNSENSE > System > Trust > Certificates & Click + to create a new certificate.

  • Descriptive name: OPENVPN-site-to-site-SERVER
  • Method: Create an internal Certificate
  • Certificate Authority: <previously-created> ex. OPENVPN-site-to-site-CA
  • Type: Server Certificate (sets the TLS server extended key usage that OpenVPN clients check with remote-cert-tls server, so a client certificate cannot be passed off as the server)
  • Key type: RSA (defined by user)
  • Key length: 4096 (defined by user)
  • Digest Algorithm: SHA512 (defined by user)
  • Lifetime (days): 7304 days (certificate validity can be defined, ex. 20 years; a lifetime shorter than the CA's is preferable, since the server certificate is the one you will renew)
  • Country code: DE (Germany) as example
  • State: Bavaria as example
  • City: Munich as example
  • Organization: Lab as example
  • E-mail address: [email protected] as example
  • Common Name: opnsense.domain.com as example; this should be the FQDN hostname of the OPNSENSE server, shown in the top-right corner of the OPNSENSE dashboard.

 

2.4 Save the certificate

 

2.5 Navigate to OPNSENSE > VPN > OPENVPN > Instances > Static Keys & create a new TLS static key

  • Description: <define> ex. OPENVPN-site-to-site-TLS-key
  • Mode: crypt (default; tls-crypt authenticates and encrypts the control channel, whereas auth only authenticates it)
  • Click on Generate static key
  • Copy the generated key into a text file and keep it with the CA files for step 3.5; it is a shared secret and must be identical on all three sites
  • Click on Save

 

STEP3: Import the Certificate Authority (CA) and the TLS static key, and create client certificates on Site B and Site C

3.1 Navigate to OPNSENSE > System > Trust > Authorities > click + and fill out the fields:

  • Descriptive name: OPENVPN-site-to-site-CA (same as on Site A)
  • Method: Import an existing Certificate Authority
  • Certificate data: <paste the content of the CA certificate downloaded in step 2.2>
  • Certificate private key: <paste the content of the CA private key downloaded in step 2.2>
  • Click on Save. Please repeat the same step on Site C

Importing the CA private key is what allows Site B and Site C to issue their own client certificates in the next step, but it also means that a compromise of any one site yields a key that can sign certificates every site trusts. If you would rather keep the CA key on Site A only, leave the private key field empty here, create the siteb and sitec client certificates on Site A (as in step 2.3 but with Type: Client Certificate), download each certificate together with its private key, and import it on the respective site under System > Trust > Certificates with Method: Import an existing Certificate. The CA certificate alone is enough for the clients to verify the server.

 

3.2 Navigate to OPNSENSE > System > Trust > Certificates & click + to create a new certificate on Site B.

  • Descriptive name: OPENVPN-site-to-site-SiteB
  • Method: Create an internal Certificate
  • Certificate Authority: <imported> ex. OPENVPN-site-to-site-CA
  • Type: Client Certificate
  • Key type: RSA (defined by user)
  • Key length: 4096 (defined by user)
  • Digest Algorithm: SHA512 (defined by user)
  • Lifetime (days): 7304 days (certificate validity can be defined, ex. 20 years; a shorter lifetime is preferable for client certificates, since they are the ones you will rotate or revoke)
  • Country code: DE (Germany) as example
  • State: Bavaria as example
  • City: Munich as example
  • Organization: Lab as example
  • E-mail address: [email protected] as example
  • Common Name: siteb (the server's client-specific override in Step 4.14 is matched on this exact value, so keep it unique per site)

3.3 Click on Save. Please repeat the same step on Site C with Descriptive name OPENVPN-site-to-site-SiteC and Common Name sitec

3.4 Navigate to OPNSENSE > VPN > OpenVPN > Instances > Static Keys & add a new static key on Site B

  • Description: <define> ex. OPENVPN-site-to-site-TLS-key
  • Mode: crypt (must be the same mode as on Site A)
  • Do not click Generate static key: paste the key saved in step 2.5 into the key field instead, so that all three sites hold the identical key
  • Click on Save

3.5 Please repeat the same step on Site C
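The static key generated in step 2.5 has to arrive on Site B and Site C (step 3.5) byte-for-byte identical, and a paste that loses a line or picks up formatting is a common cause of a tunnel that never completes its handshake. The following Python script is an added example, not part of this tutorial or of OPNsense: it generates a key in the same text layout as the GUI button, checks a pasted block for the defects that copying introduces, and computes a short fingerprint so the sites can confirm they hold the same key without sending the secret itself. The key layout (a 2048-bit key as 16 lines of 32 hex characters between "OpenVPN Static key V1" markers) is OpenVPN's own; the fingerprint and validity helpers are our own construction.

```python
"""Check an OpenVPN static key (the OPNSENSE 'TLS static key') before pasting it on a second site.

Added example, not part of the tutorial or of OPNsense. The text layout (a 2048-bit key as
16 lines of 32 hex characters between 'OpenVPN Static key V1' markers) is OpenVPN's own;
the fingerprint and validity helpers are our own construction.
"""
import hashlib
import secrets

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256  # 2048 bits, the size OpenVPN's --genkey (and the OPNSENSE button) produces


def generate_static_key() -> str:
    """Return a fresh key in the same layout as 'Generate static key' in the OPNSENSE GUI."""
    hexkey = secrets.token_bytes(KEY_BYTES).hex()
    lines = [hexkey[i:i + 32] for i in range(0, len(hexkey), 32)]
    return "\n".join([HEADER, *lines, FOOTER]) + "\n"


def parse_static_key(text: str) -> bytes:
    """Return the raw key bytes or raise ValueError naming the copy/paste defect.

    Comment lines starting with '#' (OpenVPN writes a few above the key) and blank
    lines are ignored, so a key copied together with its comments still parses.
    """
    lines = [line.strip() for line in text.splitlines()]
    lines = [line for line in lines if line and not line.startswith("#")]
    if not lines or lines[0] != HEADER:
        raise ValueError("missing BEGIN marker: paste the whole block, not only the hex lines")
    if lines[-1] != FOOTER:
        raise ValueError("missing END marker: the key was truncated while copying")
    try:
        key = bytes.fromhex("".join(lines[1:-1]))
    except ValueError:
        raise ValueError("non-hex characters inside the key: check for pasted formatting") from None
    if len(key) != KEY_BYTES:
        raise ValueError(f"key is {len(key)} bytes, expected {KEY_BYTES}: a line is missing or duplicated")
    return key


def is_valid_static_key(text: str) -> bool:
    """True when the pasted block decodes to a complete 2048-bit key."""
    try:
        parse_static_key(text)
        return True
    except ValueError:
        return False


def key_fingerprint(text: str) -> str:
    """Short SHA-256 digest of the key bytes: compare this between Site A and Site B/C
    instead of comparing (or sending around) the secret itself."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()[:16]


def same_key(text_a: str, text_b: str) -> bool:
    """True when both pasted blocks hold the same key, ignoring comments and whitespace."""
    return secrets.compare_digest(parse_static_key(text_a), parse_static_key(text_b))


if __name__ == "__main__":
    site_a = generate_static_key()
    print(site_a)
    print("fingerprint on Site A:", key_fingerprint(site_a))
    # Simulate a paste on Site B that lost the last hex line: caught before the tunnel is even tried.
    lines = site_a.splitlines()
    truncated = "\n".join(lines[:-2] + lines[-1:])
    print("Site B copy accepted:", is_valid_static_key(truncated))
```

Run it against each site's copy of the key and compare the fingerprints. The key carries the same weight as the CA material: a third party holding it can strip the tls-crypt wrapping and probe the TLS handshake directly, so keep the key out of chat and ticket systems and share only the fingerprint there.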

 

STEP4: Create OPENVPN server on Site A

4.1 Navigate to OPNSENSE > VPN > OPENVPN > Instances > Add (+) and create an OpenVPN server entry to establish connection between SiteA > SiteB

  • Role: Server
  • Description: OVPN-site-to-site-A-B
  • Enabled: yes
  • Protocol: UDP
  • Port number: 912 or any free UDP port (only Site A needs an inbound port; Site B and Site C always initiate outbound, which is why the CGNAT site works as a client)
  • Server (IPv4): 10.90.1.0/24   (we will create a new tunnel subnet for routing)
  • Certificate: OPENVPN-site-to-site-SERVER
  • TLS static Key: OPENVPN-site-to-site-TLS-key
  • Local network: 192.168.10.0/24,10.10.10.0/24,10.10.20.0/24,10.10.30.0/24,10.90.1.0/24,10.90.2.0/24 (Site A networks plus both tunnel subnets; these are pushed to the client as routes, and including the Site C tunnel lets Site B reach Site C's tunnel endpoint through Site A)
  • Remote network: 192.168.20.0/24,10.10.40.0/24,10.10.50.0/24,10.10.60.0/24 (Site B networks; this adds the routes on Site A, while the matching iroute that tells OpenVPN which client owns these subnets comes from the client-specific override in Step 4.14)

4.2 Save & create another one for Site C


  • Role: Server
  • Description: OVPN-site-to-site-A-C
  • Enabled: yes
  • Protocol: UDP
  • Port number: 913 or any free port
  • Server (IPv4): 10.90.2.0/24   (we will create a new tunnel subnet for routing)
  • Certificate: OPENVPN-site-to-site-SERVER
  • TLS static Key: OPENVPN-site-to-site-TLS-key
  • Local network: 192.168.10.0/24,10.10.10.0/24,10.10.20.0/24,10.10.30.0/24,10.90.1.0/24,10.90.2.0/24 (SITE A networks + tunnel for Site B & C)
  • Remote network: 192.168.30.0/24,10.10.70.0/24,10.10.80.0/24,10.10.90.0/24  (SITE C networks)

4.3 Save the instance.

4.4 Navigate to OPNSENSE > Interface > Assignments > Assign a new interface. In the description of the interface, please set short name for the OpenVPN tunnel like OVPN-Site-A-B & click on Add

4.5 Repeat the same step for the Site C tunnel interface

4.6 Once interfaces are created open the interface via OPNSENSE > Interfaces > OVPNSiteAB. Select enable interface, prevent interface from removal, click on Save and Apply Changes.

4.7 Repeat the same step for the Site C tunnel interface (OVPNSITEAC)

4.8 Navigate to OPNSENSE > Firewall > Rules > WAN > Add a rule

  • Action: Pass
  • Interface: WAN
  • Direction: in
  • TCP/IP version: IPv4
  • Protocol: UDP
  • Source: any (Site B has a dynamic address and Site C sits behind CGNAT, so the source cannot be pinned; if a client ever gets a static address, restrict the source to it)
  • Destination: WAN address
  • Destination port range: (other) 912 – (other) 912
  • Log: Log packets that are handled by this rule
  • Description: OVPN-site-to-site-A-B

4.9 Save & repeat same step for OVPN Site C that will run on port 913

4.10 Navigate to OPNSENSE > Firewall > Rules > OVPNSiteAB > Add a rule

  • Action: Pass
  • Interface: OVPNSiteAB
  • Direction: in
  • TCP/IP version: IPv4
  • Protocol: any
  • Source: any, or the Site B networks (192.168.20.0/24,10.10.40.0/24,10.10.50.0/24,10.10.60.0/24). Do not use "OVPNSiteAB net": that alias covers only the tunnel subnet 10.90.1.0/24, and LAN-to-LAN packets arrive with their original Site B source addresses, so they would not match the rule
  • Destination: any, or the Site A networks that Site B is allowed to reach (narrowing this per site is where least privilege between sites is enforced)
  • Log: Log packets that are handled by this rule
  • Description: Allow packets

4.11 Save & repeat the same step for OVPN Site C – OPNSENSE > Firewall > Rules > OVPNSiteAC > Add a rule

4.12 Navigate to OPNSENSE > System > Gateways > Configuration > Add Gateway

  • Name: OVPN-site-to-site-A-B
  • Description: OVPN-site-to-site-A-B
  • Interface: OVPNSiteAB
  • AddressFamily: IPv4

4.13 Save & repeat same step for OVPN Site C gateway

4.14 Navigate to OPNSENSE > VPN > OpenVPN > Client Specific Overrides > Add entry. The override is matched on the Common Name of the client certificate and supplies the iroute for the client's networks; without it, traffic from Site B's LANs is dropped on the server with "MULTI: bad source address from client" in the log.

  • Servers: OVPN-site-to-site-A-B
  • Common name: siteb (must match the Common Name of the Site B client certificate from Step 3)
  • IPv4 Tunnel network: 10.90.1.0/24 (tunnel subnet of the Site B server instance)
  • Remote network: 192.168.20.0/24,10.10.40.0/24,10.10.50.0/24,10.10.60.0/24 (Site B networks, identical to the Remote network of the OVPN-site-to-site-A-B server instance)

4.15 Save & repeat the same step for the Site C client-specific override

  • Servers: OVPN-site-to-site-A-C
  • Common name: sitec (must match the Common Name of the Site C client certificate from Step 3)
  • IPv4 Tunnel network: 10.90.2.0/24 (tunnel subnet of the Site C server instance)
  • Remote network: 192.168.30.0/24,10.10.70.0/24,10.10.80.0/24,10.10.90.0/24 (Site C networks, identical to the Remote network of the OVPN-site-to-site-A-C server instance)

 

STEP5: Configuration of OPENVPN client on Site B

5.1 Navigate to OPNSENSE > VPN > OpenVPN > Instances > Add (+) and create an OpenVPN client entry that connects Site B to Site A

  • Role: Client
  • Description: OVPN-Site-to-Site-A-B
  • Enabled: yes
  • Protocol: UDP (IPv4)
  • Remote: server.domain.com:912 (the DDNS name from Step 1 and the port of the OVPN-site-to-site-A-B server instance)
  • Certificate: OPENVPN-site-to-site-SiteB
  • TLS static Key: OPENVPN-site-to-site-TLS-key
  • Remote network: 192.168.10.0/24,10.10.10.0/24,10.10.20.0/24,10.10.30.0/24,192.168.30.0/24,10.10.70.0/24,10.10.80.0/24,10.10.90.0/24,10.90.2.0/24 (Site A and Site C networks plus the Site C tunnel; Site A also pushes its Local network list, but listing the routes here keeps them in place even if the push changes)

5.2 Save & Navigate to OPNSENSE > Interface > Assignments > Assign a new interface. In the description set short name for the OpenVPN client interface ex. OVPN-Site-A-B

5.3 Once interface is created open the OPNSENSE >  Interfaces > OVPNSiteAB, select enable interface, prevent interface from removal, click on Save and Apply Changes

5.4 Navigate to OPNSENSE > Firewall > Rules > OVPNSiteAB > Add a rule

  • Action: Pass
  • Interface: OVPNSiteAB
  • Direction: in
  • TCP/IP version: IPv4
  • Protocol: any
  • Source: any, or the Site A and Site C networks (traffic from those LANs arrives with its original source address; "OVPNSiteAB net" would match only the tunnel subnet 10.90.1.0/24)
  • Destination: any, or the Site B networks the other sites are allowed to reach
  • Log: Log packets that are handled by this rule
  • Description: Allow packets

Save, Apply Changes

5.5 Navigate OPNSENSE > System > Gateways > Configuration > Add Gateway

  • Name: OVPN-site-to-site-A-B
  • Description: OVPN-site-to-site-A-B
  • Interface: OVPNSiteAB
  • AddressFamily: IPv4

Save, Apply

5.6 Navigate to OPNSENSE > VPN > OpenVPN > Connection Status and check that the client shows as connected

If something is wrong, check all the settings above for mistakes and read OPNSENSE > VPN > OpenVPN > Log File on both the client and the server (raise the instance's verbosity if the default log is not enough): the client typically only reports a handshake timeout, while the server log states the actual reason.

 

STEP6: Configuration of OPENVPN client on Site C

6.1 Navigate to OPNSENSE > VPN > OpenVPN > Instances > Add (+) and create an OpenVPN client entry that connects Site C to Site A

  • Role: Client
  • Description: OVPN-Site-to-Site-A-C
  • Enabled: yes
  • Protocol: UDP (IPv4)
  • Remote: server.domain.com:913
  • Certificate: OPENVPN-site-to-site-SiteC
  • TLS static Key: OPENVPN-site-to-site-TLS-key
  • Remote network: 192.168.10.0/24,10.10.10.0/24,10.10.20.0/24,10.10.30.0/24,192.168.20.0/24,10.10.40.0/24,10.10.50.0/24,10.10.60.0/24,10.90.1.0/24 (Site A and Site B networks plus the Site B tunnel)

6.2 Save & Navigate to OPNSENSE > Interface > Assignments > Assign a new interface for the client tunnel interface. In the description set short name for the OpenVPN client interface ex. OVPN-Site-A-C

6.3 Once interface is created open the OPNSENSE >  Interfaces > OVPNSiteAC, select enable interface, prevent interface from removal, click on Save and Apply Changes

6.4 Navigate to OPNSENSE > Firewall > Rules > OVPNSiteAC > Add a rule

  • Action: Pass
  • Interface: OVPNSiteAC
  • Direction: in
  • TCP/IP version: IPv4
  • Protocol: any
  • Source: any, or the Site A and Site B networks (traffic from those LANs arrives with its original source address; "OVPNSiteAC net" would match only the tunnel subnet 10.90.2.0/24)
  • Destination: any, or the Site C networks the other sites are allowed to reach
  • Log: Log packets that are handled by this rule
  • Description: Allow packets

Save, Apply Changes

6.5 Navigate OPNSENSE > System > Gateways > Configuration > Add Gateway

  • Name: OVPN-site-to-site-A-C
  • Description: OVPN-site-to-site-A-C
  • Interface: OVPNSiteAC
  • AddressFamily: IPv4

Save, Apply

6.6 Navigate to OPNSENSE > VPN > OpenVPN > Connection Status and check that the client shows as connected

If something is wrong, check all the settings above for mistakes and read OPNSENSE > VPN > OpenVPN > Log File on both the client and the server; as with Site B, the server-side log is the one that names the cause.
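Steps 4 to 6 repeat the same address lists in five places (two server instances, two client-specific overrides, two client instances), and the most common site-to-site failures are a subnet missing or mistyped in one of them. The following Python script is an added example that is not part of this tutorial or of OPNsense: it derives every list from a single description of the three sites in the scenario above (a hub-and-spoke layout with Site A as the hub), checks that no LAN or tunnel subnet overlaps another, and flags any difference between a server instance's Remote network and the matching override. The field names mirror the GUI labels; the data structure and function names are our own.

```python
"""Derive the OpenVPN site-to-site address lists for the hub-and-spoke OPNSENSE scenario.

Added example, not part of the tutorial or of OPNsense. Site names, subnets and common
names are those of the scenario; the dict keys mirror the GUI labels but are our own.
"""
import ipaddress
from itertools import combinations

# Site A is the hub (OpenVPN server); B and C are spokes (OpenVPN clients).
SITES = {
    "A": {"lans": ["192.168.10.0/24", "10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24"]},
    "B": {"cn": "siteb", "tunnel": "10.90.1.0/24",
          "lans": ["192.168.20.0/24", "10.10.40.0/24", "10.10.50.0/24", "10.10.60.0/24"]},
    "C": {"cn": "sitec", "tunnel": "10.90.2.0/24",
          "lans": ["192.168.30.0/24", "10.10.70.0/24", "10.10.80.0/24", "10.10.90.0/24"]},
}
HUB = "A"


def _nets(prefixes):
    """Normalise every prefix through ipaddress so a malformed entry fails here, not in the GUI."""
    return [str(ipaddress.ip_network(p, strict=True)) for p in prefixes]


def spokes():
    return [name for name in SITES if name != HUB]


def server_instance(spoke):
    """Fields for the hub's server instance that terminates `spoke` (Steps 4.1 / 4.2)."""
    local = _nets(SITES[HUB]["lans"]) + [SITES[s]["tunnel"] for s in spokes()]
    return {
        "Server (IPv4)": SITES[spoke]["tunnel"],
        "Local network": ",".join(local),                        # pushed to the spoke as routes
        "Remote network": ",".join(_nets(SITES[spoke]["lans"])),  # routes on the hub
    }


def client_specific_override(spoke):
    """Fields for the override that binds the spoke's certificate CN to its networks (Step 4.14)."""
    return {
        "Common name": SITES[spoke]["cn"],
        "IPv4 Tunnel network": SITES[spoke]["tunnel"],
        "Remote network": ",".join(_nets(SITES[spoke]["lans"])),  # becomes the iroute
    }


def client_instance(spoke):
    """Remote network for the spoke's client instance (Steps 5.1 / 6.1): the hub's LANs
    plus every other spoke's LANs and tunnel, all reached through the hub."""
    remote = _nets(SITES[HUB]["lans"])
    for other in spokes():
        if other != spoke:
            remote += _nets(SITES[other]["lans"]) + [SITES[other]["tunnel"]]
    return {"Remote network": ",".join(remote)}


def overlapping_prefixes():
    """Pairs of (site, prefix) whose subnets overlap anywhere in the design.
    An overlap means one site's route silently shadows another's."""
    labelled = []
    for name, site in SITES.items():
        labelled += [(name, ipaddress.ip_network(p)) for p in site["lans"]]
        if "tunnel" in site:
            labelled.append((name, ipaddress.ip_network(site["tunnel"])))
    return [(a, b) for a, b in combinations(labelled, 2) if a[1].overlaps(b[1])]


def cso_mismatch(spoke, cso_remote_network):
    """Prefixes present in only one of: the server instance's Remote network (the route)
    and the override's Remote network (the iroute). Traffic flows only when both agree."""
    expected = set(server_instance(spoke)["Remote network"].split(","))
    got = set(_nets(cso_remote_network.split(",")))
    return sorted(expected ^ got)


if __name__ == "__main__":
    for s in spokes():
        print(f"hub server instance for {s}:", server_instance(s))
        print(f"override for {s}:          ", client_specific_override(s))
        print(f"client instance on {s}:    ", client_instance(s))
    print("overlaps:", overlapping_prefixes())
    # A typo such as 10.10.0.0/24 instead of 10.10.90.0/24 in the override shows up here.
    print("mismatch:", cso_mismatch("C", "192.168.30.0/24,10.10.70.0/24,10.10.80.0/24,10.10.0.0/24"))
```

Paste the generated strings into the GUI rather than retyping them. The cso_mismatch check exists because the route (instance) and the iroute (override) must agree: with only the route, Site A forwards packets into the tunnel but OpenVPN has no client to deliver them to; with only the iroute, the kernel never sends them into the tunnel at all.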

 

STEP7 Verify the Connection

7.1 To verify the connection:

  • Ping from a host on one site to a host on another (from a LAN client, not only from the firewall itself: a ping sourced by OPNSENSE uses the tunnel address and does not exercise the LAN routes, the override's iroute or the interface rules).
  • Ensure that devices on Site A can reach devices on Site B and Site C and vice versa, and that Site B can reach Site C through Site A.
  • If a host is unreachable, check that the route exists on the sending firewall under OPNSENSE > System > Routes > Status before suspecting the tunnel itself.

7.2 Check the OpenVPN logs on both ends for errors under OPNSENSE > VPN > OpenVPN > Log File

 

Troubleshooting Tips

  • Ensure the correct certificate and CA are selected on both sides, that the client certificate's Common Name matches its client-specific override, and that no certificate has expired.
  • Verify the WAN rule on Site A allows the UDP port, and that the tunnel interface rules match the remote LAN source addresses rather than only the tunnel subnet.
  • Check the log on both ends: the client usually only sees a handshake timeout, while the server log says why (static key mismatch, certificate verify error, missing iroute).
  • Ensure the routes are in place: the instance's Remote network adds the route and the override's Remote network adds the iroute; both are needed and must list the same subnets.
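The tips above come down to reading the OpenVPN log on both ends, and the client side is often misleading: with a wrong static key or a blocked port the client only sees a handshake timeout, while the server log names the actual cause. The following Python script is an added example, not part of this tutorial or of OPNsense: it matches log lines against message strings that OpenVPN itself emits and maps each to the step of this guide to re-check. The two sample logs are constructed for the demonstration (timestamps, process IDs and addresses are made up).

```python
"""Triage OpenVPN log lines (OPNSENSE > VPN > OpenVPN > Log File) into likely causes.

Added example, not part of the tutorial or of OPNsense. The matched fragments are message
strings OpenVPN logs; the sample logs below are constructed for this demonstration.
"""
import re

# (pattern on the message, diagnosis, what to re-check in this guide)
RULES = [
    (r"TLS key negotiation failed to occur within \d+ seconds",
     "no TLS handshake: packets never reach the server or never come back",
     "WAN rule and port (4.8), DDNS name resolves to the current WAN IP (1.6), Remote on the client (5.1)"),
    (r"tls-crypt unwrapping failed|tls_crypt_unwrap: packet authentication failed",
     "tls-crypt key mismatch: the static key on this side differs from the peer's",
     "identical static key and mode crypt on both sites (2.5, 3.5)"),
    (r"cannot locate HMAC in incoming packet",
     "tls-auth/tls-crypt mismatch: one side wraps the control channel, the other does not",
     "both instances reference the static key (4.1, 5.1)"),
    (r"VERIFY ERROR: depth=\d+, error=",
     "certificate chain rejected",
     "peer certificate is signed by the imported CA (2.1, 3.1) and has not expired"),
    (r"MULTI: bad source address from client \[[\d.]+\], packet dropped",
     "server has no iroute for that source subnet",
     "override Remote network for this CN includes the subnet (4.14) and the CN matches the certificate"),
    (r"Peer Connection Initiated with \[AF_INET6?\]",
     "handshake completed with the peer", "nothing: proceed to Step 7"),
    (r"Initialization Sequence Completed",
     "tunnel is up", "nothing: test routing and firewall rules"),
]
SUCCESS = ("handshake completed", "tunnel is up")


def triage(lines):
    """One (line, diagnosis, check) tuple per recognised line, in log order."""
    findings = []
    for line in lines:
        for pattern, diagnosis, check in RULES:
            if re.search(pattern, line):
                findings.append((line.strip(), diagnosis, check))
                break  # first matching rule wins
    return findings


def likely_root_cause(lines):
    """The first failure diagnosis in the log, or None when only success messages appear."""
    for _, diagnosis, _ in triage(lines):
        if not diagnosis.startswith(SUCCESS):
            return diagnosis
    return None


# Constructed: what the Site B client sees when its static key was pasted incorrectly.
SAMPLE_CLIENT_LOG = """\
2024-05-01T10:00:01 openvpn[1234]: TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:912
2024-05-01T10:00:01 openvpn[1234]: UDPv4 link remote: [AF_INET]203.0.113.10:912
2024-05-01T10:01:01 openvpn[1234]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-05-01T10:01:01 openvpn[1234]: TLS Error: TLS handshake failed
""".splitlines()

# Constructed: the same incident from Site A, followed by a later connect with a missing override.
SAMPLE_SERVER_LOG = """\
2024-05-01T10:02:05 openvpn[4321]: TLS Error: tls-crypt unwrapping failed from [AF_INET]198.51.100.7:51820
2024-05-01T10:05:40 openvpn[4321]: [siteb] Peer Connection Initiated with [AF_INET]198.51.100.7:51821
2024-05-01T10:05:41 openvpn[4321]: MULTI: bad source address from client [192.168.20.15], packet dropped
""".splitlines()

if __name__ == "__main__":
    for name, log in (("client", SAMPLE_CLIENT_LOG), ("server", SAMPLE_SERVER_LOG)):
        print(f"== {name}: root cause -> {likely_root_cause(log)}")
        for line, diagnosis, check in triage(log):
            print(f"  {diagnosis}\n    check: {check}\n    line:  {line}")
```

The client log alone would send you chasing firewall rules; the server log shows that the packets did arrive and were rejected because the tls-crypt key did not match, and that after the key was fixed the Site B LAN was still dropped for lack of an iroute. Always read both.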

 

By following these steps, you should be able to set up an OpenVPN Site-to-Site connection using SSL/TLS Certificate-Based Authentication on OPNsense. If you encounter issues, reviewing the OPNsense forums and documentation can provide additional insights and troubleshooting steps.
