How to configure OpenVPN shared key tunnels using pfSense and OpenWRT.


Ver. 1.0 (11.1.2006)
Author: Ville Leinonen

In this document I try to explain how to configure SSL-based site-to-site tunnels using pfSense /1/ and
OpenWRT /2/. In this example I use a shared key, because it is the easiest way to set up a site-to-site
tunnel. The drawback is that only one tunnel per key can be used, but that is enough for me. This document
assumes that the reader has some experience with pfSense and OpenWRT.


Below is a picture of the example environment used in this document. The WAN address for pfSense is
made up.

Picture 1. Example network environment.

Home office: LAN:
WAN: dhcp

pfSense: LAN:

Generating key

You must generate a shared static key.

Step 1. Open an SSH session to your pfSense firewall.
Step 2. Select 8 and press Enter.

pfSense console setup
0) Logout (SSH only)
1) Assign Interfaces
2) Set LAN IP address
3) Reset webConfigurator password
4) Reset to factory defaults
5) Reboot system
6) Halt system
7) Ping host
8) Shell
9) PFtop
10) Filter Logs
11) Restart webConfigurator

Enter an option: 8

Step 3. Generate the key
# openvpn --genkey --secret /tmp/myshared.key

Example key:
# more /tmp/myshared.key
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

Step 4. Copy the key to your computer.
Step 5. Delete the generated key file.
# rm /tmp/myshared.key
Step 6. Log out
# exit
Step 7. Choose 0 and press Enter.

Setup pfSense

This document assumes that you have an existing and working pfSense environment.

Step 1. Select the OpenVPN link.

Step 2. Click the “add new server” button.

Step 3. Create the OpenVPN server.

- Protocol: TCP (the transport protocol for the tunnel)
- Local port: 1194 (the server listens on this port)
- Address pool: (the client gets its tun0 address from this pool)
- Cryptography: BF-CBC (128-bit) (the cipher used for the tunnel)
- Authentication method: Shared key (paste your generated key here)
- LZO compression (tick this)
- Description: OPTIONAL, a description for the tunnel
- Click Save.

Step 4. Select Rules.

Step 5. Select “Add new rule”.

Step 6. Add a rule to allow OpenVPN tunnel traffic.

- Action: Pass (allow the traffic)
- Interface: WAN (select the interface/address your client connects to)
- Protocol: TCP
- Log: tick this (yes, we want to log this traffic)
- Destination port range: 1194 (allow OpenVPN tunnel connections)
- Description: OPTIONAL, a description for the rule
- Click Save

Setup OpenWRT

This document assumes that you have a working OpenWRT environment.
This document assumes that you have updated your OpenWRT package list with access to backports.

Step 1. Open an SSH session to your OpenWRT box.
Step 2. Paste your key file into the /etc/openvpn directory. (OpenWRT uses the vi editor; see vi help /3/.)
# vi /etc/openvpn/myshared.key
- Inside vi, press Esc and then i
- Paste your key
- Press Esc
- Type :wq! and press Enter
Step 3. Create the configuration file in the /etc/config/ directory

dev tun0                          # Create/use tunnel device tun0
proto tcp-client                  # Use TCP and act as the client side
keepalive 10 60                   # Ping every 10 s, restart if no reply for 60 s
persist-tun                       # Keep the tun device open across restarts
persist-key                       # Keep key material loaded across restarts
ifconfig                          # tun0 local and remote address (from the pfSense address pool)
route                             # Route for the corporate network behind pfSense
remote 1194                       # OpenVPN server address and port
resolv-retry infinite             # Keep retrying hostname resolution (road-warrior setting)
nobind                            # Don't bind to a specific local port
mute-replay-warnings              # Silence replay warnings (useful on lossy WLAN links)
secret /etc/openvpn/myshared.key  # Where our shared key file is located
comp-lzo                          # Enable LZO compression
verb 3                            # Log verbosity

Example. myopenvpn.cfg file

Step 4. Create the startup script in the /etc/init.d directory.

#!/bin/sh
# Save as /etc/init.d/S98openvpn and make it executable (chmod +x)
# Make sure that the tun module is loaded
insmod tun
# Start the OpenVPN daemon with the configuration file from Step 3
openvpn --daemon --config /etc/config/myopenvpn.cfg --ifconfig-nowarn
# Allow traffic arriving from the tunnel /4/
iptables -A INPUT -i tun+ -j ACCEPT
# Allow forwarding of traffic coming from the tunnel
iptables -A FORWARD -i tun+ -j ACCEPT
# Allow forwarding of traffic from the br0 (LAN) interface into the tunnel
iptables -A FORWARD -i br0 -o tun+ -j ACCEPT

Example. S98openvpn file

Step 5. Restart your OpenWRT box and watch your pfSense firewall and OpenVPN logs.

You should see something like this:
Jan 11 12:52:47 openvpn[9494]: Initialization Sequence Completed
Jan 11 12:52:46 openvpn[9494]: Peer Connection Initiated with
Jan 11 12:52:46 openvpn[9494]: TCPv4_SERVER link remote:
Jan 11 12:52:46 openvpn[9494]: TCPv4_SERVER link local (bound): [undef]:1194
Jan 11 12:52:46 openvpn[9494]: TCP connection established with
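Before the restart in Step 5 it is worth checking that the key pasted in Step 2 survived intact and is not readable by other users on the box, and that the configuration file from Step 3 actually points at it. The script below is an added example; it is not part of the original document and not pfSense's or OpenWRT's own tooling. It assumes the file names used above (/etc/openvpn/myshared.key and /etc/config/myopenvpn.cfg), the script name openvpn-check.sh is made up, and the check rules describe the layout of a 2048-bit V1 static key as written by openvpn --genkey: 16 lines of 32 hex characters between the BEGIN and END markers.

```shell
#!/bin/sh
# Added example (not from the original document, pfSense or OpenWRT):
# sanity checks for the shared static key and the OpenVPN client config
# before the tunnel is started on the OpenWRT box.

# check_key_file FILE
# Returns 0 when FILE is a plausible, properly protected V1 static key.
check_key_file() {
    file=$1
    [ -f "$file" ] || { echo "key: $file does not exist" >&2; return 1; }

    # Anyone who can read the key can join the tunnel: require mode 0600/0400.
    # A file created by pasting into vi normally gets the umask (0644).
    mode=$(ls -ld "$file" | cut -c1-10)
    case "$mode" in
        ????------) ;;
        *) echo "key: $file is readable by group/other ($mode), run chmod 600" >&2
           return 1 ;;
    esac

    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$file" ||
        { echo "key: BEGIN marker missing (paste error?)" >&2; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$file" ||
        { echo "key: END marker missing (paste error?)" >&2; return 1; }

    # A 2048-bit key is 256 bytes = 512 hex characters = 16 lines of 32.
    lines=$(grep -c '^[0-9a-f]\{32\}$' "$file" || true)
    [ "$lines" -eq 16 ] ||
        { echo "key: expected 16 hex lines, found $lines (truncated paste?)" >&2; return 1; }
    return 0
}

# check_config FILE
# Returns 0 when FILE carries the directives the tunnel above needs and its
# 'secret' directive points at a key that passes check_key_file.
check_config() {
    cfg=$1
    [ -f "$cfg" ] || { echo "config: $cfg does not exist" >&2; return 1; }
    for d in dev proto remote ifconfig secret; do
        grep -q "^$d[[:space:]]" "$cfg" ||
            { echo "config: missing '$d' directive in $cfg" >&2; return 1; }
    done
    key=$(awk '$1 == "secret" { print $2; exit }' "$cfg")
    check_key_file "$key"
}

# Usage on the box: sh openvpn-check.sh /etc/config/myopenvpn.cfg
if [ "$#" -gt 0 ]; then
    check_config "$1" && echo "OK: $1 and its key look sane"
fi
```

The script exits non-zero and prints the reason when the key is group- or world-readable, when a marker is missing, or when the hex body is not exactly 16 lines, which is the usual result of a partial paste in vi; only the first failing check is reported so the message stays readable on a router console.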