S2S VPN between Raspberry Pi and pfSense

I’ve recently bought a Raspberry Pi 4 device and, amongst other things, I thought of implementing a Site to Site VPN (using OpenVPN) on it, so I can more efficiently connect to environments I use, like Azure labs and stuff like that.

I’m not usually a step-by-step guides writer and, as such, I’ll just tell you the configuration I’ve used to setup the environment mentioned on this post’s subject. Another reason for writing this is that I wasn’t able to find a fully functional guide into this.

So, to start, let me describe both peers involved here:

  • Site A: Raspberry Pi 4 with private IP 172.16.250.253 connected behind a Vodafone router (with DMZ stuff in place – you know, my home, basically!)
    • Local network: 172.16.250.0/24
  • Site B: pfSense network appliance behind the same ISP using the same configuration
    • Local network(s): 172.16.0.0/24, 172.16.1.0/24 and so on…

From the Raspberry side, here’s the stuff needed:

  1. Install Raspbian. There are multiple guides out there, so I’ll not describe this part
  2. Enable kernel IP forwarding on your network interface
    1. For this, you’ll need to make sure that under file /etc/sysctl.conf there’s the following uncommented line: net.ipv4.ip_forward=1
  3. Install the OpenVPN daemon using the command: apt install openvpn
  4. Make sure you’ll enable VPN tunnels on daemon’s startup by editing /etc/default/openvpn with the line AUTOSTART="all"
  5. Generate a “pre-shared key” so your peers can connect to each other (and which you’ll later to pfSense’s configuration), using the command: openvpn --genkey --secret static.key
  6. Create (and edit) your OpenVPN “client” configuration file (/etc/openvpn/vpn.conf) as follows (replacing x.x.x.x with your peer’s public IP address).
dev tun
proto tcp-client
tun-mtu 1500
remote x.x.x.x 1194
secret static.key
resolv-retry infinite
nobind
verb 3
keepalive 10 60
ping-timer-rem
comp-lzo
cipher AES-128-CBC
auth SHA1
user root
group root
daemon
ifconfig 172.16.250.253 255.255.255.0
route 172.16.0.0 255.255.255.0
route 172.16.1.0 255.255.255.0
route 172.16.2.0 255.255.255.0
route 172.16.3.0 255.255.255.0
route 172.16.4.0 255.255.255.0
route 172.16.5.0 255.255.255.0
route 172.16.6.0 255.255.255.0
route 172.16.7.0 255.255.255.0
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

We’re pretty done here, so let’s configure pfSense to match these settings.

So, this will be our final configuration and this is where you’ll start:

So, under General Information, you’ll need to change these settings:

Under the crypto stuff, make sure to match our Raspberry Pi’s OpenVPN server settings and also input the previously generated key:

For the tunneling configuration part, we’ll just need to populated both peer’s local networks like this:

Take note on the compression side of this, since I lost some minutes struggling with warning messages on the log files because of this setting.

Last but not least, make sure you “announce” your local networks to your OpenVPN client so that it can reach all the local networks you want:

Now you can enable and start OpenVPN server on Raspbian with the following commands:

systemctl enable openvpn
systemctl start openvpn

You can monitor your tunnel status and logging by looking at Raspbian syslog file with this filter:

grep ovpn /var/log/syslog

If you see something like this, then you’re good to go and can start testing network connectivity:

Jul 17 17:58:06 hatchery ovpn-vpn[21154]: Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
Jul 17 17:58:08 hatchery ovpn-vpn[21154]: TCP connection established with [AF_INET]x.x.x.x:1194
Jul 17 17:58:08 hatchery ovpn-vpn[21154]: TCP_CLIENT link local: (not bound)
Jul 17 17:58:08 hatchery ovpn-vpn[21154]: TCP_CLIENT link remote: [AF_INET]x.x.x.x6:1194
Jul 17 17:58:08 hatchery ovpn-vpn[21154]: GID set to root
Jul 17 17:58:08 hatchery ovpn-vpn[21154]: UID set to root
Jul 17 17:58:08 hatchery ovpn-vpn[21154]: Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Jul 17 17:58:09 hatchery ovpn-vpn[21154]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 17 17:58:09 hatchery ovpn-vpn[21154]: Initialization Sequence Completed

Hope you like it. Feel free to comment or contact me in case you have any question!

Join the Conversation

1 Comment

Leave a comment

Your email address will not be published. Required fields are marked *

%d bloggers like this: