
Change OpenVPN Site-to-Site VPN from Shared Key to SSL/TLS (Netgate pfSense)

In this article, we’re modifying an existing OpenVPN site-to-site (peer to peer) VPN. We’re aware that OpenVPN will soon stop supporting shared keys for site-to-site VPNs, so we’re going to modify an existing VPN to use SSL/TLS rather than the shared key method.

We have access to both firewalls regardless of the state of the VPN. Therefore, we can take down the VPN, make our changes to both ends, and then bring the VPN back up without losing access to either firewall.

We’re using Netgate pfSense appliances.

TIP: The certificates are the hard part to get right. Here’s a quick summary of what we need to do:

  • On the server-firewall: Generate a CA, a Server certificate, and a User certificate. Specify the Server CA and Server certificate on the OpenVPN server-firewall. Export the CA certificate, and the User certificate (and key) for use with the client-firewall.
  • On the client-firewall: Import the CA certificate and import the User certificate from the server-firewall. Specify the Server CA and the User certificate on the OpenVPN client-firewall.

Server side settings

Make sure you have a “CA” and “server” certificate:

- Log into pfSense
- click System
- click Cert. Manager
- click Certificates

Export the “CA” certificate to your local system.

- click System
- click Cert. Manager
- click CAs
- click Export "CA" icon next to the CA you want to use

Save the exported “CA” certificate to your local system. We’ll use that later on the client-side.

Generate (but don’t export) a “Server” type certificate and key.

- click System
- click Cert. Manager
- click Certificates
- Generate a new Server certificate if you don't already have one

We don’t need to do anything with that Server certificate for now. We’ll reference it later when configuring the Server-side OpenVPN configuration.

Generate and export a “User” type certificate and key to your local system.

Important: Make a note of the CN (Common Name) that you give to the client certificate. It will be needed later in the “Client specific overrides” section.

- click System
- click Cert. Manager
- click Certificates
- Generate a new User certificate if you don't already have one
- click Export Certificate icon next to the certificate you want to use
- click Export Key icon next to that same certificate

Save the exported User certificate and key to your local system. We’ll use those later on the client-side.

Now we need to modify the OpenVPN server settings:

- Log into pfSense
- click VPN
- click OpenVPN
- click Servers
- click Edit on the VPN we want to modify

Cryptographic Settings
– Record the TLS key that was already in place. We’ll re-use this later.
– Change the “server mode” to “Peer to Peer (SSL/TLS)”.
– Check the “TLS Configuration” option.
– Uncheck the “Automatically generate a TLS Key” option.
– Paste the key you copied from earlier.
– Set “TLS Key Usage Mode” to “TLS Encryption and Authentication”.
– Set “TLS keydir direction” to “Both directions”.
– Set “Peer Certificate Authority” to the CA, and “Server certificate” to the “Server” certificate that you verified/created earlier in this walk-through.

Client Specific Overrides
Still on the server-firewall, we need to add a “client specific override”. This ties the certificate to the service.

- Log into pfSense
- click VPN
- click OpenVPN
- click Client Specific Overrides
- click Add

– Give a description.
– Specify the CN (common name) that I mentioned above that you should remember for later.
– Select the OpenVPN service from the “Server List”.
– Specify the client-side LAN network in the “IPv4 Remote Network/s” field.
– Click Save.

Client side settings

We need to import both the CA certificate, and the User certificate that we exported from the server-firewall.

Starting with the CA certificate:

- Log into pfSense
- click System
- click Cert. Manager
- click CAs
- click Add
- Select “import” and complete the form. You need to copy/paste the contents of the certificate only

Now we import the User certificate and key:

- Log into pfSense
- click System
- click Cert. Manager
- click Certificates
- click Add
- Select “import” and complete the form. You need to copy/paste both the certificate and the key

Now we need to modify the OpenVPN client settings:

- Log into pfSense
- click VPN
- click OpenVPN
- click Clients
- click Edit on the VPN we want to modify

Cryptographic Settings
– Record the TLS key that was already in place. We’ll re-use this later.
– Change the “server mode” to “Peer to Peer (SSL/TLS)”.
– Check the “TLS Configuration” option.
– Uncheck the “Automatically generate a TLS Key” option.
– Paste the key you copied from earlier.
– Set “TLS Key Usage Mode” to “TLS Encryption and Authentication”.
– Set “TLS keydir direction” to “Both directions”.
– Set “Peer Certificate Authority” to the “CA” that you imported earlier in this section of the walk-through.
– Set “Client Certificate” to the “User” certificate that you imported earlier in this section of the walk-through.

Save your work. It should be all done now. You can check the Netgate documentation on this topic at https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html.

One comment

  1. Thank you for this guide! I just upgraded from pfsense 2.6 to 2.7 and this helped me a lot 🙂
