Configure Peer-to-Peer VPN with OpenVPN

Hello, I'm trying to set up a peer-to-peer connection for bi-directional communication between my home network and a remote network. The remote network is using pfSense, if that matters. So far, I've configured most of it, and the communication is working Remote->Home, but not vice versa.

Home network is 10.0.0.0/24, remote network is 10.0.33.0/24, vpn subnet is 10.0.9.0/24.

This works Remote->Home if I set up a covered interface on the WAN zone, OR if I set up a covered interface on the LAN zone (but only if I enable masquerading, which seems not ideal and probably breaks Home->Remote communication). I'll attach my configs.

Thanks so much in advance!

NETWORK:

root@gw01:/etc/config# cat network

# Stock loopback definition.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2a:4a1a:1bfd::/48'

# Single bridge with eth0 as its only port; carries the 'lan' interface below.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# This router's LAN is 10.0.33.1/24, i.e. the 10.0.33.0/24 network named in the
# post. Together with 'client' in the OpenVPN profile, this is the client side
# of the tunnel, so the far end must route 10.0.33.0/24 back toward it.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.33.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Upstream link, addressed by DHCP.
# NOTE(review): no interface is declared here for the tunnel itself; the
# firewall only picks up 'tun0' by device name inside the wan zone. Declaring a
# dedicated interface for tun0 (proto 'none') would let the tunnel get its own
# firewall zone instead of inheriting the wan zone's REJECT/masquerade policy.
config interface 'wwan'
	option proto 'dhcp'

OpenVPN:

root@gw01:/etc/config# cat /etc/openvpn/fw00.ovpn
# Routed (layer-3) tunnel: the site-to-site routing discussed in the replies
# (route/iroute on the server) assumes a tun device.
dev tun
# Keep the tun device and key material across reconnects/restarts.
persist-tun
persist-key
# Data-channel ciphers, AEAD first. The CBC fallback is non-AEAD and only
# used when the peer cannot negotiate any of the data-ciphers; consider
# removing it once the server is confirmed to negotiate an AEAD cipher.
data-ciphers AES-128-GCM:CHACHA20-POLY1305:AES-256-GCM
data-ciphers-fallback AES-128-CBC
# HMAC digest for the control channel (and for the CBC fallback, if used).
auth SHA256
tls-client
client
resolv-retry infinite
# Server endpoint, IPv4/UDP only (address redacted in the post).
remote xx.xx.xx.xx 1194 udp4
nobind
# CA that must have signed the server certificate.
ca /etc/openvpn/glaske-ca.crt
# Pin the expected server CN; with remote-cert-tls below this stops another
# certificate issued by the same CA from posing as the server.
verify-x509-name "fw00.glaske.net" name
# Client certificate + private key in one PKCS#12 bundle.
pkcs12 /etc/openvpn/fw00-UDP4-1194-boat-vpn.p12
# Control-channel HMAC key; direction 1 is the client side of the pair.
tls-auth /etc/openvpn/fw00-UDP4-1194-boat-vpn-tls.key 1
# Require the server certificate to carry the server role (EKU/nsCertType).
remote-cert-tls server
explicit-exit-notify
# Drop any redirect-gateway the server pushes, so this router's default
# route is never moved into the tunnel; routes pushed for specific
# networks are still accepted.
pull-filter ignore redirect-gateway

Firewall:

root@gw01:/etc/config# cat firewall

# Zone-less defaults: drop unsolicited input, allow output, allow forwarding
# between zones unless a zone says otherwise.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

# lan zone: fully open for the 10.0.33.0/24 side.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# wan zone: covers the upstream 'wwan' interface AND, by device name, the
# OpenVPN tunnel 'tun0'. Two consequences for tunnel traffic:
#   - forward 'REJECT' here, plus only a lan->wan forwarding below, means
#     packets arriving on tun0 for the lan are not forwarded; this is
#     consistent with the direction reported as failing in the post.
#   - masq '1' also applies to tun0, so the far side sees this router's
#     tunnel address rather than real 10.0.33.x sources. That is why the
#     working direction does not depend on the server routing 10.0.33.0/24
#     back here (the route/iroute the reply mentions).
# Giving tun0 its own zone with explicit forwardings and no masquerade
# would avoid both; the far end then needs a route for 10.0.33.0/24 to this client.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wwan'
	list device 'tun0'

# Only lan->wan forwarding is defined; there is no wan(tun0)->lan forwarding.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below are the stock OpenWrt defaults for the wan zone. Because
# tun0 is in wan, they also apply to traffic from the tunnel; in particular
# Allow-IPSec-ESP and Allow-ISAKMP permit wan->lan forwarding of ESP and
# UDP/500 from tunnel peers as well as from the internet.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

I think you are referring to a site-to-site setup allowing bidirectional traffic between sites.
Yes this can be done with OpenVPN but it needs route and iroute with ccd files on the server.

Meaning it is somewhat complicated.

Have you considered using WireGuard? It is much faster and easier to set up.


I definitely did. Can you forward me a guide to setting that up? Most of the material I found was about a WireGuard client, not site-to-site.

See: https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site
