OpenWRT and PFsense, site-to-site OpenVPN

Hi there,

I have been banging my head against this seemingly simple issue for a while now, and I really need some help before I jump out of a window ;o). Any tips or hints would be greatly appreciated.

For my organisation I run a few pfSense (24.11) firewalls on our permanent locations. We have many temporary locations for events we set up that I want to connect to HQ. I want to do this using a site-to-site VPN so we can do (bidirectional) remote hardware management on those sites. The pfSense firewall at HQ that I want the sites to connect to is already running an OpenVPN server for employee remote access, and a site-to-site IPsec VPN to our other permanent locations (that have a static IP).

Now I have a bunch of low-cost Ubiquiti EdgeRouter-X firewalls, flashed with the latest version of OpenWRT (24.10.1). I want to use these EdgeRouters to set up a local network for us, and act as gateway and firewall between any network/internet connection offered on site. I want the EdgeRouters to automatically connect to HQ using OpenVPN, so that I can hand one of these EdgeRouters to the engineers and, when they have an internet uplink on site, they just have to plug it in and it phones home, allowing us to access all the devices behind the EdgeRouter on its DHCP-enabled LAN. The intended setup is as follows (the goal is to have about 20 EdgeRouters at different event locations in the field connected to HQ):

HQ-LAN <> HQ(pfsense) >> [INTERNET] << remote_edgerouter-openwrt_1 <> remote lan 1
HQ-LAN <> HQ(pfsense) >> [INTERNET] << remote_edgerouter-openwrt_2 <> remote lan 2

Now I have succeeded in getting the EdgeRouters to use a dial-up remote access connection, where each connects using the remote access OpenVPN server on pfSense. From the network behind the EdgeRouter I am able to reach everything at HQ behind the pfSense firewall, but from hosts on the HQ network I am not able to reach the EdgeRouter or anything behind it.

So I have set up a second Peer-to-Peer VPN server on the pfSense firewall in HQ, using port 1195, but I cannot get the EdgeRouters to connect to it. The current config does try to connect to the server, where I can even see the incoming connections in pfSense, but they keep disconnecting due to a TLS handshake error.
Sadly all the manuals on how to set up site-to-site OpenVPN between pfSense and OpenWRT seem to be very outdated, and most still use the since-deprecated 'Peer-to-Peer (Shared Key)' server setting in pfSense. I would like to set up a Peer-to-Peer (SSL/TLS) connection between HQ and the EdgeRouters, and I am a little stuck on how to configure the EdgeRouter properly for this type of connection.

The following is the VPN config on the EdgeRouters. The many different manuals I have tried to troubleshoot the issue left my config a bit of a mess, as I am no expert on OpenVPN, but I do have some experience with (IPsec) VPNs. So I am fairly confident the server settings and the (omitted) certificates I used, reflected below, are correct. I feel the issue is with the OpenVPN config on the EdgeRouter not correctly setting up TLS authentication, likely because I am using the wrong OpenVPN commands to tell OpenWRT to do what I want. Could anyone tell me what I am doing wrong in this setup for the client, and how I can correct it? (Thanks in advance for any help!)

dev tun
nobind
persist-tun
persist-key
data-ciphers AES-256-CBC
auth SHA512
tls-client
resolv-retry infinite
keepalive 10 60
remote [[HQ-REMOTE-IP]] 1195 udp4
route [[HQ-LAN-IP-RANGE]] 255.255.255.0
verb 5
verify-x509-name "HQ-site-to-site" name
remote-cert-tls server
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

</tls-auth>
  1. The ER-X would appear to be too low end to perform the task of a "road warrior" VPN LAN.
  2. I would use Tailscale instead of OpenVPN as it will function behind another router to provide a "road warrior" VPN LAN.
  3. Tailscale can be installed on your pfSense Routers so it would be pretty seamless.

Each remote LAN must be a different subnet. This system is based on symmetric routing to and from the remote LANs.
OpenVPN must use TLS authentication with a different client certificate for each remote, all signed by the same CA certificate.
At the OpenVPN server, set up a client config directory and install an iroute to each remote LAN based on the CN of the remote's certificate.
Do not NAT into the VPN tunnel in either direction.

Thanks for your reply, Summit.

  1. The ER-X is not very powerful, but powerful enough to do what I need (access devices over SSH and their config web pages). It can make a connection that works without issue. I just want the routing through the dial-up tunnel to be bidirectional.
  2. I have not looked into Tailscale extensively since pfSense does not play nice with WireGuard, and I assumed that would include Tailscale, though I now see there is an option to do it. But I do not like that Tailscale uses a middle-man approach; I would like to maintain these connections without the need for a third-party login somewhere. We currently use LogMeIn for the middle-man approach for connections to our event LANs, but that is exactly what I am trying to rid ourselves of.
  3. I did check to see how installation of Tailscale works on both OpenWRT and pfSense, and it does seem to be a pretty straightforward process. But it requires an account on the Tailscale site, and third-party dependency is something I want to avoid.

Thanks to you as well, mk24. I do have the subnets well defined, and the routing should not be an issue, as the routing works for the IPsec and OpenVPN remote access connections. I also made a unique CA certificate on the pfSense box, and certificates for the connections from that. The problem seems to be in the way I am telling OpenWRT to open this specific connection.
Your comment did make me think. I will try to build the same connection on a pfSense box first, and then try to copy it to the OpenWRT box, to exclude any possibility that the fault is on the server side.

The OpenVPN server knows which particular client has connected by the CN of its certificate. This is then used to get the remote LAN subnet from the server's client config directory and make a route in the server to the particular remote LAN. (That is done both in the server's kernel routing table, routing the subnet to the OpenVPN tunnel, and in an internal table in OpenVPN which dispatches packets that enter the tunnel to a particular client.) Since the OpenVPN server here is on pfSense, you need to go there for support.

The process for site-to-site setup is much easier if you use WireGuard which is also much more performant.
That said I do run an OpenVPN site-to-site setup as backup for WireGuard.

Maybe my notes can be helpful describing the process, but basically mk24 already explained it:

In a setup where a single server can handle many clients, it is sometimes necessary to set per-client options that overrule the global options, or to add extra options to a particular client. The option client-config-dir is very useful for this. It allows the VPN administrator to assign a specific IP address to a client, in order to push specific options such as a DNS server to a particular client or to temporarily disable a client altogether.
This option is also vital if you want to route a subnet from the server side to the client side.

Add to the OpenVPN servers config file:
#set option for CCD dir in openvpn config:
client-config-dir /etc/openvpn/ccd

This example has the LAN subnet of the server as 192.168.6.0/24; the LAN subnet of the client is 172.18.18.0/24.
Push the server-side LAN subnet to clients by adding redirect-gateway, or:
push "route 192.168.6.0 255.255.255.0 vpn_gateway"

Instruct server to add a route to the client-side LAN for all local server side clients:
route 172.18.18.0 255.255.255.0 vpn_gateway

From Command line:
#Make ccd directory
mkdir /etc/openvpn/ccd

#Make the DEFAULT file, which is used if no file matching the client name exists, so it is only suitable if there is just one VPN client. If the server serves multiple clients, certificate authentication must be used with a unique certificate for each client; the CN of the certificate matches the file name for that client in the ccd.
touch /etc/openvpn/ccd/DEFAULT

#Add iroute for the client-side LAN (172.18.18.0/24, matching the server "route" line above) to the DEFAULT ccd file
echo "iroute 172.18.18.0 255.255.255.0" > /etc/openvpn/ccd/DEFAULT

Firewall
The firewall on the client side must be set up as if it were an OpenVPN server, so with ACCEPT on INPUT and FORWARD and no masquerading.
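Putting mk24's CN-to-iroute rule and the ccd notes above together, here is an added example (not from anyone in this thread) that generates the server-side pieces for several remotes at once: one ccd file per client certificate CN holding its iroute, the matching server route lines, and a check that no two remotes claim the same LAN. The CNs, subnets and directory are constructed; the OpenVPN server itself is assumed to be a plain config file rather than the pfSense GUI.

```shell
#!/bin/sh
# Added example: build client-config-dir entries and server "route" lines from a
# CN -> remote LAN mapping. All names, subnets and paths below are constructed.
set -eu

# One line per remote router: "<client certificate CN> <remote LAN in CIDR>".
REMOTES='remote-openwrt-1 172.18.18.0/24
remote-openwrt-2 172.18.19.0/24'

# Convert a prefix length (0-32) to a dotted netmask, e.g. 24 -> 255.255.255.0
cidr_mask() {
    bits=$1 mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then octet=255; bits=$((bits - 8))
        else octet=$(( (255 << (8 - bits)) & 255 )); bits=0; fi
        mask="${mask:+$mask.}$octet"
    done
    printf '%s' "$mask"
}

# Write <ccd_dir>/<CN> containing that client's iroute and print the server.conf
# lines to stdout. Fails if two remotes share a LAN: OpenVPN can dispatch a
# subnet to only one client, which is why every remote LAN must be distinct.
gen_ccd() {
    ccd_dir=$1
    mkdir -p "$ccd_dir"
    dups=$(printf '%s\n' "$REMOTES" | awk '{print $2}' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate remote LAN(s): $dups" >&2
        return 1
    fi
    printf 'client-config-dir %s\n' "$ccd_dir"
    printf '%s\n' "$REMOTES" | while read -r cn cidr; do
        net=${cidr%/*}
        mask=$(cidr_mask "${cidr#*/}")
        # iroute lives in the per-client file: OpenVPN's internal dispatch table
        printf 'iroute %s %s\n' "$net" "$mask" > "$ccd_dir/$cn"
        # route lives in server.conf: the kernel sends the subnet into the tunnel
        printf 'route %s %s vpn_gateway\n' "$net" "$mask"
    done
}

# Usage: sh gen_ccd.sh /etc/openvpn/ccd  (appends nothing; review stdout first)
if [ $# -gt 0 ]; then gen_ccd "$1"; fi
```

Run it once with the real ccd directory, paste the printed lines into the server config, and verify that each remote's client certificate CN exactly matches its file name in the ccd directory.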

If you need something more powerful than the ER-X, then look for the Ubiquiti ER-4 on the second-hand market. I have both routers and the difference is significant. With the ER-4 you get the choice of running Tailscale on EdgeOS via some help from GitHub, or running Tailscale on OpenWRT.

I had a look at LogMeIn and it has limited features and device support when compared to Tailscale. It seems to require software on every device, with no opportunity to establish a VPN server on the pfSense like the Tailscale exit node.

Tailscale does make use of their own DERP servers in circumstances where a direct connection is not possible. However, the VPN tunnel is never decrypted, as Tailscale is end-to-end VPN encryption.

Tailscale Connection types

Why involve a third party if you do not have to?
