Bobcares

How to Set Up pfSense Multi Site-to-Site VPN with OpenVPN


Learn how to set up pfSense multi site-to-site VPN with OpenVPN. Our pfSense Support team is here to answer the queries and concerns.

Our Experts recommend setting up a pfSense multi site-to-site VPN with OpenVPN to securely connect multiple remote offices or branch locations over the internet.

Instead of relying on expensive leased lines, this setup leverages pfSense firewalls and the OpenVPN protocol to create encrypted tunnels between sites, enabling seamless communication as if they were on the same local network.

Today, we will walk through the process of building a multi-site VPN using pfSense and OpenVPN, with examples and real-world performance insights.

What Is a Multi Site-to-Site VPN?

A multi site-to-site VPN connects more than two locations in a secure, point-to-point manner. In a pfSense setup, one site typically acts as the OpenVPN server, while the other locations connect as clients. This allows all offices to route traffic between each other securely and efficiently.

Need a basic walkthrough first? Here’s how we easily set up a pfSense site-to-site VPN.

Here are the key components:

  • pfSense: An open-source firewall with advanced VPN capabilities.
  • OpenVPN: A secure, flexible VPN protocol supported by pfSense.
  • Site-to-Site VPN: A connection between network gateways that allows full network access between remote sites.
  • Multi Site: Multiple VPN connections to various locations using one pfSense server.

Sample Network Setup

Let’s take a real-world example of three sites, Site X, Site Y, and Site Z, connected via a combination of OpenVPN and IPSec.

Here is the VPN Tunnel Configuration:

  • Site X: OpenVPN Server (UDP 14447 and 14448)
  • Site Y: OpenVPN Client (10.10.10.0/16)
  • Site Z: OpenVPN Client (10.10.11.0/16), also uses IPSec to connect with Site Y

Here is the internet connection speed:

  • Site X connection: 1Gbps UP/DOWN
  • Site Y connection: 100Mbps UP/DOWN
  • Site Z connection: ADSL 20Mbps DOWN / 5Mbps UP

Performance Test:

  • Site X – Site Y OpenVPN download test: ~10MB/s
  • Site X – Site Y IPSec download test: ~2MB/s

While IPSec worked without routing errors, it was significantly slower. To address this, the plan is to implement a complete OpenVPN setup across all sites by configuring a second WAN IP at Site Y.

Step-by-Step: Configuring Site-to-Site VPN with OpenVPN on pfSense

If you’re new to OpenVPN on pfSense, we recommend reviewing this guide to setting up OpenVPN on pfSense before diving into multi-site configurations.

Site X – OpenVPN Server Configuration

  1. First, go to VPN > OpenVPN > Servers and click +Add.
  2. Here are the basic settings:
    • Server Mode: Peer to Peer (Shared Key)
    • Device Mode: tun
    • Interface: WAN
    • Local Port: 1194 (or another unique port)
    • Shared Key: Auto-generate
    • Tunnel Network: `192.168.100.0/30`
    • Remote Network: `192.168.2.0/24` (Site Y’s LAN)
  3. Under the encryption settings, enable NCP (Negotiable Cryptographic Parameters) and select the algorithms to allow: AES-128-CBC or AES-128-GCM.
  4. Now, save the configuration.
  5. Then, add a firewall rule on the WAN interface with the following settings:
    • Protocol: UDP
    • Source: Any
    • Destination Port: 1194
  6. Next, add a firewall rule on the LAN interface with the following settings:
    • Source: LAN net
    • Destination: 192.168.2.0/24
    • Destination port: any

    This allows traffic from the local LAN to Site Y's network.

  7. Finally, we have to add a firewall rule on the OpenVPN interface with these settings:
    • Source: Network – 192.168.2.0/24 (Site Y's LAN)
    • Destination: LAN net
    • Destination port: any

    This allows traffic from Site Y's network to the local LAN.

Site Y – OpenVPN Client Configuration

  1. First, go to `VPN > OpenVPN > Clients` and click +Add.
  2. Here are the basic settings:
    • Server Mode: Peer to Peer (Shared Key)
    • Protocol: UDP
    • Device Mode: tun
    • Server Host: Public IP of Site X
    • Server Port: 1194
    • Shared Key: Paste the key from Site X
    • Tunnel Network: `192.168.100.0/30`
    • Remote Network: `192.168.1.0/24` (Site X’s LAN)
  3. Save the configuration.
  4. Then, add a firewall rule on the LAN interface with these settings:
    • Source: LAN net
    • Destination: 192.168.1.0/24
    • Destination port: any
  5. Next, add a firewall rule on the OpenVPN interface with these settings:
    • Source: 192.168.1.0/24
    • Destination: LAN net
    • Destination port: any
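The two configurations above are one procedure: the hub (Site X) runs one server instance per spoke, each on its own UDP port and its own /30 tunnel network, and every spoke points back at the hub. The planning helper below is an added example, not part of the Bobcares article or of pfSense; it checks a hub-and-spoke plan for the mistakes that break this setup (overlapping LAN or tunnel networks, a port reused by two server instances, a tunnel that is not a /30) and prints the OpenVPN static-key directives each pfSense field translates to. It goes one step beyond the article by giving each spoke a route to the other spokes' LANs, so spoke-to-spoke traffic can transit the hub. Site Z's LAN (192.168.3.0/24) and the `HUB_PUBLIC_IP` placeholder are constructed values.

```python
# Added example (not from the Bobcares article): planning helper for a hub-and-spoke
# pfSense/OpenVPN layout. LANs, ports and tunnel networks are constructed sample values
# based on the article; nothing here talks to pfSense or OpenVPN.
from ipaddress import ip_network
from typing import Dict, List

# Hub = OpenVPN server site, spokes = OpenVPN client sites (article's Site X / Y / Z).
HUB = {"name": "Site X", "lan": "192.168.1.0/24"}
SPOKES = [
    {"name": "Site Y", "lan": "192.168.2.0/24", "port": 14447, "tunnel": "192.168.100.0/30"},
    {"name": "Site Z", "lan": "192.168.3.0/24", "port": 14448, "tunnel": "192.168.100.4/30"},
]

def check_plan(hub, spokes) -> List[str]:
    """Return a list of problems: overlapping networks, reused ports, tunnels that are not /30."""
    problems = []
    nets = [(hub["name"] + " LAN", ip_network(hub["lan"]))]
    for s in spokes:
        nets.append((s["name"] + " LAN", ip_network(s["lan"])))
        t = ip_network(s["tunnel"])
        if t.prefixlen != 30:
            problems.append(f"{s['name']} tunnel {t} is not a /30 (p2p tun needs exactly 2 hosts)")
        nets.append((s["name"] + " tunnel", t))
    # Every LAN and tunnel network must be disjoint, or routes will silently collide.
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{n1} {a} overlaps {n2} {b}")
    ports = [s["port"] for s in spokes]
    for p in sorted({p for p in ports if ports.count(p) > 1}):
        problems.append(f"UDP port {p} is used by more than one server instance")
    return problems

def render(hub, spokes) -> Dict[str, List[str]]:
    """OpenVPN static-key directives each site needs (what the pfSense fields translate to)."""
    out: Dict[str, List[str]] = {}
    for s in spokes:
        # A /30 has exactly two usable addresses: server side first, client side second.
        srv_ip, cli_ip = [str(h) for h in ip_network(s["tunnel"]).hosts()]
        lan = ip_network(s["lan"])
        # One server instance on the hub per spoke: Local Port, Tunnel Network, Remote Network.
        out[f"{hub['name']} server for {s['name']}"] = [
            f"port {s['port']}", f"ifconfig {srv_ip} {cli_ip}",
            f"route {lan.network_address} {lan.netmask}"]
        # The spoke routes the hub LAN and every other spoke LAN through its tunnel.
        remotes = [ip_network(hub["lan"])] + [ip_network(o["lan"]) for o in spokes if o is not s]
        out[s["name"]] = [f"remote HUB_PUBLIC_IP {s['port']}", f"ifconfig {cli_ip} {srv_ip}"] + [
            f"route {r.network_address} {r.netmask}" for r in remotes]
    return out

if __name__ == "__main__":
    print(check_plan(HUB, SPOKES) or "plan OK")
    for site, lines in render(HUB, SPOKES).items():
        print(site, lines)
```

In static-key (shared key) mode OpenVPN uses a single `cipher` directive on both ends; the `route` lines are what the Remote Network field adds, and the firewall rules from steps 5 to 7 must still permit each listed network on the OpenVPN interface.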

Running into connection issues like TLS errors? This guide on troubleshooting TLS read errors in pfSense OpenVPN can help you further.

How to Verify the VPN Connection

  1. Go to Status > OpenVPN on both pfSense routers.
  2. The connection should display as UP, showing IP addresses and traffic statistics.
  3. Test connectivity using ping from one site to the other.

If the test fails, check the firewall rules, the OpenVPN logs, that the shared key matches on both sides, and that the routes are correct.

If you’re stuck during hostname resolution, see this troubleshooting guide for when OpenVPN cannot resolve host address.

Troubleshooting Tips


Conclusion

Setting up a pfSense multi site-to-site VPN with OpenVPN is a cost-effective and scalable way to connect remote offices.

In brief, our Support Experts demonstrated how to set up pfSense multi site-to-site VPN with OpenVPN.
