pfSense <-> Mikrotik OpenVPN Site-to-Site

Graeme Noble
5 min readSep 13, 2019

--

Summary

This guide will provide guidance on setting up a OpenVPN Site-to-Site VPN between a pfSense and Mikrotik devices.

  • Hyper-V lab was setup to implement and test the solution.
  • IP addressing configuration is intentionally selected as close to vendor defaults.
  • Firewall rules are intentionally lax for proof of concept and should be adjusted based on real world implementation.

Create Certificates

pfSense is selected as the OpenVPN Server in this scenario because it has the most flexible configuration of the two devices, the Mikrotik support for OpenVPN is limited so it is configured as the client device that will dial out.

OpenVPN uses certificate authentication, a CA cert is created on the pfSense machine which will sign two certificates for the configuration, the first a server certificate for pfSense and the second a client cert for the Mikrotik.

  1. Create CA cert on pfSense device.
  2. Create Server certificate for pfSense OpenVPN server.
  3. Create Client certificate for the Mikrotik OpenVPN client.

Additional certificate details are not completed in this documentation, but would be configured based on implementation.

Create OpenVPN Server

OpenVPN server is created on the pfSense device, important settings for Mikrotik compatibility:

  • Server mode Peer-to-Peer.
  • Protocol changed to TCP.
  • TLS Key disabled as it’s not supported on Mikrotik.
  • pfSense server certificate is selected.
  • Encryption Algorithm changed to AES-256-CBC
  • AES-256-CBC added to NCP.
  • Auth digest algorithm changed to SHA1.
  • A IPv4 Tunnel Network is set. (This should be a new unique network, pfSense documentation uses 10.0.8.0/24).
  • IPv4 Local networks are set. (The networks on the server side that need to be accessed remotely).
  • IPv4 Remote networks are set. (The networks on the client side that need to be accessed remotely).
  • Compression is set to Omit Preference.
  • Logging level set to 4 for troubleshooting.

Export client cert for Mikrotik

Export the Mikrotik client cert as a p12 file so it will include the CA cert as a bundle and transfer it to the Mikrotik so the OpenVPN client can be setup.

Setup Mikrotik OpenVPN client

Upload the P12 client certificate file to the Mikrotik and import it into System->Certificates, they should be renamed for easier OpenVPN client configuration.

Create a new OpenVPN client interface on the Mikrotik with settings to match OpenVPN server:

  • Connect to set to WAN IP of pfSense device.
  • A username needs to be set but is not used.
  • The correct Mikrotik client certificate selected.
  • Auth is set to SHA1.
  • Cipher is set AES-256

It will attempt to dial the OpenVPN server, but it will be blocked by pfSense default WAN firewall rules.

Update pfSense WAN Firewall Rules

Allow access to the OpenVPN server ports which have been configured on TCP1194, if the WAN address of the Mikrotik is static, configure the rule to this source IP.

Confirm OpenVPN connectivity

Once firewall rules have been added to allow traffic on the OpenVPN port between the server and client, the Mikrotik should be able to obtain a connection.

Update pfSense OpenVPN Firewall Rules

A new tab will appear under pfSense firewall rules for the OpenVPN interface, in this example all traffic is allowed, during implementation only traffic required to be allowed over the VPN should be allowed. (Rules added for incoming traffic to pfSense)

Add Client Specific Overrides for Mikrotik subnets.

Although all the local/remote subnets have been added to the pfSense OpenVPN server configuration, it doesn’t know which clients have which remote subnets and will drop the incoming traffic because it’s not in the OpenVPN routing table for that OpenVPN client.

A client specific override is added to the pfSense OpenVPN configuration, this is matched based on the certificate name the client is using, it’s best practice to use unique names/certificates for each client during implementation which identify the site/client clearly.

Because the OpenVPN client should be connected you can use the pfSense OpenVPN status page to copy and paste the exact certificate name of the connected OpenVPN client. Important settings are as follows:

  • Common Name is set to the client certificate name.
  • iroute <network> <netmask> for each remote network of that client is added in the Advanced field.

The OpenVPN server is restarted to force the OpenVPN client to reconnect and apply the changes, the network routes will now appear in the OpenVPN routing table in the status page.

Network Connectivity Testing

Traffic should now be routing over the OpenVPN connection and not blocked by any firewall rules, perform connectivity testing to ensure the traffic is allowed as expected.

--

--

Graeme Noble

I'm not actually wearing a santa hat.. you need to clear your cache.