I want to establish an S2S OpenVPN connection between pfSense and a UniFi Gateway, the server being in pfSense.
If I create the server with a shared key in pfSense, it tells you that OpenVPN has deprecated peer-to-peer shared key and it will be removed. So you must use SSL/TLS.
On the Unifi side (Network version 10.0.162), I cannot create an OpenVPN Site-to-Site peer that uses TLS - it currently only supports shared key.
Is there a Unifi roadmap where they will support S2S OpenVPN with TLS?
What’s the best way to proceed? I don’t want to use WireGuard.
Use Peer to Peer SSL/TLS in pfSense and then in the UniFi don’t use the Site to Site; instead, import the pfSense settings into the “VPN Client” settings. Not sure why you don’t want to use WireGuard, but just so you know, it will be a lot faster if you did.
Some time ago, I did manage to successfully set up OpenVPN S2S between pfSense and UniFi (for some reason I did not manage to do what I wanted with WireGuard… but I don’t remember what exactly).
There were a few bumps in the road… and this is what I remember:
As @LTS_Tom mentioned, you need to use Peer to Peer SSL/TLS
On UniFi side:
I used S2S OpenVPN
Cipher AES-256-CBC
On pfSense side:
OpenVPN Client Peer to Peer (Shared Key)
UDP over IPv4
AES-256-CBC as allowed algorithm and as fallback
Auth digest: SHA1 (that’s the default of OpenVPN and that’s what UniFi sticks to)
Compression: Refuse any non-stub compression
Also, you will have to manually add some static routes on your OpenVPN interface
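For reference, here is what an OpenVPN client profile in TLS mode looks like when it follows the settings listed above (UDP over IPv4, AES-256-CBC, SHA1 digest, non-stub compression refused) and is imported on the UniFi side as a “VPN Client” profile rather than a Site-to-Site peer. This is an added example, not a config from either poster, from pfSense or from UniFi; the hostname, port, subnet and certificate contents are placeholders you must replace with your own, and the pfSense server must be set to Peer to Peer (SSL/TLS) with matching cipher, digest and compression settings.

```conf
# Added example: OpenVPN client profile (TLS mode, not shared key).
# Every address, port, subnet and certificate below is a placeholder.
client
dev tun
proto udp4                       # UDP over IPv4, as on the pfSense side
remote pfsense.example.net 1194  # placeholder: pfSense WAN hostname/IP and server port
nobind
persist-key
persist-tun
remote-cert-tls server           # only accept a peer certificate issued for server use
cipher AES-256-CBC               # must be an allowed algorithm (and the fallback) on pfSense
auth SHA1                        # OpenVPN default digest; pfSense "Auth digest" must match
allow-compression no             # pfSense "Refuse any non-stub compression"
verb 3
# Reach the LAN behind pfSense through the tunnel (placeholder subnet);
# pfSense needs the mirror-image static route back to the UniFi LAN.
route 192.168.1.0 255.255.255.0
<ca>
-----BEGIN CERTIFICATE-----
...paste the pfSense CA certificate here...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...client certificate issued by that CA for this gateway...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...matching client private key...
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...TLS key from the pfSense server, only if "TLS Key Usage" is enabled there...
-----END OpenVPN Static key V1-----
</tls-crypt>
```

The `remote-cert-tls server` line is what makes the TLS mode worth the trouble: it rejects any peer that does not present a certificate with the server EKU, so a leaked client certificate cannot be used to impersonate the pfSense end. If the pfSense server has TLS key usage disabled, drop the `<tls-crypt>` section; if it is set to `tls-auth` rather than `tls-crypt`, the section name and a `key-direction 1` line must change accordingly.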
Will give it a go and try to get the routing and such sorted. The reason why I wonder about the speed is that the UCG-Ultra doesn’t have a particularly great CPU etc.