Site-to-site VPN USG to pfSense, fixed IP to dynamic


We have a fully UniFi setup with USG firewalls across multiple sites. A small example can be found in this diagram.

On one site the USG can’t keep up anymore and we are testing pfsense.

One very important part is the VPN.

So the setup we have now is a USG on the main site, with fixed IP and the pfsense on site A with a dynamic IP.

We would like to stay clear of the JSON file, and because we have one dynamic IP, IPsec is no solution for us.

So we are trying to set up an OpenVPN site-to-site from USG to pfSense as described in this post, but with no success at the moment.

Is this the way to go or is there a better way?

Greetings from Belgium

Site-to-site VPNs should be straightforward to get going, though I only have it on pfSense to pfSense.

The easiest way to troubleshoot is to simply set up the OpenVPN server, then export the cert to your phone or other device. If that is all working, then the server is OK.

Then set up your client on the USG; if it doesn’t work, then you’ll know it’s the client.

I would bet you have a minor error in your config, double check with clear eyes.

This is one of those instances that without logs we would just be trying to ping the tail on the donkey.

We got it working, and here is how. It’s been a while, so I don’t know if all settings are the same.

On the pfSense side:

  • Go to VPN - OpenVPN

  • Create the firewall rules
    I ran the wizard for a fictional connection so the rules are made automatically, but you can also create them manually.

The Peer to Peer server mode we use cannot be set via the wizard so we had to set it manually:

General Information

  • Server mode: Peer to Peer (shared key)
  • Choose a local port. Default is 1194
  • Description: give a name for instance “USG to pfSense”

Cryptographic Settings

  • Shared key => Automatically generate a shared key (You will need this to configure the site to site connection in UniFi)
  • Encryption Algorithm: BF-CBC (128 bit key by default, 64 bit block)
  • Auth digest algorithm: SHA1 (160-bit)

Tunnel Settings

  • IPv4 Tunnel Network: (IP for creating the tunnel, for nothing else. Just make sure it does not create a conflict with your other networks)
  • IPv4 Remote network(s):,, …. (speaks for itself)
  • Compression: Omit Preference (Use OpenVPN Default)

UniFi with USG

  • Create new network
    Site-to-Site VPN
  • Enable this Site-to-Site VPN
  • Remote Subnets: the subnets from the other site, the site with the pfSense (the ones you want routed)
  • Remote host: IP of host (e.g. ; with dynamic DNS it does not have to be a fixed IP)
  • Remote Address: IP that you specified for the tunnel in pfSense
    Port: the port you gave in pfSense, e.g. 1194
  • Local address: the next IP in the range for the tunnel, e.g.
    Port: the port you gave in pfSense, e.g. 1194
  • Shared Secret Key: the key that was generated. Only the key!
    So under:
    -----BEGIN OpenVPN Static key V1-----
    and above:
    -----END OpenVPN Static key V1-----

And make sure the key is only one line (so remove the line breaks).
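An added helper (not from the original post or from pfSense/UniFi) that performs the step above: it takes the key file as pfSense generates it, keeps only the hex between the BEGIN/END markers, joins it into one line as the UniFi field expects, and rejects a paste that still contains markers, line breaks or stray characters with a reason. The sample key file is constructed from a deterministic byte pattern, not a real key; the short SHA-256 fingerprint lets you compare the key on both peers without revealing it.

```python
import hashlib
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BITS = 2048  # size pfSense generates for a peer-to-peer shared key

# Constructed sample with the same layout as a pfSense-generated key file
# (comment header, BEGIN marker, 16 lines of 32 hex chars, END marker).
# The bytes are a deterministic 00..ff pattern, not a real key.
SAMPLE_KEY_HEX = "".join(f"{b:02x}" for b in range(KEY_BITS // 8))
SAMPLE_KEY_FILE = (
    "#\n# 2048 bit OpenVPN static key\n#\n" + BEGIN + "\n"
    + "\n".join(SAMPLE_KEY_HEX[i:i + 32] for i in range(0, len(SAMPLE_KEY_HEX), 32))
    + "\n" + END + "\n"
)


def extract_static_key(key_file_text: str) -> str:
    """Return the key as a single line of hex, the form the UniFi field accepts.

    Drops everything outside the BEGIN/END markers (pfSense's comment header),
    removes line breaks and CRs, and validates the result so a paste the
    controller would reject fails here with an explanation.
    """
    lines = [ln.strip() for ln in key_file_text.replace("\r", "").split("\n")]
    if BEGIN not in lines or END not in lines:
        raise ValueError("BEGIN/END markers not found; paste the whole key file")
    start, end = lines.index(BEGIN), lines.index(END)
    if end < start:
        raise ValueError("END marker appears before BEGIN marker")
    key_hex = "".join(lines[start + 1:end]).lower()
    if not re.fullmatch(r"[0-9a-f]+", key_hex):
        raise ValueError("key body is empty or contains non-hex characters")
    if len(key_hex) * 4 != KEY_BITS:
        raise ValueError(f"key is {len(key_hex) * 4} bits, expected {KEY_BITS}")
    return key_hex


def key_fingerprint(key_hex: str) -> str:
    """Short SHA-256 fingerprint of the key bytes.

    Compare this value on the pfSense side and on the USG side: if they differ,
    the peers hold different keys, which is one cause of the
    'packet HMAC authentication failed' errors in the OpenVPN log.
    """
    return hashlib.sha256(bytes.fromhex(key_hex)).hexdigest()[:16]
```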

Hi. I am trying to set this up, but the USG3 complains when I enter the key after following your steps. pfSense generated a 2048-bit key as the shared secret, and even when I take the line breaks out, cutting it and pasting it in just gets a red line under the key and it won’t let me save it.

What am I doing wrong?



Can you post your key? I will test it for you. You can regenerate one afterwards.


Sure. Here it is:

2048 bit OpenVPN static key

-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----


I can enter it without a problem. The red line issue does ring a bell but I can’t remember…

Maybe in UniFi deleting the VPN network and creating it again did the trick.

But your key should work.

OK, I did that and fiddled around and managed to get this to stick. :slight_smile:

Now I get this error from pfSense after the USG tries to connect:

Jul 26 21:57:32 openvpn 96678 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 26 21:57:32 openvpn 96678 Authenticate/Decrypt packet error: packet HMAC authentication failed

Is there something in the crypto settings that I need to set or not set to get this to work?

Also, I am trying to use this on a Starlink installation, and I have to manually mod the USG3 config file to route to the Starlink network interface (this is where the Starlink stats are available), and the normal static route doesn’t work because I have a backup WAN network that is much slower, and two WANs apparently break static routes on the USG3. :frowning:

I notice that when I make changes to the VPN config, my mods that I had made before disappear. So I guess I have to get this to work before trying to fix the problem. :slight_smile:

Thanks for the help!
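An added triage helper (not from the original thread) that parses pfSense OpenVPN log lines in the layout shown above, counts "packet HMAC authentication failed" errors per OpenVPN process, and reports whether the tunnel ever completed initialization. The log excerpt is constructed for the example; the cause list is the set of mismatches discussed in this thread (shared key, auth digest, cipher).

```python
import re
from collections import defaultdict

# Constructed log excerpt in the same layout as the pfSense lines in the post:
# "<Mon DD HH:MM:SS> openvpn <pid> <message>". Not real log data.
SAMPLE_LOG = """\
Jul 26 21:57:32 openvpn 96678 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 26 21:57:32 openvpn 96678 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 26 21:58:05 openvpn 96678 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 26 22:10:41 openvpn 97120 Initialization Sequence Completed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) openvpn (?P<pid>\d+) (?P<msg>.*)$"
)
HMAC_FAIL = "packet HMAC authentication failed"
INIT_OK = "Initialization Sequence Completed"

# Things that must agree on both peers for a static-key tunnel; any
# mismatch produces HMAC failures on the receiving side.
LIKELY_CAUSES = (
    "shared key differs between pfSense and USG (check for markers, line breaks or a truncated paste)",
    "auth digest differs (pfSense set to SHA1 in this thread)",
    "data cipher differs (pfSense set to BF-CBC only, with no negotiation, in this thread)",
)


def parse_log(text: str) -> list:
    """Return one dict per parsable line with ts, pid and msg fields."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries: list) -> dict:
    """Per OpenVPN pid: HMAC failure count, whether init completed, and
    the likely causes to check when failures occurred without a completed init."""
    per_pid = defaultdict(lambda: {"hmac_failures": 0, "initialized": False})
    for e in entries:
        stats = per_pid[e["pid"]]
        if HMAC_FAIL in e["msg"]:
            stats["hmac_failures"] += 1
        elif INIT_OK in e["msg"]:
            stats["initialized"] = True
    for stats in per_pid.values():
        if stats["hmac_failures"] and not stats["initialized"]:
            stats["check"] = list(LIKELY_CAUSES)
    return dict(per_pid)
```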

Can you post a screenshot for the crypto settings?

Are you using a JSON file for your manual mods? If not, the config file is overwritten on every provisioning.

I try not to use a JSON file, but in some cases you have no other choice.

I am remote today without a laptop that has access to pfSense (though my tablet works fine to make changes etc.).

The problem is in the crypto section indeed. When I select the BF-CBC algorithm, it only adds it to AES-256-GCM, AES-128-GCM, and chacha20-poly1305… If I try to disable the Data Encryption Negotiation, I can’t seem to select only the BF-CBC algorithm. There is a note on that item that disabling the Data Encryption Negotiation is deprecated. :slight_smile:

I am running pfSense 2.5.1.


Ok, I got it to work! Turns out the algorithm selection menu doesn’t work well unless you have desktop mode enabled in the browser. Once there I could select the BF-CBC algorithm as the only allowable option and for the fallback as well. Once I did that the link came up just fine!

Thanks for all your help!

On the config file setting, I don’t know how to do it via a JSON file. It’s generating a pseudo-ethernet device and setting a new NAT rule. Even doing it by JSON means it has to be provisioned from the controller, which adds more complexity. But now that I have the VPN up, I don’t think I will need to change the rules that much…