Site to site VPN USG to pfsense Fix IP to dynamic

Hi

We have a fully UniFi setup with all USG firewalls across multiple sites. A small example can be found in this diagram.

On one site the USG can’t keep up anymore and we are testing pfsense.

One very important part is the VPN.

So the setup we have now is a USG on the main site, with fixed IP and the pfsense on site A with a dynamic IP.

We would like to stay clear of the json file and because we have one dynamic IP IPsec is no solution for us.

So we are trying to set up an OpenVPN site to site from USG to pfsense like described in this post but with no success at the moment.

Is this the way to go or is there a better way?

Greetings from Belgium

Site to Site VPNs should be straight forward to get going, though I only have it on pfsense to pfsense.

The easiest way to troubleshoot is to simply set up the OpenVPN server, then export the cert to your phone or other device, if that is all working then the server is ok.

Then set up your client on the USG, if it doesn’t work then you’ll know it’s the client.

I would bet you have a minor error in your config, double check with clear eyes.

This is one of those instances that without logs we would just be trying to ping the tail on the donkey.

We got it working and here's how. It's been a while so I don't know if all settings are the same.

On the pfSense side:

  • Go to VPN - OpenVPN

  • Create the firewall rules
    I ran the wizard for a fictitious connection so the rules are made automatically but you can also create them manually.

The Peer to Peer server mode we use cannot be set via the wizard so we had to set it manually:

General Information

  • Server mode: Peer to Peer (shared key)
  • choose a local port. Default is 1194
  • Description: give a name for instance “USG to pfSense”

Cryptographic Settings

  • Shared key => Automatically generate a shared key (You will need this to configure the site to site connection in UniFi)
  • Encryption Algorithm: BF-CBC (128 bit key by default, 64 bit block)
  • Auth digest algorithm: SHA1 (160-bit)

Tunnel Settings

  • IPv4 Tunnel Network: 10.111.10.1/24 (IP for creating the tunnel, for nothing else. Just make sure it does not create a conflict with your other networks)
  • IPv4 Remote network(s): 10.0.0.0/16,10.4.0.0/22, …. (speaks for itself)
  • Compression: Omit Preference (Use OpenVPN Default)

UniFi with USG

  • Create new network
    Site-to-Site VPN
    openVPN
  • Enable this Site-to-Site VPN
  • Remote Subnets: the subnets from the other site. The site with the pfSense. (The ones you want routed)
  • Remote host: IP of host (e.g. vpn.ddns.net) (with dynamic dns it does not have to be a fixed IP)
  • Remote Address: IP that you specified for the tunnel in pfSense 10.111.10.1/24
    Port: the port you gave in pfSense e.g. 1194
  • Local address: the next IP in the range for the tunnel e.g. 10.111.10.2/24
    Port: the port you gave in pfSense e.g. 1194
  • Shared Secret Key: the key that was generated. Only the key!
    So under:
    -----BEGIN OpenVPN Static key V1-----
    and above:
    -----END OpenVPN Static key V1-----

And make sure the key is only one line. (So remove line breaks)
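As an added example (not from the thread), a small Python helper for the key-handling step above: it turns the pfSense static key file into the single-line hex string the UniFi "Shared Secret Key" field wants, validates that it really is a 2048-bit key, and can rebuild the pfSense file format from that line. The key it ships with is a constructed dummy (the bytes 0x00..0xff), not a real secret.

```python
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_HEX_LEN = 512  # a 2048-bit OpenVPN static key is 256 bytes = 512 hex digits

# Constructed sample key for demonstration only (NOT a real secret):
# the 256 byte values 0x00..0xff, laid out the way pfSense prints a key
# (16 rows of 32 hex digits between the BEGIN/END markers).
_SAMPLE_HEX = bytes(range(256)).hex()
SAMPLE_KEY_FILE = "\n".join(
    [BEGIN] + [_SAMPLE_HEX[i:i + 32] for i in range(0, KEY_HEX_LEN, 32)] + [END]
)


def to_unifi_secret(key_file_text: str) -> str:
    """Return the one-line hex string to paste into UniFi's Shared Secret Key.

    Keeps only what sits between the BEGIN/END markers, drops line breaks and
    surrounding whitespace, and rejects anything that is not a 2048-bit hex key
    (a missing or mangled row is the usual reason the UniFi field refuses it).
    """
    lines = [ln.strip() for ln in key_file_text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing OpenVPN Static key V1 BEGIN/END markers")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    hexstr = "".join(ln for ln in body if ln)
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % KEY_HEX_LEN, hexstr):
        raise ValueError(f"expected {KEY_HEX_LEN} hex digits, got {len(hexstr)} chars")
    return hexstr.lower()


def to_key_file(secret: str) -> str:
    """Rebuild the pfSense/OpenVPN static key file from the one-line secret."""
    secret = to_unifi_secret("\n".join([BEGIN, secret, END]))  # re-validates
    rows = [secret[i:i + 32] for i in range(0, KEY_HEX_LEN, 32)]
    return "\n".join([BEGIN] + rows + [END])


if __name__ == "__main__":
    one_line = to_unifi_secret(SAMPLE_KEY_FILE)
    print(one_line)  # 512 hex digits, no line breaks
    assert to_key_file(one_line) == SAMPLE_KEY_FILE
```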

Hi. I am trying to set this up, but the USG3 complains when I enter the key after following your steps. Pfsense generated a 2048 bit key as the shared secret, and even when I take the line breaks out, cutting it and pasting it in just gets a red line under the key and it won't let me save it.

What am I doing wrong?

thanks!

Hi

Can you post your key. I will test it for you. You can regenerate one afterwards.

Greetz

Sure. Here it is:

2048 bit OpenVPN static key


Hi

I can enter it without a problem. The red line issue does ring a bell but I can’t remember…

Maybe in UniFi deleting the VPN network and creating it again did the trick.

But your key should work.

OK, I did that and fiddled around and managed to get this to stick. :slight_smile:

Now I get this error from PFsense after the USG tries to connect:

Jul 26 21:57:32 openvpn 96678 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 26 21:57:32 openvpn 96678 Authenticate/Decrypt packet error: packet HMAC authentication failed

Is there something in the crypto settings that I need to set or not set to get this to work?

Also, I am trying to use this on a starlink installation, and I have to manually mod the USG3 config file to route 192.168.100.1 to the starlink network interface (this is where the starlink stats are available), and the normal static route doesn’t work because I have a backup WAN network that is much slower, and two WANs apparently break static routes on the USG3. :frowning:

I notice that when I make changes to the VPN config, my mods that I had made before disappear. So I guess I have to get this to work before trying to fix the 192.168.100.1 problem. :slight_smile:

Thanks for the help!

Can you post a screenshot for the crypto settings?

Are you using a json file for your manual mods? If not, the config file is overwritten on every provisioning.

I try not to use a json file but in some cases you have no other choice.

I am remote today without a laptop that has access to PFsense (though my tablet works fine to make changes etc…).

The problem is in the crypto section indeed. When I select the BF-CBC algorithm, it only adds it to AES-256-GCM, AES-128-GCM, and chacha20-poly1305… If I try and disable the Data Encryption Negotiation, I can't seem to select only the BF-CBC algorithm. There is a note on that item that disabling the Data Encryption Negotiation is deprecated. :slight_smile:

I am running PFsense 2.5.1.

thx!

Ok, I got it to work! Turns out the algorithm selection menu doesn’t work well unless you have desktop mode enabled in the browser. Once there I could select the BF-CBC algorithm as the only allowable option and for the fallback as well. Once I did that the link came up just fine!

Thanks for all your help!

On the config file setting, I don’t know how to do it via a json file. It’s generating a pseudo ethernet device and setting a new NAT rule. Even doing it by JSON means it has to be provisioned from the controller, which adds more complexity. But now I have the VPN up, I don’t think I will need to change the rules that much…

Thanks!