OpenVPN Site-to-Site between pfSense Server and MikroTik Client

OpenVPN between pfSense and Mikrotik

PFSense 2.4.4-RELEASE-p3
Mikrotik 6.45.3

The configuration steps on each side are as follows:

PFSENSE:

System -> Cert Manager -> CAs
Create new CA (vpn-tunnel-ca). Export “CA cert” file (my-ca.crt).

System -> Cert Manager -> Certificates
Create two certificates (use CA created above) – one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

VPN -> OpenVPN -> Server
Create new VPN server:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN
Local port: 24100
TLS Authentication: unchecked (MikroTik RouterOS does not support the tls-auth shared key)
Peer Certificate Authority: vpn-tunnel-ca
Server Certificate: vpn-tunnel
Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Acceleration
Certificate Depth: One (Client + Server)
IPv4 Tunnel Network: 10.200.0.0/29
IPv4 Local Network/s: 192.168.1.0/24
IPv4 Remote Network/s: 192.168.2.0/24
Compression: Omit Preference (Use OpenVPN Default)
Topology: net30 – Isolated /30 network per client

*Very important: without the override below, pfSense has no route to the remote network through the tunnel. Add a Client Specific Override for the MikroTik client:
Client Specific Overrides:
+Add
Server List: *select your server
Common Name: the Common Name of the client certificate (mik-vpn)
Advanced: iroute 192.168.2.0 255.255.255.0;

MikroTik:
Upload the CA certificate, the client certificate and the client key (my-ca.crt, mik-vpn.crt and mik-vpn.key) to Files. Import all three from System -> Certificates.

PPP -> Profiles – create new:
Name: ovpn-profile
Local address: 10.200.0.6
Remote address: 10.200.0.5
Change TCP MSS: yes
*Protocols:
Use Compression: no
Use Encryption: yes

PPP -> Interface
create new OVPN Client:
Name: ovpn-office
Connect To: 1.1.1.1 (placeholder; use the public IP of your pfSense VPN server)
Port: 24100
Mode: ip
User: any
Profile: ovpn-profile
Certificate: mik-vpn.crt_0
Auth: sha1
Cipher: aes256
Add Default Route: unchecked (only the remote site's network should go through the tunnel)
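The MikroTik side of the procedure above as a RouterOS 6 terminal script, added here as an example and not part of the original post. It assumes the three files are already uploaded to Files, that 1.1.1.1 stands for the pfSense WAN address, and that the pfSense LAN gateway is 192.168.1.1; the static route line is an addition the post does not mention.

```routeros
# Added example (not from the original post): RouterOS 6 CLI equivalent of the GUI steps.
# Assumes my-ca.crt, mik-vpn.crt and mik-vpn.key are already in Files.

# Import the CA, the client certificate and its private key.
# The imported client certificate is named mik-vpn.crt_0, the name the OVPN client refers to.
/certificate import file-name=my-ca.crt passphrase=""
/certificate import file-name=mik-vpn.crt passphrase=""
/certificate import file-name=mik-vpn.key passphrase=""

# PPP profile: addresses are the first net30 client pair carved from 10.200.0.0/29
# (pfSense end .5, MikroTik end .6). Compression off, encryption on, MSS clamped for TCP over the tunnel.
/ppp profile add name=ovpn-profile local-address=10.200.0.6 remote-address=10.200.0.5 change-tcp-mss=yes use-compression=no use-encryption=yes

# OVPN client: TCP/tun on port 24100; cipher and digest must match the pfSense server (AES-256-CBC, SHA1).
# add-default-route=no keeps Internet traffic out of the tunnel; 1.1.1.1 is a placeholder for the pfSense WAN IP.
/interface ovpn-client add name=ovpn-office connect-to=1.1.1.1 port=24100 mode=ip user=any profile=ovpn-profile certificate=mik-vpn.crt_0 auth=sha1 cipher=aes256 add-default-route=no

# Assumption not in the original post: RouterOS 6 does not apply routes pushed by the server,
# so the route to the pfSense LAN is added statically with the tunnel interface as gateway.
/ip route add dst-address=192.168.1.0/24 gateway=ovpn-office comment="to pfSense LAN via OpenVPN"

# Verify: status should be "connected"; then reach the pfSense LAN gateway (assumed 192.168.1.1).
/interface ovpn-client monitor ovpn-office once
/ping 192.168.1.1 count=3
```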

Ulisses Féres
