OpenVPN Site-to-Site entre PFsense Server e Mikrotik client

OpenVPN between pfSense and Mikrotik

PFSense 2.4.4-RELEASE-p3
Mikrotik 6.45.3

Follow the modifications:


System -> Cert Manager -> CAs
Create new CA (vpn-tunnel-ca). Export “CA cert” file (my-ca.crt).

System -> Cert Manager -> Certificates
Create two certificates (use CA created above) – one for the VPN Server (vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key files for client certificate (mik-vpn.crt and mik-vpn.key).

VPN -> OpenVPN -> Server
Create new VPN server:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN
Local port: 24100
TLS Authentication: (clear checkbox, MikroTik doesn’t support shared TLS key)
Peer Certificate Authority: vpn-tunnel-ca
Server Certificate: vpn-tunnel
Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm: SHA1 (160-bit)
Hardware Crypto: No Hardware Crypto Aceleration
Certificate Depth: One (Client + Server)
IPv4 Tunnel Network:
IPv4 Local Network/s:
IPv4 Remote Network/s:
Compression: Omit Preference (Use OpenVPN Default)
Topology: net30 – Isolated /30 network per client

*Very important, fix the route of the remote network in PFSense
Client Specific Overrides:
Server List: *select your server
Common Name: “common name of certificate client”
Advanced: iroute;

Copy two certificate files and the key file to Files. Import all of them from System/Certificates.

PPP -> Profiles – create new:
Name: ovpn-profile
Local address:
Remote address:
Change TCP MSS: yes
Use Compression: no
Use Encryption: yes

PPP -> Interface
create new OVPN Client:
Name: ovpn-office
Connect To: (Your IP PFSense VPN Server)
Port: 24100
Mode: ip
User: any
Profile: ovpn-profile
Certificate: mik-vpn.crt_0
Auth: sha 1
Cipher: aes 256
Add Default Route: (do not check this)

Deixe um comentário