Basic Site to Site OpenVPN between PfSense 2.2.1 and Vyos 1.1.4


After banging my head against this for a while, I finally ended up with the following working configuration for a basic site-to-site OpenVPN between PfSense 2.2.1 and VyOS 1.1.4.

PfSense Side

On the PfSense router, create an OpenVPN Server with the following settings:

  1. Server mode – Peer to Peer Shared Key
  2. Protocol – UDP
  3. Device mode – tun
  4. Interface – WAN
  5. Local Port – 33458 (could be whatever you want)
  6. Description – testvpn
  7. Shared Key – Tick Automatically generate, needs to be copied to vyos /config/auth
  8. Encryption algorithm – BF-CBC-128 bit (could be different, needs to match both ends)
  9. Auth Digest Algorithm – SHA1 (default for OpenVPN, could be different, needs to match both ends)
  10. Hardware crypto – No
  11. IPv4 Tunnel network – 10.10.199.0/24 – could be any private network as long as it is unique for both ends
  12. IPv4 Local Network – 192.168.5.0/24 – LAN network behind PfSense; you can have more than one network, comma separated; change it to match yours
  13. IPv4 Remote Networks – 192.168.25.0/24 – LAN network behind VyOS; again you can have more than one network, comma separated; change it to match yours
  14. Concurrent Connections – As many as you need
  15. Compression – Enabled With Adaptive Compression

The config can be exported through the Shared Key Export tab; it looks like this:

dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
auth SHA1
pull
resolv-retry infinite
remote your dynamic host name or IP 33458
route local lan IP and Subnet Mask
ifconfig 10.10.199.2 10.10.199.1
keepalive 10 60
ping-timer-rem
secret testvpn.secret
comp-lzo

VyOS Side

This config translates into the following on the VyOS side (the CLI node is "interfaces"; the commands below use the full spelling):

  1. set interfaces openvpn vtun0
  2. set interfaces openvpn vtun0 description 'testvpn'
  3. set interfaces openvpn vtun0 protocol udp
  4. set interfaces openvpn vtun0 mode site-to-site
  5. set interfaces openvpn vtun0 encryption bf128 (could be different as long as it matches the other end)
  6. set interfaces openvpn vtun0 hash sha1 (default for OpenVPN; if changed, it must match on both ends)
  7. set interfaces openvpn vtun0 local-address 10.10.199.2 (second IP of the OpenVPN server tunnel network)
  8. set interfaces openvpn vtun0 local-port 33458
  9. set interfaces openvpn vtun0 openvpn-option 'comp-lzo' (all OpenVPN-specific options unavailable in the CLI go here; it supports pretty much everything)
  10. set interfaces openvpn vtun0 remote-address 10.10.199.1
  11. set interfaces openvpn vtun0 remote-host (real IP or hostname of the remote host)
  12. set interfaces openvpn vtun0 remote-port 33458
  13. set interfaces openvpn vtun0 shared-secret-key-file /config/auth/testvpn.psk (copied from the PfSense server). It was giving me errors with the # comment lines on top; after I removed them it was OK.
  14. Open the firewall port
    • set firewall name OUTSIDE-IN rule 5 action accept
    • set firewall name OUTSIDE-IN rule 5 destination port 33458
    • set firewall name OUTSIDE-IN rule 5 protocol udp
  15. Set a static route to the PfSense server LAN
    • set protocols static route 192.168.5.0/24 next-hop 10.10.199.1
  16. commit
  17. save
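As an added example that is not part of the original post, the POSIX shell script below mechanises the translation just described: it parses the client config that the PfSense Shared Key Export tab produces (a constructed sample is embedded inline; vpn.example.net and the key file path are placeholders) and prints the equivalent VyOS 1.1 set commands, the static route to the PfSense LAN with the remote tunnel address as next hop, and the firewall rule using the post's OUTSIDE-IN rule 5 name. It also trims the exported static key down to the key block, which removes the "#" comment lines mentioned at step 13. The cipher and hash keyword tables are the VyOS 1.1 values (bf128, aes128, aes256, sha1, ...); the mask_to_prefix helper is my own, and the script writes a note to stderr when the cipher is a 64-bit block cipher such as BF-CBC, since an AES cipher is the safer choice on both ends.

```shell
#!/bin/sh
# Added example: turn a PfSense "Shared Key Export" client config into VyOS 1.1 commands.
# Not from the original post; host name, interface and key path are placeholders.

# Constructed sample of an exported config (same shape as the one in the post).
SAMPLE_OVPN='dev tun
persist-tun
persist-key
proto udp
cipher BF-CBC
auth SHA1
pull
resolv-retry infinite
remote vpn.example.net 33458
route 192.168.5.0 255.255.255.0
ifconfig 10.10.199.2 10.10.199.1
keepalive 10 60
ping-timer-rem
secret testvpn.secret
comp-lzo'

# OpenVPN cipher name -> VyOS 1.1 "encryption" keyword.
vyos_cipher() {
    case "$1" in
        DES-CBC) echo des ;;        DES-EDE3-CBC) echo 3des ;;
        BF-CBC) echo bf128 ;;       AES-128-CBC) echo aes128 ;;
        AES-192-CBC) echo aes192 ;; AES-256-CBC) echo aes256 ;;
        *) echo unknown; return 1 ;;
    esac
}

# OpenVPN auth digest -> VyOS 1.1 "hash" keyword.
vyos_hash() {
    case "$1" in
        MD5) echo md5 ;; SHA1) echo sha1 ;; SHA256) echo sha256 ;; SHA512) echo sha512 ;;
        *) echo unknown; return 1 ;;
    esac
}

# Dotted netmask -> prefix length (own helper; rejects non-contiguous masks).
mask_to_prefix() {
    bits=0; old_ifs=$IFS; IFS=.
    for octet in $1; do
        case $octet in
            255) bits=$((bits+8)) ;; 254) bits=$((bits+7)) ;; 252) bits=$((bits+6)) ;;
            248) bits=$((bits+5)) ;; 240) bits=$((bits+4)) ;; 224) bits=$((bits+3)) ;;
            192) bits=$((bits+2)) ;; 128) bits=$((bits+1)) ;; 0) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "$bits"
}

# Keep only the key block: PfSense prefixes the export with "#" comment lines,
# which the post reports VyOS 1.1.4 rejected.
clean_static_key() {
    sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p'
}

# ovpn_to_vyos CONFIG_TEXT IFACE KEYFILE: print the VyOS commands on stdout.
ovpn_to_vyos() {
    cfg="$1"; iface="$2"; keyfile="$3"
    proto=""; cipher=""; hash=""; rhost=""; rport=""; laddr=""; raddr=""; routes=""; lzo=""
    while read -r key a b rest; do        # first pass: collect the values we need
        case "$key" in
            proto)    proto="$a" ;;
            cipher)   cipher="$a" ;;
            auth)     hash="$a" ;;
            remote)   rhost="$a"; rport="$b" ;;
            ifconfig) laddr="$a"; raddr="$b" ;;   # local tunnel IP, then remote tunnel IP
            route)    routes="$routes $a/$(mask_to_prefix "$b")" ;;
            comp-lzo) lzo=yes ;;
        esac
    done <<EOF
$cfg
EOF
    case "$cipher" in
        DES-CBC|DES-EDE3-CBC|BF-CBC)
            echo "# note: $cipher is a 64-bit block cipher; prefer an AES cipher on both ends" >&2 ;;
    esac
    p="set interfaces openvpn $iface"
    echo "$p mode site-to-site"
    echo "$p protocol $proto"
    echo "$p encryption $(vyos_cipher "$cipher")"
    echo "$p hash $(vyos_hash "$hash")"
    echo "$p local-address $laddr"
    echo "$p remote-address $raddr"
    echo "$p remote-host $rhost"
    echo "$p remote-port $rport"
    echo "$p local-port $rport"        # the post uses the same port on both ends
    echo "$p shared-secret-key-file $keyfile"
    [ -n "$lzo" ] && echo "$p openvpn-option 'comp-lzo'"
    for r in $routes; do echo "set protocols static route $r next-hop $raddr"; done
    # Firewall rule name and number follow the post; adapt to your own policy.
    echo "set firewall name OUTSIDE-IN rule 5 action accept"
    echo "set firewall name OUTSIDE-IN rule 5 protocol $proto"
    echo "set firewall name OUTSIDE-IN rule 5 destination port $rport"
}

ovpn_to_vyos "$SAMPLE_OVPN" vtun0 /config/auth/testvpn.psk
```

Paste the printed lines into the VyOS configure session, then commit and save as in steps 16 and 17. For the key itself, run the exported file through clean_static_key (for example `clean_static_key < testvpn.secret > /config/auth/testvpn.psk`) before pointing shared-secret-key-file at it.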

The following commands might help troubleshoot if something is wrong (I usually run them in a separate PuTTY window):

monitor log

show log tail

show openvpn site-to-site status

This blog helped me a lot, thanks.


Comments

One response to “Basic Site to Site OpenVPN between PfSense 2.2.1 and Vyos 1.1.4”

  1. If an additional road warrior VPN on the PfSense side is present, VPN users will not have access to the LAN behind VyOS. To fix that, add the route to the LAN in the road warrior VPN custom (advanced) options:

    push "route 192.168.25.0 255.255.255.0";

    and add one more static route to VyOS:

    set protocols static route 192.168.5.0/24 next-hop 10.10.199.1
