Unix Server Tech Knowledge Base

User Tools

Site Tools

Trace:
other:networking:opnsense:site-to-site

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
other:networking:opnsense:site-to-site [2019/07/31 10:36] – external edit 127.0.0.1other:networking:opnsense:site-to-site [2023/09/27 08:19] (current) rodolico
Line 46: Line 46:
   - Create or reuse the required certificates. It is just fine to use an existing Certificate of Authority (CA) and Server Certificate, but you should create a client certificate for each remote site. For more security and flexibility, you should create a new CA and server certificate for each server, since that allows you to invalidate one server without impacting others.   - Create or reuse the required certificates. It is just fine to use an existing Certificate of Authority (CA) and Server Certificate, but you should create a client certificate for each remote site. For more security and flexibility, you should create a new CA and server certificate for each server, since that allows you to invalidate one server without impacting others.
     - For the following, use good descriptive names. You will not only be trying to find them when you create the OpenVPN server, but you will be exporting them to import into the client. A name like //ca1// will **not** help you find anything.     - For the following, use good descriptive names. You will not only be trying to find them when you create the OpenVPN server, but you will be exporting them to import into the client. A name like //ca1// will **not** help you find anything.
-    - one CA (you can use an existing one)+    - one CA (you can use an existing one) **Note: with v21.1.2, it appears you have to create a separate one**
       - System | Trust | Authorities | Add or import CA       - System | Trust | Authorities | Add or import CA
 +      - Descriptive Name: You can enter anything here, with spaces. This will be what you will select/identify this certificate with in the future
       - **Method:** Create an internal Certificate Authority       - **Method:** Create an internal Certificate Authority
-      - Fill in the rest of the form.+      - Fill in the rest of the form down to Common Name. I generally change the Lifetime depending on the application.
       - **Common Name:** No spaces, but use something you can recognize like "VPN-N2N-office"       - **Common Name:** No spaces, but use something you can recognize like "VPN-N2N-office"
       - Save       - Save
Line 55: Line 56:
     - one Server Certificate     - one Server Certificate
       - System | Trust | Certificates | Add or import certificate       - System | Trust | Certificates | Add or import certificate
 +      - Descriptive Name: You can enter anything here, with spaces. This will be what you will select/identify this certificate with in the future
       - **Method:** Create an internal Certificate       - **Method:** Create an internal Certificate
       - **Certificate Authority:** CA created in previous step       - **Certificate Authority:** CA created in previous step
       - **Type:** Server Certificate       - **Type:** Server Certificate
-      - Fill in the rest of the form+      - Fill in the rest of the form down to Common Name. I generally change the Lifetime depending on the application.
       - **Common Name:** again, use something descriptive with no spaces       - **Common Name:** again, use something descriptive with no spaces
       - Save       - Save
       - **Do not export this certificate**       - **Do not export this certificate**
-    - one User Certificate for each remote (client) site+    - one Client Certificate for each remote (client) site
       - System | Trust | Certificates | Add or import certificate       - System | Trust | Certificates | Add or import certificate
 +      - Descriptive Name: You can enter anything here, with spaces. This will be what you will select/identify this certificate with in the future
       - **Method:** Create an internal Certificate       - **Method:** Create an internal Certificate
       - **Certificate Authority:** CA created in previous step       - **Certificate Authority:** CA created in previous step
       - **Type:** Client Certificate       - **Type:** Client Certificate
-      - Fill in the rest of the form+      - Fill in the rest of the form down to Common Name. I generally change the Lifetime depending on the application.
       - **Common Name:** again, use something descriptive with no spaces. You should really use the target (client) name or something in this.       - **Common Name:** again, use something descriptive with no spaces. You should really use the target (client) name or something in this.
       - Save       - Save
Line 73: Line 76:
       - Export the client key created       - Export the client key created
   - Create OpenVPN Server   - Create OpenVPN Server
 +    - VPN | OpenVPN | Servers | Add (or Use a Wizard)
     - **Server Mode:** Peer to Peer (SSL/TLS)     - **Server Mode:** Peer to Peer (SSL/TLS)
 +    - **Protocol:** I find it best to set specifically to UDP4 or UDP6
 +    - **Interface:** WAN
 +    - **Local Port:** Set to some unused port. 1194 or greater is the norm
     - **TLS Authentication** and create new key     - **TLS Authentication** and create new key
     - **Peer Certificate Authority:** Select the CA you are using (the one you created)     - **Peer Certificate Authority:** Select the CA you are using (the one you created)
other/networking/opnsense/site-to-site.1564587410.txt.gz · Last modified: 2019/07/31 10:36 by 127.0.0.1