Setting up a Site-to-Site VPN using OPNsense can seem daunting at first, but trust me, guys, it's totally doable! This guide breaks down the process into manageable steps, ensuring you can securely connect two networks. We'll cover everything from configuring the IPsec settings to troubleshooting common issues. So, buckle up, and let's get started on creating a secure tunnel between your networks!
Understanding IPsec and Site-to-Site VPNs
Before diving into the configuration, let's quickly understand what IPsec and Site-to-Site VPNs are all about. IPsec, or Internet Protocol Security, is a suite of protocols that secures Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. It includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (e.g., computers or servers), between a pair of security gateways (e.g., routers or firewalls), or between a security gateway and a host.
A Site-to-Site VPN, on the other hand, is a type of VPN connection that allows two or more networks to be connected across the internet. This creates a secure tunnel, allowing devices on one network to access resources on the other network as if they were on the same local network. This is extremely useful for businesses with multiple locations, allowing employees to seamlessly access resources regardless of their physical location. Think of it as building a private, encrypted bridge between two separate local networks over the public internet.
When implementing a Site-to-Site VPN with OPNsense, IPsec is commonly used as the underlying technology to provide the secure encrypted tunnel. OPNsense acts as the gateway, managing the IPsec connection and ensuring that all traffic passing between the two networks is protected. This combination offers a robust and secure solution for connecting geographically dispersed networks.
Prerequisites
Before you even think about touching your OPNsense configuration, make sure you have a few things sorted out. First, you'll need two OPNsense firewalls, one at each site you want to connect. Ensure both firewalls have a static public IP address or a dynamic DNS setup, so they can always find each other. Dynamic DNS is crucial if your IP address changes frequently. Also, have the subnet details for both networks handy. You'll need to know the IP address ranges for each network so you can tell OPNsense which traffic should be routed through the VPN tunnel.
Make sure both OPNsense firewalls are running the latest version of the software. This ensures you have the latest security patches and features. You should also have basic networking knowledge, like understanding IP addresses, subnets, and routing. If you're new to this, don't worry, there are tons of resources online to help you get up to speed.
Additionally, confirm that UDP ports 500 and 4500 are open on your firewalls and any upstream firewalls or routers. These ports are essential for IPsec to function correctly. If these ports are blocked, the VPN connection won't be able to establish. Finally, it's always a good idea to have a backup of your OPNsense configuration before making any major changes. This way, if something goes wrong, you can easily restore your settings to a known good state.
Step-by-Step Configuration of OPNsense IPsec Site-to-Site VPN
Alright, let's dive into the nitty-gritty of setting up the IPsec Site-to-Site VPN on OPNsense. This might look intimidating, but trust me, we'll break it down into simple, manageable steps. We'll start by configuring the first OPNsense firewall (let's call it Site A) and then move on to the second firewall (Site B).
Configuring Phase 1 on Site A
Phase 1 is all about establishing a secure channel for further negotiations. Log into your OPNsense firewall at Site A and navigate to VPN > IPsec > Tunnel Settings. Click the “Add” button to create a new tunnel.
- Key exchange version: Set this to IKEv2. It's the most modern and secure option.
- Internet Protocol: Choose IPv4 or IPv6 based on your network configuration.
- Interface: Select the WAN interface on your OPNsense firewall.
- Remote Gateway: Enter the public IP address or dynamic DNS hostname of the OPNsense firewall at Site B.
- Authentication method: Select Mutual PSK (Pre-Shared Key). This is the simplest method for site-to-site VPNs. Generate a strong, random pre-shared key and keep it safe. You'll need to enter the same key on Site B.
- My identifier: Choose My IP Address.
- Peer identifier: Choose Peer IP Address.
- Encryption algorithms: Select a strong encryption algorithm like AES256-GCM. Also, select a hash algorithm like SHA256.
- Lifetime: The default value of 28800 seconds (8 hours) is usually fine.
- Disable rekey: Uncheck this option to ensure regular key renegotiation for enhanced security.
Save your settings and move on to configuring Phase 2.
Configuring Phase 2 on Site A
Phase 2 defines how the actual data will be encrypted and transmitted. Stay in the VPN > IPsec > Tunnel Settings section and click on the “Show Phase 2 Entries” button for the tunnel you just created. Then, click the “Add Phase 2” button.
- Mode: Set this to Tunnel IPv4 or Tunnel IPv6 based on your network.
- Protocol: Choose ESP (Encapsulating Security Payload). This provides encryption, authentication, and integrity.
- Encryption algorithms: Select the same encryption algorithm you chose in Phase 1, such as AES256-GCM.
- Hash algorithms: Select the same hash algorithm you chose in Phase 1, such as SHA256.
- PFS key group: Select a strong Diffie-Hellman group like DH Group 14 (2048 bit). This provides Perfect Forward Secrecy: even if a key is compromised later, traffic from past sessions cannot be decrypted.
- Lifetime: The default value of 3600 seconds (1 hour) is usually adequate.
- Local network: Specify the subnet of the network behind Site A. For example, 192.168.1.0/24.
- Remote network: Specify the subnet of the network behind Site B. For example, 192.168.2.0/24.
Save your settings. Now, let's configure Site B.
Configuring Phase 1 on Site B
The configuration on Site B is very similar to Site A, but with a few key differences. Log into your OPNsense firewall at Site B and navigate to VPN > IPsec > Tunnel Settings. Click the “Add” button to create a new tunnel.
- Key exchange version: Set this to IKEv2.
- Internet Protocol: Choose IPv4 or IPv6 based on your network configuration.
- Interface: Select the WAN interface on your OPNsense firewall.
- Remote Gateway: Enter the public IP address or dynamic DNS hostname of the OPNsense firewall at Site A.
- Authentication method: Select Mutual PSK (Pre-Shared Key) and enter the same pre-shared key you used on Site A.
- My identifier: Choose My IP Address.
- Peer identifier: Choose Peer IP Address.
- Encryption algorithms: Select the same encryption algorithm you chose in Phase 1 on Site A.
- Lifetime: The default value of 28800 seconds (8 hours) is usually fine.
- Disable rekey: Uncheck this option.
Save your settings and move on to configuring Phase 2.
Configuring Phase 2 on Site B
Stay in the VPN > IPsec > Tunnel Settings section and click on the “Show Phase 2 Entries” button for the tunnel you just created. Then, click the “Add Phase 2” button.
- Mode: Set this to Tunnel IPv4 or Tunnel IPv6 based on your network.
- Protocol: Choose ESP (Encapsulating Security Payload).
- Encryption algorithms: Select the same encryption algorithm you chose in Phase 2 on Site A.
- Hash algorithms: Select the same hash algorithm you chose in Phase 2 on Site A.
- PFS key group: Select the same Diffie-Hellman group you chose in Phase 2 on Site A.
- Lifetime: The default value of 3600 seconds (1 hour) is usually adequate.
- Local network: Specify the subnet of the network behind Site B. For example, 192.168.2.0/24.
- Remote network: Specify the subnet of the network behind Site A. For example, 192.168.1.0/24.
Save your settings. With both sites configured, it's time to move on to firewall rules.
Creating Firewall Rules
Now that the IPsec tunnels are configured, you need to create firewall rules to allow traffic to pass through the tunnel. Without these rules, even though the tunnel is up, no data will be able to flow between the networks. This is a crucial step, so pay close attention.
Site A Firewall Rules
On Site A, navigate to Firewall > Rules and select the IPsec tab. Create two new rules:
- Allow traffic from the local network to the remote network:
  - Action: Set this to Pass.
  - Interface: Choose IPsec.
  - Address Family: Choose IPv4 or IPv6 depending on your setup.
  - Protocol: Set this to Any or specify the protocols you want to allow (e.g., TCP, UDP).
  - Source: Set this to your local network's subnet (e.g., 192.168.1.0/24).
  - Destination: Set this to your remote network's subnet (e.g., 192.168.2.0/24).
  - Description: Enter a descriptive name for the rule, like Allow local to remote network.
- Allow traffic from the remote network to the local network:
  - Action: Set this to Pass.
  - Interface: Choose IPsec.
  - Address Family: Choose IPv4 or IPv6 depending on your setup.
  - Protocol: Set this to Any or specify the protocols you want to allow.
  - Source: Set this to your remote network's subnet (e.g., 192.168.2.0/24).
  - Destination: Set this to your local network's subnet (e.g., 192.168.1.0/24).
  - Description: Enter a descriptive name for the rule, like Allow remote to local network.
Site B Firewall Rules
Repeat the same process on Site B, creating the same two rules, but with the source and destination networks reversed. This ensures that traffic can flow in both directions.
- Allow traffic from the local network to the remote network:
  - Action: Set this to Pass.
  - Interface: Choose IPsec.
  - Address Family: Choose IPv4 or IPv6 depending on your setup.
  - Protocol: Set this to Any or specify the protocols you want to allow.
  - Source: Set this to your local network's subnet (e.g., 192.168.2.0/24).
  - Destination: Set this to your remote network's subnet (e.g., 192.168.1.0/24).
  - Description: Enter a descriptive name for the rule, like Allow local to remote network.
- Allow traffic from the remote network to the local network:
  - Action: Set this to Pass.
  - Interface: Choose IPsec.
  - Address Family: Choose IPv4 or IPv6 depending on your setup.
  - Protocol: Set this to Any or specify the protocols you want to allow.
  - Source: Set this to your remote network's subnet (e.g., 192.168.1.0/24).
  - Destination: Set this to your local network's subnet (e.g., 192.168.2.0/24).
  - Description: Enter a descriptive name for the rule, like Allow remote to local network.
With these firewall rules in place, traffic should now be able to flow freely between the two networks through the IPsec tunnel.
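Before moving on to testing, it is worth cross-checking the two configurations against each other, because the tunnel only comes up when the Phase 1 and Phase 2 settings match and the networks and rules are mirrored. The script below is an added example, not OPNsense code or any export format OPNsense provides: it models the GUI fields from the sections above as plain dictionaries with constructed sample addresses, generates a random pre-shared key with Python's secrets module, and reports every asymmetry it finds between Site A and Site B. The 32-character minimum key length is this example's own threshold for a "strong, random" key.

```python
"""Cross-check that two OPNsense sites' Phase 1, Phase 2 and IPsec firewall
settings mirror each other the way a site-to-site tunnel requires.

Added example. The dictionaries are a hand-built model of the GUI fields
named in the guide, not a format OPNsense exports; addresses are constructed.
"""
from __future__ import annotations

import ipaddress
import secrets

# Parameters that must be identical on both ends, per phase.
PHASE1_SHARED = ("ike_version", "encryption", "hash", "lifetime")
PHASE2_SHARED = ("protocol", "encryption", "hash", "pfs_group", "lifetime")
MIN_PSK_LEN = 32  # this example's own threshold for a strong PSK


def new_psk() -> str:
    """Generate a random pre-shared key suitable for Mutual PSK."""
    return secrets.token_urlsafe(MIN_PSK_LEN)


def make_site(name, public_ip, remote_gateway, psk, local_net, remote_net, tweaks=()):
    """Build one site's settings with the guide's recommended defaults.

    tweaks is a sequence of (phase, key, value) overrides used to model mistakes.
    """
    site = {
        "name": name,
        "public_ip": public_ip,
        "phase1": {
            "ike_version": "IKEv2", "remote_gateway": remote_gateway, "psk": psk,
            "encryption": "AES256-GCM", "hash": "SHA256",
            "lifetime": 28800, "rekey_enabled": True,
        },
        "phase2": {
            "protocol": "ESP", "encryption": "AES256-GCM", "hash": "SHA256",
            "pfs_group": 14, "lifetime": 3600,
            "local_network": local_net, "remote_network": remote_net,
        },
        # (source, destination) of the two rules on the IPsec tab.
        "ipsec_rules": [(local_net, remote_net), (remote_net, local_net)],
    }
    for phase, key, value in tweaks:
        site[phase][key] = value
    return site


def check_pair(a: dict, b: dict) -> list[str]:
    """Return human-readable findings; an empty list means the sites mirror."""
    findings = []
    p1a, p1b, p2a, p2b = a["phase1"], b["phase1"], a["phase2"], b["phase2"]

    # Phase 1: PSK must match byte for byte and should be long and random.
    if p1a["psk"] != p1b["psk"]:
        findings.append("Phase 1: pre-shared keys differ (check for typos or stray whitespace)")
    if len(p1a["psk"]) < MIN_PSK_LEN:
        findings.append(f"Phase 1: pre-shared key shorter than {MIN_PSK_LEN} characters")
    for key in PHASE1_SHARED:
        if p1a[key] != p1b[key]:
            findings.append(f"Phase 1: {key} differs ({p1a[key]!r} vs {p1b[key]!r})")
    if not (p1a["rekey_enabled"] and p1b["rekey_enabled"]):
        findings.append("Phase 1: rekeying is disabled on at least one side")
    # Each side's Remote Gateway must be the other side's public address.
    if p1a["remote_gateway"] != b["public_ip"] or p1b["remote_gateway"] != a["public_ip"]:
        findings.append("Phase 1: remote gateway does not point at the peer's public IP")

    # Phase 2: proposals match, networks are swapped and do not overlap.
    for key in PHASE2_SHARED:
        if p2a[key] != p2b[key]:
            findings.append(f"Phase 2: {key} differs ({p2a[key]!r} vs {p2b[key]!r})")
    if p2a["local_network"] != p2b["remote_network"] or p2a["remote_network"] != p2b["local_network"]:
        findings.append("Phase 2: local/remote networks are not mirrored between sites")
    net_a = ipaddress.ip_network(p2a["local_network"], strict=True)
    net_b = ipaddress.ip_network(p2b["local_network"], strict=True)
    if net_a.overlaps(net_b):
        findings.append(f"Phase 2: site subnets overlap ({net_a} and {net_b}); routing is ambiguous")

    # Firewall: each site needs both directions allowed on the IPsec tab.
    for site, p2 in ((a, p2a), (b, p2b)):
        wanted = {(p2["local_network"], p2["remote_network"]),
                  (p2["remote_network"], p2["local_network"])}
        for src, dst in sorted(wanted - set(site["ipsec_rules"])):
            findings.append(f"{site['name']}: no IPsec rule allowing {src} -> {dst}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """A correctly mirrored pair, then a pair with three classic mistakes."""
    psk = new_psk()
    good_a = make_site("Site A", "203.0.113.10", "198.51.100.20", psk, "192.168.1.0/24", "192.168.2.0/24")
    good_b = make_site("Site B", "198.51.100.20", "203.0.113.10", psk, "192.168.2.0/24", "192.168.1.0/24")
    # Trailing space pasted into the PSK, wrong DH group, and a forgotten return rule.
    bad_b = make_site("Site B", "198.51.100.20", "203.0.113.10", psk + " ", "192.168.2.0/24",
                      "192.168.1.0/24", tweaks=[("phase2", "pfs_group", 2)])
    bad_b["ipsec_rules"] = bad_b["ipsec_rules"][:1]
    return check_pair(good_a, good_b), check_pair(good_a, bad_b)


if __name__ == "__main__":
    clean, broken = demo()
    print("mirrored pair:", clean or "no findings")
    for line in broken:
        print("broken pair:", line)
```

Run it as-is to see the three findings for the deliberately broken Site B, then substitute your own values; a clean run does not prove the tunnel will work, but it rules out the copy-and-paste asymmetries that account for most first-attempt failures.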
Verification and Testing
Alright, you've configured everything, but how do you know if it's actually working? Time for some testing! The simplest way to check if the IPsec tunnel is up and running is to ping a device on the remote network from a device on the local network, and vice versa. For example, from a computer on Site A's network, ping a computer on Site B's network. If you get a response, that's a great sign!
Navigate to VPN > IPsec > Status Overview on both OPNsense firewalls. This page will show you the status of the IPsec tunnels. Look for a green checkmark or a status indicating that the tunnel is established. If the tunnel is down, this page can also provide valuable information about why it's not working.
Another useful tool is traceroute or tracert. This command shows the path that network packets take to reach their destination. By running traceroute to a device on the remote network, you can verify that the traffic is indeed going through the IPsec tunnel.
Troubleshooting Common Issues
Even with the best guides, things can sometimes go wrong. Don't panic! Here are some common issues and how to troubleshoot them. First, if the IPsec tunnel isn't coming up, double-check that the pre-shared keys on both sides match exactly. A simple typo can prevent the tunnel from establishing. Also, verify that the IP addresses and subnets are configured correctly on both sides. An incorrect IP address can cause routing issues.
Make sure UDP ports 500 and 4500 are open on both firewalls and any upstream routers. These ports are essential for IPsec. If you're still having trouble, examine the IPsec logs on both OPNsense firewalls. These logs can provide detailed information about what's going wrong during the tunnel negotiation process. You can find the logs under System > Log Files > IPsec.
Sometimes, the issue might be related to the firewall rules. Double-check that the rules are configured correctly and that they allow traffic to flow in both directions between the local and remote networks. If you're using dynamic DNS, make sure the dynamic DNS service is updating correctly and that the hostnames are resolving to the correct IP addresses.
If you've made changes to your OPNsense configuration, try restarting the IPsec service. This can sometimes resolve issues caused by configuration changes. You can restart the service under Services > IPsec > Configuration.
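When the tunnel does not come up, the IKEv2 notify messages in the IPsec log usually name the problem. OPNsense's IPsec daemon is strongSwan, and the script below, an added example rather than anything from the guide or from OPNsense, reads log lines written in the style of its charon daemon and maps the common failure signatures to the checks listed above, grouping them by connection attempt. The sample log is constructed, and the signature-to-cause table is this example's own.

```python
"""Triage IPsec log lines for the failure causes named in the troubleshooting tips.

Added example. The sample lines are constructed in strongSwan's charon log
style (the daemon OPNsense uses), not copied from a live system, and the
mapping from log signature to likely cause is this example's own.
"""
import re
from collections import Counter

# IKEv2 notify names (RFC 7296) and daemon messages -> cause key and the fix to try.
SIGNATURES = [
    (re.compile(r"AUTHENTICATION_FAILED"), "psk_mismatch",
     "Pre-shared key or identifier mismatch: re-enter the same PSK on both sides"),
    (re.compile(r"NO_PROPOSAL_CHOSEN"), "proposal_mismatch",
     "Proposal mismatch: make the Phase 1 and Phase 2 algorithms identical on both sides"),
    (re.compile(r"TS_UNACCEPTABLE"), "network_mismatch",
     "Traffic selector mismatch: check that local and remote networks are mirrored"),
    (re.compile(r"no matching peer config found"), "identifier_mismatch",
     "Peer identifier does not match: check My/Peer identifier and the gateway addresses"),
    (re.compile(r"giving up after \d+ retransmits"), "no_response",
     "Peer never answered: check UDP 500/4500, the remote gateway address and dynamic DNS"),
]
ATTEMPT = re.compile(r"<\w+\|(\d+)>")  # charon's <connection|attempt> tag
ESTABLISHED = re.compile(r"(IKE_SA|CHILD_SA) \S+ established")

# Constructed sample: one attempt times out, one fails auth, one has no common proposal.
SAMPLE_LOG = """\
2025-03-01T09:12:01 charon[812]: 06[IKE] <con1|4> initiating IKE_SA con1[4] to 198.51.100.20
2025-03-01T09:12:01 charon[812]: 06[IKE] <con1|4> retransmit 1 of request with message ID 0
2025-03-01T09:12:08 charon[812]: 09[IKE] <con1|4> retransmit 2 of request with message ID 0
2025-03-01T09:13:45 charon[812]: 11[IKE] <con1|4> giving up after 5 retransmits
2025-03-01T09:20:30 charon[812]: 07[IKE] <con1|5> initiating IKE_SA con1[5] to 198.51.100.20
2025-03-01T09:20:30 charon[812]: 07[IKE] <con1|5> received AUTHENTICATION_FAILED notify error
2025-03-01T09:25:02 charon[812]: 12[IKE] <con1|6> received NO_PROPOSAL_CHOSEN notify error
"""


def triage(log_text: str) -> dict:
    """Summarise a log excerpt: whether an SA came up, which causes were seen,
    the last cause per connection attempt, and the fixes to try in order."""
    causes = Counter()
    attempts = {}
    advice = []
    established = False
    for line in log_text.splitlines():
        if ESTABLISHED.search(line):
            established = True
        attempt = ATTEMPT.search(line)
        for pattern, cause, fix in SIGNATURES:
            if pattern.search(line):
                causes[cause] += 1
                if attempt:
                    attempts[int(attempt.group(1))] = cause
                if fix not in advice:
                    advice.append(fix)
    return {"established": established, "causes": dict(causes),
            "attempts": attempts, "advice": advice}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("tunnel established:", report["established"])
    for attempt, cause in sorted(report["attempts"].items()):
        print(f"attempt {attempt}: {cause}")
    for fix in report["advice"]:
        print("try:", fix)
```

Feed it the text of System > Log Files > IPsec from whichever side initiates; an `established` result with no causes means the negotiation succeeded and any remaining problem lies in the firewall rules or routing rather than in IKE.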
Setting up a Site-to-Site VPN with OPNsense might seem complex, but by following these steps and troubleshooting tips, you can create a secure and reliable connection between your networks. Good luck, and happy networking!