All right, this video is for setting up a VPN between two pfSense boxes in a peer-to-peer setting, using OpenVPN. I have the latest pfSense version as of November 2017, which is 2.4, loaded on these. The lab network, as I call it, is my 192.168.3.0 network, and that's what each of these boxes is connected to. So that's our pseudo-internet, I guess you could say, because that's the side where these can talk. Then they each have a LAN side with a Debian box on it: 192.168.40.50 is the IP address on this one, and 192.168.20.50 is the IP address on the one over here. So currently these can't see each other. The goal when we're done is that they can not just see each other, but communicate back and forth fully across the network. Some of the other VPN configurations, for example the Road Warrior VPN, which I'm going to do a separate video for with pfSense, where you connect your laptop while you're out and about and get back into your network, can also be done with two pfSense boxes, but they're harder to get the routing bi-directional. Routing only works in one direction there, which is normally what you want: when you're connecting your laptop, you don't want everything on the remote network coming back across into yours, you just want to be able to get into your own network. So that'll be a separate video. This one is specifically for peer-to-peer, server and client, and how to set up two pfSense routers at, for example, a company that has a branch office. You want all the computers across both networks to be able to talk to each other, and that's what we're going to do here in this video. Let's close this and get you started. So here's our client-side Debian box, and I know it's a little small to read, but this is the one that has 192.168.20.50. Here's the other one, 192.168.40.50.
So if I ping 20.50 from here, we get nothing, 100% packet loss. And we do the same on the other side: 100% packet loss. So neither of these can see the other. These are the virtual machines they're connected to. I've done another video on networking with XenCenter and how you can create private LANs. Essentially there's a private network connecting those two together, but bridged off so we can't see the other machines until we do the VPN; once we're done, all the traffic will be routed across the tunnel. And here's the box that's going to be our server. I have it in the title bar here, it's a little small to read, but it says "VPN server", and the other one says "VPN client". Just names I gave them, not really relevant; you just have to pick one to be the server and one to be the client. We'll set up the server first, which is actually really easy to do, only a few steps. Go to VPN, OpenVPN, Servers, click Add, and choose Peer to Peer (Shared Key) as the server mode. There are other modes that use SSL/TLS and require creating certificates; that's more advanced, and we're just going to do the basic setup here. If you need something that advanced, you're probably also comfortable creating the certificates, because you'd have to distribute certificates between the boxes that way. Here we only have to create one shared key that both ends use, which makes it a lot simpler. So most of this can stay at default. Description is whatever you want to call it; I'll call it "our test VPN". It's just the name of the VPN. You can specify the port; leave it at the default unless you have a custom use case, but a different port per server is also how you run multiple VPN servers on one pfSense box with only one WAN address. When you're choosing the interface, you can choose WAN, LAN or whichever you want, or if you have multiple WAN addresses you can choose which one to bind it to, and the port. So you can set up different VPNs on different ports pretty easily.
In SSL/TLS mode you can have many clients connecting to one server once you get down to the network settings; in shared-key mode each server instance pairs with exactly one peer, so for more than one branch office you'd add a server instance per branch on its own port, or switch to SSL/TLS. So there are plenty of different options here. And if you need multiple VPN servers for multiple purposes: by default OpenVPN runs on 1194, and you can change that to whichever port you want. So the next part is the encryption algorithm. AES-128-CBC is the default. If you say, well, I need something a little more secure, bump it up to AES-256-CBC. The important thing to remember when you change the encryption algorithm here is that the client has to be using the same encryption algorithm or it won't work. If your machine supports hardware crypto, you can enable it here. Next, IPv4 Tunnel Network. With OpenVPN you do have to have a tunnel network. A tunnel network is a network that the two VPN endpoints agree on and that carries the tunnelled traffic. It's not the same as either of the actual LANs; tunnel networks are a little bit different. So pick a private (RFC 1918) range that isn't used anywhere else on either side; if it overlaps a network that is already routed, you'll run into other issues. I'm going to choose 192.168.70.0/24. What this is, is the range from which OpenVPN assigns the tunnel addresses to each end. Doing a /24 is essentially like a small DHCP pool inside OpenVPN for assigning tunnel IPs to whatever connects; a shared-key tunnel only ever uses two addresses, so a /30 would do as well. So you have the public IP coming in, it gets a tunnel-network address, and all the traffic routes through the tunnel network and back out to your standard remote network. Now here is the remote network. We're going to skip IPv6 and jump right to IPv4 Remote network(s). This is where we put 192.168.20.0/24. This is the remote network on the other side that's connecting; this is what we need to get the routes going in both directions, so it's a bi-directional connection. As the server, you need to know the remote network of each peer that's connecting.
Simple enough; if you're setting this up, you're generally going to know these. Where this gets problematic, just so you know: we had a client where we had to redo their network and put the VPNs in. They had one server, of course, with five different networks. Well, those sites were never connected before, so they all had the same IP ranges. That just won't work; the routers won't know which way to route. So we had to go to each site and redo the IP ranges. When you have more than one remote network, you just specify the next one, whatever the next network is, and you separate them here with a comma, a space, then the other network/24. So if there are two networks, it would look like this; then we'll change the range again, let's say you have a .25 network, and you just put a comma and a space, then another network. You list all the remote networks that will be connecting to this VPN. For demonstration purposes we only have one network connecting, so we're going to leave Concurrent connections at one; that's the maximum number of clients allowed to connect to this server at the same time. You may want to limit how many people can be on at a time. There's no licensing with pfSense in terms of this, so you can set it to whatever maximum you want, 10, 15, whatever; it's just preference and knowing whether you need to limit it. Compression, leave it at default. Leave the rest of this at default unless you have some special use case. This is all you need to do to get the server side set up, as far as the OpenVPN part. So we click Save. Now, firewall rules: I already threw this rule in here, but yes, you have to open up UDP port 1194 on the WAN. Sometimes I've forgotten to mention that in previous videos, and it's something that should be obvious, but it's definitely important.
If you don't open it up, it does not get opened by default, just an FYI. Also, once you create the server, you end up with an OpenVPN tab under Firewall, Rules. For now we're just going to add a rule there to pass traffic, set everything to any, and save. This is where you could apply more restrictive rules: the OpenVPN tab under the firewall rules is where traffic arriving over the tunnel is filtered. Maybe you have restrictions, maybe you just want the VPN to flow freely to all the other networks. But if you put nothing in here, you've got a problem: no traffic will pass over the tunnel. So it's important that you put at least one rule in here, a wide-open allow-all rule like this one, and then filter as you see fit. For demonstration purposes I'm going to leave it wide open; the goal is really to get these talking to each other. So now we go back to the OpenVPN server, because we had left the box checked that says automatically generate a shared key. There's our shared key. We're going to need that, so we do a Ctrl+A and copy the shared key, and we're going to paste it into the client side. So we're logged in over there, and we set up a VPN client now: go to VPN, OpenVPN, Clients. For this we need the IP address of the server, so let me get that real quick: it's 192.168.3.98. We change the server mode to Peer to Peer (Shared Key); protocol, local port, all that, leave it the same unless you've done something custom. Then we put in the server host, 192.168.3.98. All this can be blank. Do not check automatically generate the shared key; instead we paste the server's key in. So: peer to peer, defaults, server address. The server host can be a fully qualified domain name or an IP address.
In this case it's just an IP address. Proxy host, proxy port, proxy authentication: leave those. Description: "our test VPN", just so it has a name. Now, the encryption algorithm: because we changed it on the server side to AES-256-CBC, we have to match it here. You could have left it at the default 128, but like I said, the client and server have to match or you'll have problems. IPv4 Tunnel Network: we have to know the tunnel network the server was set up with, which was 192.168.70.0/24. So there's our tunnel network. Then we also need our remote network, and the remote network on the other side is 192.168.40.0/24. This is the remote network as seen from this box. So remember, from this side the remote network is 192.168.40.0/24, and from the server side it's 192.168.20.0/24; for each side to have a route to the other, the two entries criss-cross. Everything else here can stay the same. Save, and away we go. Let's go to the dashboard of this one. And there we go, the VPN shows as up. But this will not yet allow pinging back and forth, because there are a couple more steps. This is often where people feel they had success, and where they get stuck, because there's one more step you need to do. The client side of the network doesn't have a gateway yet back over to the other side. You can log in to the pfSense box, and I think the pfSense box itself is able to ping over there because of the way the network is set up. Yes, the tunnel is up and we've got a tunnel address assigned, but there's no gateway. And it's really easy to do. You go to Interfaces, Assignments, and under Available network ports pick the OpenVPN client port and click Add. Save. Now it's added. Then go to the new interface; it called it OPT1.
We're going to call it OPENVPN, enable the interface, hit Save, then Apply. What this does is add a gateway, so devices on the client side of the network have a gateway to get out. Now when we go to System, Routing, it's in here as a gateway on that interface, but it still isn't working because of one minor detail. Once you've done this, you notice right here that there's no IP address assigned to it. So we restart the OpenVPN service. You could also reboot the whole router, but that's sometimes disruptive to people, so we just restart the service. All right, now it has a gateway address. Now that it has a gateway, the two devices should be able to ping each other as soon as we also add a firewall rule. So we go to Firewall, Rules. Now there are two tabs here: one is the OPT1 interface we renamed OPENVPN, and the other is the OpenVPN tab. I probably shouldn't have called them the same thing, but I typed one in all caps. The OpenVPN tab is the one we actually have to add the rule to. And once again we add a rule to pass traffic; I'm just going to say any for now, so we have a wide-open rule. This means all the data can go back and forth through the VPN. Like I said, this is where you can create all kinds of firewall rules if you want, but a lot of times, as with the client we just did, no restrictions are needed: we need the networks to completely talk to each other because they have a bunch of services moving back and forth. So now let's go over to our Debian boxes, and if I did this right they should work. We're pinging on this side, it's responding, and we're pinging on the other side. That's really it for the VPN setup. It's really not that hard to do, pretty straightforward. You just have to remember those couple of steps; adding the gateway is the odd one, it's not as automated.
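To make the GUI fields above concrete, here is an added example (not from the video, and not a copy of the files pfSense itself generates under /var/etc/openvpn/, which contain more than this) that renders the standard OpenVPN directives the shared-key fields map to: the tunnel network becomes the two ends' `ifconfig` addresses, each "IPv4 Remote network(s)" entry becomes a `route` line, and the cipher has to be identical on both ends. The addresses are the video's (server 192.168.3.98, UDP 1194, tunnel 192.168.70.0/24, server LAN 192.168.40.0/24, client LAN 192.168.20.0/24, AES-256-CBC). Assumptions: the two ends get the first two usable addresses of the tunnel network (server .1, client .2), the auth digest is SHA256, and the key file path is invented. Note also that OpenVPN 2.5 and later mark static shared-key mode as deprecated, so for a new deployment prefer SSL/TLS mode.

```python
"""Render the OpenVPN directives behind the pfSense shared-key GUI fields.

Added example; not the video's content and not pfSense's generated config.
"""
from ipaddress import ip_network


def tunnel_endpoints(tunnel):
    """First two usable addresses of the tunnel network: (server_end, client_end).

    Assumption: pfSense uses these two for a shared-key peer-to-peer tunnel.
    """
    hosts = ip_network(tunnel, strict=False).hosts()
    return str(next(hosts)), str(next(hosts))


def route_lines(cidrs):
    """Each 'IPv4 Remote network(s)' entry becomes one 'route' directive."""
    out = []
    for cidr in cidrs:
        net = ip_network(cidr, strict=False)
        out.append(f"route {net.network_address} {net.netmask}")
    return out


def render_pair(server_ip, port, tunnel, server_lans, client_lans,
                cipher="AES-128-CBC", keyfile="/var/etc/openvpn/p2p.secret"):
    """Return (server_conf, client_conf) as plain OpenVPN config text."""
    srv_end, cli_end = tunnel_endpoints(tunnel)
    common = [
        "dev tun",
        "proto udp",
        f"cipher {cipher}",     # must be identical on both ends
        "auth SHA256",          # assumed pfSense 2.4 default; must match too
        f"secret {keyfile}",    # the one shared key pasted into both boxes (path invented)
        "keepalive 10 60",
        "persist-key",
        "persist-tun",
    ]
    server = [f"port {port}", f"ifconfig {srv_end} {cli_end}"] \
        + route_lines(client_lans) + common
    client = [f"remote {server_ip} {port}", f"ifconfig {cli_end} {srv_end}"] \
        + route_lines(server_lans) + common
    return "\n".join(server), "\n".join(client)


def directive(conf, name):
    """Arguments of the first 'name ...' line in conf, or None if absent."""
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == name:
            return parts[1:]
    return None


def mismatches(server_conf, client_conf):
    """Settings both ends must agree on; a non-empty list means the tunnel will fail."""
    bad = [k for k in ("dev", "proto", "cipher", "auth")
           if directive(server_conf, k) != directive(client_conf, k)]
    s_if, c_if = directive(server_conf, "ifconfig"), directive(client_conf, "ifconfig")
    if s_if is None or c_if is None or s_if != c_if[::-1]:
        bad.append("ifconfig")        # the two ends must mirror each other
    remote = directive(client_conf, "remote") or []
    if directive(server_conf, "port") != remote[1:2]:
        bad.append("port")            # client must dial the port the server listens on
    return bad


if __name__ == "__main__":
    srv, cli = render_pair("192.168.3.98", 1194, "192.168.70.0/24",
                           server_lans=["192.168.40.0/24"],
                           client_lans=["192.168.20.0/24"],
                           cipher="AES-256-CBC")
    print("# server\n" + srv + "\n\n# client\n" + cli)
    print("mismatches:", mismatches(srv, cli))
    # The error the video warns about: client left at the default cipher.
    print("cipher left at default on client:",
          mismatches(srv, cli.replace("cipher AES-256-CBC", "cipher AES-128-CBC")))
```

`mismatches()` is the check to run mentally against the two GUI pages: cipher, digest, protocol, tunnel network and port all have to line up, and the remote-network lists have to criss-cross (the server lists the client's LAN and vice versa).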
And let's do something real quick here. Let's rename the interface back to OPT1 and apply, just to show you. So here's where its rules are, and you can see there are packets going back and forth because I have them pinging, but we have no rules on this interface tab. I do find it a little odd, at least conceptually, that you'd think you'd want to put rules against this gateway interface, but you actually put them on the OpenVPN tab that's auto-created once you create the client. Now, one other thing on the client side. Let's say you have a more in-depth network; for example, at our office we've got multiple LANs. The same thing you do on the server side, you do on the client: if we're connecting to a server that has a whole bunch of networks behind it, we put each of them in the remote networks field, in CIDR notation, with a comma and a space between them. That's how we get a route to each of those networks. So if you have a really complicated network with many LANs and you need this site to connect to all the different LANs on the other side, you just put a comma, a space, and the next network. You need to know all of these because this is what puts the routing information in. Another side note: you can also add static routes if you have some need for that; you can push static routes across the OpenVPN interface as well. So you can say: this destination, that gateway. That's also the other reason you added the OpenVPN interface as an interface with a gateway: so you can add static routes later for really custom routing. So hopefully this guide was helpful; it's pretty straightforward for setting up the VPN. If you're wondering what I did here to add this, it's just adding the OpenVPN widget to the dashboard, so you can see whether the VPN's up or down. That's all that was, just a small customization. But that's it.
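The two places where this goes wrong in practice are the ones mentioned above: two sites that were never connected end up with the same LAN range, or the tunnel network overlaps something already routed, and the routers can't tell which way to send traffic. Here is an added example (not part of the video) that checks a multi-site address plan against those rules before anything is typed into pfSense, and builds the comma-and-space separated "IPv4 Remote network(s)" value for every box. The hq and branch ranges and the 192.168.3.0/24 transit network are the video's; "site3" and "site4" are constructed extras.

```python
"""Check a site-to-site OpenVPN address plan before configuring pfSense.

Added example, not the video's content. Rules applied: the tunnel network and
every site LAN must be private (RFC 1918) ranges, none of the networks may
overlap, and each pfSense box lists the OTHER sites' LANs as its remote networks.
"""
from ipaddress import ip_network


def check_plan(tunnel, site_lans, transit=None):
    """Return a list of problems; an empty list means the plan is usable.

    transit is the network the boxes reach each other over (the video's
    192.168.3.0/24 lab network); it is only checked for overlap, since a real
    WAN address is public and is not expected to be RFC 1918.
    """
    nets = {"tunnel": ip_network(tunnel, strict=False)}
    for name, cidr in site_lans.items():
        nets[name] = ip_network(cidr, strict=False)
    if transit is not None:
        nets["transit"] = ip_network(transit, strict=False)

    problems = []
    for name, net in nets.items():
        if name != "transit" and not net.is_private:
            problems.append(f"{name} {net} is not an RFC 1918 range")

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(
                    f"{a} {nets[a]} overlaps {b} {nets[b]}: "
                    "the routers cannot tell which way to send it"
                )
    return problems


def remote_networks(site_lans, local_site):
    """Value for the 'IPv4 Remote network(s)' field on the box at local_site."""
    return ", ".join(cidr for name, cidr in site_lans.items() if name != local_site)


if __name__ == "__main__":
    tunnel = "192.168.70.0/24"
    lans = {
        "hq": "192.168.40.0/24",      # the video's server side
        "branch": "192.168.20.0/24",  # the video's client side
        "site3": "192.168.25.0/24",   # constructed extra site
    }
    for p in check_plan(tunnel, lans, transit="192.168.3.0/24"):
        print("PROBLEM:", p)
    for site in lans:
        print(f"{site:>7}: Remote network(s) = {remote_networks(lans, site)}")

    # The failure the video describes: a site that was never connected before
    # and happens to use the same LAN range as another one.
    clashing = dict(lans, site4="192.168.20.0/24")
    for p in check_plan(tunnel, clashing, transit="192.168.3.0/24"):
        print("PROBLEM:", p)
```

Remember that in shared-key mode each server instance carries one peer, so with several sites the remote-networks value for a given instance is just that one peer's LAN(s); the full list produced here is what you would use on a hub running in SSL/TLS mode, or you would split it per instance.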
That's the VPN done, pretty straightforward, not too difficult, once you have those couple of little steps in there and make sure you add those couple of firewall rules. All right, hopefully this was helpful. I'll do a separate video on how to do the Road Warrior VPN on these, where you take your Windows box and connect in; that'll be its own video. So, if you like the content here, like and subscribe. If you have questions about this, or if I wasn't clear on something and I need to redo this video, let me know. Thanks.