Advice Needed: Configuring Site-to-Site VPN on OPNsense for Local Services Access Between Two Sites

Hello everyone,

I’m currently working on a project involving two OPNsense routers and am looking for some guidance on setting up a site-to-site VPN. My objective is to allow both locations to access internal services (like storage servers and printers) across the sites without routing all outbound internet traffic through a single location. Here are the specifics:

- Site 1 Network: 10.0.0.0/24, with a dynamic WAN IP. Planning to use Dynamic DNS for hostname resolution.

- Site 2 Network: 10.0.1.0/24, has a static WAN IP.

I’m aiming for a setup where each site routes its outbound traffic through its own WAN but can still communicate with the other site’s internal network for accessing shared resources.

Key Requirements:

Site-to-Site VPN: Need a reliable method to connect both sites in a way that allows them to access each other’s internal services without rerouting all external internet traffic to the other site.

Resilience: If the VPN connection fails, it shouldn’t disrupt the normal outbound internet connectivity for either site.

Given these requirements, I have a few questions:

What is the best VPN solution or configuration for this scenario on OPNsense? (Considering IPsec, OpenVPN, etc.)

How can I ensure that the VPN connection is resilient and doesn’t impact external internet access if it drops?

Are there specific settings or considerations for handling the dynamic DNS setup at Site 1 within the VPN configuration?

Any recommended practices for monitoring and automatically reconnecting the VPN should it fail?

I appreciate any insights, examples, or resources you could share. I want to ensure a robust and reliable setup that maintains local network integrity and accessibility across both sites without complicating the outbound internet connectivity.

Thanks in advance for your help!

If given the choice for site-to-site, I would choose this order: 1. WireGuard, 2. IPsec, 3. OpenVPN.

The VPN would not impact external internet access.

I’ve never done site2site with DDNS, but I would assume you could enter a domain name instead of an IP address for the Peer. DDNS via Cloudflare on OPNsense seems to work for me.

If the traffic should be encrypted: WireGuard.

If you don’t need encryption and are aiming for speed: plain GRE or GIF.

If you need to carry layer 2 traffic: VXLAN, since FreeBSD doesn’t support GENEVE yet.

Hi, u/AngusThirdPounder

I reached this post searching for help in a similar situation. Have you managed to solve it?

In my case, I have 2 sites and potentially a couple more sites to add in the future. Currently both sites have OPNsense.

While I do have static IPs at both sites, I decided to use ZeroTier instead of WireGuard or OpenVPN for site to site. I am self-hosting the ZeroTier controller and a UI (on a free VPS), and hence I did not need to sign up at ZeroTier.
Also, my assessment was that adding new sites will be simpler configuration-wise vs WireGuard etc.

ZeroTier supports direct connections where possible between sites/nodes… Sites use their own internet and can access resources at each site directly as well. It also works fine with dynamic IPs.

Given your aim to connect two locations without routing all outbound internet traffic through a single site, considering one has a dynamic WAN IP and the other a static one, a slightly unconventional yet innovative strategy might be just what you need. Instead of directly configuring IPsec or OpenVPN on the OPNsense routers, which can be complex and challenging to maintain, why not simplify the process? I suggest setting up a pair of Windows PCs or servers at each site, equipped with OpenVPN. This setup might seem a bit out of the ordinary, but using Windows machines can add a layer of flexibility you’ll appreciate. The GUI of OpenVPN on Windows offers easier management, which can be particularly useful if you’re not entirely comfortable with OPNsense’s interface or need to make quick adjustments without delving into the router configurations.

To ensure your VPN connection remains resilient and doesn’t impact external internet access if it drops, a straightforward approach would be to configure a simple batch script on the Windows machines that monitors the connection by pinging the other site over the VPN tunnel. Should the ping fail, indicating a drop, the script can automatically restart the OpenVPN service, thereby minimizing downtime. Although not the most elegant solution, it’s effective and ensures continuous connectivity.

Regarding the dynamic DNS setup at Site 1, there’s no need to overcomplicate things by integrating it directly into your VPN configuration on OPNsense. Since you’re utilizing Windows machines as your VPN gateways, you can manage the dynamic DNS updates right from these machines. Plenty of third-party dynamic DNS clients work exceptionally well on Windows and can automatically update your DDNS records as needed, simplifying the process and keeping the complexity away from your OPNsense routers.

For monitoring and automatic reconnection strategies, in addition to the ping script, you might consider setting up email notifications via a simple SMTP script on the Windows machine. This script could send you an email alert if it detects a VPN connection drop, providing a basic DIY solution for network monitoring without the need for sophisticated tools.

This setup, leveraging the familiar and user-friendly environment of Windows for the management and troubleshooting of your VPN, simplifies the entire process. It ensures that your OPNsense routers can focus on their primary tasks, making the management of the VPN connection far less of a headache. With this strategy, you’re set to achieve the robust and reliable site-to-site connectivity you’re aiming for, maintaining local network integrity and accessibility across both sites without complicating outbound internet connectivity. I’m looking forward to hearing about the successful implementation of this setup!

WireGuard handles IP address changes very well. In fact, it’s seamless if the site with the changed address sends a packet to the site with the unchanged address. The second site will simply update its peer address.

If the site with the unchanged address may need to initiate a connection to a site with a changed address, set the keepalive flag on the site with the dynamic address.

Any kind of guide you can provide me regarding best practices for this?

Thanks!

Edit: Found official documentation, this actually looks fairly easy.

I found the official documentation to accomplish this but it has nothing regarding DDNS: https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

Do you know of any other guides or resources that could be of help to me?

While I appreciate the response… this is not what I am asking for at all…

Thank you.

Sadly I can only downvote this once. But this is so much bad advice I don’t even know where to start.

Reads like something a broken version of ChatGPT would write.

I can tell this is ChatGPT

This is a prime example of what NOT to do. Tell me you don’t know computer networking and what a VPN is without telling me you don’t know what computer networking and a VPN is. Jeez. Definitely an uneducated ChatGPT response. haha

The official docs are accurate for the site2site. When it comes to the DDNS, that’s where the docs need to be updated. I am only using it on one server, but I think this Zenarmor post will help you: https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-dynamic-dns-on-opnsense

WireGuard uses IP addresses to keep track of its peers, not hostnames. Set keepalive on site 1. WireGuard at site 2 will update its peer address as soon as it receives a valid packet from site 1 at a new address.

I have a WireGuard S2S on OPNsense between my home network and my friend’s business, as I manage his network. The official docs may have been updated since I referenced them, but I found them to be a little lacking. I got the most help from the video linked below:

https://youtu.be/ah0Kkkqqfcg

My use case is very similar to yours, as I need to allow access to a few limited resources from each side to the other, but basic internet is just handled locally.

Regarding DDNS, what resource are you looking for? If it’s just setting up in OPNsense, did you take a look at this: https://docs.opnsense.org/manual/dynamic_dns.html

Will I also be able to expand to 3+ locations?

I haven’t done that, but I don’t see why not. You just have to ensure that you set up a peer and a tunnel instance between any sites that need to communicate with one another. For example, let’s say you have 3 sites that all need to communicate with each other. Each site would have an instance (tunnel) configured and 2 peers, one for each of the other sites. So site A would have an instance and a peer for B and a peer for C. And so on for the other 2.

The beauty of integrating this in OPNsense is the granular control you have with the firewall rules. For example, I have nearly full access to my friend’s business network across the VPN; however, traffic from his side can only reach a single machine on a single port on my side.
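The keepalive advice above (set it on the site whose WAN address changes; the other side learns the new address from the next valid packet) and the instance-plus-one-peer-per-site pattern for 3+ locations can be written down as a small generator. This is an added example, not code from the thread or from OPNsense; it assumes a constructed 10.10.10.0/24 tunnel network, placeholder keys and a placeholder DDNS hostname, and produces wg-style text whose fields map onto OPNsense's Instance and Peer forms (Public key, Allowed IPs, Endpoint, Keepalive).

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Site:
    name: str
    lan: str                 # LAN behind this site's OPNsense, e.g. 10.0.0.0/24
    tunnel_ip: str           # this site's address in the (constructed) 10.10.10.0/24 tunnel net
    pubkey: str              # placeholder; OPNsense generates the real key pair
    endpoint: str = ""       # static WAN IP or DDNS hostname; "" if not reachable by name
    dynamic_wan: bool = False
    port: int = 51820

def check_mesh(sites: list) -> None:
    """Reject overlapping LANs: routing between sites needs distinct prefixes."""
    nets = [(s.name, ip_network(s.lan)) for s in sites]
    for i, (na, a) in enumerate(nets):
        for nb, b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{na} and {nb} have overlapping LANs")

def peer_block(me: Site, other: Site) -> list:
    """[Peer] entry on `me` for `other`; AllowedIPs is never 0.0.0.0/0, so internet stays local."""
    lines = [f"# peer: {other.name}", "[Peer]", f"PublicKey = {other.pubkey}",
             f"AllowedIPs = {other.tunnel_ip}/32, {other.lan}"]
    if other.endpoint:  # a hostname is resolved only when the tunnel starts
        lines.append(f"Endpoint = {other.endpoint}:{other.port}")
    if me.dynamic_wan:  # dynamic side keeps sending so the remote side learns
        lines.append("PersistentKeepalive = 25")  # its new source address
    return lines

def site_config(me: Site, sites: list) -> str:
    """Full config for `me`: one [Interface] plus one [Peer] per other site."""
    lines = [f"# site: {me.name}", "[Interface]", f"Address = {me.tunnel_ip}/24",
             f"ListenPort = {me.port}", f"PrivateKey = <{me.name}_PRIVATE_KEY>"]
    for other in sites:
        if other.name != me.name:
            lines += [""] + peer_block(me, other)
    return "\n".join(lines) + "\n"

# Constructed mesh: the two sites from the question plus a third dynamic site.
SITES = [
    Site("site1", "10.0.0.0/24", "10.10.10.1", "<SITE1_PUBKEY>", "site1.example-ddns.invalid", True),
    Site("site2", "10.0.1.0/24", "10.10.10.2", "<SITE2_PUBKEY>", "203.0.113.10"),
    Site("site3", "10.0.2.0/24", "10.10.10.3", "<SITE3_PUBKEY>", "", True),
]
check_mesh(SITES)  # fails loudly on overlapping LANs before any config is written

if __name__ == "__main__":
    for s in SITES: print(site_config(s, SITES))
```

Because AllowedIPs only covers the remote tunnel address and LAN, a tunnel outage leaves each site's default route on its own WAN untouched, which is the resilience property asked for in the question.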

I have an S2S with WireGuard with 6 friends via OPNsense. We basically run fully meshed WireGuard tunnels. We all have dynamic IPs, some even only have IPv6 IPs (DS-Lite), and the network is very fast and stable.

If you get the hang of it, it’s very easy.