6/3/25, 8:54 AM pfSense site to site VPN tunnel - The Complete Guide
Ceos3c
pfSense site to site VPN tunnel – The Complete Guide
July 18, 2022 by Stefan
Many of you asked me to create an easy-to-understand step-by-step tutorial on how
to create a pfSense site-to-site VPN tunnel between two pfSense firewalls. I try to
make it as simple as possible.
Table of Contents
The Scenario: pfSense Site to Site VPN
https://www.ceos3c.com/pfsense/pfsense-site-to-site-vpn/ 1/19
Step 1 – Creating IPSec Phase 1 on pfSense #1 HQ
Step 2 – Creating IPSec Phase 2 on pfSense #1 HQ
Step 3 – Creating a Firewall Rule on pfSense #1 HQ
Step 4 – Creating IPSec Phase 1 on pfSense #2 Remote Location
Step 5 – Creating IPSec Phase 2 on pfSense #2 Remote Location
Step 6 – Creating a Firewall Rule on pfSense #2 Remote Location
Step 7 – Testing the Tunnel
Conclusion
The Scenario: pfSense Site to Site VPN
I try to keep this example scenario as simple as possible, therefore I created an easy-
to-understand, self-explaining diagram.
Overview
This should give you a pretty good understanding of what we want to achieve. We
simply want to establish a pfSense site-to-site VPN connection between pfSense #1
HQ and pfSense #2 Remote Location. To do this, we need to create IPSec tunnels and
firewall rules on both sides. I kept the subnets simple so you don’t get confused by
too many different IPs. The Gateway in your case would be your WAN IP Address.
Without further ado, let’s get started.
Step 1 – Creating IPSec Phase 1 on pfSense #1 HQ
To create a pfSense site-to-site VPN, you need to log in to your pfSense #1 HQ and
navigate to VPN / IPsec and click on + Add P1. Set the address of the Remote
Gateway and a Description.
1. IP of your WAN Interface on your pfSense #2 Remote Location
2. Enter a Description
General Information
Scroll down to Phase 1 Proposal (Authentication). Now head to any page you like,
or this one, to create a Pre-Shared Key.
You can also generate the key locally with the tool pwgen on Linux. In the following
command, -s produces fully random output, -y includes symbols, and 25 is the key length:
pwgen -sy 25
Creating a Pre-Shared Key
Copy this key and paste it into the Pre-Shared Key field.
Pasting the Key
Scroll down to the bottom leaving everything else on Default and click Save. Click
Apply Changes after.
Step 2 – Creating IPSec Phase 2 on pfSense #1 HQ
Time to create the second Phase. Click on + Show Phase 2 Entries and click on +
Add P2.
Creating Phase 2
Now enter values like in the following example:
1. On Local network choose Network
2. Enter the Subnet of your Local Network (192.168.1.0/24 for pfSense #1 HQ)
3. On Remote Network choose Network
4. Enter the Subnet of your Remote Network (192.168.2.0/24 for pfSense #2
Remote Location)
Enter a description if you want.
Configuring
Scroll down to Phase 2 Proposal (SA/Key Exchange). Enter values like in the
following example:
1. Change AES Encryption to 256 bits
2. Change PFS key group to 15 (3072 bit)
3. Enter the pfSense #2 Remote Location’s IP Address to be pinged
automatically (this ensures that the tunnel stays active at all times)
4. Smash that Save button (Sorry, watched too many YouTube videos)
5. Hit Apply Changes
Configuring Phase 2
Almost done with pfSense #1, now we just need to create a Firewall Rule for the IPsec
interface.
Step 3 – Creating a Firewall Rule on pfSense #1 HQ
Navigate to Firewall / Rules / IPsec. Click on Add. Enter the following values:
1. Change Protocol to Any
2. For Source select Network
3. Enter the Subnet of pfSense #2 Remote Location (192.168.2.0/24)
4. Enter a Description
5. Hit Save & Apply Changes
Creating a Firewall Rule
That’s it. We are done with pfSense #1 HQ, let’s head over to pfSense #2 Remote
Location to create our pfSense site-to-site VPN.
Step 4 – Creating IPSec Phase 1 on pfSense #2 Remote Location
Now we basically need to repeat those exact steps again just with slightly changed
values. I will guide you through every step anyway. Navigate to VPN / IPsec and click
on + Add P1. Enter values as in the following:
1. IP of your WAN Interface on your pfSense #1 HQ
2. Enter a Description
Configuring Phase 1
Scroll down to Phase 1 Proposal (Authentication). Enter the same Pre-Shared Key
that we created in Step 1 on pfSense #1 HQ.
Configuring Phase 1
Scroll to the bottom and hit Save & Apply Changes.
Step 5 – Creating IPSec Phase 2 on pfSense #2 Remote Location
Once again, click on +Show Phase 2 Entries and click on + Add P2.
Configuring Phase 2
Now enter values like in the following example:
1. On Local network choose Network
2. Enter the Subnet of your Local Network (192.168.2.0/24 for pfSense #2 Remote
Location)
3. On Remote Network choose Network
4. Enter the Subnet of your Remote Network (192.168.1.0/24 for pfSense #1 HQ)
Enter a description if you want.
Configuring Phase 2
Scroll down to Phase 2 Proposal (SA/Key Exchange) and enter the values like
below.
1. Change AES Encryption to 256 bits
2. Change PFS key group to 15 (3072 bit)
3. Enter the pfSense #1 HQ’s IP Address to be pinged automatically (this
ensures that the tunnel stays active at all times)
4. Hit Save & Apply Changes.
Configuring Phase 2
Step 6 – Creating a Firewall Rule on pfSense #2 Remote Location
Navigate to Firewall / Rules / IPsec. Click on Add. Enter the following values:
1. Change Protocol to Any
2. For Source select Network
3. Enter the Subnet of pfSense #1 HQ (192.168.1.0/24)
4. Enter a Description
5. Hit Save & Apply Changes
Creating a Firewall Rule
Now, in theory, a tunnel should be established between the two.
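The values entered in Steps 1 to 6 have to mirror each other on the two firewalls. The check below is an added example, not part of the original tutorial, that compares two constructed sets of settings before you test the tunnel. The dictionary keys, the WAN addresses and the key string are assumptions made for illustration, not pfSense configuration names.

```python
import ipaddress

# Constructed settings named after the tutorial's form fields. The WAN
# addresses and the key are placeholders, not values from the page.
HQ = {
    "name": "pfSense #1 HQ",
    "wan_ip": "198.51.100.1",
    "p1_remote_gateway": "203.0.113.1",
    "psk": "constructed-example-key-not-for-use",
    "p2_local": "192.168.1.0/24",
    "p2_remote": "192.168.2.0/24",
    "p2_proposal": ("AES", 256, "PFS group 15"),
    "fw_ipsec_source": "192.168.2.0/24",
}
REMOTE = {
    "name": "pfSense #2 Remote Location",
    "wan_ip": "203.0.113.1",
    "p1_remote_gateway": "198.51.100.1",
    "psk": "constructed-example-key-not-for-use",
    "p2_local": "192.168.2.0/24",
    "p2_remote": "192.168.1.0/24",
    "p2_proposal": ("AES", 256, "PFS group 15"),
    "fw_ipsec_source": "192.168.1.0/24",
}

def check_pair(a, b):
    """Return a list of settings that do not mirror each other."""
    net = ipaddress.ip_network
    problems = []
    for x, y in ((a, b), (b, a)):
        if x["p1_remote_gateway"] != y["wan_ip"]:
            problems.append(f"{x['name']}: Phase 1 Remote Gateway is not the peer's WAN IP")
        if net(x["p2_local"]) != net(y["p2_remote"]):
            problems.append(f"{x['name']}: Phase 2 local network is not the peer's remote network")
        if net(x["fw_ipsec_source"]) != net(x["p2_remote"]):
            problems.append(f"{x['name']}: IPsec firewall rule source is not the remote subnet")
    if a["psk"] != b["psk"]:
        problems.append("Pre-Shared Keys differ")
    if a["p2_proposal"] != b["p2_proposal"]:
        problems.append("Phase 2 proposals differ")
    if net(a["p2_local"]).overlaps(net(b["p2_local"])):
        problems.append("Local subnets of the two sites overlap")
    return problems

if __name__ == "__main__":
    for line in check_pair(HQ, REMOTE) or ["settings mirror each other"]:
        print(line)
```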
Step 7 – Testing the Tunnel
Back on pfSense #1 HQ head to Status / IPsec. You should see, if everything went
well, that a connection is established.
Validating the Tunnel
You will see a similar picture on pfSense #2 Remote Location. We can do two more
things to also validate if the firewall rules are correct: Running a Ping from a Client on
each Firewall’s Subnet.
First I will try to Ping pfSense #1 HQ from a Client connected to pfSense #2 Remote
Location.
Running a Ping from pfSense #2 to pfSense #1
And now I run a Ping from a client connected to pfSense #1 HQ to pfSense #2
Remote Location.
Ping from pfSense #1 to pfSense #2
Conclusion
And sure enough, you can see that a connection is established. And that’s it. That
should give you a good idea of how to create a Site to Site Tunnel with pfSense!
6 thoughts on “pfSense site to site VPN tunnel – The Complete
Guide”
Regis Chapman
October 24, 2022 at 10:06 pm
I want to know how to JOIN an IPsec Site to Site VPN with my PFsense, not
create one. Where do I go to read about that?
kd Patel
January 7, 2020 at 6:17 am
I tried as you mentioned above, but I am not able to connect with this method.
Alejandro Zavala Trejo
March 27, 2019 at 4:24 pm
Same situation too :c I only see the gateway but I can't see my PC on the other
site, can you resolve this?
Marcus
August 24, 2018 at 1:50 pm
Hi, great guide. Works nice, but I got a problem with routing: I can reach the
gateway on both sites but nothing else behind.
Robert Manzanilla
June 22, 2018 at 1:03 am
Hi! I used to do this with “tunnel gre” protocol, and it works so fine… I have 2
clients, with office (Miami-Caracas), but actually I don't know how to apply
QoS over tunnel gre…
damasta
June 1, 2018 at 5:57 am
You are awesome thank you for this guide ❤