Messages - d39FAPH7

#1
Thanks for your answer. While it's quite convenient to have this functionality by default, I think it would be smart to add another block rule that matches the local network range you use on the OPNsense box to avoid duplicate IPs, or do I overlook something here?
#2
Hi,
On a fresh 24.7.11_2 install I have the following setup:
ISP router with own address 192.168.1.1 and 192.168.1.0/24 range => WAN interface on OPNsense set to DHCP. LAN on OPNsense is 192.168.2.0/24.

The WAN interface on OPN gets for example 192.168.1.2 from the ISP router and the internet connection is working. The first strange thing is that this is working although "Block private networks" is checked. The second strange thing is that I can access the ISP router and its connected devices on 192.168.1.0/24 without setting up an outbound NAT rule manually. Is this intended?

I came across this because on another OPN I have a bridge modem that bridges a public IP to WAN when set to DHCP. BUT during boot of this modem, until it receives a public IP, this modem resides in the same network range (cannot change that) as my OPN, which leads to duplicate IP addresses and a network that is completely unresponsive/down until the public IP is received and bridged.

Thanks
#3
Here is the guide. I have used it for some weeks now and it's working great on iOS and macOS. I will add information on what to do on macOS/iOS to get this working, but it is pretty straightforward: import and trust the CA plus the PKCS12 file, set up the VPN in the GUI, that's it. You need to export the PKCS12 with a password. When exporting with a blank password, macOS will not import it.


Quote
CHANGES
   - V1.0 Initial

PREPARATION/INFO
   - This guide assumes that you have a working DNS config (i.e. your OPNsense is reachable via DNS). I use freedns.afraid.org for this.
   - This is a guide with only little explanation. However, if you have ever followed one of the VPN recipes from the OPNsense wiki with success, it will be easy for you to follow this guide.
   - In this guide the local net is 192.168.16.0/21. The tunnel net is 192.168.24.0/27. Adjust to your needs.
   - I use aes256-sha256-ecp256 because this is what recent iOS (18.1+) accepts.

REQUIREMENTS
   - Tested with iOS 18.1+
   - Tested with macOS 15.1+. Older macOS versions do not accept the PKCS12 file and will fail with "wrong password?". It will probably work if you export with "openssl pkcs12 -export -legacy" but I have not tested it.

BUGS/QUESTIONS I HAVE
   - Distinct pools (Method 2) do not work for some reason.
   - Not sure about when to use "Round: 0" or "Round: 1". Both work.
   - If I set "Start action" to "Trap", which is recommended in the OPNsense wiki, I get an error message in the logs: "11[CFG] installing trap failed, remote address unknown". It works anyway, but if I set it to None it also works and without the error in the log.
   - What's with "IKE Extensions - Enable IPsec Mobile Client Support" under VPN / IPsec / Mobile Clients? Does this relate to "Tunnel Settings [legacy]" only? It has the "Phase 2 PFS Group" option which is interesting.

CREATE IPSEC IKEV2 VPN
   CREATE CA'S AND SERVER CERTIFICATES FOR IPSEC IKEV2 VPN
      System
         Trust
            Authorities
            "+Add"
               Method: Create an internal Certificate Authority
               Description: myopnsense.a-domain-name.com
               Key
                  Key Type: RSA-2048 (default)
                  Digest Algorithm: SHA256 (default)
                  Issuer: self-signed (default)
                  Lifetime (days): 3650
               General
                  Country Code: YourCountry
                  State or Province: myopnsense
                  City: myopnsense
                  Organization: myopnsense
                  Organizational Unit: myopnsense
                  Email Address: myopnsense
                  Common Name: myopnsense.a-domain-name.com
               => Save

            Certificates
            +Add
               Method: Create an internal certificate
               Description: ipsec_e2s:myopnsense.a-domain-name.com
               Key
                  Type: Server certificate
                  Private key location: Save on this firewall (default)
                  Key Type: RSA-2048 (default)
                  Digest Algorithm: SHA256 (default)
                  Issuer: myopnsense.a-domain-name.com (default)
                  Lifetime (days): 3650
               General
                  Country Code: YourCountry
                  State or Province: myopnsense (default)
                  City: myopnsense (default)
                  Organization: myopnsense (default)
                  Organizational Unit: myopnsense
                  Email Address: myopnsense (default)
                  Common Name: myopnsense.a-domain-name.com
                  Alternative Names:
                     DNS domain names:
                        Value: myopnsense.a-domain-name.com
               => Save

   CREATE CLIENT CERTIFICATES IPSEC IKEV2 EAP-TLS VPN
            Certificates
            +Add
               Method: Create an internal certificate
               Description: john-macbook.myopnsense
               Key
                  Type: Client certificate
                  Private key location: Save on this firewall (default)
                  Key Type: RSA-2048 (default)
                  Digest Algorithm: SHA256 (default)
                  Issuer: myopnsense.a-domain-name.com
                  Lifetime (days): 3650
               General
                  Country Code: YourCountry
                  State or Province: myopnsense (default)
                  City: myopnsense (default)
                  Organization: myopnsense (default)
                  Organizational Unit: myopnsense
                  Email Address: myopnsense (default)
                  Common Name: john-macbook.myopnsense //max. 64 chars. @-sign is not working here. Dots are ok.
                  Alternative Names:
                     DNS domain names:
                        Value: john-macbook.myopnsense
               => Save

   CREATE IP POOLS FOR IPSEC IKEV2 VPN
      CREATE POOLS METHOD 1 //Shared IP pool for all roadwarriors. Don't create both methods (1 and 2) on your OPNsense at the same time, it's a potential security risk. Only create one connection where you use EAP id: %any (Method 1). If you create multiples of these connections, any roadwarrior can connect to any of them.

         VPN
            IPsec
               Connections
                  +Add
                     enabled: checked
                     Name: e2s_eaptlssplittun_sharedpool //as of 20241005 special characters like ":" in this field are accepted but clients cannot connect for some reason.
                     Network: 192.168.24.0/27
                     DNS: 192.168.16.1

   CREATE POOLS METHOD 2 EXAMPLE //Distinct IP address(es) per roadwarrior. For some reason this does not work as of 2024-11-21 with EAP-TLS. It results in only one usable connection. Skip that for now. Probably works if you create an own CA for every connection/user, which is a pain.
   VPN
      IPsec
         Connections
            +Add
               enabled: checked
               Name: john-macbook_eaptlssplittun_distinctpool //as of 20241005 special characters like ":" in this field are accepted but clients cannot connect for some reason.
               Network: 192.168.24.97/32
               DNS: 192.168.16.1

CREATE IKEV2/EAP-TLS VPN FOR MOBILE CLIENTS (VIA CONNECTIONS/NEW METHOD)
   VPN
      IPsec
         Connections (Method 1/Sharedpool)
            Connections
            Enable IPsec: checked //This enables the whole strongSwan daemon. The checkbox is rather hidden in the lower corner.
            +Add
            => advanced mode
               Proposals: aes256-sha256-ecp256 [DH19, NIST EC] //CAUTION: uncheck "Default"
               Unique: Replace
               Aggressive: unchecked
               Version: IKEv2
               MOBIKE: checked
               Local addresses: (leave empty) (default)
               Remote addresses: (leave empty) (default)
               UDP encapsulation: checked
               Rekey time (s): 2400
               DPD delay (s): 30
               Pools: e2s_eaptlssplittun_sharedpool
               Send cert req: checked (default)
               Send certificate: Always: selected
               Keyingtries: 0
               Description: myopnsense:e2s:splittun:eaptls:p1
               =>Save (it will reveal new options)

            Local Authentication
            +Add
               enabled: checked
               Connection: myopnsense:e2s:splittun:eaptls:p1
               Round: 0
               Authentication: Public Key: selected
               Id: myopnsense.a-domain-name.com //It's crucial to set this to FQDN
               Certificates: ipsec_e2s:myopnsense.a-domain-name.com
               Public Keys: Nothing selected (default)
               Description: localauth:myopnsense.a-domain-name.com

            Remote Authentication
            +Add
               enabled: checked
               Connection: myopnsense:e2s:splittun:eaptls:p1
               Round: 1
               Authentication: EAP TLS: selected
               Id: (empty) (default) //It's crucial to leave this empty
               EAP Id: %any
               Certificates: Nothing selected (default): selected
               Description: remoteauth:myopnsense:eaptls

            Children
            +Add
            => advanced mode
               enabled: checked
               Connection: myopnsense:e2s:splittun:eaptls:p1
               Mode: Tunnel (default): selected
               Start action: None: selected
               ESP proposals: aes256-sha256-ecp256 [DH19, NIST EC] //CAUTION: uncheck "Default"
               Local:    192.168.16.0/21
               Remote: (leave empty)
               Rekey time (s): 600
               Description: child:myopnsense:splittun:p2
            => Save => Apply

      Firewall
         Rules
            IPsec
            "+Add"
               Interface: IPsec: selected
               Direction: in: selected
               TCP/IP Version: IPv4: selected
               Protocol: any: selected
               Source: any: selected
               Destination: LAN net: selected
            => Save => Apply changes

            WAN
            "+Add"
               Interface: WAN: selected
               Direction: in: selected
               TCP/IP Version: IPv4: selected
               Protocol: UDP: selected
               Source: any: selected
               Destination: WAN address: selected
               Destination port range: From: ISAKMP To: ISAKMP //=500
            => Save

            "+Add"
               Interface: WAN: selected
               Direction: in: selected
               TCP/IP Version: IPv4: selected
               Protocol: UDP: selected
               Source: any: selected
               Destination: WAN address: selected
               Destination port range: From: IPsec NAT-T To: IPsec NAT-T //=4500
            => Save => Apply changes
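The certificate part of the guide above (internal CA, server certificate with a DNS SAN, client certificate, PKCS12 export with a password) can be reproduced outside the GUI with openssl, which makes it easy to inspect what actually lands on the Apple device. The script below is an added example and is not code from the post or from OPNsense: the names mirror the guide, the extension choices (serverAuth plus the IKE intermediate EKU on the server certificate, clientAuth on the client certificate) are assumptions, and the legacy PKCS#12 export only implements the post's untested "openssl pkcs12 -export -legacy" suggestion.

```shell
#!/bin/sh
# Added example, not part of the forum post and not OPNsense code. Builds with
# openssl the objects the guide creates in the GUI and exports the client
# identity as a PKCS#12 with a non-empty password (macOS refuses a blank one).
# Names, lifetimes and EKU choices are assumptions; adjust to your own values.
set -e

CA_CN="myopnsense.a-domain-name.com"   # also the IKE identity / server SAN
CLIENT_CN="john-macbook.myopnsense"    # max. 64 chars, no @ sign (see guide)
DAYS=3650

# make_pki DIR PASSWORD: writes ca.{key,crt}, server.{key,crt}, client.{key,crt,p12}
make_pki() {
  dir=$1; pass=$2
  [ -n "$pass" ] || { echo "PKCS#12 export password must not be empty" >&2; return 1; }
  mkdir -p "$dir"
  # Self-contained config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$dir/openssl.cnf"
  # Server leaf: serverAuth plus the IKE intermediate EKU (1.3.6.1.5.5.8.2.2,
  # assumption); the SAN must equal the FQDN clients connect to and the local Id.
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2' "subjectAltName=DNS:$CA_CN" > "$dir/server.ext"
  # Client leaf for EAP-TLS: clientAuth, SAN mirrors the CN as in the guide.
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
    'extendedKeyUsage=clientAuth' "subjectAltName=DNS:$CLIENT_CN" > "$dir/client.ext"

  openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -subj "/C=DE/ST=myopnsense/L=myopnsense/O=myopnsense/OU=myopnsense/CN=$CA_CN" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for n in server client; do
    if [ "$n" = server ]; then cn=$CA_CN; else cn=$CLIENT_CN; fi
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
      -subj "/C=DE/O=myopnsense/CN=$cn" -keyout "$dir/$n.key" -out "$dir/$n.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$n.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -days "$DAYS" -sha256 -extfile "$dir/$n.ext" -out "$dir/$n.crt" 2>/dev/null
  done
  # Bundle key + client cert + CA for import. The password is mandatory.
  openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" -certfile "$dir/ca.crt" \
    -name "$CLIENT_CN" -passout "pass:$pass" -out "$dir/client.p12"
}

# export_legacy_p12 DIR PASSWORD: the pre-OpenSSL-3 PKCS#12 encoding (SHA-1 MAC,
# RC2/3DES) the post suggests for older macOS. Untested there; optional here.
export_legacy_p12() {
  dir=$1; pass=$2
  openssl version | grep -q '^OpenSSL 3' || { echo "legacy export needs OpenSSL 3"; return 0; }
  openssl pkcs12 -export -legacy -in "$dir/client.crt" -inkey "$dir/client.key" -certfile "$dir/ca.crt" \
    -name "$CLIENT_CN" -passout "pass:$pass" -out "$dir/client-legacy.p12" 2>/dev/null ||
    echo "legacy provider not available; skipping"
}

# verify_pki DIR PASSWORD: chain, SAN and password checks; returns 0 when all pass.
verify_pki() {
  dir=$1; pass=$2
  for n in server client; do
    openssl verify -CAfile "$dir/ca.crt" "$dir/$n.crt" >/dev/null 2>&1 ||
      { echo "$n.crt is not issued by ca.crt"; return 1; }
  done
  openssl x509 -in "$dir/server.crt" -noout -ext subjectAltName | grep -q "DNS:$CA_CN" ||
    { echo "server SAN does not contain $CA_CN"; return 1; }
  openssl pkcs12 -in "$dir/client.p12" -passin "pass:$pass" -noout 2>/dev/null ||
    { echo "client.p12 does not open with the export password"; return 1; }
  # Negative check: a blank password must not open the bundle.
  if openssl pkcs12 -in "$dir/client.p12" -passin pass: -noout 2>/dev/null; then
    echo "client.p12 opens with a blank password"; return 1
  fi
  echo "pki ok: $(openssl x509 -in "$dir/client.crt" -noout -subject)"
}
```

Run it as `make_pki ./pki 'your-export-password' && verify_pki ./pki 'your-export-password'`, then import `ca.crt` and `client.p12` on the device. Including the CA in the .p12 via `-certfile` does not replace installing and trusting the CA separately on the device, which is exactly what post #5 below found.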

#4
Just for the record:
To fix the iOS 18.1 problem you need to set "Send certificate" under the p1 settings to "Always", as described here:
https://github.com/opnsense/docs/issues/639
The other method is to use Apple Configurator, which I had already found out earlier in this post but is also mentioned here: https://docs.strongswan.org/docs/5.9/interop/ios.html#_ikev2_on_ios_9_and_macos_10_11
#5
//edit:

I got it working. :)

One part of the problem was that I still had to install and trust the CA separately. I thought that this was kind of bundled with the PKCS#12 file.

I will modify my post soon, once I have tested everything extensively. Thanks for pointing me towards reading the Apple logs in more detail.
#6
Thanks for your answer, but actually not, because I use this on iOS as well and I don't want to use apps because they cannot be integrated into the system as well as the native stuff and become unmaintained from time to time.
#7
Hi, I am trying to get IPsec VPN with certificates working with the new "Connections" method. However I have had no success. I tried to make sense of the following guides:

//Original question deleted as I fixed it myself. I posted a HowTo in this thread. Just scroll down.
#8
Thanks for your answer. I'm on macOS / iOS and a big fan of the built-in system clients as they don't give me a headache on OS updates most of the time, but they actually lack this functionality.
Is it possible to configure a completely new (secondary) tunnel on the OPNsense side with a different DNS name, including a new certificate, to distinguish by that?
Thanks
#9
Hi,
I'm using https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html with "shared pool" to connect into my home OPNsense with a split tunnel setting. Works well. Now I would like to have a full tunnel mode alongside it for when I'm in public unencrypted WiFis. How can I achieve this in a smart way? The decisive setting is in the "Child" config, so it's probably not possible to filter this by login username.
Thanks
#10
Yes, you're right. When setting it to pre-shared key no login is possible. What made me curious was that with "Public Key" selected the list of selected "Public Keys" is completely empty.

I think there are two aspects here.
1: This is probably an iOS problem where it won't work via the GUI but with the same details entered in Apple Configurator it will work. This started with iOS 18.1; on 18.01 it worked the on-device GUI (or wizard) way. This is why I believe that this is an Apple related problem or change.

2: It doesn't make a difference whether I install a self-signed certificate or not. That applies to both iOS and macOS. I can log in with both methods and I diffed the logs. There's absolutely no difference. I know that with older pfSense or OPNsense configurations using the older legacy method guide it was impossible to log in if you didn't trust the CA certificate on iOS or macOS. I don't know if that is a possible security issue.
#11
I configured the VPN using Apple Configurator and boom, it works (using the same details as in the GUI, but anyway). While playing around I created a profile which did *not* include the CA certificate. It is also not installed on the iOS device from previous configurations. This made me think, and I tried to configure a VPN connection on a macOS Sequoia 15.1 Mac that has never seen the self-signed CA certificate, and I can log in perfectly. Now, is that intended behaviour?
I know for sure that on previous OPNsense installations using the legacy method https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html I could never log in before manually trusting the self-signed certificate in the macOS keychain.

//Update: Is it possible that this is wrong in the documentation https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html where it says:

Local Authentication
Authentication: "Public Key"

Doesn't this have to be "Pre-Shared Key" instead of "Public Key" ?
#12
True. I overlooked that. This can be fixed by setting proposals to aes256/sha256/ecp256 [DH19, NIST EC]. I can confirm that with ecp256 instead of modp2048 macOS Sequoia 15.1 is still perfectly able to connect, so ecp256 seems to be the new way to go on newer Apple devices/OSes.
However, on iOS it will still not proceed after "sending packet: from IP[4500] to IP[21501] (400 bytes)".
#13
Hi,
I am strictly following this guide using "Method 1 - Shared IP pool for all roadwarriors":

https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html

While this worked on iOS 18.01 on iPhones and iPads it stopped working on 18.1 somehow. As usual for iOS devices there is no error message at all.

log looks like this:
Quote
06[NET] <5c5afb18-9f41-4e90-8a2b-2a7534266587|18> sending packet: from IP[4500] to IP[21501] (400 bytes)
06[ENC] <5c5afb18-9f41-4e90-8a2b-2a7534266587|18> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
06[IKE] <5c5afb18-9f41-4e90-8a2b-2a7534266587|18> authentication of 'location.MYHOST.com' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
06[IKE] <5c5afb18-9f41-4e90-8a2b-2a7534266587|18> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
06[IKE] <5c5afb18-9f41-4e90-8a2b-2a7534266587|18> peer supports MOBIKE
06[IKE] <5c5afb18-9f41-4e90-8a2b-2a7534266587|18> initiating EAP_IDENTITY method (id 0x00)
06[CFG] <5c5afb18-9f41-4e90-8a2b-2a7534266587|18> selected peer config '5c5afb18-9f41-4e90-8a2b-2a7534266587'
06[CFG] <18> looking for peer configs matching IP[location.MYHOST.com]...IP[IP]
06[ENC] <18> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
06[ENC] <18> unknown attribute type INTERNAL_DNS_DOMAIN
06[NET] <18> received packet: from IP[21501] to IP[4500] (400 bytes)
06[NET] <18> sending packet: from IP[500] to IP[500] (497 bytes)
06[ENC] <18> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
06[IKE] <18> sending cert request for "C=DE, ST=MYHOST-opnsense, L=MYHOST-opnsense, O=MYHOST-opnsense, OU=MYHOST-opnsense, E=MYHOST-opnsense, CN=location.MYHOST.com"
06[IKE] <18> remote host is behind NAT
06[CFG] <18> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
06[IKE] <18> IP is initiating an IKE_SA
06[ENC] <18> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
06[NET] <18> received packet: from IP[500] to IP[500] (562 bytes)
06[NET] <17> sending packet: from IP[500] to IP[500] (38 bytes)
06[ENC] <17> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
06[IKE] <17> DH group ECP_256 unacceptable, requesting MODP_2048
06[IKE] <17> remote host is behind NAT
06[CFG] <17> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
06[IKE] <17> IP is initiating an IKE_SA
06[ENC] <17> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
06[NET] <17> received packet: from IP[500] to IP[500] (370 bytes)

Actually the log looks OK to me, because on a working iOS 18.01 device it looks exactly the same up to the point "sending packet: from IP[4500] to IP[21501] (400 bytes)" and then continues with "received packet: from IP[41260] to IP[4500] (112 bytes)".
It simply does not go on for some reason. This is likely not an OPNsense problem but an Apple bug, or Apple has changed something that is incompatible since 18.1, like self-signed certificates that are valid too long or something that I am not aware of.

does anybody know a workaround?

thanks

//Update: When connecting the iOS device to Apple Configurator Utility there's a possibility to log things. the relevant error messages seem to be:

Quote
NEIKEv2Provider(NetworkExtension)[1483] <Error>: [IKE_SA_INIT R resp0 FA8B49559B813784-0000000000000000] Initiator init received notify error Error Domain=NEIKEv2ProtocolErrorDomain Code=17 "InvalidKEPayload" UserInfo={NSDebugDescription=InvalidKEPayload}

NEIKEv2Provider(NetworkExtension)[1483] <Error>: [IKE_AUTH R resp1 FA8B49559B813784-B1C5080634BCCCFD] No certificate payload received

NEIKEv2Provider(NetworkExtension)[1483] <Notice>: IKEv2IKESA[1.1, FA8B49559B813784-B1C5080634BCCCFD] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: No certificate payload received" UserInfo={NSLocalizedDescription=Authentication: No certificate payload received}
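The strongSwan log above is shown newest-first and mixes two IKE_SAs (17 and 18), which makes it hard to see at a glance where the exchange stops. The script below is an added example, not code from the thread or from OPNsense: it reverses the log, groups lines by IKE_SA number and reports, per SA, the negotiated proposal, whether the responder answered with INVALID_KE_PAYLOAD (the normal DH-group retry that explains SA 17), whether the client's IKE_SA_INIT carried a CERTREQ, and what the IKE_AUTH response contained. For SA 18 that response is `[ IDr AUTH EAP/REQ/ID ]` without a CERT payload, which is the server-side counterpart of the Apple log's "No certificate payload received" and matches the "Send certificate: Always" fix in post #4 above (strongSwan's default send_cert = ifasked only sends the certificate when the client asked for it with CERTREQ, and the parsed IKE_SA_INIT requests above show none). The sample lines are copied from the post, with addresses already replaced by "IP" there; the analysis rules are mine.

```shell
#!/bin/sh
# Added example, not from the thread: triage of a strongSwan (charon) log as
# pasted from the OPNsense GUI (newest line first). Rules are my own.

# Sample input: a subset of the posted log, newest first as shown in the GUI.
sample_log() {
  cat <<'EOF'
06[NET] <5c5afb18-9f41-4e90-8a2b-2a7534266587|18> sending packet: from IP[4500] to IP[21501] (400 bytes)
06[ENC] <5c5afb18-9f41-4e90-8a2b-2a7534266587|18> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
06[IKE] <5c5afb18-9f41-4e90-8a2b-2a7534266587|18> initiating EAP_IDENTITY method (id 0x00)
06[ENC] <18> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
06[ENC] <18> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
06[CFG] <18> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
06[ENC] <18> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
06[ENC] <17> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
06[IKE] <17> DH group ECP_256 unacceptable, requesting MODP_2048
06[CFG] <17> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
06[ENC] <17> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
EOF
}

# ike_triage [FILE]: one line per IKE_SA number (stdin when no FILE is given).
# Reports the negotiated IKE proposal, whether INVALID_KE_PAYLOAD was sent (a
# DH-group retry, harmless by itself), whether the client's IKE_SA_INIT carried
# CERTREQ, and the payloads of the IKE_AUTH response. No CERT payload there is
# the responder's view of Apple's "No certificate payload received".
ike_triage() {
  # reverse line order portably (tac is GNU-only), then aggregate per SA id
  awk '{ l[NR]=$0 } END { for (i=NR; i>0; i--) print l[i] }' "${1:--}" |
  awk '
    match($0, /<[0-9a-f-]*[|]?[0-9]+> /) {
      id = substr($0, RSTART + 1, RLENGTH - 3); sub(/.*[|]/, "", id); seen[id] = 1
      if (/selected proposal: IKE:/) { p = $0; sub(/.*IKE:/, "", p); prop[id] = p }
      if (/INVAL_KE/) invalke[id] = 1
      if (/parsed IKE_SA_INIT request/) certreq[id] = (/CERTREQ/) ? 1 : 0
      if (/generating IKE_AUTH response/) { r = $0; sub(/.*[[] /, "", r); sub(/ []].*/, "", r); auth[id] = r }
    }
    END {
      for (id in seen) {
        if (!(id in auth)) v = "no IKE_AUTH response"
        else if (auth[id] ~ /(^| )CERT( |$)/) v = "server certificate sent"
        else v = "NO CERT payload in IKE_AUTH response"
        printf "SA %s: proposal=%s invalid_ke=%d client_certreq=%d ike_auth=[%s] -> %s\n", id, prop[id], (id in invalke), certreq[id] + 0, auth[id], v
      }
    }'
}

sample_log | ike_triage
```

On a live box, paste the GUI log into a file and run `ike_triage charon.log`; an SA that reaches `ike_auth=[...]` without CERT while `client_certreq=0` points at the "Send certificate" setting rather than at proposals or firewall rules.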
#14
OK, you are a genius. One site is DSL (1492) and one Cable (1500). I've changed MTU in OpenVPN settings and boom it works.
This should be mentioned in guides as it will save you from a headache.

I did set MTU in my older pfSense configs but there it was under "Advanced configuration" which now in OPNsense "will be removed in the future due to being insecure by nature". This was the reason i cancelled that setting. Good that this is now a regular option in OPNsense.
#15
Hello,
I am migrating all my routers from pfSense to OPNsense. So far I am quite happy with it, but OpenVPN S2S with certificates does not work. It is a setup I've been using for many years and basically follows this guide:

https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
I also read this guide:
https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html
and also tried the new "Instances" feature following this guide:
https://docs.opnsense.org/manual/how-tos/sslvpn_instance_s2s.html

Essentially these guides follow the same logic. "Instances" has a bit less options.

I have two sites. One server and one client. OPNsense version is OPNsense 23.7.6-amd64 on both sites. Connection can be established. Everything looks good. Routes seem correct to me. I can ping machines from client site located at server site but cannot reach webinterfaces in browser or anything else located at server site.

I call the server site "headquarter" and the client site "warehouse" in this example.
headquarter local net is 10.0.16.0/21 and warehouse local net is 10.0.48.0/21

This is the config:

Server site certs setup
Quote
System
   Trust
      Certificates
      "+Add"
         Method: Create an internal certificate
         Descriptive name: openvpn_s2s_routesubnet:headquarter-opnsense.allmysites.de
         Internal Certificate
            Certificate authority: headquarter-opnsense.allmysites.de
            Certificate Type: Server certificate
            Key type: RSA
            Key length: 2048 (default)
            Digest Algorithm: sha256 (default)
            Lifetime (days): 3650
            Private key location: Save on this firewall (default)
         Distinguished name
            Country Code: DE
            State or Province: headquarter-opnsense
            City: headquarter-opnsense
            Organization: headquarter-opnsense
            Email Address: headquarter-opnsense
            Common Name: headquarter-opnsense.allmysites.de
            Alternative Names:
               Type: DNS
               Value: headquarter-opnsense.allmysites.de
      => Save

      Certificates
      +Add/Sign
         Method: Create an internal certificate
         Descriptive name: openvpn_s2s_routesubnet:headquarter-opnsense.allmysites.de:warehouse.allmysites.de
         Internal Certificate
            Certificate authority: headquarter-opnsense.allmysites.de
            Certificate Type: Client certificate
            Key type: RSA
            Key length: 2048 (default)
            Digest Algorithm: sha256 (default)
            Lifetime (days): 3650
            Private key location: Save on this firewall (default)
         Distinguished name
            Country Code: DE
            State or Province: headquarter-opnsense
            City: headquarter-opnsense
            Organization: headquarter-opnsense
            Email Address: headquarter-opnsense
            Common Name: warehouse.allmysites.de
            Alternative Names:
               Type: DNS
               Value: warehouse.allmysites.de
      => Save

OpenVPN Server config
Quote
VPN
   OpenVPN
      Servers
      "+Add"
         General Information
            Disabled: unchecked
            Description: headquarter-opnsense.mysites.de (OpenVPN, Site-to-Site, Route only Subnet)
            Server mode: Peer to Peer (SSL/TLS): selected (default)
            Protocol: UDP4: selected (default)
            Device mode: tun:selected (default)
            Interface: any: selected (default)
            Local port: 12345
         Cryptographic Settings
            TLS Authentication: Enabled - Authentication only: selected (default)
            Automatically generate a TLS Key: checked (default)
            Peer Certificate Authority: headquarter-opnsense.mysites.de
            Peer Certificate Revocation List: None: selected (default)
            Server certificate: openvpn_s2s_routesubnet:headquarter-opnsense.mysites.de: selected
            Encryption algorithm (deprecated): AES-256-CBC (256 bit key, 128-bit block): selected
            Auth Digest Algorithm: SHA256 (256-bit): selected
            Certificate Depth: One (Client+Server) (default)
         Tunnel Settings
            IPv4 Tunnel Network: 10.0.25.0/24
            IPv6 Tunnel Network: empty (default)
            Redirect Gateway: unchecked (default)
            IPv4 Local network: 10.0.16.0/21
            IPv6 Local network:
            IPv4 Remote network: 10.0.48.0/21
            IPv6 Remote network: empty (default)
            Concurrent connections - empty (default)
            Compression: Legacy - Disabled LZO algorithm (--comp lzo no): selected
            Type-of-Service: unchecked (default)
            Duplicate Connections: unchecked (default)
         Client Settings
            Dynamic IP: unchecked (default)
            Topology: unchecked (default)
            Client Management Port: unchecked (default)
         Advanced Configuration
            Verbosity level: 3 (recommended): selected
            Force CSO Login Matching: unchecked (default)

      Client Specific Overrides
      "+Add"
         General Information
            Disabled: unchecked (default)
            Servers: Description: headquarter-opnsense.mysites.de (OpenVPN, Site-to-Site, Route only Subnet) (12345 / UDP4)
            Description: empty (default)
            Common name: warehouse-opnsense.mysites.de
            Connection blocking: unchecked (default)
         Tunnel Settings
            IPv4 Tunnel Network: empty (default)
            IPv6 Tunnel Network: empty (default)
            IPv4 Local Network: 10.0.16.0/21
            IPv4 Remote Network: 10.0.48.0/21
            Redirect Gateway: Nothing selected (default): selected
            => Save

Firewall
   Rules
      WAN
      "+Add"
         Interface: WAN: selected
         Direction: in: selected
         TCP/IP Version: IPv4: selected
         Protocol: UDP: selected
         Source: any: selected
         Destination: WAN address: selected
         Destination port range
            From: other: Selected
               Custom: 12345
            To: other: Selected
               Custom: 12345
         Description: OpenVPN
      => Save => Apply changes

      OpenVPN
      "+Add"
         Interface: OpenVPN: selected
         Direction: in: selected
         TCP/IP Version: IPv4: selected
         Protocol: any: selected
         Source: any: selected
         Destination: any: selected
         Description: OpenVPN
      => Save => Apply changes


Client site certs setup
Quote
System
   Trust
      Authorities
      "+Add"
         Descriptive name: headquarter-opnsense.mysites.de
         Method: Import an existing Certificate Authority
         Existing Certificate Authority
            Certificate data: Paste a certificate in X.509 PEM format here. (Export the data from headquarter-opnsense and open it in a text editor for copy-paste)
            Certificate Private Key (optional): empty (default)
            Serial for next certificate: empty (default)
      => Save

      Certificates
      +Add
         Method: Import an existing Certificate
         Descriptive name: openvpn_s2s_routesubnet:headquarter-opnsense.mysites.de:warehouse-opnsense.mysites.de
         Import Certificate
            Certificate data: Paste a certificate in X.509 PEM format here. (Export the data from headquarter-opnsense and open it in a text editor for copy-paste)
            Private key data: Paste a certificate in X.509 PEM format here. (Export the data from headquarter-opnsense and open it in a text editor for copy-paste)
      => Save

OpenVPN Client config
Quote
VPN
   OpenVPN
      Clients
      +Add
         General information
            Disabled: unchecked
            Description: headquarter-opnsense.mysites.de (OpenVPN, Site-to-Site, Route only Subnet)
            Server mode: Peer to Peer (SSL/TLS): selected (default)
            Protocol: UDP4: selected (default)
            Device mode: tun: selected (default)
            Interface: any: selected (default)
            Remote server
               Server host or address: headquarter-opnsense.mysites.de
               Port: 12345
               Select remote server at random: unchecked (default)
            Retry DNS resolution - Infinitely resolve server: checked
            Proxy host or address: empty (default)
            Proxy port: empty (default)
            Proxy authentication extra options: none: selected (default)
            Local port: 0

         User Authentication Settings
            Username: empty (default)
            Password: empty (default)
            Renegotiate time: empty (default)
         Cryptographic Settings
            TLS authentication: Enabled - Authentication only: selected (default)
            Automatically generate a shared TLS authentication key: unchecked
               Key: Paste the shared key here (copy-paste from the headquarter-opnsense OpenVPN Server config page)
            Peer Certificate Authority: headquarter-opnsense.mysites.de: selected
            Client certificate: openvpn_s2s_routesubnet:headquarter-opnsense.mysites.de:warehouse-opnsense.mysites.de (CA: headquarter-opnsense.mysites.de): selected
            Encryption Algorithm: AES-256-CBC (256bit, 128bit block): selected
            Auth digest algorithm: SHA256 (256bit): selected
         Tunnel Settings
            IPv4 Tunnel Network: 10.0.25.0/24
            IPv6 Tunnel Network: empty (default)
            IPv4 Remote network(s): 10.0.16.0/21
            IPv6 Remote network(s): empty (default)
            Limit outgoing bandwidth: empty (default)
            Compression: Compression: Legacy - Disabled LZO algorithm (--comp lzo no): selected
            Type-of-Service: unchecked (default)
            Don't pull routes: unchecked (default)
            Don't add/remove routes: unchecked (default)
         Advanced Configuration
            Advanced: empty
            Verbosity level: 3 (recommended): selected
      => Save

Firewall
   Rules
      OpenVPN
      "+Add"
         Interface: OpenVPN: selected
         Direction: in: selected
         TCP/IP Version: IPv4: selected
         Protocol: any: selected
         Source: any: selected
         Destination: any: selected
         Description: OpenVPN
      => Save => Apply changes
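Before blaming routes or firewall rules in a site-to-site setup like the one above, it is worth checking that the exported PEM files fit the configuration: both certificates chain to the peer CA, the server certificate carries serverAuth and the client certificate clientAuth, and the client certificate's CN equals the Common name of the Client Specific Override exactly, because OpenVPN selects the override by CN and without a match the override (and with it the iroute for the remote network) is never applied. As posted, the client certificate is created with CN `warehouse.allmysites.de` while the override names `warehouse-opnsense.mysites.de`; whether that is anonymisation or real, it is the kind of drift this check catches (post #14 above shows the actual cause in this case was MTU, but ruling out the certificate side first is cheap). The script is an added example, not OPNsense or OpenVPN code; file paths and the expected CSO name are its arguments.

```shell
#!/bin/sh
# Added example, not from the forum post: pre-flight check for an OpenVPN
# site-to-site TLS setup, run against the exported PEM files. Nothing here is
# an OPNsense or OpenVPN API; paths and the expected CSO name are arguments.

# Print the subject CN of a PEM certificate (RFC 2253 order lists CN first).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Succeed if the certificate's extendedKeyUsage contains the given text,
# e.g. "TLS Web Server Authentication" or "TLS Web Client Authentication".
cert_has_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$2"
}

# check_s2s_certs CA SERVER_CERT CLIENT_CERT CSO_COMMON_NAME
# Returns 0 when all checks pass; otherwise prints the first problem, returns 1.
check_s2s_certs() {
  ca=$1; srv=$2; cli=$3; cso=$4
  openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1 ||
    { echo "FAIL: server certificate is not issued by the peer CA"; return 1; }
  openssl verify -CAfile "$ca" "$cli" >/dev/null 2>&1 ||
    { echo "FAIL: client certificate is not issued by the peer CA"; return 1; }
  cert_has_eku "$srv" "TLS Web Server Authentication" ||
    { echo "FAIL: server certificate lacks serverAuth (a client enforcing remote-cert-tls server rejects it)"; return 1; }
  cert_has_eku "$cli" "TLS Web Client Authentication" ||
    { echo "FAIL: client certificate lacks clientAuth"; return 1; }
  cn=$(cert_cn "$cli")
  [ "$cn" = "$cso" ] ||
    { echo "FAIL: client CN '$cn' != CSO common name '$cso'; the override and its iroute never apply"; return 1; }
  echo "OK: client '$cn' matches the CSO; chain and EKUs are consistent"
}

# Usage: check_s2s_certs ca.crt server.crt warehouse.crt warehouse-opnsense.mysites.de
```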