How to Build a Site-to-Site VPN Between Beijing and Shanghai Using OPNsense OpenVPN

Introduction

OPNsense is a powerful open-source firewall and routing platform. This article explains how to use its built-in OpenVPN module to create a cross-region site-to-site network, allowing LANs in different locations to communicate through a tunnel.

Network Architecture

The company’s data centers are located in Beijing and Shanghai. An OPNsense OpenVPN tunnel will interconnect the two LANs, enabling IP communication between them.

<code>Tunnel address 10.0.10.0/24
Beijing DC
LAN: 172.18.30.0/24
WAN: ***.**.*.**/24
Shanghai DC
LAN: 192.168.99.0/24
WAN: ***.**.*.**/24</code>

OpenVPN Server

<code>描述：site-to-site network server
服务器模式：点对点（共享密钥）
协议：UDP
设备模式：tun
接口：WAN
本地端口：1199
加密设置：共享密钥：服务器自动产生，该密钥也将用于客户端
加密算法：AES-128-CBC
认证摘要算法：SHA1（160-bit）
硬件加密：无
隧道设置：IPv4隧道网络：10.0.10.0/24
IPv4本地网络：172.18.30.0/24
IPv4远程网络：192.168.99.0/24
压缩：启用自适应压缩
禁用IPv6：是
客户端设置：动态IP：是
地址池：是</code>

OPNsense Firewall Configuration

WAN port allow UDP 1199

OpenVPN port allow any‑to‑any

Note: Production environments require strict access rules

Edge Firewall Port Mapping

<code>nat server 1 protocol udp global current-interface 1199 inside 172.41.129.249 1199</code>

OpenVPN Client

<code>描述：site-to-site network client
服务器模式：点对点（共享密钥）
协议：UDP
设备模式：tun
接口：WAN
远程服务器 主机或IP 端口 ***.**.*.** 1199
加密设置：共享密钥：将服务器端的共享密钥复制然后贴在此处
加密算法：AES-128-CBC
认证摘要算法：SHA1（160-bit）
硬件加密：无
隧道设置：IPv4隧道网络：10.0.10.0/24
IPv4远程网络：172.18.30.0/24
禁用IPv6：是</code>

OpenVPN Connection Status

Network Test

Testing steps to verify normal bi‑directional communication between the two data‑center networks are omitted for brevity.