Example – site-to-site OpenVPN configuration

As with IPsec, it is possible to create a site-to-site connection between two pfSense firewalls, although the process is somewhat different than it is with IPsec. The steps in setting up a site-to-site OpenVPN connection are as follows:

  • Create a Certificate Authority and Certificates for authentication
  • Configure the OpenVPN server on the first firewall
  • Create firewall rules to pass OpenVPN traffic on the first firewall
  • Import the certificates into the second firewall
  • Configure the OpenVPN server on the second firewall
  • Create firewall rules to pass OpenVPN traffic on the second firewall

We begin by creating the certificates we will use for authentication. Navigate to System | Certificate Manager. On the CAs tab, click on the Add button. At the Methods drop-down box, select Create an internal Certificate Authority. Fill out the required fields and click on the Save button. We will need the newly-created CA on the server end, so click on the Export CA icon under the Actions column and save the CA somewhere so it can be copied to the server. 

Now click on the Certificates tab so we can create the certificates. Click on the Add/Sign button. For Method, select Create an internal Certificate in the drop-down box. Fill out the required fields, and be sure to select Server Certificate as the Certificate Type. Click on Save to generate this certificate. We still need to create the user certificate, so click on the Add/Sign button again and once again select Create an internal Certificate as the Method. This time, select User Certificate as the Certificate Type and fill out the required fields. Click on Save to generate the certificate. We are going to need the user certificate on the client side, so click on the Export Certificate icon for this certificate and save the certificate. We will also need the key, so click on the Export Key icon and save the key.

Now we can configure the OpenVPN server. Navigate to VPN | OpenVPN, and on the Servers tab click Add. In the General Information section, we can keep all the default settings, although if you plan on setting up more than one OpenVPN tunnel, you may want to change Local port from the default port of 1194. You can also add a brief Description (for example, "OpenVPN server on Firewall #1"). 

In the Cryptographic Settings section, we have to make some changes. In the Peer Certificate Authority drop-down box, select the CA we created earlier, if it isn't already selected. In the Server Certificate drop-down box, select the server certificate we created earlier. All other settings can remain the same, unless you want to select more secure settings for such parameters as DH Parameter Length and Encryption Algorithm.

In the Tunnel Settings section, we will also have to make some changes. IPv4 Tunnel Network is where we specify the virtual network used for private communications between the server and client. You can specify any private network you want, but it is customary to use 30 bits for the subnet, so the CIDR is usually /30. You can also set an IPv6 Tunnel Network if you are using IPv6. IPv4 Local network(s) is where we specify local networks that will be accessible from the remote endpoint, and IPv4 Remote network(s) is where we specify the remote LAN. Both of these settings have corresponding IPv6 settings that we can set if necessary. 

All settings in the Client Settings and Advanced Configuration sections can remain unchanged. If you anticipate using this server with OpenVPN clients that require a /30 network for each client, you may want to change Topology from Subnet to net30. Click on Save when you are done. This will return you to the Server page, where you should now click on the Edit icon for the newly-created server entry, scroll down to the TLS Key textbox, and copy and paste the TLS key into a file; we are going to have to copy this on the client side.

The server configuration is complete, but we still need firewall rules to allow OpenVPN traffic to pass. Navigate to Firewall | Rules and on the WAN tab, click one of the Add buttons. For the Protocol, select UDP (the default protocol used by OpenVPN), and for Source, select WAN address. All other settings can remain the same. As with the firewall rules created for IPsec, you can make them as restrictive as you want, as long as they don't block traffic that needs to pass. Click on Save when you are done making changes. Next, click on the OpenVPN tab and click on one of the Add buttons. For the Protocol, select UDP, TCP/UDP, or Any; all other settings can remain the same. Click on Save when you are done.

Server-side configuration is now done, so we can go to the other firewall and begin client-side configuration. On the client side, navigate to System | Certificate Manager and on the CAs tab, click on the Add button. Keep the Method set to Import an existing Certificate Authority, and paste the CA certificate you created on the server into the Certificate data textbox. Enter a Descriptive name in the appropriate edit box and click on the Save button when done. Next, click on the Certificates tab and click on the Add button so we can add the user certificate. Keep the Method set to Import an existing Certificate, and paste both the user certificate and the private key into the appropriate textboxes. Click on the Save button when done.

Now we can begin OpenVPN client configuration. Navigate to VPN | OpenVPN, click on the Client tab, and click on the Add button. Settings under the General Information section can remain unchanged, unless you changed Local Port in the server configuration, in which case you will want to change Server port so they match. You can also enter a brief Description in the corresponding edit box. 

In the Cryptographic Settings section, leave Use a TLS Key enabled, but disable Automatically generate a TLS key. A TLS key edit box will appear; here you must paste the TLS key from the server. Set the Peer certificate authority to the Certificate Authority previously imported. Set Client certificate to the user certificate previously imported. The rest of the settings in this section can remain the same, unless you altered the cryptographic options on the server side, in which case the client side settings must match.

In the Tunnel Settings section, set IPv4 Tunnel Network to match the IPv4 Tunnel Network setting on the server. Also, set IPv6 Tunnel Network if you are using IPv6. IPv4 Remote networks should match IPv4 Local network(s) on the server. Set IPv6 Remote network(s) if necessary. Again, all other settings in this section can remain the same unless you made changes to them on the server side; for example, if you changed Topology, make sure it matches on both sides. Click on the Save button when you are done.

Now, all that remains to be done on the client is to create the firewall rules. They are essentially the same rules as we created on the server, so I won't go into detail on their creation here. The first rule must allow UDP traffic to pass through the WAN interface, and the second rule must be created on the OpenVPN tab to allow traffic to pass.

Unlike with IPsec configuration, the OpenVPN tunnel should be up as soon as we have finished configuration. To confirm that the tunnel is up, navigate to Status | OpenVPN on either firewall; it should show that the newly-created OpenVPN tunnel is up, along with statistics such as the time the connection was established, the local IP address and port, the remote address and port, and the number of bytes sent and received. If the tunnel isn't up, try clicking on either the Start or Restart icon for the connection. If this does not work, it's time to start troubleshooting; for starters, make sure that the settings match on both sides and that you imported the correct certificates and keys.
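As an aid for that last troubleshooting step, here is an added Python check (not from the book or from pfSense) that compares the settings the text says must agree on both firewalls: port, protocol, topology, encryption algorithm, peer CA, TLS key and the tunnel and LAN networks, plus an overlap check on the routed networks. The field names and sample values are this example's own constructions, not pfSense identifiers.

```python
import ipaddress

# Constructed example data mirroring the GUI fields the text walks through.
# Field names are this example's own, not pfSense identifiers.
SERVER_FW1 = {
    "protocol": "UDP", "local_port": 1195,
    "tunnel_network4": "10.0.8.0/30",
    "local_networks4": "192.168.1.0/24",
    "remote_networks4": "192.168.2.0/24",
    "topology": "subnet", "encryption_algorithm": "AES-256-GCM",
    "peer_ca": "SiteCA", "tls_key": "-----BEGIN OpenVPN Static key V1-----...",
}
CLIENT_FW2 = {
    "protocol": "UDP", "server_port": 1195,
    "tunnel_network4": "10.0.8.0/30",
    "remote_networks4": "192.168.1.0/24",
    "topology": "subnet", "encryption_algorithm": "AES-256-GCM",
    "peer_ca": "SiteCA", "tls_key": "-----BEGIN OpenVPN Static key V1-----...",
}

def _nets(csv):
    """pfSense takes comma-separated CIDR lists; normalise them for set comparison."""
    return {ipaddress.ip_network(n.strip(), strict=False) for n in csv.split(",") if n.strip()}

def check_site_to_site(server, client):
    """Return a list of mismatches; an empty list means both ends agree."""
    problems = []
    # Every scalar setting the text says must match on both sides
    for s_key, c_key, label in (
        ("local_port", "server_port", "port"),
        ("protocol", "protocol", "protocol"),
        ("topology", "topology", "Topology"),
        ("encryption_algorithm", "encryption_algorithm", "Encryption Algorithm"),
        ("peer_ca", "peer_ca", "Peer Certificate Authority"),
        ("tls_key", "tls_key", "TLS Key"),
    ):
        if server[s_key] != client[c_key]:
            problems.append(f"{label}: server={server[s_key]!r} client={client[c_key]!r}")
    if not server["tls_key"].strip():
        problems.append("TLS Key: empty on server (Use a TLS Key is enabled)")
    tunnel_s, tunnel_c = _nets(server["tunnel_network4"]), _nets(client["tunnel_network4"])
    if tunnel_s != tunnel_c:
        problems.append("IPv4 Tunnel Network differs between server and client")
    local, remote = _nets(server["local_networks4"]), _nets(server["remote_networks4"])
    if local != _nets(client["remote_networks4"]):
        problems.append("client IPv4 Remote network(s) must equal server IPv4 Local network(s)")
    # Routing sanity: the tunnel, local and remote networks must not overlap
    for a, b, what in ((tunnel_s, local | remote, "tunnel/LAN"), (local, remote, "local/remote")):
        if any(x.overlaps(y) for x in a for y in b):
            problems.append(f"overlapping {what} networks")
    return problems

if __name__ == "__main__":
    print(check_site_to_site(SERVER_FW1, CLIENT_FW2) or "both ends agree")
```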
