Summary
This HOWTO is designed to quickly show you how to set up OpenVPN on pfSense and establish two tunnels (one Windows client and one Linux client). It is not meant to be a complete guide; it should only give you a general idea of the functionality and what you can do. OpenVPN is much more advanced than the setup we are going to do here.
Caveats
For some reason, the rules in pfSense appear to be broken for clients connecting into your network: they pretty much have full access to anything, even with a block any->any rule on the TUN0 interface. If anybody has a workaround for this, let me know!
Details
Setup Easy-RSA
You will need to download the OpenVPN source (unless you already have the easy-rsa scripts somewhere on your system). These scripts can be run from any system except Windows.
1. First, edit the file 'vars'. On Gentoo, the default directory for easy-rsa is /usr/share/openvpn/easy-rsa. I copied mine from /usr/share/openvpn/easy-rsa to /etc/openvpn/ so that subsequent upgrades/modifications wouldn't nuke my certificates:
| root@localhost:~# cd /usr/share/openvpn
|
| root@localhost:/usr/share/openvpn# cp -r easy-rsa /etc/openvpn/
|
| root@localhost:/usr/share/openvpn# cd /etc/openvpn/easy-rsa/
|
| root@localhost:/etc/openvpn/easy-rsa/# vi vars
|
2. Scroll to the bottom and fill out the five values (export KEY_{COUNTRY,PROVINCE,CITY,ORG,EMAIL}) so they're relevant for you. Save and exit the file.
Generate Certs with Easy-RSA
1. Source the vars file so the build scripts pick up those settings:
| root@localhost:/etc/openvpn/easy-rsa/# source ./vars
|
2. Then we clean everything out (this deletes any existing keys/ directory, so do it only once, before building the CA):
| root@localhost:/etc/openvpn/easy-rsa/# ./clean-all
|
3. Then we build the CA. Make sure to fill out your information appropriately.
| root@localhost:/etc/openvpn/easy-rsa/# ./build-ca
|
4. Now we need to generate the certificate and private key for the server. Make sure to fill out your information appropriately. When it asks for the Common Name (CN), enter server.
| root@localhost:/etc/openvpn/easy-rsa/# ./build-key-server server
|
5. Build the Diffie-Hellman parameters. Make sure to fill out your information appropriately:
| root@localhost:/etc/openvpn/easy-rsa/# ./build-dh
|
6. Generate the certificates for your client(s). Note that each client must have its own unique certificate. Make sure to fill out your information appropriately; client1 and client2 below are just example names. If you would like to password-protect your client keys, use the build-key-pass script instead:
| root@localhost:/etc/openvpn/easy-rsa/# ./build-key client1
|
| root@localhost:/etc/openvpn/easy-rsa/# ./build-key client2
|
Certificates on pfSense
- Log in to the pfSense WebGUI, go to the OpenVPN config page, and click the + to add a new OpenVPN server entry.
- Dynamic IP: If it applies to your users, enable this option. More than likely, you will want this enabled.
- Address pool: This should be a unique subnet; no other interfaces or networks should share this subnet!
- Local network: In most cases, this should be your LAN subnet. If VPN users need to reach other subnets, push a route for each of them via the custom options field, push "route n.n.n.n 255.255.255.0";, where n.n.n.n is the network address of another interface on your pfSense.
- Authentication Method: PKI (Public Key Infrastructure)
- Go back to the certificates we generated and get the contents of keys/ca.crt. Paste that into the CA certificate field (you must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).
- Grab the contents of keys/server.crt (only from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----; easy-rsa writes a human-readable dump above the PEM block, which you leave out) and paste it into Server certificate.
- Do the same for keys/server.key. This goes in Server key.
- And last (but definitely not least), copy keys/dh1024.pem into the DH parameters field.
- Enable LZO compression if you want. The client must match this setting.
- Hit Save.
- Go to the firewall rules for the WAN interface and open the TCP (or UDP) port you defined for your OpenVPN instance.
- Apply changes.
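Easy-RSA's keys/*.crt files carry a human-readable certificate dump above the PEM block, and pfSense wants only the part between the BEGIN and END lines. The shell function below, added here as an example and not part of the original HOWTO, pfSense, or OpenVPN, prints exactly one PEM section of a given type from a file and fails if the file holds none or several, so a wrong file (a key handed to a certificate field, say) is caught before anything is pasted into the WebGUI. The pem_section helper and the sample server.crt it builds are constructed for this demo.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): extract the one PEM section
# pfSense needs from an easy-rsa output file. The pem_section helper and the
# sample file below are constructed for this demo.

# pem_section FILE LABEL
#   Print the single "-----BEGIN LABEL-----" ... "-----END LABEL-----" block
#   in FILE. LABEL is CERTIFICATE, PRIVATE KEY or DH PARAMETERS; an "RSA "
#   prefix on the key label (older OpenSSL output) is accepted too.
#   Exit status 1 if the file holds no such block or more than one.
pem_section() {
    awk -v label="$2" '
        BEGIN { begin_re = "^-----BEGIN (RSA )?" label "-----$"
                end_re   = "^-----END (RSA )?"   label "-----$" }
        $0 ~ begin_re { inblock = 1; n++ }
        inblock       { print }
        $0 ~ end_re   { inblock = 0 }
        END { if (n == 1) exit 0; exit 1 }
    ' "$1"
}

# --- constructed demo input: the shape of what easy-rsa 2 writes to keys/server.crt ---
demo=$(mktemp -d)
{
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        '        Issuer: C=US, O=Example, CN=Example CA' \
        '        Subject: C=US, O=Example, CN=server' \
        '        X509v3 Netscape Cert Type: SSL Server' ''
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBplaceholderbase64line1' 'MIIBplaceholderbase64line2' \
        '-----END CERTIFICATE-----'
} > "$demo/server.crt"

# What goes into pfSense's "Server certificate" field: just the PEM block.
pem_section "$demo/server.crt" CERTIFICATE

# Asking the .crt file for a private key must fail: there is nothing to paste.
if pem_section "$demo/server.crt" 'PRIVATE KEY' >/dev/null; then
    echo 'unexpected: server.crt contains a private key' >&2
else
    echo 'server.crt holds no private key (as it should)' >&2
fi
```

Run it against the real files as `pem_section keys/server.key 'PRIVATE KEY'` or `pem_section keys/dh1024.pem 'DH PARAMETERS'` and redirect the output into whatever you paste from; a non-zero exit means the file is not what the field expects.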
Setup Windows Clients
- Download/install the OpenVPN GUI client for Windows.
- For some weird reason, the installer picks some random name for our tunnel adapter. We need to change the name.
- Go to the Network Connections control panel and right-click on the new VPN adapter (it should say something about TAP-Win32). Click Rename.
- Give it a useful name; I called mine ovpn-tun0.
- Go to the OpenVPN config directory and create a new .ovpn file with the following settings. Make sure to choose the correct dev-node, hostname, and ports. Don't forget to update the certificate filenames if needed (you will need to copy ca.crt, client1.crt, and client1.key into the same directory as the .ovpn config file):
# Must match the port configured on the pfSense OpenVPN instance
port 443
dev tun
# The name you gave the TAP-Win32 adapter in Network Connections
dev-node ovpn-tun0
proto tcp-client
# n.n.n.n is the WAN address of your pfSense box
remote n.n.n.n 443
ping 30
persist-tun
persist-key
tls-client
# Copied from easy-rsa's keys/ directory into the OpenVPN config directory
ca ca.crt
cert client1.crt
key client1.key
# Only accept a certificate built with build-key-server as the server
ns-cert-type server
# Must match the LZO compression setting chosen in pfSense
comp-lzo
pull
Setup Linux Clients
1. Download/compile/install the OpenVPN source.
2. The majority of the config files are in /etc/openvpn/clients on Gentoo.
| root@localhost:~# cd /etc/openvpn/clients
|
3. Create a new config file; I called mine ren-bgw-01.conf:
| root@localhost:/etc/openvpn/clients# vi ren-bgw-01.conf
|
4. Put the following information in the config file, where n.n.n.n is the IP of your pfSense box:
# Must match the port configured on the pfSense OpenVPN instance
port 443
dev tun
proto tcp-client
# n.n.n.n is the WAN address of your pfSense box
remote n.n.n.n 443
ping 30
persist-tun
persist-key
tls-client
# Absolute paths, so the init script finds them regardless of its working directory
ca /etc/openvpn/clients/keys/ren-bgw-01/ca.crt
cert /etc/openvpn/clients/keys/ren-bgw-01/client2.crt
key /etc/openvpn/clients/keys/ren-bgw-01/client2.key
# Only accept a certificate built with build-key-server as the server
ns-cert-type server
# Must match the LZO compression setting chosen in pfSense
comp-lzo
pull
5. Now, I put all of my keys in /etc/openvpn/clients/keys/<server>/, where <server> is the tunnel name used in the config file (ren-bgw-01 above). Make that directory and copy ca.crt, client2.crt, and client2.key there:
| root@localhost:/etc/openvpn/clients# mkdir -p keys/<server>
|
| root@localhost:/etc/openvpn/clients# cd /etc/openvpn/clients/keys/<server>
|
| root@localhost:/etc/openvpn/clients/keys/<server>/# cp /etc/openvpn/easy-rsa/keys/ca.crt .
|
| root@localhost:/etc/openvpn/clients/keys/<server>/# cp /etc/openvpn/easy-rsa/keys/client2.crt .
|
| root@localhost:/etc/openvpn/clients/keys/<server>/# cp /etc/openvpn/easy-rsa/keys/client2.key .
|
6. The last thing is to create the ren-bgw-01 startup script. On Gentoo this must match the config file name (minus the .conf) for it to work! Then we start up the tunnel:
| root@localhost:/etc/openvpn/clients/keys/<server>/# cd /etc/init.d/
|
| root@localhost:/etc/init.d/# ln -s openvpn ren-bgw-01
|
| root@localhost:/etc/init.d/# ./ren-bgw-01 start
|
7. If the tunnel doesn't come up, and/or you want to do testing/debugging, simply start openvpn by hand with the --config option to see what it does while it parses your config and attempts to establish the tunnel:
| root@localhost:/etc/init.d/# openvpn --config /etc/openvpn/clients/ren-bgw-01.conf
|
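Both client configs above point at three files by name, and the tunnel fails in unhelpful ways when one of them is missing or when the cert and key do not come from the same build-key run. The shell function below, added here as an example and not part of the original HOWTO or of OpenVPN, lints a client config before you hand it to the init script: it resolves ca/cert/key relative to the config's directory (an assumption about how the client is started; absolute paths, as in the Linux config, pass straight through), checks that cert and key share a basename, that remote and tls-client are present, that the server certificate check (ns-cert-type server, or its successor remote-cert-tls server) is in place, and that the private key is not world-readable. The helper names and the config and key files it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): lint an OpenVPN client
# config before starting the tunnel. check_ovpn_config, conf_value and
# resolve_path are constructed helpers; so are the demo files at the bottom.

# conf_value CONFIG DIRECTIVE -> first argument of the directive, or nothing.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# resolve_path CONFIG PATH -> PATH made absolute. Relative paths are taken
# relative to the config's directory (assumption: that is how the Windows GUI
# and "openvpn --cd" behave; absolute paths, as in the Linux config, pass through).
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# check_ovpn_config CONFIG -> 0 if every check passes, 1 otherwise.
# All findings go to stderr so one run shows every problem.
check_ovpn_config() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    # 1. ca, cert and key must be present and point at non-empty files.
    for d in ca cert key; do
        v=$(conf_value "$conf" "$d")
        if [ -z "$v" ]; then
            echo "missing '$d' directive" >&2; rc=1; continue
        fi
        p=$(resolve_path "$conf" "$v")
        [ -s "$p" ] || { echo "$d file missing or empty: $p" >&2; rc=1; }
    done

    # 2. cert and key must come from the same build-key run:
    #    client1.crt pairs with client1.key, not client.key.
    cert_v=$(conf_value "$conf" cert); key_v=$(conf_value "$conf" key)
    if [ -n "$cert_v" ] && [ -n "$key_v" ] &&
       [ "$(basename "$cert_v" .crt)" != "$(basename "$key_v" .key)" ]; then
        echo "cert/key name mismatch: $cert_v vs $key_v" >&2; rc=1
    fi

    # 3. The directives needed to reach and authenticate the server.
    [ -n "$(conf_value "$conf" remote)" ] || { echo "missing 'remote'" >&2; rc=1; }
    grep -q '^tls-client' "$conf" || { echo "missing 'tls-client'" >&2; rc=1; }
    # Without one of these the client would accept any CA-signed certificate,
    # another client's included, as the server's.
    grep -Eq '^(ns-cert-type|remote-cert-tls) server' "$conf" ||
        { echo "no server certificate check (ns-cert-type/remote-cert-tls server)" >&2; rc=1; }

    # 4. A world-readable private key undermines per-client certificates.
    if [ -n "$key_v" ]; then
        kp=$(resolve_path "$conf" "$key_v")
        if [ -f "$kp" ] && [ -n "$(find "$kp" -perm -004)" ]; then
            echo "private key is world-readable: $kp" >&2; rc=1
        fi
    fi
    return $rc
}

# --- constructed demo: one sound config and one with the client.key typo ---
demo=$(mktemp -d)
mkdir -p "$demo/keys/ren-bgw-01"
for f in ca.crt client2.crt; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
        '-----END CERTIFICATE-----' > "$demo/keys/ren-bgw-01/$f"
done
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
    '-----END RSA PRIVATE KEY-----' > "$demo/keys/ren-bgw-01/client2.key"
chmod 600 "$demo/keys/ren-bgw-01/client2.key"

cat > "$demo/good.conf" <<'EOF'
port 443
dev tun
proto tcp-client
remote 192.0.2.1 443
ping 30
persist-tun
persist-key
tls-client
ca keys/ren-bgw-01/ca.crt
cert keys/ren-bgw-01/client2.crt
key keys/ren-bgw-01/client2.key
ns-cert-type server
comp-lzo
pull
EOF
# Same config, but with a "key client.key" line that matches no generated key.
sed 's#^key .*#key keys/ren-bgw-01/client.key#' "$demo/good.conf" > "$demo/bad.conf"

check_ovpn_config "$demo/good.conf" && echo "good.conf: OK"
check_ovpn_config "$demo/bad.conf"  || echo "bad.conf: rejected"
```

On the real box, run `check_ovpn_config /etc/openvpn/clients/ren-bgw-01.conf` before `./ren-bgw-01 start`; it prints every problem it finds and exits non-zero, which is cheaper than reading the openvpn --config output after the fact.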