Netgate Discussion Forum
    Simple VPN Server

    General pfSense Questions
    Cool_Corona @Bert 0

      @bert-0 Nope. You need the OpenVPN professional license to configure the server.

      Unlike PPTP, where it's plug and play and fast as hell on top.

      When using PPTP and running HTTPS traffic inside the tunnel it's more than safe...

      I hate OpenVPN. It's unstable and it sucks configuring...

    Bert 0 @Cool_Corona

        @cool_corona Crap :-( That really isn't what I wanted to hear :-(

        Bert

    viragomann @Bert 0

          @bert-0
          pfSense provides a wizard to set up an OpenVPN access server. It's quite easy to go through it.
          It requires that pfSense get the OpenVPN packets on its WAN interface naturally.

          And OpenVPN is very stable. We have used it for 9 years in a production setup.

          However, configuring a site-to-site presumes some routing knowledge.

    Bert 0 @viragomann

            @viragomann I have to admit that I don't know what "It requires that pfSense get the OpenVPN packets on its WAN interface naturally" means :-(

            As for the routing knowledge, that is the part that bothers me about this whole thing. I have set up many site-to-site VPN connections in the past and, while I do have routing knowledge, I have never needed it to set up the VPNs. Specify the FQDN of the two endpoints and provide the cert or pre-shared key and you're done.

            sigh :-(

            Bert

    Cool_Corona @Bert 0

              @bert-0 Exactly... this is over-engineered.

              pfSense 2.2.4 had PPTP built in. It worked like a charm and was very fast.

    Bert 0 @Cool_Corona

                @cool_corona Unfortunately, I bought the pfSense box specifically because I need a VPN server in my office so I can connect from home. :-(

                Bert

    Cool_Corona @Bert 0

                  @bert-0 Replace it with 2.2.6 firmware...

                  https://gnuacademy.org/pfsense/

    Bert 0 @Cool_Corona

                    @cool_corona Thanks but I'm concerned about how much of a can of worms that would open. I guess I am back in the market for a firewall :-(

                    Bert

    viragomann @Bert 0

                      @bert-0 said in Simple VPN Server:

                      I have to admit that I don't know what "It requires that pfSense get the OpenVPN packets on its WAN interface naturally" means :-(

                      This means primarily that you're lost if you are behind CGN or your provider is blocking access to your WAN. But this applies to all VPNs.

                      So simply run the OpenVPN wizard. If you need a client for Windows install the client export utility package, so you can easily get a client installer out of pfSense directly.

                      @cool_corona said in Simple VPN Server:

                      Replace it with 2.2.6 firmware...
                      https://gnuacademy.org/pfsense/

                      This is quite an unreliable suggestion. This version is 8 years old and should protect your network?

                      There is a very good reason for dropping PPTP VPN in pfSense. It has been known to be insecure for 15 years now. Hence it's pretty useless as a "virtual private network" today.

    Bert 0 @viragomann

                        @viragomann Thanks for the explanation. I have removed my NetGate from my network for now but I may try your suggestion another time. I thought I had run the wizard already, though.

                        Bert

    stephenw10 Netgate Administrator

                          Adding an OpenVPN server using the Wizard is really not that hard at all.

                          The only prerequisite is that you have a public IP on the WAN interface. And I'm pretty sure you do have that since you said you were port forwarding stuff currently.

                          See: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html

                          There's even a video walkthrough: https://www.youtube.com/watch?v=jQHqPq7ftz4

                          And, yeah, nobody should be using PPTP on anything in 2022!

                          Steve

    Bert 0 @stephenw10

                            @stephenw10 Thanks again, Steve.

                            As I mentioned above, I have removed the device from my network. I won't be in my office tomorrow but sometime over the next couple of days I will go through the setup of my OpenVPN again.

                            Thanks for the links.

                            Bert

    Cool_Corona @stephenw10

                              @stephenw10 It depends on what you want from it...

                              A basic and very easy tunnel to somewhere else, not handling any defcon 5 stuff.

                              I used to watch Danish TV from Switzerland. It's easy and much faster than OpenVPN.

                              Much easier to set up and get running, and it's running via the router itself, so no intervention from any clients.

                              So it's maybe insecure, but so is your front door to the house if I drive a bulldozer straight through it.

                              Only the strongest doors will survive, hence my comments about defcon 5.

                              And a PPTP running straight HTTPS surfing traffic is more secure than straight and open internet HTTPS traffic.

                              So I just don't get that PPTP is insecure... it's theoretical and needs some things in place to be hacked...

    aGeekhere

                                If you want OpenVPN with TAP/Bridging follow this https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/

                                Never Fear, A Geek is Here!

    jimp Rebel Alliance Developer Netgate

                                  DO NOT USE OR RECOMMEND PPTP UNDER ANY CIRCUMSTANCES IN 2022

                                  It's been completely broken and proven to be broken for 10 years.

                                  https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807

                                  Not theoretically. Practically. There are utilities to decrypt captures. All an attacker needs to do is capture the packets, nothing special.

                                  Stop the insanity.

                                  OpenVPN is easy with the wizard. If you need speed, use WireGuard, which is also not difficult. If you don't care about encryption and only about circumventing geographical blocks then you can still use OpenVPN without encryption.

    Cool_Corona @jimp

                                    @jimp I hear you...

                                    A tool for parsing and decrypting MS-CHAPv2 network handshakes.

                                    The first thing you'll need to do is obtain the network traffic for the MS-CHAPv2 handshake you'd like to crack.

                                    For PPTP VPN connections, simply use a tool such as tcpdump or wireshark in order to obtain a network capture. For WPA2 Enterprise wireless handshakes, simply use a tool like FreeRADIUS-WPE in order to obtain 'challenge' and 'response' parameters.

                                    Next you'll use chapcrack in order to parse and extract the MS-CHAPv2 handshake from your packet capture or FreeRADIUS interception.
                                        For a PPTP handshake, run: chapcrack.py parse -i /path/to/capture.cap
                                        For a WPA2 handshake, run chapcrack.py radius -C <challenge> -R <response>, where challenge and response are what you intercepted with FreeRADIUS-WPE

                                    Submit the CloudCracker token chapcrack gives you to https://www.cloudcracker.com

                                    When you get your results, you can decrypt a PPTP packet capture: chapcrack.py decrypt -i </path/to/capture.cap> -o output.cap -n <result>

                                    Wouldn't you need to be on the same network and GW to do that?

                                    You can't do it in the wild... on somebody else's internet connection.

    Bert 0

                                      Well, I set up the server and tried to connect a client but I get the error:

                                      Fri May 06 12:25:32 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                                      Fri May 06 12:25:32 2022 TLS Error: TLS handshake failed

                                      I get this on two different Windows 10 boxes, one on my internal network and one I created in the cloud to test connectivity.

                                      Any suggestions? I find the client to be less than intuitive :-(

                                      Bert

    viragomann @Bert 0

                                        @bert-0
                                        This error mostly indicates that the client cannot reach the server.
                                        You can sniff the packets on the WAN interface using Diagnostics > Packet Capture to investigate whether the packets arrive properly on the WAN interface of pfSense.

    Bert 0 @viragomann
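As an added illustration of the packet-capture check suggested above (not code from the thread or from pfSense), the script below reads tcpdump-style lines as shown by Diagnostics > Packet Capture and tells apart the three reachability outcomes a "TLS key negotiation failed to occur within 60 seconds" error can hide: client packets never arriving on WAN, packets arriving without a reply, or traffic flowing in both directions. The WAN address, client addresses and capture lines are constructed samples; the server port defaults to OpenVPN's usual UDP 1194.

```python
import re
from collections import defaultdict

# Matches the tcpdump-style summary lines pfSense shows in Diagnostics > Packet Capture.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

def classify_capture(lines, wan_ip, port=1194):
    """Summarise a WAN capture per remote client address.

    Returns {client_ip: verdict}, where verdict is:
      "inbound_no_reply" - packets reach WAN but pfSense never answers
                           (server not bound to that port/interface, or no
                           WAN firewall rule passing the traffic)
      "bidirectional"    - both directions seen; reachability is fine, so
                           look at TLS settings, certificates or client config
    A client that never appears gets "no_inbound" from check_client().
    """
    seen_in, seen_out = defaultdict(int), defaultdict(int)
    for line in lines:
        m = PKT_RE.match(line.strip())
        if not m:
            continue  # non-UDP or unrelated capture line
        if m["dst"] == wan_ip and int(m["dport"]) == port:
            seen_in[m["src"]] += 1
        elif m["src"] == wan_ip and int(m["sport"]) == port:
            seen_out[m["dst"]] += 1
    return {c: ("bidirectional" if seen_out.get(c) else "inbound_no_reply")
            for c in seen_in}

def check_client(lines, wan_ip, client_ip, port=1194):
    """Verdict for one client; "no_inbound" means its packets never arrived,
    which points at CGN, an ISP block or a missing upstream port forward."""
    return classify_capture(lines, wan_ip, port).get(client_ip, "no_inbound")

# Constructed sample capture (addresses from RFC 5737 documentation ranges).
SAMPLE = [
    "12:25:10.100001 IP 203.0.113.45.51234 > 198.51.100.10.1194: UDP, length 42",
    "12:25:12.100002 IP 203.0.113.45.51234 > 198.51.100.10.1194: UDP, length 42",
    "12:25:14.100003 IP 203.0.113.45.51234 > 198.51.100.10.1194: UDP, length 42",
    "12:25:20.200001 IP 192.0.2.77.40001 > 198.51.100.10.1194: UDP, length 42",
    "12:25:20.200900 IP 198.51.100.10.1194 > 192.0.2.77.40001: UDP, length 54",
]

if __name__ == "__main__":
    for ip in ("203.0.113.45", "192.0.2.77", "203.0.113.99"):
        print(ip, check_client(SAMPLE, "198.51.100.10", ip))
```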

                                          @viragomann That's what I thought but a tracert from the machine on my office network reaches the outside of my firewall in a single hop.

                                          Bert

    jimp Rebel Alliance Developer Netgate @Cool_Corona

                                            @cool_corona said in Simple VPN Server:

                                            Wouldn't you need to be on the same network and GW to do that?
                                            You can't do it in the wild... on somebody else's internet connection.

                                            The entire purpose of a VPN (and other encrypted protocols) is to protect against someone else being able to decode traffic intercepted between you and a peer.

                                            You have no idea if you can trust every single hop between you and your VPN peer(s). Once the traffic leaves your premises, any link and router is untrustworthy from a security standpoint. Routers could be hacked, redirected or inspected by state actors, data mined, etc. Good luck telling anyone that owns those links or hacks them "you can't do that".

                                            If you aren't worried about someone intercepting your traffic then go back to using HTTP and telnet.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.