OpenVPN pfSense 2 - Installation guide for (Windows) Dummies :-) (road-warrior)

      damascene
      Hello. Here I'm trying to update "OpenVPN on pfSense - Installation guide for (Windows) Dummies :-) (road-warrior)" to work with the pfSense 2 release.

      I give no warranty that this will work for you or that it will not ruin your setup. So please BACKUP FIRST. Note that I tried to mark my updates in green. I hope I didn't break that guide. I think a wiki would be the best place to put it, if I had access to the pfSense wiki.

      ------

      A guide on how to connect a PC on the internet to a LAN behind a pfSense firewall using OpenVPN, also known as a road-warrior setup.

      This guide is NOT detailed regarding different configurations, and may not follow the best security practices - so use it at your own risk...


      First of all you need to have keys and certificates generated in order to configure the pfSense OpenVPN service:

      1. Download and install the most recent software from http://openvpn.net/download.html
         If you plan to connect from a PC with Windows Vista you should get version 2.1 or newer.
         Use the default options.

      2. Start a command prompt with administrator rights!
         This is done in Vista & Seven by clicking on START and then typing CMD -> CMD.EXE should appear; RIGHT-click on it and select 'Run as Administrator'.

      3. Change directory to c:\programfiles\openvpn\easy-rsa

      4. Run the "init-config.bat" file.

      5. Edit the 'vars.bat' file.
         I suggest using 'Wordpad', and to be able to save the file again you need to start Wordpad in the same manner as the command prompt (see #2).
         The following things need to be edited:

      "set KEY_COUNTRY=DK"
      2-letter country ID - I use DK for Denmark

      "set KEY_PROVINCE=na"
      2-letter province ID - I use na as in 'Not Applicable'

      "set KEY_CITY=Copenhagen"
      Name of city

      "set KEY_ORG=Frewald"
      Name of your company

      "set KEY_EMAIL=youremail@address.com"
      Put an email address here. Don't use your private address, since this is the common address for the Certificate Authority (or something...)

      Save the file.

      6. Run "vars.bat"

      7. Run "clean-all.bat"

      8. Run "build-ca.bat"
         Then you are prompted for some different things; leave them at default, except "Common Name" - put something like "pfSense-CA".

      9. Run "build-key-server.bat server"
         Again you are prompted; leave them at default except "Common Name" - use "server". (Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]". You might also see these while creating client keys.)

      10. Run "build-dh.bat" - not required; see "Importing OpenVPN DH Parameters" in the pfSense docs.

      ---
      Now it's time to generate keys and certificates for the client(s)

      11. Run "build-key.bat ovpn_client1"
          Again you are prompted; leave them at default except "Common Name" - here you should put in "ovpn_client1" (or whatever you have called it).
          ovpn_client1 will be the name of the keys and certificate, and the name you identify the connection by later. You can use whatever name you like, and generate as many as you want (with different names).

      12. The following files should now be copied from c:\programfiles\openvpn\easy-rsa\keys to c:\programfiles\openvpn\config:
          ca.crt
          ovpn_client1.key
          ovpn_client1.crt (if you don't see a .crt file but only a .csr file, chances are that you don't have admin privileges. Worst case, generate the keys and certificates on a non-Vista machine.)

      13. Make a file in c:\programfiles\openvpn\config called "ovpn_client1.ovpn"; the file should contain (leave out the hashes):

      client
      dev tun
      proto udp
      remote 64.233.167.99 1194
      ping 10
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca ca.crt
      cert ovpn_client1.crt
      key ovpn_client1.key
      ns-cert-type server
      comp-lzo
      pull
      verb 3

      Please put the public IP address of your own pfSense box in the 'remote' line.
      If you have chosen another name than 'ovpn_client1', change it in the lines beginning with 'cert' and 'key'.
      If you have more than one VPN client, make one .ovpn file per client (with the corresponding .key and .crt names).


      Now it's time to configure pfSense

      14. Log into the web GUI of pfSense.

      15. Now you need to have access to some of the files created in c:\programfiles\openvpn\easy-rsa\keys (mentioned in #12).

      16. In the web GUI of pfSense go to System >> Cert Manager.

      17. Add a new certificate in the CAs tab, name it (e.g. CA), and copy the WHOLE content of ca.crt into the "Certificate data" field.

      18. Add a new certificate in the Certificates tab, name it (e.g. servercrt), copy the WHOLE content of server.crt into the "Certificate data" field and the WHOLE content of server.key into the "Private key data" field.

      19. Copy the WHOLE content of dh1024.pem into the "DH parameters" window - not required; see "Importing OpenVPN DH Parameters" in the pfSense docs.

      20. Select VPN/OpenVPN and add an entry on the 'Server' page, using the following settings:

      Server Mode: Peer to Peer (SSL/TLS)
      Protocol: UDP
      Device Mode: tun
      Interface: WAN
      Local port: 1194
      TLS Authentication: unchecked (maybe that is unsafe)
      Peer Certificate Authority: CA (or whatever you named it in step 23)
      Peer Certificate Revocation List: (not required)
      Server Certificate: servercrt (or whatever you named it in step 24)
      DH Parameters Length: 1024
      Encryption algorithm: BF-CBC (128-bit)
      Hardware Crypto: (I didn't set any - No hardware crypto acceleration)
      Tunnel Network: 192.168.200.0/24 (the client will be on that subnet)
      Redirect Gateway: unchecked
      Local Network: 192.168.1.0/24 (the network which the client should reach)
      Remote Network: blank
      Concurrent connections: blank
      Compression: checked
      Type-of-Service: unchecked
      Duplicate Connections: unchecked
      Advanced: nothing

      ---
      Now we need a few simple rules in the firewall

      1. On the WAN interface you should make a rule that:
         PASS
         WAN
         Protocol: UDP
         Source: any
         OS type: any
         Destination: any
         Destination port range from: OpenVPN
         Destination port range to: OpenVPN
         Tick LOG
         Leave the rest at default.

      2. And another rule on the interface called OpenVPN:

      PASS
      Any protocol
      Source: Any
      Any destination

      Remember to apply the new rules.

      Now you should be able to connect from OpenVPN (right-click on the icon in the tray and select Connect).
      But remember to start OpenVPN with ADMIN RIGHTS!

      A small trick: if you want a specific client to be able to access more than one subnet, you can add a 'Client Specific Configuration' in pfSense.
      Find it in "WebGui/VPN/OpenVPN/Client-Specific configuration", use the Common Name given in #11 (ovpn_client1) and in custom options add the following line:
      push "route 192.168.2.0 255.255.255.0"
      if that's the subnet that you want to have a connection to.

      Hope this small guide provides some help to those of us who aren't much into *nix and OpenVPN.

      There are probably a bunch of typos - please write a comment when you see one that needs to be corrected…

      This setup is working on my current setup:
      pfSense 2 Release

      Please visit http://openvpn.net/howto.htm for much more in-depth info.

      Best regards,
      Frewald

      Small update:
      If you later would like to add new clients, run points 2, 3 and 6, and continue from point 11! - don't run points 7-8-9-10!!!!
      Also note you need to do this on the machine that was originally used to issue the certificates.
      ![pfsense.localdomain - OpenVPN: Server_1324456085300.png](/public/imported_attachments/1/pfsense.localdomain - OpenVPN: Server_1324456085300.png)

      Connect to our open source http://www.qurancomplex.org/Quran/Targama/Targama.asp

        damascene

        Here is some additional info:

        In the CAs tab it will look like:

        | Name | Internal | Issuer | Certificates | Distinguished Name |
        |------|----------|--------|--------------|--------------------|
        | CA | NO | self-signed | 1 | name=ovpnca, emailAddress=your@mail.com, ST=RY, OU=Internet, O=Organization, L=Riyadh, CN=pfSense-CA, C=SA |


        In the Certificates page:

        | Name | Issuer | Distinguished Name | In Use |
        |------|--------|--------------------|--------|
        | webConfigurator default | self-signed | emailAddress=Email Address, ST=Somewhere, OU=Organizational Unit Name (eg, section), O=CompanyName, L=Somecity, CN=Common Name (eg, YOUR name), C=US | webConfigurator |
        | servercrt | CA | name=ovpnserver, emailAddress=your@mail.com, ST=RY, OU=Internet, O=Organization, L=Riyadh, CN=server, C=SA | OpenVPN Server |



          glanderson

          I followed these instructions, but the client wouldn't connect.  Deleted the comp-lzo line in the .ovpn file and now the client connects.  I get an IP address of 291.168.200.6, and a DHCP server address of 102.168.200.5.  No gateway is specified on my XP client machine when I do an ipconfig.

          I also cannot ping servers inside the protected subnet.

          I have re-checked the firewall rules and they are implemented as you specified.

          Can someone help with additional suggestions?  I am trying to allow an external client to run applications from both a Windows and a Linux server on my protected subnet.  If additional info or logs are required, please let me know.

          Thanks,
          Gary

            damascene

            Hi, I'm just a beginner here, but I'll try to help.

            I've had a similar problem where I was unable to ping inside. My problem was that the ping could reach the target machine inside the LAN behind pfSense, but it was not able to respond because it needed a route to the VPN gateway. I confirmed the ping reaching the target by using Wireshark on the target.

            The following link contains helpful information about fixing the issue:
            http://www.howtogeek.com/howto/windows/adding-a-tcpip-route-to-the-windows-routing-table/

            If your problem is different, it would be very helpful if you provided logs from the client and the OpenVPN server.

            Best wishes


              glanderson

              I have finally been able to make XP clients connect and run an application from my Windows server.  I can also ping both the Windows and Linux servers from XP client machine.  I still have the following problem:

              I can't map a network drive to a samba share from my Linux server.

              I installed the OpenVPN client on a Win 7 machine.  This client won't ping anything.  I thought perhaps it was a Windows firewall issue, but turning the firewall off didn't solve the problem.  Just for grins, I added the following route to my Windows server:  route -p 192.168.250.0 MASK 255.255.255.0 192.168.1.1, but it appeared to make no difference.

              Again, can anyone provide suggestions on the next steps to solve both my samba issue and my Windows 7 connection problem?

              Thanks

              Gary

                Nadrek

                Thank you for this guide; with your help I got things working on pfSense 2.0.1 with a few minor alterations, some of which are based on cryptodev/security/regulatory requirements, some of which are specifically to require all OPT1 (wifi) traffic to flow over an AES/SHA256 VPN (no exceptions), DNS included, and I deliberately use a ta_auth.key to increase security.

                Setting up your pfSense firewall - match the params in the config files (*.ovpn):
                  *** DO ENTER the interface for OpenVPN to LISTEN on
                  *** DO NOT UNCHECK "Enable authentication of TLS packets"
                  *** DO UNCHECK "Automatically generate a shared TLS authentication key" and instead paste in the contents of
                        the file that build-ta.bat created
                  *** DO CHECK "Redirect Gateway"
                  *** DO LEAVE "Remote Network" blank - we're not doing a site-to-site VPN
                  *** DO ENTER the maximum number of Concurrent Connections, if known
                  *** DO NOT CHECK "Compression" unless you know you're going to be sending compressible data
                          Note that remote desktop use is typically encrypted in and of itself, and is thus not compressible.
                  *** ADD 'auth SHA256;push "redirect-gateway def1";push "dhcp-option DNS <OpenVPN listening IP addr>"' without the outer single quotes to the Advanced configuration, Advanced section at the bottom.
                  ??? the redirect gateway may not be required if the checkbox is checked.

                Sample initial client1.ovpn (I'm still working on this - in particular, I'd like to get away from DHE entirely):

                ```
                client
                dev tun
                proto udp

                remote YourListeningInterfaceIPAddr 1194
                #ns-cert-type is a pre-2.0 way of making sure we're not being spoofed by a client acting as a server

                keepalive 5 60
                resolv-retry infinite
                nobind
                persist-key
                persist-tun

                # Wireless networks often produce a lot
                # of duplicate packets.  Set this flag
                # to silence duplicate packet warnings.
                ;mute-replay-warnings

                # Verify server certificate by checking
                # that the certificate has the nsCertType
                # field set to "server".  This is an
                # important precaution to protect against
                # a potential attack discussed here:
                #  http://openvpn.net/howto.html#mitm
                #
                # To use this feature, you will need to generate
                # your server certificates with the nsCertType
                # field set to "server".  The build-key-server
                # script in the easy-rsa folder will do this.
                ns-cert-type server

                ca ca.crt
                cert client1.crt
                key client1.key
                cipher AES-128-CBC
                auth SHA256
                tls-cipher DHE-RSA-AES128-SHA
                tls-auth ta_auth.key 1

                pull
                verb 3

                # run "client.up" to add necessary
                # DNS entries to resolv.conf
                #;up /home/user/openvpnclient/sample-config-files/client.up

                # run "client.down" to remove
                # resolv.conf entries when VPN
                # is disconnected
                #;plugin "/usr/lib/openvpn/openvpn-down-root.so" "/home/user/openvpnclient/sample-config-files/client.down"
                ```


                CopyClientConfigs.bat (select the files each client needs):

                ```
                md keys\client1
                del /q keys\client1\*
                copy keys\ca.crt keys\client1
                rem shared tls-auth key created by build-ta.bat; client1.ovpn references it as ta_auth.key
                copy keys\ta_auth.key keys\client1
                copy keys\client1.crt keys\client1
                copy keys\client1.key keys\client1
                copy OpenVPNConfigFiles\client1.ovpn keys\client1
                ```


                build-ta.bat

                ```
                openvpn --genkey --secret keys\ta_auth.key
                ```


                build-key-pass.bat

                ```
                @echo off
                cd %HOME%
                rem build a request for a cert that will be valid for 9000 days (roughly 24 years);
                rem without -nodes the private key is protected by a passphrase
                openssl req -days 9000 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
                rem sign the cert request with our ca, creating a cert/key pair
                openssl ca -days 9000 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
                rem delete any .old files created in this process, to avoid future file creation errors
                del /q %KEY_DIR%\*.old
                ```


                And the simple RunAll.bat

                ```
                call vars.bat
                call build-ca.bat
                call build-key-server.bat server
                call build-key-pass.bat client1
                call build-ta.bat
                call CopyClientConfigs.bat
                ```
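The two client configs in this thread (the first post's ovpn_client1.ovpn and Nadrek's hardened client1.ovpn) differ exactly in the settings the replies argue about: tls-auth, auth, cipher and comp-lzo. The following linter is an added example, not code from any poster; it parses an .ovpn file with the stdlib only and reports which of those settings are missing or weak. The two embedded configs are constructed from the thread with 203.0.113.10 standing in for the real public IP.

```python
import shlex

# Constructed sample: security-relevant lines of the first post's ovpn_client1.ovpn.
GUIDE_OVPN = """\
client
remote 203.0.113.10 1194
ca ca.crt
cert ovpn_client1.crt
key ovpn_client1.key
ns-cert-type server
comp-lzo
"""

# Constructed sample: the same lines from Nadrek's hardened client1.ovpn.
HARDENED_OVPN = """\
client
remote 203.0.113.10 1194
# comment lines and ;disabled lines must be skipped by the parser
;mute-replay-warnings
ns-cert-type server
ca ca.crt
cert client1.crt
key client1.key
cipher AES-128-CBC
auth SHA256
tls-auth ta_auth.key 1
"""

def parse_ovpn(text):
    """Map each directive to the list of argument lists it was given."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comment or disabled directive
            continue
        name, *args = shlex.split(line)
        directives.setdefault(name, []).append(args)
    return directives

def lint_ovpn(text):
    """Return a list of findings; an empty list means nothing to flag."""
    d = parse_ovpn(text)
    findings = []
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth: control channel has no HMAC key (see build-ta.bat)")
    if "ns-cert-type" not in d and "remote-cert-tls" not in d:
        findings.append("no server-role check: a client cert could pose as the server")
    if "auth" not in d:
        findings.append("no auth directive: data-channel HMAC falls back to SHA1")
    cipher = d.get("cipher", [["BF-CBC"]])[0][0]  # BF-CBC was the OpenVPN 2.x default
    if cipher.upper().startswith("BF-"):
        findings.append(f"cipher {cipher}: 64-bit block cipher, prefer AES")
    if "comp-lzo" in d:
        findings.append("comp-lzo set: must match the server or the tunnel will not come up")
    return findings
```

Run `lint_ovpn(open("client1.ovpn").read())` against a real file; the guide's config yields four findings and Nadrek's yields none.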