VPS/cloud - restore VPN config during install to securely manage installation process



  • I'm installing Pfsense on a VPS via custom iso load, this is hosted on a VPS provider and will have a single WAN device only.
    Management will happen via a VPN tunnel only, so I don't ever want management console accessible via WAN.

    Installation will happen via VNC, and I never want the management console or any login server with the default root pwd being available on WAN at any time.

    I haven't started checking this yet but it should be possible to do it during install, correct? can it be done via web (scp/ssh/wget/etc. etc.) or do I have to use a usb device or a config.xml already present on disk to do this?

    Edit:
    Sorry for the noise guys, I have just started playing with this on a VM.
    I can launch the installer and install pfsense to disk from the iso, at the end before rebooting it asks you if you want to run a shell, say yes, dhclient the network device that will be WAN when pfsense start and the I can use fetch to get the config.xml from an http url.
    I then copy that config to /cf/conf/config.xml and reboot, correct?

    Where should I create the config.xml, I mean if I do it on a local VM the network device will be different, but the system is gonna ask me how to reassing them, correct?
    so when will exactly my ovpns/LAN device be created/assigned? I mean

    1. I start the VPN with the pfsese iso
    2. via VNC I follow install process and load a config.xml fetching it from the internet somewhere as per edit above
    3. reboot
    4. still on vnc follow the boot process
    5. interfaces are found different from config.xml and vps and I will be prompted to assign them

    when will the openvn server config (including CA and certs) be restored so that the LAN device is available?
    if at that point I only assign a WAN the console management will still be run on WAN if the ovpns/LAN device hasn't been restored yet.

    secondary question: are CA and certs restored to the server? I'm assuming they do, correct?



  • I did it and aswered a couple of questions I had so I'm leaving it here.

    1. yes backup/restoring config.xml backups CA and all certificates, noticeably tho if you use the passwd command from shell at anytime be weary the user password you just changed will be reverted back to the one in config.xml at every reboot, you need to change a user password from the webgui to make it stick

    2. yes it is obviously possible to restore a confix.xml just after the install process before reboot, the installer asks you at the end if you want a shell before rebooting and you should say yes, then dhclient your network device (I'm using a vps with only one network device vtnet0) and then use fetch/scp to get the config.xml on the box, put it into /cf/conf/confix.xml and reboot, that's basically it.

    Noticeably the fetch available in this environment cannot open https links without installing root certificates, which I didn't wanted to do because I don't know if it's a security risk (I believe so), so I opted to scp the file from another server I have, scp did not add the ssh key and would fail miserably, you need to ssh into the box to add the key to your know hosts (or add it manually) and then you can scp files from it.

    So I've created the basic setup (one WAN device on vtnet0 with DHCP and one LAN device on ovpns0) on a VM on my laptop, issued all the certificates and set-up the main admin user and created a firewall rule to allow the OpenVPN port (UDP 1194) from WAN Net to This Firewall, got the ovpn config file from the box and then I exported the config.xml.
    that's the config.xml I restored to the box just after install having access to it via VNC.

    1. device name and assignation during first boot, which was my main question here. the device name is gonna be checked against what's in the config.xml BEFORE starting OpenVPN and creating ovpns device, that introduces a complication here if the device name do not coincide.

    if the WAN network device name is the same (vtnet0, em0, etc.) in your VM/config.xml file and on your VPS it's all good, the box just starts without complaining, OpenVPN starts it's ovpns device assigned on LAN and you can connect to it just by changing the server IP address on you ovpn file and you got the GUI on the vpn address and at no time the default login has been exposed to the internet.

    if the device name is not the same it's a bit tricky, because during boot up it's gonna ask you to assign devices BEFORE the Openvpn device (ovpns0) has been started, so you can reassign your WAN but you're gonna loose your assigned LAN because of this.
    you can obviously fix this via shell (probably haven't looked into it, I'm just learning my way around pfsense) but the easiest way is to just use the same device name in your VM as you're gonna find on your VPS, in my case on my VPS the device name is vtnet0 and you can get that same device on virtualbox using the paravirt driver for your virtual NIC.

    I believe you can also just change the device name in the config.xml file but I haven't tried it.

    that's all folks, I hope this can help somebody in need of understanding how to do this.

    Building a VPN aggregator this way on pfsense gives yo, bandwidth control for each VPN, firewall, IDS, etc.


Log in to reply