Setting up OpenVPN to access work



  • The IT guy at work gave me all the certs, password, addresses, etc. to set up an OpenVPN connection from my home to our work.

    Is there a tutorial on setting this type of connection up and then assigning it to an unused ether port on my pf box?

    Thanks


  • LAYER 8 Global Moderator

    You would set it up via client connection in pfsense. Pretty much like any guide on connecting to any vpn service.



  • @johnpoz Thanks. It looks like the guide 'Configuring a Site-to-Site Static Key OpenVPN Instance' is probably the guide I need. After I get that going, I just need to assign it to one of the unused ether ports on my router box, right?



  • As a client device you need to assign yourself neither a port nor any firewall rules other than the local default rules you already have on your LAN.


  • LAYER 8 Global Moderator

    Your work wants you to set up a site-to-site VPN, or you can be a client?? I would check with your IT guy on that.



  • @johnpoz I would be a client. Is there a 'how-to' on the OpenVPN netgate docs on setting this up?


  • LAYER 8 Global Moderator

    That is a bit more complicated than you would think, to be honest, since each server could be set up differently.. Did your IT guy give you the .ovpn file? This file would tell you how to connect - then you just need to put that info into the pfSense GUI..

    Like I said, there are a bajillion guides on connecting to VPN services. You just need the details from your IT guy.. What's the IP or FQDN, what port, TCP or UDP?

    Are you using TLS for auth and encryption or just auth? What encryption, what auth digest algo, etc..



  • @johnpoz Yes, he did include a 'client.ovpn' along with ca.crt, client.crt, and client.key


  • LAYER 8 Global Moderator

    Well if you open up the client.ovpn file it will give you all the details (it's just a text file).. Just transpose that to the client GUI..

    If you post it - hiding the public IP of your server we can walk through it. Or if you don't want to post it - PM me the details.



  • @johnpoz Just sent you a PM with .ovpn details


  • LAYER 8 Global Moderator

    auth SHA1

    Yeah, that should be updated ;) SHA1 has been deprecated.

    So you're on TCP over 1194, seems really ODD as well..

    You understand his redirect command in there is going to send all traffic to him, even your internet.. Doesn't make a lot of sense. Are you trying to set up this pfSense client actually at work? The autolocal in that cmd doesn't make a lot of sense unless you share a common network.
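    The moderator's advice above is to read the client.ovpn text file and transpose its directives into the pfSense client form, then look at the auth digest, the transport and the redirect-gateway line. The script below is an added example for this thread, not code from Netgate, pfSense or anyone in the discussion: it parses a constructed .ovpn (placeholder hostname, placeholder CA body), maps the directives onto the fields a pfSense OpenVPN client needs, and flags the three review points raised here. The pfSense field names are my approximations of the GUI labels, and the "Don't pull routes" option is named from memory, so treat both as assumptions.

```python
"""Summarise an OpenVPN client .ovpn for transposition into a pfSense client
instance and flag the review points from the thread (auth SHA1, TCP transport,
redirect-gateway). Added example; not pfSense project code. The sample config
is constructed: the hostname and the CA body are placeholders."""
import re

# Constructed sample .ovpn, modelled on the directives discussed in the thread.
SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
tls-auth ta.key 1
redirect-gateway def1 autolocal
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn(text):
    """Return (directives, inline): directives maps a keyword to the list of
    argument lists seen for it; inline maps <tag> blocks to their body."""
    directives, inline = {}, {}
    current_tag, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current_tag:  # inside <ca>, <cert>, <key>, <tls-auth> ...
            if line == f"</{current_tag}>":
                inline[current_tag] = "\n".join(body)
                current_tag, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current_tag = m.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline


def pfsense_client_settings(directives):
    """Map the directives onto the fields of a pfSense OpenVPN client
    (field names are assumptions approximating the GUI labels)."""
    remote = directives.get("remote", [[]])[0]
    host = remote[0] if remote else None
    if len(remote) > 1:
        port = int(remote[1])
    elif "port" in directives:
        port = int(directives["port"][0][0])
    else:
        port = 1194  # OpenVPN's default port
    proto = remote[2] if len(remote) > 2 else directives.get("proto", [["udp"]])[0][0]
    if "tls-crypt" in directives:
        tls_key_mode = "tls-crypt"
    elif "tls-auth" in directives:
        tls_key_mode = "tls-auth"
    else:
        tls_key_mode = None
    return {
        "server_host": host,
        "server_port": port,
        "protocol": proto.split("-")[0].upper(),  # tcp-client -> TCP
        "device_mode": directives.get("dev", [["tun"]])[0][0],
        "cipher": directives.get("cipher", [[None]])[0][0],
        # OpenVPN's default for --auth is SHA1 when the directive is absent.
        "auth_digest": directives.get("auth", [["SHA1"]])[0][0].upper(),
        "tls_key_mode": tls_key_mode,
        "pulls_default_route": "redirect-gateway" in directives,
    }


def review_findings(settings):
    """Return (code, message) pairs for the points raised in the thread."""
    findings = []
    if settings["auth_digest"] == "SHA1":
        findings.append(("weak-digest",
            "auth SHA1: used as HMAC-SHA1 for packet authentication, so not the "
            "collision weakness, but ask for auth SHA256 on both server and client."))
    if settings["protocol"] == "TCP":
        findings.append(("tcp-transport",
            "proto tcp: OpenVPN's usual transport is UDP; confirm TCP is intentional."))
    if settings["pulls_default_route"]:
        findings.append(("redirect-gateway",
            "redirect-gateway: all traffic, including Internet, will go through the "
            "tunnel; enable 'Don't pull routes' (route-nopull, name assumed) and add "
            "only the work subnets if you want split tunnelling."))
    if settings["tls_key_mode"] is None:
        findings.append(("no-tls-key",
            "no tls-auth/tls-crypt key: control channel is not HMAC-protected."))
    return findings


if __name__ == "__main__":
    d, inline = parse_ovpn(SAMPLE_OVPN)
    s = pfsense_client_settings(d)
    for k, v in s.items():
        print(f"{k:20} {v}")
    print("inline blocks:", ", ".join(inline))
    for code, msg in review_findings(s):
        print(f"[{code}] {msg}")
```

    Run it against the real client.ovpn by replacing `SAMPLE_OVPN` with the file's contents; the printed fields are the ones to type into the pfSense client form, and each finding is a point to raise with the IT person before connecting.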



  • @johnpoz said in Setting up OpenVPN to access work:

    auth SHA1

    Yeah, that should be updated ;) SHA1 has been deprecated.

    So you're on TCP over 1194, seems really ODD as well..

    You understand his redirect command in there is going to send all traffic to him, even your internet.. Doesn't make a lot of sense. Are you trying to set up this pfSense client actually at work? The autolocal in that cmd doesn't make a lot of sense unless you share a common network.

    The network that I will be connecting to is the one at my small business. The 'IT guy' is offsite, we are not big enough to have an IT dept... so we have used his company's services for about 10 years now. In his opinion it was safer to have a tunnel to my business network, where I can then RDP into a couple of PCs and also login to some various network devices without having ports open left and right.

    He did mention that 'routes' could be set up to keep all of my traffic from going through to my business network. What would you recommend in place of SHA1? Also, what is odd about the TCP over 1194?

    Thanks



  • From memory,
    With regard to SHA1 being broken, this is not the case in OpenVPN.
    This is because of the way it is used (HMAC-SHA1).
    Add to that the key that changes hourly by default (--reneg-sec).
    If one were able to break through OpenVPN's layered security (if set up that way) one could get one hour of data.

