Pfsense OpenVPN Road Warrior Setup Via HTTPS
I made this Post to help people with OpenVPN road Warrior setup that were not working and to help people with the previous post that were left unanswered
This a guide I modified with fixes for the issue I had which was routing all network Traffic Via the VPN I wanted everything to go thru the VPN for security purposes. Also I modified the guide to make this work Via HTTPS because most hotspots and schools now block VPN ports this will fully bypass there block.
For Pfsense Version 1.2.3-RELEASE
Setting Up An OpenVPN Client On Windows XP/Vista/Win7
This Guide is on, how to connect a PC on the internet, to LAN behind a pfSense firewall using OpenVPN to work over HTTPS because most remote sites now block standard VPN ports(This is also known as a Road-Warrior setup). Also this will make your client fully route thru the VPN meaning you can get thru block site or hide network traffic from being seen on unsecured public networks. Windows Vista/Windows 7 requires administrative priviledges to run and properly configure OpenVPN.
1. Download and install the most recent software from OpenVPN Downloads. If you plan to connect from a PC with Windows Vista or 7 you should get version 2.2 or newer. Windows XP works well with 2.1 as well. Use the default options when installing.
2. Start a command prompt with administrator-rights!
This is done in Vista by clicking on START and then type CMD -> CMD.EXE should appear, and you RIGHT-Click on it and select ‘Run as Administrator’.
If your account has administrative-rights, XP’s command prompt automatically runs with them.
3. Change directory to c:\programfiles\openvpn\easy-rsa
4. Run the “init-config.bat” file
5. Edit ‘vars.bat’ file. ‘Worpad’ is suggested but Notepad will be fine. For Vista, you need to start Wordpad/Notepad with administrative-rights. (Click on START and then type CMD -> CMD.EXE should appear, and you RIGHT-Click on it and select ‘Run as Administrator’.) The following things need to be edited:
Your 2 Letter country ID Goes Here
2 Letters Province ID - Or use NA as in 'Not Applicable'
Name of Your City
Name of your company
Put a email-address here. Dont use your private address. since this is the common address for the Certificate Authority
Save the file
6. Run “vars.bat”
7. Run “clean-all.bat”
8. Run “build-ca.bat”. Then you are prompted for some different things; Leave them at default, except “Common Name” – put something like “pfSense-CA”
9. Run “build-key-server.bat server”. Again you are prompted; leave them on default except “Common Name” – use “server”
10. Run build-dh.bat
Now its time to generate keys and certificates for the client(s)
11. Run “build-key.bat ovpn_client1″. Again you are prompted; leave them on default except “Common Name” – here you should put in “ovpn_client1″ (or whatever you have called it). The ovpn_client1 will be the name of the keys, certificate and the name you identify the connection on later. You can use whatever name you like, and generate as many as you want (with different names).
12. The following files should now be copied from c:\programfiles\openvpn\easy-rsa\keys to c:\programfiles\openvpn\config
ovpn_client1.crt (if you don’t see a .crt file but only a .csr file, chances are that you don’t have admin privileges. Worst case generate the keys and certificates on a NON-Vista machine)
13. Make a file in the “C:\programfiles\openvpn\config” called “ovpn_client1.ovpn” and the file should contain (leave out the hashes):
remote xxx.xxx.xxx.xxx 443
nobind persist-key NOT persist-tun
Replace the XXX’s in the “remote” line with the public IP address of your pfSense-box. If you don’t know what that is, check ithere. If you have chosen another name than ‘ovpn_client1′ then change it in the lines beginning with ‘cert’ and ‘key’ If you have more than one VPN client, you make one .ovpn-file per client (with the corresponding .key and .crt name) Also make sure you put your keys in the right directory in the client or the config file will not find them these keys are in C:\keys\ as shown in the example above
Now its time to configure pfSense
14. Log into the web-gui of pfSense
15. Select VPN/OpenVPN and add an entry in the ‘server’ page. Use the following settings:
Local port: 443
Address pool: 192.168.200.0/24 (It should be an address range that you ''DONT'' currently use.)
Local Network: 192.168.1.0/24 (Whatever the network is that you want the VPN client to connect to)
Remote Network: blank
Cryptography: AES-128 (128 bit) - or use what you want
Authentication Method: PKI
16. Now you need to have access to some of the files created in c:\programfiles\openvpn\easy-rsa\keys (mentioned in 12.)
Copy the WHOLE content of ca.crt into the “CA certificate” window
Copy the WHOLE content of server.crt into the “Server Certificate” window
Copy the WHOLE content of server.key into the “Server Key” window
Copy the WHOLE content of dh1024.pem into the “DH parameters” window
17. DHCP-Opt.: WINS-Server: Put your DNS server Ip address
18. Tick DHCP-Opt: Disable NetBIOS (I dont use it anyway)
19. Tick LZO Compression
20. In Custom Options add the following with quotes. Also type your router ip address in the X’s if you want to use your router to be the DNS server if you have your own DNS server type the ip where the X’s are.
push “redirect-gateway def1″;push “dhcp-option DNS xxx.xxx.xxx.xxx”;verb 1;mute-replay-warnings
Now we need a few simple rules in the firewall
21. On the WAN interface you should make a rule that;
OS type: any
Destination port range from: HTTPS
Destination port range to: HTTPS
Tick in the LOG
Leave the rest at default.
Remember to apply the new rules.
22. Add another rule on the LAN interface (or whatever the name of the net defined in 15. ‘address pool’ is);
Source: LAN (or whatever the name of the net defined in 15. 'address pool' is)
Remember to apply the new rules.
Now you should be able to connect from OpenVPN (right click on the icon in the try and select Connect). But remember to start OpenVPN with ADMIN RIGHTS!
This Guide was original from http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN I have modified it with some more up to date knowledge.