Pfsense OpenVPN Road Warrior Setup Via HTTPS



  • I made this Post to help people with OpenVPN road Warrior setup that were not working and to help people with the previous post that were left unanswered
    This a guide I modified with fixes for the issue I had which was routing all network Traffic Via the VPN I wanted everything to go thru the VPN for security purposes. Also I modified the guide to make this work Via HTTPS because most hotspots and schools now block VPN ports this will fully bypass there block.

    For Pfsense Version 1.2.3-RELEASE

    Setting Up An OpenVPN Client On Windows XP/Vista/Win7

    This Guide is on, how to connect a PC on the internet, to LAN behind a pfSense firewall using OpenVPN to work over HTTPS because most remote sites now block standard VPN ports(This is also known as a Road-Warrior setup). Also this will make your client fully route thru the VPN meaning you can get thru block site or hide network traffic from being seen  on unsecured public networks. Windows Vista/Windows 7 requires administrative priviledges to run and properly configure OpenVPN.

    1. Download and install the most recent software from OpenVPN Downloads. If you plan to connect from a PC with Windows Vista or 7 you should get version 2.2 or newer. Windows XP works well with 2.1 as well. Use the default options when installing.

    2. Start a command prompt with administrator-rights!
    This is done in Vista by clicking on START and then type CMD -> CMD.EXE should appear, and you RIGHT-Click on it and select ‘Run as Administrator’.
    If your account has administrative-rights, XP’s command prompt automatically runs with them.

    3. Change directory to c:\programfiles\openvpn\easy-rsa

    4. Run the “init-config.bat” file

    5. Edit ‘vars.bat’ file. ‘Worpad’ is suggested but Notepad will be fine. For Vista, you need to start Wordpad/Notepad with administrative-rights. (Click on START and then type CMD -> CMD.EXE should appear, and you RIGHT-Click on it and select ‘Run as Administrator’.) The following things need to be edited:
    "set KEY_COUNTRY=US"
    Your 2 Letter country ID Goes Here

    "set KEY_PROVINCE=NA"
    2 Letters Province ID - Or use NA as in 'Not Applicable'

    "set KEY_CITY=Copenhagen"
    Name of Your City

    "set KEY_ORG=pfSense"
    Name of your company

    "set KEY_EMAIL=youremail@address.com"
    Put a email-address here. Dont use your private address. since this is the common address for the Certificate Authority
    Save the file

    6. Run “vars.bat”

    7. Run “clean-all.bat”

    8. Run “build-ca.bat”. Then you are prompted for some different things; Leave them at default, except “Common Name” – put something like “pfSense-CA”

    9. Run “build-key-server.bat server”. Again you are prompted; leave them on default except “Common Name” – use “server”

    10. Run build-dh.bat
    Now its time to generate keys and certificates for the client(s)

    11. Run “build-key.bat ovpn_client1″. Again you are prompted; leave them on default except “Common Name” – here you should put in “ovpn_client1″ (or whatever you have called it). The ovpn_client1 will be the name of the keys, certificate and the name you identify the connection on later. You can use whatever name you like, and generate as many as you want (with different names).

    12. The following files should now be copied from c:\programfiles\openvpn\easy-rsa\keys to c:\programfiles\openvpn\config
    ca.crt
    ovpn_client1.key
    ovpn_client1.crt (if you don’t see a .crt file but only a .csr file, chances are that you don’t have admin privileges. Worst case generate the keys and certificates on a NON-Vista machine)

    13. Make a file in the “C:\programfiles\openvpn\config” called “ovpn_client1.ovpn” and the file should contain (leave out the hashes):
    client
    dev tun
    persist-tun
    persist-key
    proto tcp
    cipher AES-128-CBC
    remote xxx.xxx.xxx.xxx 443
    ping 10
    resolv-retry infinite
    nobind persist-key NOT persist-tun
    ca C:\keys\ca.crt
    cert C:\keys\client1.crt
    key C:\keys\client1.key
    ns-cert-type servercomp-lzo
    Replace the XXX’s in the “remote” line with the public IP address of your pfSense-box. If you don’t know what that is, check ithere. If you have chosen another name than ‘ovpn_client1′ then change it in the lines beginning with ‘cert’ and ‘key’ If you have more than one VPN client, you make one .ovpn-file per client (with the corresponding .key and .crt name) Also make sure you put your keys in the right directory in the client or the config file will not find them these keys are in C:\keys\ as shown in the example above
    Now its time to configure pfSense

    14. Log into the web-gui of pfSense

    15. Select VPN/OpenVPN and add an entry in the ‘server’ page. Use the following settings:
    Protocol: TCP
    Local port: 443
    Address pool: 192.168.200.0/24 (It should be an address range that you ''DONT'' currently use.)
    Local Network: 192.168.1.0/24 (Whatever the network is that you want the VPN client to connect to)
    Remote Network: blank
    Cryptography: AES-128 (128 bit) - or use what you want
    Authentication Method: PKI

    16. Now you need to have access to some of the files created in c:\programfiles\openvpn\easy-rsa\keys (mentioned in 12.)
    Copy the WHOLE content of ca.crt into the “CA certificate” window
    Copy the WHOLE content of server.crt into the “Server Certificate” window
    Copy the WHOLE content of server.key into the “Server Key” window
    Copy the WHOLE content of dh1024.pem into the “DH parameters” window

    17. DHCP-Opt.: WINS-Server: Put your DNS server Ip address

    18. Tick DHCP-Opt: Disable NetBIOS (I dont use it anyway)

    19. Tick LZO Compression

    20. In Custom Options  add the following with quotes. Also type your router ip address in the X’s if you want to use your router to be the DNS server if you have your own DNS server type the ip where the X’s are.
    push “redirect-gateway def1″;push “dhcp-option DNS xxx.xxx.xxx.xxx”;verb 1;mute-replay-warnings
    Now we need a few simple rules in the firewall

    21. On the WAN interface you should make a rule that;
    PASS
    WAN
    Protocol: TCP
    source: any
    OS type: any
    Destination: any
    Destination port range from: HTTPS
    Destination port range to: HTTPS
    Tick in the LOG
    Leave the rest at default.
    Remember to apply the new rules.

    22. Add another rule on the LAN interface (or whatever the name of the net defined in 15. ‘address pool’ is);
    PASS
    Any protocol
    Source: LAN (or whatever the name of the net defined in 15. 'address pool' is)
    Any destination
    Remember to apply the new rules.
    Now you should be able to connect from OpenVPN (right click on the icon in the try and select Connect). But remember to start OpenVPN with ADMIN RIGHTS!

    This Guide was original from http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN I have modified it with some more up to date knowledge.


Locked