Pfsense OpenVPN Road Warrior Setup Via HTTPS
-
I made this Post to help people with OpenVPN road Warrior setup that were not working and to help people with the previous post that were left unanswered
This a guide I modified with fixes for the issue I had which was routing all network Traffic Via the VPN I wanted everything to go thru the VPN for security purposes. Also I modified the guide to make this work Via HTTPS because most hotspots and schools now block VPN ports this will fully bypass there block.For Pfsense Version 1.2.3-RELEASE
Setting Up An OpenVPN Client On Windows XP/Vista/Win7
This Guide is on, how to connect a PC on the internet, to LAN behind a pfSense firewall using OpenVPN to work over HTTPS because most remote sites now block standard VPN ports(This is also known as a Road-Warrior setup). Also this will make your client fully route thru the VPN meaning you can get thru block site or hide network traffic from being seen on unsecured public networks. Windows Vista/Windows 7 requires administrative priviledges to run and properly configure OpenVPN.
1. Download and install the most recent software from OpenVPN Downloads. If you plan to connect from a PC with Windows Vista or 7 you should get version 2.2 or newer. Windows XP works well with 2.1 as well. Use the default options when installing.
2. Start a command prompt with administrator-rights!
This is done in Vista by clicking on START and then type CMD -> CMD.EXE should appear, and you RIGHT-Click on it and select ‘Run as Administrator’.
If your account has administrative-rights, XP’s command prompt automatically runs with them.3. Change directory to c:\programfiles\openvpn\easy-rsa
4. Run the “init-config.bat” file
5. Edit ‘vars.bat’ file. ‘Worpad’ is suggested but Notepad will be fine. For Vista, you need to start Wordpad/Notepad with administrative-rights. (Click on START and then type CMD -> CMD.EXE should appear, and you RIGHT-Click on it and select ‘Run as Administrator’.) The following things need to be edited:
"set KEY_COUNTRY=US"
Your 2 Letter country ID Goes Here"set KEY_PROVINCE=NA"
2 Letters Province ID - Or use NA as in 'Not Applicable'"set KEY_CITY=Copenhagen"
Name of Your City"set KEY_ORG=pfSense"
Name of your company"set KEY_EMAIL=youremail@address.com"
Put a email-address here. Dont use your private address. since this is the common address for the Certificate Authority
Save the file6. Run “vars.bat”
7. Run “clean-all.bat”
8. Run “build-ca.bat”. Then you are prompted for some different things; Leave them at default, except “Common Name” – put something like “pfSense-CA”
9. Run “build-key-server.bat server”. Again you are prompted; leave them on default except “Common Name” – use “server”
10. Run build-dh.bat
Now its time to generate keys and certificates for the client(s)11. Run “build-key.bat ovpn_client1″. Again you are prompted; leave them on default except “Common Name” – here you should put in “ovpn_client1″ (or whatever you have called it). The ovpn_client1 will be the name of the keys, certificate and the name you identify the connection on later. You can use whatever name you like, and generate as many as you want (with different names).
12. The following files should now be copied from c:\programfiles\openvpn\easy-rsa\keys to c:\programfiles\openvpn\config
ca.crt
ovpn_client1.key
ovpn_client1.crt (if you don’t see a .crt file but only a .csr file, chances are that you don’t have admin privileges. Worst case generate the keys and certificates on a NON-Vista machine)13. Make a file in the “C:\programfiles\openvpn\config” called “ovpn_client1.ovpn” and the file should contain (leave out the hashes):
client
dev tun
persist-tun
persist-key
proto tcp
cipher AES-128-CBC
remote xxx.xxx.xxx.xxx 443
ping 10
resolv-retry infinite
nobind persist-key NOT persist-tun
ca C:\keys\ca.crt
cert C:\keys\client1.crt
key C:\keys\client1.key
ns-cert-type servercomp-lzo
Replace the XXX’s in the “remote” line with the public IP address of your pfSense-box. If you don’t know what that is, check ithere. If you have chosen another name than ‘ovpn_client1′ then change it in the lines beginning with ‘cert’ and ‘key’ If you have more than one VPN client, you make one .ovpn-file per client (with the corresponding .key and .crt name) Also make sure you put your keys in the right directory in the client or the config file will not find them these keys are in C:\keys\ as shown in the example above
Now its time to configure pfSense14. Log into the web-gui of pfSense
15. Select VPN/OpenVPN and add an entry in the ‘server’ page. Use the following settings:
Protocol: TCP
Local port: 443
Address pool: 192.168.200.0/24 (It should be an address range that you ''DONT'' currently use.)
Local Network: 192.168.1.0/24 (Whatever the network is that you want the VPN client to connect to)
Remote Network: blank
Cryptography: AES-128 (128 bit) - or use what you want
Authentication Method: PKI16. Now you need to have access to some of the files created in c:\programfiles\openvpn\easy-rsa\keys (mentioned in 12.)
Copy the WHOLE content of ca.crt into the “CA certificate” window
Copy the WHOLE content of server.crt into the “Server Certificate” window
Copy the WHOLE content of server.key into the “Server Key” window
Copy the WHOLE content of dh1024.pem into the “DH parameters” window17. DHCP-Opt.: WINS-Server: Put your DNS server Ip address
18. Tick DHCP-Opt: Disable NetBIOS (I dont use it anyway)
19. Tick LZO Compression
20. In Custom Options add the following with quotes. Also type your router ip address in the X’s if you want to use your router to be the DNS server if you have your own DNS server type the ip where the X’s are.
push “redirect-gateway def1″;push “dhcp-option DNS xxx.xxx.xxx.xxx”;verb 1;mute-replay-warnings
Now we need a few simple rules in the firewall21. On the WAN interface you should make a rule that;
PASS
WAN
Protocol: TCP
source: any
OS type: any
Destination: any
Destination port range from: HTTPS
Destination port range to: HTTPS
Tick in the LOG
Leave the rest at default.
Remember to apply the new rules.22. Add another rule on the LAN interface (or whatever the name of the net defined in 15. ‘address pool’ is);
PASS
Any protocol
Source: LAN (or whatever the name of the net defined in 15. 'address pool' is)
Any destination
Remember to apply the new rules.
Now you should be able to connect from OpenVPN (right click on the icon in the try and select Connect). But remember to start OpenVPN with ADMIN RIGHTS!This Guide was original from http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN I have modified it with some more up to date knowledge.