OpenVPN pfSense 2 - Installation guide for (Windows) Dummies :-) (road-warrior)
-
Hello. Here I'm trying to update "OpenVPN on pfSense - Installation guide for (Windows) Dummies :-) (road-warrior)" to work with pfSense 2 Release.
I give no warranty that this will work for you or that it will not ruin your setup. So please BACKUP FIRST. Note that I tried to mark my updates in Green. I hope I didn't break that guide. I think a wiki would be the best place to put it, if I had access to the pfSense wiki.
–-----
A guide of how to connect a PC on the internet, to LAN behind a pfSense firewall using OpenVPN also known as a Road-Warrior setup
This guide is NOT detailed regarding different configurations, and may not be the best security practices - so use it at your own risk...
First of all you need to have keys and certificates generated in order to configure the pfSense OpenVPN service;
- Download and install the most recent software from http://openvpn.net/download.html
If you plan to connect from a PC with Windows Vista you should get version 2.1 or newer.
Use the default options
-
Start a command prompt with administrator-rights!
This is done in Vista & Seven by clicking on START and then typing CMD -> CMD.EXE should appear; RIGHT-click on it and select 'Run as Administrator'
Change directory to c:\programfiles\openvpn\easy-rsa
-
run the "init-config.bat" file
-
Edit 'vars.bat' file.
I suggest using 'Wordpad' and to be able to save the file again, you need to start Wordpad in the same manner as the command-prompt (see #2)
The following things need to be edited:
"set KEY_COUNTRY=DK"
2 Letters country ID - I use DK for Denmark
"set KEY_PROVINCE=na"
2 Letters Province ID - I use na as in 'Not Applicable'
"set KEY_CITY=Copenhagen"
Name of city
set KEY_ORG=Frewald
Name of your company
set KEY_EMAIL=youremail@address.com
Put an email-address here. Don't use your private address, since this is the common address for the Certificate Authority (or something...)
Save the file
-
Run "vars.bat"
-
Run "clean-all.bat"
Run "build-ca.bat"
Then you are prompted for some different things; leave them at default, except "Common Name" - put something like "pfSense-CA"
Run "build-key-server.bat server"
Again you are prompted; leave them on default except "Common Name" - use "server". (Two other queries require positive responses: "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]". You might also see that while creating client keys.)
Run build-dh.bat (not required, see Importing OpenVPN DH Parameters - PFSenseDocs)
–-
Now it's time to generate keys and certificates for the client(s)
Run "build-key.bat ovpn_client1"
Again you are prompted; leave them on default except "Common Name" - here you should put in "ovpn_client1" (or whatever you have called it)
The ovpn_client1 will be the name of the keys, certificate and the name you identify the connection on later. You can use whatever name you like, and generate as many as you want (with different names).
The following files should now be copied from c:\programfiles\openvpn
easy-rsa\keys to c:\programfiles\openvpn\config
ca.crt
ovpn_client1.key
ovpn_client1.crt (if you don't see a .crt file but only a .csr file, chances are that you don't have admin privileges. Worst case, generate the keys and certificates on a NON-Vista machine)
Make a file in the c:\programfiles\openvpn\config
called "ovpn_client1.ovpn" and the file should contain (leave out the hashes):
```
client
dev tun
proto udp
remote 64.233.167.99 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ovpn_client1.crt
key ovpn_client1.key
ns-cert-type server
comp-lzo
pull
verb 3
```
Please put in your own public IP address of your pfSense-box in the 'remote' line
If you have chosen another name than 'ovpn_client1' then change it in the lines beginning with 'cert' and 'key'
If you have more than one VPN client, you make one .ovpn-file per client (with the corresponding .key and .crt name)
Now it's time to configure pfSense
-
Log into the web-gui of pfSense
-
Now you need to have access to some of the files created in c:\programfiles\openvpn\easy-rsa\keys (mentioned in #12)
-
Log into the web-gui of pfSense then system >> cert manager
-
add new certificate in CAs tab, name it (ex, CA), and Copy the WHOLE content of ca.crt into the "Certificate data" field
-
add new certificate in Certificates tab, name it (ex, servercrt), and Copy the WHOLE content of server.crt into the "Certificate data" field and the WHOLE content of server.key into the "Private key data" field
-
Copy the WHOLE content of dh1024.pem into the "DH parameters" window (not required, see Importing OpenVPN DH Parameters - PFSenseDocs)
Select VPN/OpenVPN and add an entry in the 'server' page, Use the following settings:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
TLS Authentication: unchecked (maybe that is unsafe)
Peer Certificate Authority: CA (or whatever you named it in step 23)
Peer Certificate Revocation List: (not required)
Server Certificate: servercrt (or whatever you named it in step 24)
DH Parameters Length: 1024
Encryption algorithm: BF-CBC (128-bit)
Hardware Crypto: (I didn't set any - No hardware crypto acceleration)
Tunnel Network: 192.168.200.0/24 the client will be on that subnet
Redirect Gateway: unchecked
Local Network: 192.168.1.0/24 the network which the client should reach
Remote Network: blank
Concurrent connections: blank
Compression: checked
Type-of-Service: unchecked
Duplicate Connections: unchecked
Advanced: nothing
Now we need a few simple rules in the firewall
On the WAN interface you should make a rule that;
PASS
WAN
Protocol: UDP
source: any
OS type: any
Destination: any
Destination port range from: OpenVPN
Destination port range to: OpenVPN
Tick in the LOG
Leave the rest at default.
and another rule on the interface called openvpn
PASS
Any protocol
Source: Any
Any destination
Remember to apply the new rules.
Now you should be able to connect from OpenVPN (right-click on the icon in the tray and select Connect).
But remember to start OpenVPN with ADMIN RIGHTS!
A small trick: if you want a specific client to be able to access more than one subnet, you can add a 'Client Specific Configuration' in pfSense;
Find it in the "WebGui/VPN/OpenVPN/Client-Specific configuration", use the Common Name given in #11 (ovpn_client1) and in custom options add the following line
push "route 192.168.2.0 255.255.255.0"
if that's the subnet that you want to have connection to.
Hope this small guide provides some help to those of us who aren't much into *nix and OpenVPN.
There is probably a bunch of typ'O's - please write a comment when you see one that needs to be corrected…
This setup is working on my current setup:
pfSense 2 Release
Please visit http://openvpn.net/howto.htm for much more in-depth info
Best regards,
Frewald
Small update:
If you later would like to add new clients, run point 2,3,6, and continue from point 11! - don't run point 7-8-9-10!!!!
Also note you need to do this on the machine that was originally used to issue the certificates.
![pfsense.localdomain - OpenVPN: Server_1324456085300.png](/public/imported_attachments/1/pfsense.localdomain - OpenVPN: Server_1324456085300.png)
-
Here is some additional info:
in CAs tab it will look like:

| Name | Internal | Issuer | Certificates | Distinguished Name |
|---|---|---|---|---|
| CA | NO | self-signed | 1 | name=ovpnca, emailAddress=your@mail.com, ST=RY, OU=Internet, O=Organization, L=Riyadh, CN=pfSense-CA, C=SA |

in Certificates page:

| Name | Issuer | Distinguished Name | In Use |
|---|---|---|---|
| webConfigurator default | self-signed | emailAddress=Email Address, ST=Somewhere, OU=Organizational Unit Name (eg, section), O=CompanyName, L=Somecity, CN=Common Name (eg, YOUR name), C=US | webConfigurator |
| servercrt | CA | name=ovpnserver, emailAddress=your@mail.com, ST=RY, OU=Internet, O=Organization, L=Riyadh, CN=server, C=SA | OpenVPN Server |
-
I followed these instructions, but the client wouldn't connect. Deleted the comp-lzo line in the .ovpn file and now the client connects. I get an IP address of 291.168.200.6, and a DHCP server address of 102.168.200.5. No gateway is specified on my XP client machine when I do an ipconfig.
I also cannot ping servers inside the protected subnet.
I have re-checked the firewall rules and they are implemented as you specified.
Can someone help with additional suggestions? I am trying to allow an external client to run applications from both a Windows and a Linux server on my protected subnet. If additional info or logs are required, please let me know.
Thanks,
Gary
Hi, I'm just a beginner here, but I'll try to help.
I've had a similar problem where I was unable to ping inside. My problem was that the ping could reach the target machine inside the LAN behind pfSense, but the target was not able to respond because it needed a route to the VPN gateway. I confirmed the ping reaching the target by using Wireshark on the target.
The following link contains helpful information about fixing the issue:
http://www.howtogeek.com/howto/windows/adding-a-tcpip-route-to-the-windows-routing-table/
If your problem is different, it would be very helpful if you provided logs from the client and the OpenVPN server.
Best wishes
-
I have finally been able to make XP clients connect and run an application from my Windows server. I can also ping both the Windows and Linux servers from XP client machine. I still have the following problem:
I can't map a network drive to a samba share from my Linux server.
I installed the OpenVPN client on a Win 7 machine. This client won't ping anything. I thought perhaps it was a Windows firewall issue, but turning the firewall off didn't solve the problem. Just for grins, I added the following route to my Windows server: route -p 192.168.250.0 MASK 255.255.255.0 192.168.1.1, but it appeared to make no difference.
Again, can anyone provide suggestions on the next steps to solve both my samba issue and my Windows 7 connection problem?
Thanks
Gary
-
Thank you for this guide; with your help I got things working on pfSense 2.0.1 with a few minor alterations, some of which are cryptodev/security/regulatory requirements based, some of which are specifically to require all OPT1 (wifi) traffic to flow over AES/SHA256 VPN (no exceptions), DNS included, and I deliberately use a ta_auth.key to increase security.
Setting up your pfSense firewall - match the parms in the config files (*.ovpn)
*** DO ENTER the interface for OpenVPN to LISTEN on
*** DO NOT UNCHECK "Enable authentication of TLS packets".
*** DO UNCHECK "Automatically generate a shared TLS authentication key" and instead paste in the contents of
the file that build-ta.bat created
*** DO CHECK "Redirect Gateway"
*** DO LEAVE "Remote Network" blank - we're not doing a site-to-site VPN
*** DO ENTER the maximum number of Concurrent Connections, if known
*** DO NOT CHECK "Compression" unless you know you're going to be sending compressible data
Note that remote desktop use is typically encrypted in and of itself, and is thus not compressible.
*** ADD 'auth SHA256;push "redirect-gateway def1";push "dhcp-option DNS <OpenVPN listening IP addr>"' without the outer single quotes to the Advanced configuration, Advanced section at the bottom.
??? the redirect gateway may not be required if the checkbox is checked.

Sample initial client1.ovpn (I'm still working on this - in particular, I'd like to get away from DHE entirely):

```
client
dev tun
proto udp
remote YourListeningInterfaceIPAddr 1194
#ns-cert-type is a pre-2.0 way of making sure we're not being spoofed by a client acting as a server
keepalive 5 60
resolv-retry infinite
nobind
persist-key
persist-tun

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

ca ca.crt
cert client1.crt
key client1.key
cipher AES-128-CBC
auth SHA256
tls-cipher DHE-RSA-AES128-SHA
tls-auth ta_auth.key 1
pull
verb 3

# run "client.up" to add necessary
# DNS entries to resolv.conf
#;up /home/user/openvpnclient/sample-config-files/client.up

# run "client.down" to remove
# resolv.conf entries when VPN
# is disconnected
#;plugin "/usr/lib/openvpn/openvpn-down-root.so" "/home/user/openvpnclient/sample-config-files/client.down"
```

CopyClientConfigs.bat (select the files each client needs):

```
md keys\client1
del /q keys\client1\*
copy keys\ca.crt keys\client1
copy keys\EyeWearHausta.key keys\client1
copy keys\client1.crt keys\client1
copy keys\client1.key keys\client1
copy OpenVPNConfigFiles\client1.ovpn keys\client1
```

build-ta.bat

```
openvpn --genkey --secret keys\ta_auth.key
```

build-key-pass.bat

```
@echo off
cd %HOME%
rem build a request for a cert that will be valid for 9000 days
openssl req -days 9000 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
rem sign the cert request with our ca, creating a cert/key pair
openssl ca -days 9000 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
rem delete any .old files created in this process, to avoid future file creation errors
del /q %KEY_DIR%\*.old
```

And the simple RunAll.bat

```
call vars.bat
call build-ca.bat
call build-key-server.bat server
call build-key-pass.bat client1
call build-ta.bat
call CopyClientConfigs.bat
```
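
The difference between the guide's client file and the hardened one in the last reply can be checked mechanically. The sketch below is an added example, not code from the thread: `parse_ovpn`, `audit` and the finding names are made up here, and it assumes a client with no `cipher` or `auth` line uses BF-CBC and SHA1, the defaults of OpenVPN releases of that period.

```python
import shlex

# Directives taken from the two client configs in this thread (trimmed).
GUIDE_OVPN = """client
remote 64.233.167.99 1194
ca ca.crt
ns-cert-type server
comp-lzo
"""
REPLY_OVPN = """client
remote YourListeningInterfaceIPAddr 1194
;mute-replay-warnings
ns-cert-type server
cipher AES-128-CBC
auth SHA256
tls-auth ta_auth.key 1
"""

def parse_ovpn(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    opts = {}
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words and not words[0].startswith(";"):
            opts[words[0]] = words[1:]
    return opts

def audit(text):
    """Return finding ids where a client config is weaker than the reply's."""
    o = parse_ovpn(text)
    # Assumption: no cipher/auth line means the old defaults BF-CBC and SHA1.
    cipher = (o.get("cipher") or ["BF-CBC"])[0].upper()
    auth = (o.get("auth") or ["SHA1"])[0].upper()
    findings = []
    if "tls-auth" not in o and "tls-crypt" not in o:
        findings.append("no-tls-auth")          # no HMAC on TLS control packets
    if cipher.startswith(("BF-", "DES")):
        findings.append("64-bit-block-cipher")  # Blowfish / DES family
    if auth in ("SHA1", "MD5"):
        findings.append("legacy-auth-digest")
    if "comp-lzo" in o and o["comp-lzo"] != ["no"]:
        findings.append("compression-on")
    if "ns-cert-type" not in o and "remote-cert-tls" not in o:
        findings.append("no-server-cert-check")
    return findings

if __name__ == "__main__":
    for name, cfg in (("guide", GUIDE_OVPN), ("reply", REPLY_OVPN)):
        print(name, audit(cfg) or "no findings")
```

The server side has to match whatever the client file ends up with: cipher, auth digest, compression and the TLS authentication key are all set per server in the pfSense OpenVPN page.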