HOWTO: Pfsense 2.0.1 - OpenVPN Site 2 MultiSite PKI



  • Pfsense 2.0.1 - OpenVPN Site 2 MultiSite PKI

    Here is a simple howto for a PKI Site 2 MultiSite setup.

    Server: Private Subnet 192.168.1.0/24
    Client1: Private Subnet 192.168.2.0/24

    SERVER SIDE: 192.168.1.0/24 <========> 10.0.8.0/24 <========> CLIENT SIDE: 192.168.2.0/24

    SERVER: ++First step Create Certificates (CA, Server Certificate, User Certificate)++

    System/Cert Manager

    Tab CAs
    Create a Certificate Authority (+ sign)

    Descriptive name: internal-ca
    Method: Create an internal Certificate Authority
    Key length: 2048
    Lifetime: 3650 days
    Country Code: {xx}
    State or Province: {xx}
    City: {xx}
    Organisation: {xx}
    Email Address: {xx@xx.xx}
    Common Name: internal-ca

    click save.

    Tab Certificates
    Create a Server Certificate (+ sign)

    Method: Create an internal Certificate
    Descriptive name: internal-server
    Certificate authority: internal-ca
    Key length: 2048 bits
    Certificate Type: Server Certificate
    Lifetime: 3650 days
    Country Code: {xx}
    State or Province: {xx}
    City: {xx}
    Organisation: {xx}
    Email Address: {xx@xx.xx}
    Common Name: internal-server

    Tab Certificates
    Create a User "client" Certificate (+ sign)

    Method: Create an internal Certificate
    Descriptive name: client1
    Certificate authority: client1
    Key length: 2048 bits
    Certificate Type: User Certificate
    Lifetime: 3650 days
    Country Code: {xx}
    State or Province: {xx}
    City: {xx}
    Organisation: {xx}
    Email Address: {xx@xx.xx}
    Common Name: client1

    You can repeat the "create user certificate" step for more than one client ;)

    SERVER: ++Second step Export Certificates (CA, User Certificate)++

    System/Cert Manager

    Tab CAs
    "export CA cert" of internal-ca
    do not export the private key!

    Tab Certificate
    "export cert" and "export key" of client1

    SERVER: ++Third step Setup OpenVPN Server.++

    VPN/OpenVPN

    Tab Server
    create a Server (+ sign)

    Disabled: empty
    Server Mode: Peer to Peer (SSL/TLS)
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local port: 1194
    Description: Site 2 Site PKI
    TLS Authentication: Enable authentication of TLS packets
    Automatically generate a shared TLS authentication key.
    Peer Certificate Authority: internal-ca
    Peer Certificate Revocation List:
    Server Certificate: internal-server
    DH Parameters Length: 1024 bits
    Encryption algorithm: AES-256-CBC (256-bit)
    Hardware Crypto:
    Certificate Depth: One (Client+Server)
    Tunnel Network: 10.0.8.0/24
    Redirect Gateway:empty
    Local Network:empty
    Remote Network:empty
    Concurrent connections:empty
    Compression:empty
    Type-of-Service:empty
    Duplicate Connections:empty
    Advanced: push "route 192.168.1.0 255.255.255.0";route 192.168.2.0 255.255.255.0;

    Click Save

    Tab Client Specific Override
    create a Client Specific Override (+ sign)
    Disabled:empty
    Common name: client1
    Description: CSO client1
    Connection blocking:empty
    Tunnel Network:empty
    Redirect Gateway:empty
    Server Definitions:empty
    DNS Default Domain:empty
    DNS Servers:empty
    NTP Servers:empty
    NetBIOS Options:empty
    Advanced: iroute 192.168.2.0 255.255.255.0

    Click Save

    CLIENT: ++Step Four Import Certificates (CA, User Certificate)++

    System/Cert Manager

    Tab CAs
    Import a Certificate Authority (+ sign)
    Descriptive name: internal-ca
    Method: Importing an existing Certificate Authority
    Certificate data: copy/paste this from the exported internal-ca.crt (open with notepad)

    Click Save.

    Tab Certificates
    Import a User Certificate (+ sign)
    Method: Importing an existing Certificate
    Descriptive name: client1
    Certificate data: copy/paste this from the exported client.crt (open with notepad)
    Private key data: copy/paste this from the exported client.key (open with notepad)

    Click Save.

    CLIENT: ++Step Five Setup OpenVPN Client.++

    VPN/OpenVPN

    Tab Client
    Create a Client connection (+ sign)

    Disabled:empty
    Server Mode: Peer to Peer (SSL/TLS)
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local port: empty
    Server host or address: WAN address of server.
    Server port: 1194
    Proxy host or address: empty
    Proxy port: empty
    Proxy authentication extra options: none
    Server host name resolution: empty
    Description: Site 2 Site PKI
    TLS Authentication: Enable authentication of TLS packets.
    Automatically generate a shared TLS authentication key: empty
    Copy/paste shared key (from server connection) here.
    Peer Certificate Authority:internal-ca
    Client Certificate: client1
    Encryption algorithm: AES-256-CBC (256-bit)
    Hardware Crypto: empty
    Tunnel Network: 10.0.8.0/24
    Remote Network: empty
    Limit outgoing bandwidth: empty
    Compression: empty
    Type-of-Service: empty
    Advanced: empty

    Click Save.

    Remember to open the client/server firewall.
    Firewall/Rules
    Tab OpenVPN
    Create rule: pass, any, any, any

    Open UDP port 1194 on the server firewall on the WAN interface.

    All done ;)
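The routing directives are the part of the setup above that is easiest to get wrong, so here is an added example (not code from the post and not pfSense's own) that derives the server and Client Specific Override "Advanced" text from a list of sites and checks it for the classic mismatch: a server `route` to a client LAN with no `iroute` claiming it. It uses the post's addresses (server LAN 192.168.1.0/24, client1 LAN 192.168.2.0/24) and goes beyond the two-site case: with several client sites each override also pushes the other sites' LANs, so client sites can reach each other through the server. The `Site` type, the function names and the second site `client2` with 192.168.3.0/24 are assumptions of this example.

```python
"""Derive and sanity-check the OpenVPN site-to-multisite routing directives.

Added example; the Site type, function names and the extra site "client2"
(192.168.3.0/24) are assumptions, not taken from the post or from pfSense.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    cn: str   # common name of the site's client certificate (matches its CSO)
    lan: str  # LAN behind that site's pfSense, in CIDR form


def _mask(cidr):
    """'192.168.2.0/24' -> '192.168.2.0 255.255.255.0' (OpenVPN directive form)."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.netmask}"


def server_advanced(server_lan, sites):
    """Server 'Advanced' box: a kernel route to every client LAN (so the server
    sends that traffic into the tunnel) and a push of the server LAN to all clients."""
    lines = [f"route {_mask(s.lan)};" for s in sites]
    lines.append(f'push "route {_mask(server_lan)}";')
    return "\n".join(lines)


def cso_advanced(site, sites):
    """Client Specific Override 'Advanced' box for one site: an iroute that tells
    OpenVPN which connected client owns that LAN, plus a push of every *other*
    client site's LAN so the sites can reach each other through the server."""
    lines = [f"iroute {_mask(site.lan)};"]
    lines += [f'push "route {_mask(o.lan)}";' for o in sites if o.cn != site.cn]
    return "\n".join(lines)


_DIRECTIVE = re.compile(r'^(push\s+"route|iroute|route)\s+(\S+)\s+([\d.]+)"?$')


def _directives(text):
    """Yield (kind, cidr) for each route / iroute / push "route" directive;
    directives may be separated by ';' (as in the pfSense GUI) or newlines."""
    for raw in re.split(r"[;\n]", text):
        m = _DIRECTIVE.match(raw.strip())
        if m:
            kind = "push" if m.group(1).startswith("push") else m.group(1)
            yield kind, str(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))


def missing_iroutes(server_adv, csos):
    """Client LANs the server kernel routes into the tunnel but no CSO claims with
    iroute: OpenVPN has no client to hand those packets to and drops them.
    csos maps certificate common name -> that CSO's 'Advanced' text."""
    routed = {n for k, n in _directives(server_adv) if k == "route"}
    claimed = {n for t in csos.values() for k, n in _directives(t) if k == "iroute"}
    return sorted(routed - claimed)


def routes_pushed_to(cn, server_adv, csos):
    """Networks the client with common name cn will add to its routing table."""
    pushed = {n for k, n in _directives(server_adv) if k == "push"}
    pushed |= {n for k, n in _directives(csos.get(cn, "")) if k == "push"}
    return sorted(pushed)


SERVER_LAN = "192.168.1.0/24"
SITES = [Site("client1", "192.168.2.0/24"), Site("client2", "192.168.3.0/24")]

if __name__ == "__main__":
    adv = server_advanced(SERVER_LAN, SITES)
    csos = {s.cn: cso_advanced(s, SITES) for s in SITES}
    print("server Advanced:\n" + adv)
    for cn, text in csos.items():
        print(f"\nCSO {cn} Advanced:\n{text}")
        print(f"  routes this client gets: {routes_pushed_to(cn, adv, csos)}")
    print("\nroute without iroute:", missing_iroutes(adv, csos))
    # The post's own server text, checked with its CSO left out, shows the mismatch:
    print("post's server text, no CSO:", missing_iroutes(
        'push "route 192.168.1.0 255.255.255.0";route 192.168.2.0 255.255.255.0;', {}))
```

Two things the check relies on: the CSO's common name must equal the CN of the client certificate exactly (the post uses `client1` for both), because that is how OpenVPN associates the `iroute` with a connected client; and a client LAN that has a `route` on the server but no `iroute` shows up as "can reach the tunnel address but nothing behind it", since the server hands the packet to OpenVPN and OpenVPN has no client to deliver it to.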


  • Rebel Alliance Developer Netgate

    We've already got a doc for this on the wiki:

    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

    The main difference, though, is that the one on the wiki doesn't spell out each and every setting like this does, though most of those depend on the user's network or preferences, so it's hard to really document what those "should" be.



  • I followed this to the T and it doesn't work… the only section that was a bit unclear was the following...

    Tab Certificates
    Create a User "client" Certificate (+ sign)

    Method: Create an internal Certificate
    Descriptive name: client1
    Certificate authority: client1
    Key length: 2048 bits
    Certificate Type: User Certificate
    Lifetime: 3650 days
    Country Code: {xx}
    State or Province: {xx}
    City: {xx}
    Organisation: {xx}
    Email Address: {xx@xx.xx}
    Common Name: client1

    It does not give me an option to edit the cert auth. It only defaults to internal-ca.

    Please advise.

    thanks for your help!



    I found the problem… it was my firewall rules. I forgot to change them to UDP.



    OK… so the server is issuing a private IP from the tunnel and the client shows that it's connected. But I can't ping either side from either device. What am I missing?



    Started the detailed process you specify

    Swapped the TCP/IP addresses as follows:

    SERVER SIDE: 192.168.1.0/24 <========> 10.0.8.0/24 <========> CLIENT SIDE: 192.168.2.0/24
    -----------------------------------------------------------------------------------------
    SERVER SIDE:    10.1.1.0/24 <========> 10.0.8.0/24 <========> CLIENT SIDE: 10.1.12.0/24

    Replaced the user name client1 with tassos

    Tab Certificates
    Create a User "client" Certificate (+ sign)

    Ran into the problem previously mentioned by tweezy619:

    Method: Create an internal Certificate
    Descriptive name: client1
    Certificate authority: client1
    Key length: 2048 bits
    Certificate Type: User Certificate
    Lifetime: 3650 days
    Country Code: {xx}
    State or Province: {xx}
    City: {xx}
    Organisation: {xx}
    Email Address: {xx@xx.xx}
    Common Name: client1

    It does not give me an option to edit the cert auth. It only defaults to internal-ca.

    and finally stuck in step

    CLIENT: ++Step Four Import Certificates (CA, User Certificate)++

    System/Cert Manager

    Tab CAs
    Import a Certificate Authority (+ sign)
    Descriptive name: internal-ca
    Method: Importing an existing Certificate Authority
    Certificate data: copy/paste this from the exported internal-ca.crt (open with notepad)

    Click Save.

    By clicking Save I get "This certificate does not appear to be valid."

    User tweezy619 found the solution in Firewall Rules that needed to be set to UDP.

    How do I do that? Any suggestion would be really helpful.
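A "This certificate does not appear to be valid" message on import means the firewall could not parse what was pasted into the form. The following added example (this example's own checks, not pfSense's import code, which is not shown on this page) runs the sanity checks a practitioner would otherwise do by hand on a pasted PEM block: Windows line endings and a BOM from Notepad, a private key pasted where the certificate belongs, a truncated copy, lost base64 characters, and a DER length header that does not match the decoded data. The function names are assumptions of the example, and the sample blocks are constructed from a minimal DER SEQUENCE, not real certificates.

```python
"""Sanity-check a pasted PEM block the way a certificate-import form needs it.

Added example; check_pem and make_pem are this example's own names and the
sample data below is constructed (a bare DER SEQUENCE, not a real certificate).
"""
import base64
import binascii
import re
import textwrap

_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)


def _der_declared_len(der):
    """Total length the outer DER TLV claims: tag + length bytes + content."""
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n more length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text, expected="CERTIFICATE"):
    """Return a list of problems with the pasted text; [] means it looks sane."""
    problems = []
    # Notepad on Windows gives CRLF line ends and may prepend a UTF-8 BOM.
    text = text.replace("\r\n", "\n").replace("\r", "\n").lstrip("\ufeff").strip()
    m = _PEM.search(text)
    if not m:
        return ["no complete -----BEGIN/-----END pair: truncated or partial paste"]
    label, body, end_label = m.groups()
    if label != end_label:
        problems.append(f"BEGIN says {label!r} but END says {end_label!r}")
    if label != expected:
        problems.append(f"pasted a {label} block where a {expected} is expected")
    if text[:m.start()].strip() or text[m.end():].strip():
        problems.append("extra text outside the PEM markers")
    try:
        der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["body is not valid base64 (characters lost or altered in copy/paste)"]
    # Certificates and keys are all an outer DER SEQUENCE (0x30); its length
    # header must account for exactly the bytes that were decoded.
    if len(der) < 2 or der[0] != 0x30:
        problems.append("decoded data is not a DER SEQUENCE")
    elif _der_declared_len(der) != len(der):
        problems.append(f"DER header declares {_der_declared_len(der)} bytes, "
                        f"got {len(der)}: truncated or concatenated data")
    return problems


def make_pem(label, der):
    """Wrap DER bytes as PEM with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    return (f"-----BEGIN {label}-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + f"\n-----END {label}-----\n")


# Constructed samples: SEQUENCE { INTEGER 5 } with a short-form length, and a
# 256-byte SEQUENCE that exercises the long-form (0x82) length encoding.
SAMPLE_SHORT = b"\x30\x03\x02\x01\x05"
SAMPLE_LONG = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    good = make_pem("CERTIFICATE", SAMPLE_LONG)
    cases = {
        "clean paste": good,
        "from Notepad (BOM + CRLF)": "\ufeff" + good.replace("\n", "\r\n"),
        "key pasted into cert box": make_pem("RSA PRIVATE KEY", SAMPLE_SHORT),
        "truncated": good[:-20],
        "one base64 char dropped": good.replace("AAAA", "AAA", 1),
        "DER cut short": make_pem("CERTIFICATE", SAMPLE_LONG[:-1]),
    }
    for name, blob in cases.items():
        print(f"{name}: {check_pem(blob) or 'OK'}")
```

The outer-SEQUENCE length check is deliberately shallow: it says nothing about whether the certificate is valid or signed by the right CA, only whether the bytes that arrived in the form are the bytes that were exported, which is what the import error is about.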



    Quick question: if behind client1 is a Windows network with its own DNS server (not the pfSense box), is it possible to push the DNS server IP to server1 and enable NetBIOS over TCP/IP, so that people from the server1 network could browse computers on the client1 Windows network?



  • Hello

    I followed this and I have my Site2Site running, but have a problem I'm unable to resolve.

    I can access the server side from the client side, but not the client computers from the server side (not even ping).

    I've checked the rules, etc… and don't find the solution.

    If I SSH from the server side to the client-side OpenVPN IP (10.0.10.6) I get an SSH session from a server-side computer into the client-side pfSense box, so it's working, but I can't access the LAN.

    Anyone knows what i am missing?

    TIA

    Best



  • On the server side, does pfSense have a route to the client LAN (Diagnostics->Routes)?
    What happens when you traceroute to a client LAN device? Where do the responses stop?
    Is the client-end pfSense the main router for the client LAN? (If yes, then the clients should have it as their default gateway and should work. If no, then the clients need to know the route back, or the main client router needs to know the route to the pfSense.)
    Does the client pfSense have firewall rule/s on OpenVPN allowing the incoming traffic?
    Do the LAN clients have a firewall preventing ping/traceroute?
    If you are really stuck finding the error, post OpenVPN configs and rules and details of what the client machines are. Someone can spot the missing piece of the puzzle…



  • Hello Phil, thanks for your answer, below are the replies
    @phil.davis:

    On the server side, does pfSense have a route to the client LAN (Diagnostics->Routes)?

    ~~No, I don't see it on the server side, but yes on the client side; I think it is the one that says:

    Dest: 172.16.0.0/21 - Gw: 10.0.10.5 - UGS - 0 - 320 - 1500 - Netif: ovpnc1

    Really? How do I get the one on the server side?~~

    UPDATE:

    I got the route in the server side by changing the Advanced configuration to this format:

    route 192.168.235.0 255.255.255.0;push "route 172.16.0.0 255.255.248.0";

    As i found in: http://forum.pfsense.org/index.php/topic,12888.0.html

    I have

    Dest: 192.168.235.0/24 - Gw: 10.0.10.2 - UGS - 0 - 0 - 1500 - Netif: ovpns1

    But still no ping or connectivity from server to client side.

    What happens when you traceroute to a client LAN device? Where do the responses stop?

    This: it goes nowhere…

    traceroute 192.168.235.150

    traceroute to 192.168.235.150 (192.168.235.150), 30 hops max, 60 byte packets
    1  * * *
    2  * * *
    [Trimmed….]
    29  * * *
    30  * * *

    Is the client-end pfSense the main router for the client LAN? (If yes, then the clients should have it as their default gateway and should work. If no, then the clients need to know the route back, or the main client router needs to know the route to the pfSense.)

    Yes, it is

    Does the client pfSense have firewall rule/s on OpenVPN allowing the incoming traffic?

    Yes, on the OpenVPN tab, an accept rule:

    Pass / Not disabled /OpenVPN / Proto: Any / Source: Any / Dest: Any

    Do the LAN clients have a firewall preventing ping/traceroute?

    I think not, because I can ping them from the client-side pfSense shell. Also, I ran a network scan from the server side to the client subnet with Nmap and found nothing. Also, I know there are some computers with services open (MySQL, RDP, etc…) that are not accessible from the server side.

    If you are really stuck finding the error, post OpenVPN configs and rules and details of what the client machines are. Someone can spot the missing piece of the puzzle…

    If you think it's necessary, with the info I wrote before, I can collect it, of course…

    Thanks again,

    Best,



  • The traceroute should at least get a 1st hop reply from its local (server-side) pfSense.
    Can you traceroute to 10.0.10.2 (client end of OpenVPN link)?
    Maybe there is a firewall rule on the server-side pfSense LAN that is blocking traffic to the client-side LAN (192.168.235.0/24)?



  • @phil.davis:

    The traceroute should at least get a 1st hop reply from its local (server-side) pfSense.
    Can you traceroute to 10.0.10.2 (client end of OpenVPN link)?
    Maybe there is a firewall rule on the server-side pfSense LAN that is blocking traffic to the client-side LAN (192.168.235.0/24)?

    Hello

    Thanks to your post I've solved it. I'll explain how, and perhaps it helps someone, or you can tell me the right solution if I am wrong.

    I reviewed my LAN rules and "noted" the last one is the one that permits traffic (before it there are some limiters, etc…), BUT I have a failover balancer (3 providers: WAN, OPT1 and OPT2).

    Proto: * / Src: LAN / Port: * / Dst: * / GW: FailoverWANOPT1OPT2

    I guessed this was the problem, so I created a rule at the very top that says:

    Proto: * / Src: LAN / Port: * / Dst: 192.168.235.0/24 / GW: *

    After this, it works!

    Is this the right solution, or is there another one?



    Yes, the policy routing to a gateway group was explicitly directing general traffic to the WAN links in the gateway group. The ping to the OpenVPN tunnel remote end worked because it is seen as a locally-connected subnet, and so is delivered directly without the policy-routing rule getting a chance to have effect.
    I like to make an alias for all my internal intranet address space (e.g. if I have all my internal addresses broken up within 10.42.0.0/16 then make an alias "Company-Intranet" for that whole "super-net"). Then on OpenVPN I can pass all with source "Company-Intranet", destination "Company-Intranet" if I just want to let all internal traffic flow. On policy routing to the external internet I can use source LANnet destination !"Company-Intranet" - that avoids accidentally pushing internal network packets out to the external internet.
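The ordering point above, that pfSense interface rules are first-match and that a gateway on the matching rule policy-routes the packet regardless of what the routing table says, can be made concrete with an added example (this example's own code, not pfSense's rule engine and not from the thread): a minimal first-match evaluator over a LAN rule list with alias support. The addresses, the gateway group `FailoverWANOPT1OPT2` and the alias name `Company-Intranet` are the ones mentioned in this thread (server LAN 172.16.0.0/21, client LAN 192.168.235.0/24); the `Rule` type, the function names and the internet test address 203.0.113.5 are assumptions of the example.

```python
"""First-match evaluation of LAN rules to see which packets get policy-routed.

Added example; Rule, egress and the sample rule sets are this example's own,
modelled on the thread's description (not pfSense's own rule engine).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: str                       # CIDR, alias name or "any"; prefix "!" negates
    dst: str                       # same forms as src
    gateway: Optional[str] = None  # gateway or gateway group => policy routing
    descr: str = ""


def _matches(spec, addr, aliases):
    """Does address addr match spec (CIDR, alias, 'any', optionally negated)?"""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    nets = aliases.get(name, [name])
    hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)
    return hit != negate


def first_match(rules, src, dst, aliases=None):
    """Interface rules are evaluated top to bottom and the first match wins."""
    aliases = aliases or {}
    for rule in rules:
        if _matches(rule.src, src, aliases) and _matches(rule.dst, dst, aliases):
            return rule
    return None                    # nothing matched: pfSense default deny


def egress(rules, src, dst, aliases=None):
    """Where a packet from src to dst ends up: 'blocked', 'routing-table'
    (normal forwarding, so the OpenVPN route applies) or 'gateway:<name>'
    (policy routed out that gateway/group, bypassing the routing table)."""
    rule = first_match(rules, src, dst, aliases)
    if rule is None or rule.action != "pass":
        return "blocked"
    return f"gateway:{rule.gateway}" if rule.gateway else "routing-table"


ALIASES = {"Company-Intranet": ["172.16.0.0/21", "192.168.235.0/24"]}
LAN = "172.16.0.0/21"

# As in the thread: the only pass rule sends everything to the failover group,
# so traffic for the remote LAN never reaches the routing table (and the tunnel).
BEFORE = [
    Rule("pass", LAN, "any", gateway="FailoverWANOPT1OPT2", descr="default LAN out"),
]

# The poster's fix: a rule for the remote LAN with no gateway, placed on top.
TOP_RULE = [Rule("pass", LAN, "192.168.235.0/24", descr="remote LAN via routing table")] + BEFORE

# The alias variant: intranet traffic uses the routing table, and the
# policy-routing rule only ever matches destinations outside the intranet.
AFTER = [
    Rule("pass", LAN, "Company-Intranet", descr="intranet via routing table"),
    Rule("pass", LAN, "!Company-Intranet", gateway="FailoverWANOPT1OPT2",
         descr="internet via failover group"),
]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("top rule", TOP_RULE), ("alias", AFTER)):
        for dst in ("192.168.235.150", "203.0.113.5"):
            print(f"{name:8s} 172.16.0.10 -> {dst}: {egress(rules, '172.16.0.10', dst, ALIASES)}")
```

The negated-destination form has one advantage over the single top rule that is worth seeing in the evaluator: reversing the order of the two `AFTER` rules changes nothing, because the policy-routing rule can never match an intranet destination, so adding a new internal subnet is an alias edit rather than a rule-ordering exercise.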



  • @phil.davis:

    Yes, the policy routing to a gateway group was explicitly directing general traffic to the WAN links in the gateway group. The ping to the OpenVPN tunnel remote end worked because it is seen as a locally-connected subnet, and so is delivered directly without the policy-routing rule getting a chance to have effect.
    I like to make an alias for all my internal intranet address space (e.g. if I have all my internal addresses broken up within 10.42.0.0/16 then make an alias "Company-Intranet" for that whole "super-net"). Then on OpenVPN I can pass all with source "Company-Intranet", destination "Company-Intranet" if I just want to let all internal traffic flow. On policy routing to the external internet I can use source LANnet destination !"Company-Intranet" - that avoids accidentally pushing internal network packets out to the external internet.

    Very good idea, i'll implement it.

    Thanks again

    Best,



    I have more than one DC. I'm just giving a basic map of what I'm trying to do. Forget about what the internal network is doing and whether I should need more equipment.

    I just need to be able to extend the LAN as explained, but so that all locations can communicate with each other and still be on the same LAN network. As I said, I had it set up and each one can communicate with the main, which is the OpenVPN server, and the main can talk to all, but the others need to talk to each other as well.



    @dynamite1982:

    I have more than one DC. I'm just giving a basic map of what I'm trying to do. Forget about what the internal network is doing and whether I should need more equipment.

    I just need to be able to extend the LAN as explained, but so that all locations can communicate with each other and still be on the same LAN network. As I said, I had it set up and each one can communicate with the main, which is the OpenVPN server, and the main can talk to all, but the others need to talk to each other as well.

    Wrong thread, dude. Plus, you will break everything with overlapping nets on multiple sites. Drop this horrible idea.



  • Hello,

    I followed the steps, everything is clear and working, thank you very much!!
    I have just one problem: is intra-client communication possible?
    Client 192.168.2.1 -----> communication OK with Server 192.168.1.1
    Client 192.168.3.1 -----> communication OK with Server 192.168.1.1
    Client 192.168.2.1 -----> communication not OK with client 192.168.3.1

    Thank you

