    HOWTO: Pfsense 2.0.1 - OpenVPN Site 2 MultiSite PKI

Dennis Westhuis:

      Pfsense 2.0.1 - OpenVPN Site 2 MultiSite PKI

Here is a simple howto for a PKI Site 2 MultiSite setup.

      Server: Private Subnet 192.168.1.0/24
      Client1: Private Subnet 192.168.2.0/24

      SERVER SIDE: 192.168.1.0/24 <========> 10.0.8.0/24 <========> CLIENT SIDE: 192.168.2.0/24

      SERVER: ++First step Create Certificates (CA, Server Certificate, User Certificate)++

System/Cert Manager

      Tab CAs
Create a Certificate Authority (+ sign)

      Descriptive name: internal-ca
      Method: Create an internal Certificate Authority
      Key length: 2048
      Lifetime: 3650 days
      Country Code: {xx}
State or Province: {xx}
      City: {xx}
      Organisation: {xx}
      Email Address: {xx@xx.xx}
      Common Name: internal-ca

      click save.

      Tab Certificates
Create a Server Certificate (+ sign)

      Method: Create an internal Certificate
      Descriptive name: internal-server
      Certificate authority: internal-ca
      Key length: 2048 bits
      Certificate Type: Server Certificate
      Lifetime: 3650 days
      Country Code: {xx}
State or Province: {xx}
      City: {xx}
      Organisation: {xx}
      Email Address: {xx@xx.xx}
      Common Name: internal-server

      Tab Certificates
Create a User "client" Certificate (+ sign)

      Method: Create an internal Certificate
      Descriptive name: client1
      Certificate authority: client1
      Key length: 2048 bits
      Certificate Type: User Certificate
      Lifetime: 3650 days
      Country Code: {xx}
State or Province: {xx}
      City: {xx}
      Organisation: {xx}
      Email Address: {xx@xx.xx}
      Common Name: client1

You can repeat the "create user certificate" step for more than one client ;)

      SERVER: ++Second step Export Certificates (CA, User Certificate)++

System/Cert Manager

      Tab CAs
      "export CA cert" of internal-ca
      do not export the private key!

Tab Certificates
      "export cert" and "export key" of client1

      SERVER: ++Third step Setup OpenVPN Server.++

      VPN/OpenVPN

      Tab Server
Create a Server (+ sign)

      Disabled: empty
      Server Mode: Peer to Peer (SSL/TLS)
      Protocol: UDP
      Device Mode: tun
      Interface: WAN
      Local port: 1194
      Description: Site 2 Site PKI
      TLS Authentication: Enable authentication of TLS packets
      Automatically generate a shared TLS authentication key.
      Peer Certificate Authority: internal-ca
      Peer Certificate Revocation List:
      Server Certificate: internal-server
      DH Parameters Length: 1024 bits
      Encryption algorithm: AES-256-CBC (256-bit)
      Hardware Crypto:
      Certificate Depth: One (Client+Server)
      Tunnel Network: 10.0.8.0/24
      Redirect Gateway:empty
      Local Network:empty
      Remote Network:empty
      Concurrent connections:empty
      Compression:empty
      Type-of-Service:empty
      Duplicate Connections:empty
      Advanced: push "route 192.168.1.0 255.255.255.0";route 192.168.2.0 255.255.255.0;

      Click Save

      Tab Client Specific Override
Create a Client Specific Override (+ sign)
      Disabled:empty
      Common name: client1
      Description: CSO client1
      Connection blocking:empty
      Tunnel Network:empty
      Redirect Gateway:empty
      Server Definitions:empty
      DNS Default Domain:empty
      DNS Servers:empty
      NTP Servers:empty
      NetBIOS Options:empty
      Advanced: iroute 192.168.2.0 255.255.255.0

      Click Save

      CLIENT: ++Step Four Import Certificates (CA, User Certificate)++

System/Cert Manager

Tab CAs
Import a Certificate Authority (+ sign)
Descriptive name: internal-ca
Method: Import an existing Certificate Authority
      Certificate data: copy/paste this from the exported internal-ca.crt (open with notepad)

      Click Save.

      Tab Certificates
Import a User Certificate (+ sign)
      Method: Importing an existing Certificate
      Descriptive name: client1
      Certificate data: copy/paste this from the exported client.crt (open with notepad)
      Private key data: copy/paste this from the exported client.key (open with notepad)

      Click Save.

      CLIENT: ++Step Five Setup OpenVPN Client.++

      VPN/OpenVPN

      Tab Client
      Create a Client connection (+ sign)

      Disabled:empty
      Server Mode: Peer to Peer (SSL/TLS)
      Protocol: UDP
      Device Mode: tun
      Interface: WAN
      Local port: empty
      Server host or address: WAN address of server.
      Server port: 1194
      Proxy host or address: empty
      Proxy port: empty
      Proxy authentication extra options: none
      Server host name resolution: empty
      Description: Site 2 Site PKI
      TLS Authentication: Enable authentication of TLS packets.
      Automatically generate a shared TLS authentication key: empty
      Copy/paste shared key (from server connection) here.
      Peer Certificate Authority:internal-ca
      Client Certificate: client1
      Encryption algorithm: AES-256-CBC (256-bit)
      Hardware Crypto: empty
      Tunnel Network: 10.0.8.0/24
      Remote Network: empty
      Limit outgoing bandwidth: empty
      Compression: empty
      Type-of-Service: empty
      Advanced: empty

      Click Save.

      Remember to open the client/server firewall.
      Firewall/Rules
      Tab OpenVPN
      Create rule: pass, any, any, any

Open UDP port 1194 on the server firewall on the WAN interface.

      All done ;)

jimp (Netgate Developer):

        We've already got a doc for this on the wiki:

        http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

        The main difference though the one on the wiki doesn't spell out each and every setting like this does, though most of those depend on the user's network or preferences so it's hard to really document what those "should" be.


tweezy619:

I followed this to the T and it doesn't work… The only section that was a bit unclear was the following:

          Tab Certificates
          Create an User "client" Certificate (+ sign)

          Method: Create an internal Certificate
          Descriptive name: client1
          Certificate authority: client1
          Key length: 2048 bits
          Certificate Type: User Certificate
          Lifetime: 3650 days
          Country Code: {xx}
          State of Province: {xx}
          City: {xx}
          Organisation: {xx}
          Email Address: {xx@xx.xx}
          Common Name: client1

It does not give me an option to edit the cert auth; it only defaults to internal-ca.

Please advise.

Thanks for your help!

tweezy619:

I found the problem… it was my firewall rules. I forgot to change them to UDP.

tweezy619:

OK… so the server is issuing a private IP from the tunnel and the client shows that it's connected, but I can't ping either side from either device. What am I missing?

tassos:

I started the detailed process you specify.

I swapped the IP addresses as follows:

SERVER SIDE: 192.168.1.0/24 <========> 10.0.8.0/24 <========> CLIENT SIDE: 192.168.2.0/24
------------------------------------------------------------------------------------------
SERVER SIDE:    10.1.1.0/24 <========> 10.0.8.0/24 <========> CLIENT SIDE: 10.1.12.0/24

I replaced the user name client1 with tassos.

                Tab Certificates
                Create an User "client" Certificate (+ sign)

I ran into the problem previously mentioned by tweezy619:

                Method: Create an internal Certificate
                Descriptive name: client1
                Certificate authority: client1
                Key length: 2048 bits
                Certificate Type: User Certificate
                Lifetime: 3650 days
                Country Code: {xx}
                State of Province: {xx}
                City: {xx}
                Organisation: {xx}
                Email Address: {xx@xx.xx}
                Common Name: client1

It does not give me an option to edit the cert auth; it only defaults to internal-ca.

And finally I got stuck in step

                CLIENT: ++Step Four Import Certificates (CA, User Certificate)++

System/Cert Manager

Tab CAs
Import a Certificate Authority (+ sign)
Descriptive name: internal-ca
Method: Import an existing Certificate Authority
                Certificate data: copy/paste this from the exported internal-ca.crt (open with notepad)

                Click Save.

By clicking Save I get "This certificate does not appear to be valid."

User tweezy619 found the solution in Firewall Rules, which needed to be set to UDP.

How do I do that? Any suggestion would be really helpful.

lelik67:

Quick question: if behind client1 there is a Windows network with its own DNS server (not the pfSense box), is it possible to push the DNS server IP to server1 and enable NetBIOS over TCP/IP, so that people on the server1 network could browse computers on the client1 Windows network?

josemaX:

                    Hello

I followed this and I have my Site2Site running, but I have a problem I'm unable to resolve.

I can access the server side from the client side, but not the client computers from the server side (not even ping).

                    I've checked the rules, etc… and don't find the solution.

If I ssh from the server side to the client side OpenVPN IP (10.0.10.6) I get an ssh session from a server-side computer into the client-side pfSense box, so it's working, but I can't access the LAN.

                    Anyone knows what i am missing?

                    TIA

                    Best

phil.davis:

                      On the server side, does pfSense have a route to the client LAN (Diagnostics->Routes)?
                      What happens when you traceroute to a client LAN device? Where do the responses stop?
Is the client-end pfSense the main router for the client LAN? (If yes, then the clients should have it as their default gateway and should work. If no, then the clients need to know the route back, or the main client router needs to know the route to the pfSense.)
                      Does the client pfSense have firewall rule/s on OpenVPN allowing the incoming traffic?
                      Do the LAN clients have a firewall preventing ping/traceroute?
                      If you are really stuck finding the error, post OpenVPN configs and rules and details of what the client machines are. Someone can spot the missing piece of the puzzle…

                      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

josemaX:

                        Hello Phil, thanks for your answer, below are the replies
                        @phil.davis:

                        On the server side, does pfSense have a route to the client LAN (Diagnostics->Routes)?

~~No, I don't see it on the server side, but I do on the client side; I think it is the one that says:

                        Dest: 172.16.0.0/21 - Gw: 10.0.10.5 - UGS - 0 - 320 - 1500 - Netif: ovpnc1

Really? How do I get the one on the server side?~~

                        UPDATE:

                        I got the route in the server side by changing the Advanced configuration to this format:

                        route 192.168.235.0 255.255.255.0;push "route 172.16.0.0 255.255.248.0";

                        As i found in: http://forum.pfsense.org/index.php/topic,12888.0.html

                        I have

                        Dest: 192.168.235.0/24 - Gw: 10.0.10.2 - UGS - 0 - 0 - 1500 - Netif: ovpns1

                        But still no ping or connectivity from server to client side.

                        What happens when you traceroute to a client LAN device? Where do the responses stop?

                        This: it goes nowhere…

                        traceroute 192.168.235.150

                        traceroute to 192.168.235.150 (192.168.235.150), 30 hops max, 60 byte packets
                        1  * * *
                        2  * * *
                        [Trimmed….]
                        29  * * *
                        30  * * *

Is the client-end pfSense the main router for the client LAN? (If yes, then the clients should have it as their default gateway and should work. If no, then the clients need to know the route back, or the main client router needs to know the route to the pfSense.)

                        Yes, it is

                        Does the client pfSense have firewall rule/s on OpenVPN allowing the incoming traffic?

                        Yes on OpenVPN Tab an accept rule:

                        Pass / Not disabled /OpenVPN / Proto: Any / Source: Any / Dest: Any

                        Do the LAN clients have a firewall preventing ping/traceroute?

I think not, because I can ping them from the client-side pfSense shell. I also ran a network scan from the server side to the client subnet with Nmap and found nothing, and I know there are some computers with services open (MySQL, RDP, etc…) that are not accessible from the server side.

                        If you are really stuck finding the error, post OpenVPN configs and rules and details of what the client machines are. Someone can spot the missing piece of the puzzle…

If you think it's necessary with the info I wrote before, I can collect it, of course…

                        Thanks again,

                        Best,

phil.davis:

                          The traceroute should at least get a 1st hop reply from its local (server-side) pfSense.
                          Can you traceroute to 10.0.10.2 (client end of OpenVPN link)?
                          Maybe there is a firewall rule on the server-side pfSense LAN that is blocking traffic to the client-side LAN (192.168.235.0/24)?


josemaX:

                            @phil.davis:

                            The traceroute should at least get a 1st hop reply from its local (server-side) pfSense.
                            Can you traceroute to 10.0.10.2 (client end of OpenVPN link)?
                            Maybe there is a firewall rule on the server-side pfSense LAN that is blocking traffic to the client-side LAN (192.168.235.0/24)?

                            Hello

Thanks to your post I've solved it. I'll explain how, and perhaps it helps someone, or you can tell me the right solution if I am wrong.

I reviewed my LAN rules and noted that the last one is the one that permits traffic (before it there are some limiters, etc…), BUT I have a failover balancer (3 providers: WAN, OPT1 and OPT2).

                            Proto: * / Src: LAN / Port: * / Dst: * / GW: FailoverWANOPT1OPT2

I guessed this was the problem, so I created a rule at the very top that says:

                            Proto: * / Src: LAN / Port: * / Dst: 192.168.235.0/24 / GW: *

                            After this, it works!

Is this the right solution, or is there another one?

phil.davis:

Yes, the policy routing to a gateway group was explicitly directing general traffic to the WAN links in the gateway group. The ping to the OpenVPN tunnel remote end worked because it is seen as a locally-connected subnet, and so can be delivered directly without the policy-routing rule getting a chance to have effect.
                              I like to make an alias for all my internal intranet address space (e.g. if I have all my internal addresses broken up within 10.42.0.0/16 then make an alias "Company-Intranet" for that whole "super-net"). Then on OpenVPN I can pass all with source "Company-Intranet", destination "Company-Intranet" if I just want to let all internal traffic flow. On policy routing to the external internet I can use source LANnet destination !"Company-Intranet" - that avoids accidentally pushing internal network packets out to the external internet.


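The exchange above comes down to rule order on the server-side LAN interface: pfSense evaluates firewall rules top-down and the first match wins, so a "pass LAN to any via gateway group" rule sends packets for 192.168.235.0/24 out a WAN link instead of letting the routing table (which now holds the OpenVPN route) handle them. The block below is an added example, not code from the thread or from pfSense: a small first-match evaluator with the three rule sets discussed, josemaX's original set, the bypass rule placed above it, and phil.davis's alias-based variant. The alias contents, the 192.168.1.0/24 server LAN and the gateway-group name are constructed from what the posts describe; `'default'` stands for "no gateway set, use the system routing table".

```python
"""First-match model of pfSense LAN rules, showing why a policy-routing rule (gateway group)
captures traffic for the remote site's LAN, and two ways to keep that traffic on the normal
routing table.

Added example, not from the thread or from pfSense; addresses, alias contents and rule sets
are constructed from what the posts describe and are assumptions.
"""
from ipaddress import ip_address, ip_network

# Aliases as pfSense would resolve them (constructed). "Company-Intranet" follows the
# suggestion in the thread: one alias covering every internal range, tunnel included.
ALIASES = {
    "LANnet": ["192.168.1.0/24"],
    "Company-Intranet": ["192.168.1.0/24", "192.168.235.0/24", "10.0.10.0/24"],
}


def expand(spec):
    """Resolve 'any', 'Alias', '!Alias' or a CIDR string into (negated, [networks])."""
    if spec == "any":
        return False, [ip_network("0.0.0.0/0")]
    negated = spec.startswith("!")
    name = spec.lstrip("!")
    return negated, [ip_network(n) for n in ALIASES.get(name, [name])]


def matches(spec, addr):
    """True when addr satisfies spec, honouring a leading '!' (pfSense 'not' checkbox)."""
    negated, nets = expand(spec)
    hit = any(ip_address(addr) in net for net in nets)
    return hit != negated


def route_for(rules, src, dst):
    """Evaluate rules top-down; the first match wins, as pfSense's default 'quick' rules do.

    Returns the gateway the packet is policy-routed to, 'default' when the matching pass rule
    has no gateway (system routing table, where the OpenVPN route lives), or None if denied.
    """
    for rule in rules:
        if matches(rule["src"], src) and matches(rule["dst"], dst):
            if rule["action"] != "pass":
                return None
            return rule.get("gw", "default")
    return None  # implicit default deny at the end of the list


# josemaX's original LAN rule: everything from LAN is sent to the failover gateway group.
BROKEN = [
    {"action": "pass", "src": "LANnet", "dst": "any", "gw": "FailoverWANOPT1OPT2"},
]

# Fix 1 (the one applied in the thread): a bypass rule above it with no gateway set.
FIXED_BYPASS = [
    {"action": "pass", "src": "LANnet", "dst": "192.168.235.0/24"},
] + BROKEN

# Fix 2 (the alias approach): intranet-to-intranet passes with normal routing, and only
# traffic NOT bound for the intranet is policy-routed to the WAN group.
FIXED_ALIAS = [
    {"action": "pass", "src": "Company-Intranet", "dst": "Company-Intranet"},
    {"action": "pass", "src": "LANnet", "dst": "!Company-Intranet", "gw": "FailoverWANOPT1OPT2"},
]

if __name__ == "__main__":
    for name, rules in [("broken", BROKEN), ("bypass", FIXED_BYPASS), ("alias", FIXED_ALIAS)]:
        print(f"{name:7s} remote LAN -> {route_for(rules, '192.168.1.10', '192.168.235.150')}"
              f" | internet -> {route_for(rules, '192.168.1.10', '8.8.8.8')}")
```

The alias variant scales better than a per-site bypass rule: adding a fourth site means extending one alias rather than inserting another rule above the policy-routing line on every interface that has one.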
josemaX:

                                @phil.davis:

Yes, the policy routing to a gateway group was explicitly directing general traffic to the WAN links in the gateway group. The ping to the OpenVPN tunnel remote end worked because it is seen as a locally-connected subnet, and so can be delivered directly without the policy-routing rule getting a chance to have effect.
                                I like to make an alias for all my internal intranet address space (e.g. if I have all my internal addresses broken up within 10.42.0.0/16 then make an alias "Company-Intranet" for that whole "super-net"). Then on OpenVPN I can pass all with source "Company-Intranet", destination "Company-Intranet" if I just want to let all internal traffic flow. On policy routing to the external internet I can use source LANnet destination !"Company-Intranet" - that avoids accidentally pushing internal network packets out to the external internet.

                                Very good idea, i'll implement it.

                                Thanks again

                                Best,

dynamite1982:

I have more than one DC. I'm just giving a basic map of what I'm trying to do. Forget about what the internal network is doing and whether I should need more equipment.

I just need to be able to extend the LAN as explained, but so that all locations can communicate with each other and still be on the same LAN network. As I said, I had it set up and each one can communicate with the main site, which is the OpenVPN server, and the main site can talk to all, but the others need to talk to each other as well.

doktornotor:

                                    @dynamite1982:

I have more than one DC. I'm just giving a basic map of what I'm trying to do. Forget about what the internal network is doing and whether I should need more equipment.

I just need to be able to extend the LAN as explained, but so that all locations can communicate with each other and still be on the same LAN network. As I said, I had it set up and each one can communicate with the main site, which is the OpenVPN server, and the main site can talk to all, but the others need to talk to each other as well.

                                    Wrong thread, dude. Plus, you will break everything with overlapping nets on multiple sites. Drop this horrible idea.

azizth:

                                      Hello,

I followed the steps, everything is clear and working, thank you very much!!
I have just one problem: is intra-client communication possible?
Client 192.168.2.1 -----> communication OK with Server 192.168.1.1
Client 192.168.3.1 -----> communication OK with Server 192.168.1.1
Client 192.168.2.1 -----> communication not OK with Client 192.168.3.1

                                      Thank you

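The routing in the original howto and the question just above are the same problem seen from two angles: the server's Advanced box (`push "route …"` for the server LAN plus a `route` for each client LAN) and each Client Specific Override (`iroute`) give every spoke a path to the hub, but nothing tells client1 how to reach 192.168.3.0/24, so spoke-to-spoke traffic never enters the tunnel. The block below is an added example, not code from the post or from pfSense: it generates the server Advanced text and the per-client override text for a hub with any number of spokes, pushing each spoke the other spokes' LANs from its own override, and reports which LANs each spoke ends up with a tunnel route for. It assumes the pfSense 2.0 semicolon-separated Advanced format the post uses; `client2` with 192.168.3.0/24 is a constructed second spoke, and the function names are this example's own.

```python
"""Generate the server 'Advanced' text and per-client overrides for a hub with several
spokes, and work out which LANs each spoke learns.

Added example, not from the post or from pfSense. Assumptions: pfSense 2.0 Advanced boxes
take semicolon-separated OpenVPN directives (the format used in the post); client2 and
192.168.3.0/24 are a constructed second site.
"""
from ipaddress import ip_network

HUB_LAN = "192.168.1.0/24"              # server-side LAN from the post
SPOKES = {                              # certificate common name -> LAN behind that client
    "client1": "192.168.2.0/24",        # from the post
    "client2": "192.168.3.0/24",        # constructed second spoke
}


def net_mask(cidr):
    """'192.168.2.0/24' -> '192.168.2.0 255.255.255.0', the form route/iroute/push expect."""
    n = ip_network(cidr)
    return f"{n.network_address} {n.netmask}"


def server_advanced(hub_lan, spokes):
    """Server > Advanced: push the hub LAN to every client and add a kernel route for each
    spoke LAN pointing into the tunnel. Spoke LANs are deliberately NOT pushed here, because
    a server-level push would also hand each spoke its own LAN, colliding with its
    directly connected route; that push belongs in the per-client override instead."""
    directives = [f'push "route {net_mask(hub_lan)}"']
    directives += [f"route {net_mask(lan)}" for lan in spokes.values()]
    return ";".join(directives) + ";"


def client_overrides(spokes, full_mesh=True):
    """Client Specific Override > Advanced, keyed by common name.

    iroute tells the OpenVPN server process which connected client owns that LAN (the
    kernel route alone only gets the packet as far as the tun interface). With full_mesh,
    the override also pushes every OTHER spoke's LAN to this client, so spoke-to-spoke
    traffic has a route via the hub."""
    out = {}
    for cn, lan in spokes.items():
        parts = [f"iroute {net_mask(lan)}"]
        if full_mesh:
            parts += [f'push "route {net_mask(other)}"' for c, other in spokes.items() if c != cn]
        out[cn] = ";".join(parts)
    return out


def reachable_from(cn, hub_lan, spokes, full_mesh=True):
    """LANs a given spoke holds a tunnel route for after connecting (its own LAN is local)."""
    learned = [hub_lan]
    if full_mesh:
        learned += [lan for c, lan in spokes.items() if c != cn]
    return sorted(learned)


if __name__ == "__main__":
    print("server Advanced:", server_advanced(HUB_LAN, SPOKES))
    for cn, text in client_overrides(SPOKES).items():
        print(f"CSO {cn} Advanced:", text)
    for cn in SPOKES:
        print(cn, "reaches", reachable_from(cn, HUB_LAN, SPOKES))
```

With a single spoke the generated server line and override are exactly the two Advanced strings in the howto. Spoke-to-spoke packets arrive at the hub over the tunnel, are routed by the hub's kernel back out the same tun interface, and the `iroute` picks the right client; the "pass any" rule on the OpenVPN tab of the hub covers that hairpin, so no extra firewall rule is needed there. Unrelated to routing but worth changing while you are in the server settings: the 1024-bit DH parameter length in the howto is below current recommendations, so pick 2048 or larger.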