Search

Welcome! If you're new here, perhaps you'll be interested in the RSS feed to be informed of the publication of a new article?

pfsense and OpenVPN for road warriors

Posted by: Seb

seven

It is relatively simple to create a VPN connection with pfsense, for example using OpenVPN which is built into the software. Once the installation is complete and validated pfsense must follow several steps which are detailed later in this article. This VPN is configured to allow access to mobile users such as sales people have laptops and want to connect remotely to the company's internal network securely.

The first thing to do is download OpenVPN GUI and install (the following describes an installation on Windows XP). Installation can be performed using the default options (note that it must be a local administrator). In addition to installing the software itself, an additional network connection is created and it will rename it, eg VPN.

Open a DOS console and go to C: \ Program Files \ OpenVPN \ easy-rsa then type init-config. This will create (or replace the files already exist) and vars.bat openssl.cnf files located in that directory.

Edit the file vars.bat that contains default settings that will be used when creating the different encryption keys. Define parameters KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, and KEY_ORG KEY_EMAIL (do not leave blank).

In the DOS window, run commands vars, then clean-all build-ca. This has the effect of loading the default settings, delete all files in the \ OpenVPN \ easy-rsa \ keys and create the CA certificate (certificate authority) ca.key. Most requested parameters will already be filled through the file and it will vars.bat just fill in the Common Name, for example with VPN_CA.

Once created CA must generate the encryption keys associated with the server itself. To do this, still in the DOS console, type the command build-key-server server and leave the defaults. For the Common Name parameter, enter server. Answer two questions in there "Sign the certificate? "And" 1 out of 1 Certificate Requests certified, commit? "This creates the files server.crt, server.key and server.csr in the \ OpenVPN \ easy-rsa \ keys.

To complete the key generation system are necessary, then type build-dh, dh1024.pem file is created.

It remains to create encryption keys for customers. Type the command build-key and enter FirstNameLastName example FirstNameLastName as Common Name. Be careful to type exactly the same name as the command build-key and use a unique name for each customer. PrenomNom.crt files, and PrenomNom.csr PrenomNom.key are created, always in \ OpenVPN \ easy-rsa \ keys.

Attention of all these files are certain to keep confidential: ca.key, server.key, PrenomNom.key, Prenom2Nom2.key, etc..

In the interface of pfsense, click VPN> OpenVPN then click the "+" icon to add a VPN tunnel. Here are the parameters to enter:

select UDP
Dynamic IP check box to enable the client to connect from anywhere in the world
define a local port (eg 1284)
define a pool of different local IPs of all local subnets (eg 192.168.192.0/24 )
indicate the local network that is accessible to the client workstations connected in VPN (eg 192.168.1.0/24 )
select BF-CBC (128 bit) encryption method as
select PKI as an authentication method
copy and paste the contents of the file ca.crt between - BEGIN CERTIFICATE - and - END CERTIFICATE - CA certificate in the field
copy and paste the contents of the file server.crt between - BEGIN CERTIFICATE - and - END CERTIFICATE - in the Server Certificate
copy and paste the contents of the file server.key between - BEGIN CERTIFICATE - and - END CERTIFICATE - key in the Server
copy and paste the file contents dh1024.pem between - BEGIN CERTIFICATE - and - END CERTIFICATE - DH parameters in the field
check the LZO compression
Custom options in the box to enter the options to be passed to the customers during the connection example

push "dhcp-option DOMAIN corp.com" push "dhcp-option DNS 192.168.1.1"; push "dhcp-option WINS 192.168.1.1"

This has the effect of defining the local domain, the DNS server and WINS server by default. You can also add a routing entry to another subnet with the command "route 192.168.2.0 255.255.255.0" for example.

In the Firewall menu> Rules of pfsense, select the WAN tab and click the "+" icon to add a new rule and enter the following parameters:

Action: Pass
Interface: WAN
Protocol: UDP
Source: Type: any
Destination: Type: any
Destination port range: from (other) 1284 to (other) 1284 (careful to enter the port number defined above)
Gateway: default
Description: VPN

Then click Save and then Apply.

Create a file in VPN.ovpn \ OpenVPN \ easy-rsa \ keys that will contain the connection parameters for the client, especially the router's IP and port to use. Here is a sample file ovpn:

float
port 1284
dev tun
dev-node VPN
proto udp
remote IP_du_Routeur 1284
ping 10
persist-tun
persist-key
tls-client
ca ca.crt
cert PrenomNom.crt
key PrenomNom.key
ns-cert-type server
sweater
comp-lzo
verb 4

Change the port setting according to the port to use, dev-node based on the name of the network connection, remote depending on the router's external IP and port to use and the cert and key lines depending on the user .
The installation on the client is extremely simple and can be performed by users without special training. Simply install the OpenVPN client GUI downloaded at the beginning of this article, install with all default options and then rename the connection created by the VPN installation. It should then provide four files to the client to be deposited in the C: \ Program Files \ OpenVPN \ config: ca.crt NomPrenom.crt, and NomPrenom.key VPN.ovpn. We must of course provide namePrénom files corresponding to the user on an individual basis.

To connect the customer will only have to right click on the OpenVPN icon in the notification bar, then click Connect. A window opens then recording the various ongoing operations and allowing debuguage. The client can then access the local network of the company securely.

11 comment (s) on this topic

Track this topic: Comments RSS or TrackBack URL

raptor45 wrote at 25-8-2009 8:56:04

Hello,

I look at your site from time to time. And there, I need the tutorial that you've done to set up a VPN server with pfsense to put OpenVPN. But I have problems (I'm BTS IG network option so I started). So first I managed to follow the steps on your tutorial to the end against by, unable to connect. I could not find the solution. So I uninstall and reinstall but impossible to pass this command: build-ca.bat! I am your tutorial to the letter, but once I get to this command, I get this error:

"Error on line 117 of openssl.cnf
340: error: 0E065068: configuration file routines: STR_COPY: Variable Has No value:. Cryptoconfconf_def.c: 629: line 117 "

-> So I understand that there is no value for the variable STR_COPY but I do not understand why and especially I do not know how to make it work!
-> Note that the first time I installed OpenVPN-2.0.9-gui-1.0.3-install.exe, it went without worries.

That is, could you help me please? This is important because it is a subject that I will present the day of my exam. Thank you in advance.

Really thank you in advance.

Seb wrote at 25-8-2009 12:26:16

Strange, I never encountered any problems with this installation method. While trying to cleanly uninstall (delete all files in the installation directory if the uninstall OpenVPN leaves files) and install openvpn-2.0.7-gui-1.0.3-install.exe which is the version that I have used in case it would be a bug in your version. Then resume all the installation steps.

Once this is done and if you meet always the error, copy / paste here the section of openssl.conf which is to the line indicated by the error.

raptor45 wrote at 26-8-2009 8:51:04

Thank you for your answer anyway. Listens I just downloaded the version you gave me indicated. I will install it. Would you like us to discuss with MSN please? It would help me very much.

Thank you in advance.

raptor45 wrote at 26-8-2009 9:09:18

So I just reinstall the version shown, I followed the tutorial as follows:

- Init-config
- Change to put the clues vars.bat variables KEY_COUNTRY etc. ...
- Vars.bat
- Clean-all.bat
- Build-ca.bat

-> Same error

Here is the configuration file openssl.cnf line 117:

stateOrProvinceName_default = $ ENV :: KEY_PROVINCE

Variables vars.bat, I have defined like this:
KEY_COUNTRY = EN
KEY_PROVINCE = SO
KEY_CITY OR =
KEY_ORG = ST
KEY_EMAIL = monadressemail

Thank you in advance. Since I just posted the top one you'll read maybe not, so I put this: Would you discuss that with MSN please? It would help me very much.

Thank you in advance.

raptor45 wrote on 26-8-2009 at 1:09:08 p.m.

Re,

I finally find out why it gave me this error. Indeed the tutorial, it is said this "vars.bat Edit the file that contains default settings that will be used when creating the different encryption keys. Define parameters KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, and KEY_ORG KEY_EMAIL (do not leave blank). "So what I did is that I was editing the file directly vars.bat hand to change the variables (as shown in fact!), Then I recorded the file and then I executed the following commands to know : vars.bat, clean-all.bat and build-ca.bat. Then it was just after I had it all the time the error. I realized that we should not touch the file but vars.bat information ... KEY variables that when running the build command-ca.bat.

What do you think?

On MSN, I still hold if you do not mind? Thank you in advance for MSN because it really help me a lot. I ask you not to be my "guide" 24h/24 course! It would really help me anyway because I have a tutor training course! But this one, although nice, does not care too much for me this kind of work so I'm all alone then to spend on things that I'm stuck, it's not easy. I know it's not your problem but there is not the issue. This is just a request for MSN, that is all.

I await your response. Thank you in advance.

raptor45.

raptor45 wrote on 26-8-2009 at 1:30:03 p.m.

So I continue to follow the tutorial, and I still have another error! At the command build-key-server server I did not have to worry. Although I wonder whether to leave or put the server name to hers? For example: build-key-server pfsense.local?

Then the error that I do when I'm following the tutorial, namely:
build-key client1 (I already know are not sure what all the controls so I have a little trouble, I mean I understand that it generates keys, certificates ... but I understand why client1, client2, client3; this is so we want to attach 3 VPN clients is that all?). So by build-key client1, I filled the information requested and just after completing "a challenge password" and "an optional company name" and "sign the certificate" (So there I put 'y'), but I do not know not sure what it is unfortunately (if you could tell me it would be nice), I always error saying it can not do it and tells me this:
"Failed to update database
TXT_DB error number 2
Can not find C: \ Program Files \ OpenVPN \ easy-rsa \ keys \ *. Old "

I then re-tested by putting an email address different from that generated with the server and it passed. Is it because of that?

Thank you in advance for your answers to my various posts. Sorry to post so much!

A while ago I hope and thank you in advance.

raptor45.

raptor45 wrote on 26-8-2009 at 1:34:34 p.m.

I also see the following tutorial on Common Name and that it must be unique for each client, I thought it was Common Name for the server name so I'm not too much there! Because when I do build-key-server server at a location that also demand it so I put pfsense.local (this is the name of my pfsense machine, but it does not fit it in fact?)

Thank you.

raptor45 wrote on 26-8-2009 at 2:13:23 p.m.

Decidedly, I sing and I answer! lol.
So I managed to connect! Finally! lol By cons I'll be grateful to kindly consider my various positions since this morning to kindly answer some questions of my stp.

So another concern, I connect it agree. But then what? After I tried to take my remote PC on the LAN side from the WAN side PC but it does not. It should perhaps be something to set aside FireWall, right? I think so, but I do not know what? I tried to take the remote PC through remote desktop connection, knowing that it works when I am not connected to VPN, so it is for this reason that I gather he must surely I put a rule in the firewall pfsense but I've already put the tcp (this may be on the desktop to the udp disance? I do not know).

Then I want to see that the data transmitted through this tunnel are encrypted. I guess you have to use wireshark? But I do not know how to use it and how to "dissect" the results I have to know that this is indeed well encrypted. Can you help me please? I want to see if it is encrypted on the one hand to tell me what is good and it works the other hand to demonstrate to the jury on the day of my exam (ie in 10 months).

I await your answers.

@ Just now I hope.

raptor45.

raptor45 wrote on 28-8-2009 at 1:27:26 p.m.

hello,

I expect from you, really.

thank you.

raptor45.

raptor45 wrote on 2-9-2009 at 6:39:28 p.m.

hello,

can you remove my msn address this in the first post please?

thank you in advance.

raptor45.

Create a VPN connection on a line other than pfSense WAN | Network Admin - Blog wrote on 27-5-2010 at 1:33:43 p.m.

[...] VPN on a secondary line of a pfSense router. The creation itself is detailed here and here depending on whether you want to create a connection for mobile users or tunnel [...]