VPN Capability OpenVPN

From PFSenseDocs

This article is part of the HOWTO series.

Summary

This howto is designed to quickly show you how to set up OpenVPN on pfSense and establish two tunnels (one Windows client and one Linux client). It is not meant to be a complete guide; it should only give you a general idea of the functionality and what you can do. OpenVPN is much more advanced than the setup we will do here.

Caveats

Incoming OpenVPN traffic cannot be filtered, it is all permitted and there is no way to change that (yet).

Details

Setup Easy-RSA

You will need to download the OpenVPN source, unless you already have the easy-rsa scripts somewhere on your system. These scripts can be run from any system except Windows.

1. First, edit the file 'vars'. On Gentoo, the default directory for easy-rsa is /usr/share/openvpn/easy-rsa. I copied mine from /usr/share/openvpn/easy-rsa to /etc/openvpn/ so that subsequent upgrades or modifications would not wipe out my certificates:

root@localhost:~# cd /usr/share/openvpn
root@localhost:/usr/share/openvpn# cp -r easy-rsa /etc/openvpn/
root@localhost:/usr/share/openvpn# cd /etc/openvpn/easy-rsa/
root@localhost:/etc/openvpn/easy-rsa/# vi vars

2. Scroll to the bottom and fill out the five values (export KEY_{COUNTRY,PROVINCE,CITY,ORG,EMAIL}) so they are relevant for you. Save and exit the file.

Generate Certs with Easy-RSA

1. We need to source the vars file:

root@localhost:/etc/openvpn/easy-rsa/# source ./vars

2. Then we clean everything out:

root@localhost:/etc/openvpn/easy-rsa/# ./clean-all

3. Then we build the CA. Make sure to fill out your information appropriately.

root@localhost:/etc/openvpn/easy-rsa/# ./build-ca

4. Now we need to generate the certificate and private key for the server. Make sure to fill out your information appropriately. When it asks for the CN (Common Name), enter server.

root@localhost:/etc/openvpn/easy-rsa/# ./build-key-server server

5. Build the Diffie-Hellman parameters. Make sure to fill out your information appropriately:

root@localhost:/etc/openvpn/easy-rsa/# ./build-dh

6. Generate the certificates for your client(s). Note that you must have a unique certificate per client. Make sure to fill out your information appropriately. In the example below, I used client1 and client2 as example names. Note: if you would like to password-protect your client keys, substitute the build-key-pass script:

root@localhost:/etc/openvpn/easy-rsa/# ./build-key client1
root@localhost:/etc/openvpn/easy-rsa/# ./build-key client2

Certificates on pfSense

  1. Log in to the pfSense WebGUI and go to the OpenVPN config page. Click on the + to add a new OpenVPN rule.
    1. Dynamic IP: if it applies to your users, enable this option. More than likely, you will want this enabled.
    2. Address pool: this should be a unique subnet; no other interfaces or networks should share this subnet!
    3. Local network: in most cases, this should be your LAN subnet. If you have other subnets that VPN users will need to access, push routes to them via Custom options: push "route n.n.n.n 255.255.255.0";, where n.n.n.n is the subnet address of another interface on your pfSense.
    4. Authentication Method: PKI (Public Key Infrastructure)
    (Screenshot: Openvpn_01.jpg)
    5. Go back to the certificates we generated and get the contents of keys/ca.crt. Paste that into the field CA certificate (you must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).
    6. Grab the contents of keys/server.crt (only from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) and paste that into Server certificate.
    7. Do the same for keys/server.key. This goes in Server key.
    8. And last (but definitely not least), copy keys/dh1024.pem to the field DH parameters.
    (Screenshot: Openvpn_02.jpg)
    9. Enable LZO compression if you want. The client must match this setting.
    10. Hit Save.
    (Screenshot: Openvpn_03.jpg)
  2. Go to the firewall rules for the WAN interface and open up the TCP (or UDP) port you defined for your OpenVPN instance.
  3. Apply changes.

Setup Windows Clients

  1. Download/install the OpenVPN GUI client for Windows.
  2. For some weird reason, the installer picks a random name for our tunnel adapter. We need to change the name.
    1. Go to the Network Connections control panel and right-click on our new VPN adapter (it should say something about TAP-Win32). Click on Rename.
    2. Give it a useful name; I called mine ovpn-tun0.
  3. Go to the OpenVPN config directory. Create a new .ovpn file with the following settings. Make sure to choose the correct dev-node, hostname, and ports. Don't forget to update your certificate filenames if needed (you will need to copy them [ca.crt, client1.crt, client1.key] over to the same directory the .ovpn config file is in):

port 443
dev tun
dev-node ovpn-tun0
proto tcp-client
remote n.n.n.n 443
ping 30

persist-tun
persist-key

# cipher must be the same as the Cryptography setting in the server GUI
cipher bf-cbc

tls-client
ca ca.crt
cert client1.crt
key client1.key

ns-cert-type server
comp-lzo
pull

Setup Linux Clients

1. Download/compile/install the OpenVPN source.

2. The majority of the config files are in /etc/openvpn/clients on Gentoo.

root@localhost:~# cd /etc/openvpn/clients

3. We need to create a new config file; I called mine ren-bgw-01.conf:

root@localhost:/etc/openvpn/clients# vi ren-bgw-01.conf

4. Put the following information in the config file, where n.n.n.n is the IP of your pfSense box:

port 443
dev tun
proto tcp-client
remote n.n.n.n 443
ping 30

persist-tun
persist-key

# cipher must be the same as the Cryptography setting in the server GUI
cipher bf-cbc

tls-client
ca /etc/openvpn/clients/keys/ren-bgw-01/ca.crt
cert /etc/openvpn/clients/keys/ren-bgw-01/client2.crt
key /etc/openvpn/clients/keys/ren-bgw-01/client2.key

ns-cert-type server
comp-lzo
pull

5. Now, I put all of my keys in /etc/openvpn/clients/keys/<server>/. Make that directory and copy ca.crt, client2.crt, and client2.key there:

root@localhost:/etc/openvpn/clients# mkdir -p keys/<server>
root@localhost:/etc/openvpn/clients# cd /etc/openvpn/clients/keys/<server>
root@localhost:/etc/openvpn/clients/keys/<server>/# cp /etc/openvpn/easy-rsa/keys/ca.crt .
root@localhost:/etc/openvpn/clients/keys/<server>/# cp /etc/openvpn/easy-rsa/keys/client2.crt .
root@localhost:/etc/openvpn/clients/keys/<server>/# cp /etc/openvpn/easy-rsa/keys/client2.key .

6. The last thing is to create the ren-bgw-01 startup script. On Gentoo, the symlink name must match the config file name (minus the .conf) in order for it to work! Then we start up the tunnel:

root@localhost:/etc/openvpn/clients/keys/<server>/# cd /etc/init.d/
root@localhost:/etc/init.d/# ln -s openvpn ren-bgw-01
root@localhost:/etc/init.d/# ./ren-bgw-01 start

7. If the tunnel doesn't come up, or you want to do testing/debugging, start openvpn directly with the --config option to see what it does while it parses your config and attempts to establish the tunnel:

root@localhost:/etc/init.d/# openvpn --config /etc/openvpn/clients/ren-bgw-01.conf
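Both the Windows and the Linux client configs above must agree with the server's cipher, protocol/port and LZO setting, and the cert and key files must belong to the same client. The following checker is an added example (not from this howto or the pfSense project): it parses a client config and reports such mismatches. SERVER_SETTINGS is assumed to be copied by hand from the pfSense OpenVPN page, and the sample config is constructed with a placeholder remote address.

```python
"""Check an OpenVPN client config against the settings chosen on the pfSense server page."""
import os
import shlex

SERVER_SETTINGS = {"proto": "tcp", "port": 443, "cipher": "bf-cbc", "comp-lzo": True}  # assumed, from the GUI

# Constructed sample: the howto's client config, trimmed, with the key filename
# deliberately not matching the cert so the check has something to find.
SAMPLE_OVPN = """\
proto tcp-client
remote 203.0.113.10 443   # placeholder WAN address, not a real server
cipher bf-cbc
tls-client
ca ca.crt
cert client1.crt
key client.key
ns-cert-type server
comp-lzo
"""

def parse_ovpn(text):
    """Return {directive: [args]}; '#' and ';' start comments; last occurrence of a directive wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            words = shlex.split(line)          # keeps quoted args such as "route ..." whole
            conf[words[0]] = words[1:]
    return conf

def check_client(conf, server):
    """Return the mismatches between a parsed client config and the server settings."""
    issues = []
    stem = lambda p: os.path.splitext(os.path.basename(p))[0]
    proto = conf.get("proto", ["udp"])[0].split("-")[0]          # tcp-client -> tcp
    if proto != server["proto"]:
        issues.append(f"proto {proto} does not match server proto {server['proto']}")
    port = (conf.get("remote", [])[1:] or ["1194"])[0]            # 1194 is OpenVPN's default
    if int(port) != server["port"]:
        issues.append(f"remote port {port} is not the port opened on the WAN firewall rule")
    if [c.lower() for c in conf.get("cipher", [])] != [server["cipher"].lower()]:
        issues.append("cipher must equal the Cryptography setting in the server GUI")
    if ("comp-lzo" in conf) != server["comp-lzo"]:
        issues.append("LZO compression must match the server setting")
    cert, key = conf.get("cert", [""])[0], conf.get("key", [""])[0]
    if stem(cert) != stem(key):
        issues.append(f"cert {cert} and key {key} are not a matching pair")
    if "ns-cert-type" not in conf and "remote-cert-tls" not in conf:
        issues.append("no server cert type check: a valid client cert could pose as the server")
    return issues
```

Run check_client(parse_ovpn(open("client1.ovpn").read()), SERVER_SETTINGS) on a real config before copying it to the client; an empty list means it is consistent with the server.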

Advanced Hackery

OpenVPN Client Bridging

If you want layer 2 and broadcast traffic from your clients to be bridged into your LAN (or one of your OPT interfaces) so that the remote client functions as though it were on the local network, you will need to create a bridge for that traffic to pass over. Please note that not only is this unsupported, it also appears to cause a kernel hang about once every 24 hours. If you want to test and contribute to this functionality, I strongly suggest you install a kernel with watchdog capabilities. The embedded pfSense kernel already has this for certain pieces of hardware. If you don't have watchdog capability, you can use FreeBSD's SW_WATCHDOG. I've compiled one and placed it up for download at http://www.numbski.net.nyud.net:8080/downloads/pfSense/kernel-with-sw_watchdog.tar.gz . Place it in /boot and do the following:

root@mypfsense:~# cp -pr /boot/kernel /boot/kernel-old
root@mypfsense:~# cd /boot
root@mypfsense:/boot/# tar -xvzf kernel-with-sw_watchdog.tar.gz

Then go to /conf and modify config.xml, adding the following to the system section:

 <shellcmd>/usr/sbin/watchdogd</shellcmd>

At next reboot, the watchdog will take effect. If a non-responsive kernel results, the system will automatically reboot itself.

Now, onto the actual bridging.

First, you should follow the instructions above to get a normal OpenVPN client/server system going where your clients are on a different subnet. Once you have that working, make the following changes to your OpenVPN server page:

  1. Check off "Use Static IPs". This seems like a misnomer, but we're working around the way pfSense is currently coded. Don't worry, you'll still assign IPs from the server.
  2. If you want layer 2 traffic to be bridged, add "dev tapx" to your Custom Options, where x is a known and available tap interface that you are certain you won't use elsewhere. For the rest of these instructions, I presume you are using tap0.
  3. Add the following to Custom Options: server-bridge (LAN IP) (LAN netmask) (openvpn vpn client range start) (openvpn client range end)

So in mine, I have the following, as my pfSense box's LAN IP is 172.16.11.1/24 and my clients will get .128-.150:

 server-bridge 172.16.11.1 255.255.255.0 172.16.11.128 172.16.11.150

If you wish, you can use CARP IPs, i.e. duplicate this setup and, if your LAN CARP IP is 172.16.11.1, use that. If you want to make sure you connect to whichever box currently holds your WAN CARP IP, add local (WAN CARP IP) to your Custom Options.
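A mistake in the server-bridge line quietly hands VPN clients addresses that collide with the LAN. As an added example (not from this howto), the following check validates a server-bridge line with the values above; the LAN DHCP range is an assumed input you read off the pfSense DHCP server page.

```python
"""Sanity-check a 'server-bridge' custom option for the pfSense OpenVPN bridging setup."""
import ipaddress

def check_server_bridge(directive, dhcp_range=None):
    """Return a list of problems with 'server-bridge GW NETMASK START END' (empty = ok).
    dhcp_range is an assumed (lo, hi) pair from the LAN DHCP server page, if known."""
    words = directive.split()
    if len(words) != 5 or words[0] != "server-bridge":
        return ["expected: server-bridge <LAN IP> <LAN netmask> <pool start> <pool end>"]
    gw, start, end = (ipaddress.IPv4Address(w) for w in (words[1], words[3], words[4]))
    lan = ipaddress.IPv4Network(f"{gw}/{words[2]}", strict=False)   # LAN IP + netmask -> subnet
    problems = []
    if start > end:
        problems.append("pool start is above pool end")
    for name, addr in (("pool start", start), ("pool end", end)):
        if addr not in lan or addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{name} {addr} is not a usable host address in {lan}")
    if start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the client pool; a client could be handed its address")
    if dhcp_range:
        d_lo, d_hi = (ipaddress.IPv4Address(a) for a in dhcp_range)
        if start <= d_hi and d_lo <= end:                             # interval overlap test
            problems.append(f"client pool overlaps the LAN DHCP range {d_lo}-{d_hi}")
    return problems

# The howto's own values: LAN 172.16.11.1/24, clients .128-.150
HOWTO_LINE = "server-bridge 172.16.11.1 255.255.255.0 172.16.11.128 172.16.11.150"
```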

Save the changes to this page, and then edit /conf/config.xml. Add the following to your system section. I'm presuming your LAN interface is em2; use your real LAN interface:

 <earlyshellcmd>ifconfig bridge0 create</earlyshellcmd>
 <earlyshellcmd>ifconfig bridge0 addm em2 up</earlyshellcmd>
 <shellcmd>ifconfig bridge0 addm tap0</shellcmd>

What you are doing is creating your bridge interface early in the boot process. You have to wait for OpenVPN to be launched before you can add tap0 to the bridge, so you use a normal shellcmd to bring that interface into the bridge.

Now, you'll probably want to reboot to make sure your changes take effect. After the system comes back up, you should be able to run "ifconfig bridge0" and see the status of both em2 and tap0. If you go to Status -> Interfaces in the web UI, your bridge status should read "Learning" on your LAN interface.
