This howto is designed to quickly show you how to set up OpenVPN on pfSense and establish two tunnels (one Windows client and one Linux client). It is not meant to be a complete how-to; it should only be used to give you a general idea of the functionality and what you can do. OpenVPN is much more advanced than the setup we are going to do here.
WARNING: This guide is brief, and omits important considerations. You should read the OpenVPN chapter in the pfSense book rather than relying on this.
This is a guide on how to connect a PC on the internet to a LAN behind a pfSense firewall using OpenVPN. This is also known as a Road-Warrior setup. Windows Vista requires administrative privileges to run and properly configure OpenVPN.
1. Download and install the most recent software from OpenVPN Downloads. If you plan to connect from a PC with Windows Vista or 7 you should get version 2.1 or newer. Windows XP works well with 2.1 as well. Use the default options when installing.
2. Start a command prompt with administrator-rights!
3. Change directory to C:\Program Files\OpenVPN\easy-rsa
4. Run the "init-config.bat" file
5. Edit the 'vars.bat' file. WordPad is suggested, but Notepad will be fine. For Vista, you need to start WordPad/Notepad with administrative rights. (Click on START and then type CMD -> CMD.EXE should appear; RIGHT-click on it and select 'Run as Administrator'.) The following values need to be edited:
set KEY_COUNTRY=US                    (your 2-letter country code)
set KEY_PROVINCE=NA                   (2-letter province/state code, or NA as in 'Not Applicable')
set KEY_CITY=Copenhagen               (name of your city)
set KEY_ORG=pfSense                   (name of your company)
set KEY_EMAIL=youremail@address.com   (an e-mail address; don't use your private address, since this is the common contact address for the Certificate Authority)
Save the file.
6. Run "vars.bat"
7. Run "clean-all.bat"
8. Run "build-ca.bat". Then you are prompted for some different things; Leave them at default, except "Common Name" - put something like "pfSense-CA"
9. Run "build-key-server.bat server". Again you are prompted; leave them on default except "Common Name" - use "server"
10. Run "build-dh.bat"
Now it's time to generate keys and certificates for the client(s).
11. Run "build-key.bat ovpn_client1". Again you are prompted; leave them on default except "Common Name" - here you should put in "ovpn_client1" (or whatever you have called it). The ovpn_client1 will be the name of the keys, certificate and the name you identify the connection on later. You can use whatever name you like, and generate as many as you want (with different names).
12. The following files should now be copied from C:\Program Files\OpenVPN\easy-rsa\keys to C:\Program Files\OpenVPN\config: ca.crt, ovpn_client1.crt and ovpn_client1.key (the CA certificate plus the client's own certificate and private key; these are the files the .ovpn file in the next step refers to). Never copy the server key or ca.key to a client.
13. Make a file in "C:\Program Files\OpenVPN\config" called "ovpn_client1.ovpn" with the following contents:
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ovpn_client1.crt
key ovpn_client1.key
ns-cert-type server
comp-lzo
pull
verb 3
Replace the XXX's in the "remote" line with the public IP address of your pfSense box. If you don't know what that is, check it here. If you have chosen a name other than 'ovpn_client1', change it in the lines beginning with 'cert' and 'key'. If you have more than one VPN client, make one .ovpn file per client (with the corresponding .key and .crt names).
Now it's time to configure pfSense.
14. Log into the web-gui of pfSense
15. Select VPN/OpenVPN and add an entry in the 'server' page. Use the following settings:
Protocol: UDP
Local port: 1194
Address pool: 192.168.200.0/24 (it should be an address range that you DON'T currently use)
Local Network: 192.168.1.0/24 (whatever network you want the VPN client to connect to)
Remote Network: blank
Cryptography: BF-CBC (128 bit), or use what you want
Authentication Method: PKI
16. Now you need access to some of the files created in C:\Program Files\OpenVPN\easy-rsa\keys (mentioned in 12): the server page has fields for the CA certificate, the server certificate, the server key and the DH parameters, so paste in the contents of ca.crt, server.crt, server.key and the dh*.pem file generated by build-dh. Only the server's own key belongs on pfSense; the client keys stay with the clients.
17. Tick DHCP-Opt: Disable NetBIOS (I don't use it anyway)
18. Tick LZO Compression
Now we need a few simple rules in the firewall.
19. On the WAN interface you should make a rule as follows:
Action: PASS
Interface: WAN
Protocol: UDP
Source: any
OS type: any
Destination: any
Destination port range from: OpenVPN
Destination port range to: OpenVPN
Tick the Log box and leave the rest at default.
Remember to apply the new rules.
20. Add another rule on the LAN interface (or whatever the name of the net defined in 15, 'address pool', is):
Action: PASS
Protocol: any
Source: LAN (or whatever the name of the net defined in 15, 'address pool', is)
Destination: any
Remember to apply the new rules.
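The one constraint step 15 states in words, that the address pool must be a range you do not already use, is easy to get wrong by hand. The following script is an added example (not part of the original howto) that checks the pool from step 15 against the local network and any other networks you route, and works out how many clients the pool can hold. It assumes the net30 topology that OpenVPN 2.1-era servers used by default (each client consumes a /30, the server takes the first one); the list in OTHER_NETWORKS is a constructed sample.

```python
"""Sanity-check the OpenVPN server address pool from step 15 of the howto.

Added example, not the howto's own material. Values marked "howto" are the
ones the guide uses; everything else is a constructed sample or an
assumption stated in the comments.
"""
import ipaddress

ADDRESS_POOL = "192.168.200.0/24"   # howto: Address pool
LOCAL_NETWORK = "192.168.1.0/24"    # howto: Local Network
# Constructed sample of other networks a site might already use (assumption)
OTHER_NETWORKS = ["10.0.0.0/8", "192.168.50.0/24"]


def check_address_pool(pool, in_use):
    """Return the networks in `in_use` that overlap the tunnel pool.

    An empty list means the pool is safe to use. A pool that overlaps the
    Local Network is the classic mistake: clients get addresses that collide
    with the LAN they are trying to reach and routing silently breaks.
    """
    pool_net = ipaddress.ip_network(pool, strict=True)
    return [str(ipaddress.ip_network(cidr, strict=True))
            for cidr in in_use
            if pool_net.overlaps(ipaddress.ip_network(cidr, strict=True))]


def max_net30_clients(pool):
    """Clients a pool can serve with the net30 topology (assumed default).

    Every client gets a /30 (4 addresses) and the first /30 is reserved for
    the server end of the tunnel, so a /24 serves 63 clients, not 253.
    """
    pool_net = ipaddress.ip_network(pool, strict=True)
    return pool_net.num_addresses // 4 - 1


def validate(pool, local_network, other_networks=()):
    """Return (ok, message) for a proposed pool.

    strict=True makes ipaddress reject a pool whose host bits are set
    (e.g. 192.168.200.5/24), which pfSense would also refuse.
    """
    try:
        clashes = check_address_pool(pool, [local_network, *other_networks])
    except ValueError as exc:
        return False, f"invalid network: {exc}"
    if clashes:
        return False, f"pool {pool} overlaps {', '.join(clashes)}"
    return True, f"pool {pool} is free; room for {max_net30_clients(pool)} clients"


if __name__ == "__main__":
    print(validate(ADDRESS_POOL, LOCAL_NETWORK, OTHER_NETWORKS))
    # Deliberately bad pool: sits inside the LAN you are exporting
    print(validate("192.168.1.128/25", LOCAL_NETWORK))
```

Run it before entering the settings in the web GUI; if the second check in the usage block ever applies to your real numbers, pick a different pool rather than trying to fix it up with firewall rules.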
Now you should be able to connect from OpenVPN (right-click on the icon in the tray and select Connect). But remember to start OpenVPN with ADMIN RIGHTS!
You will need to download the OpenVPN source (unless you already have the easy-rsa scripts somewhere on your system). These scripts can be run from any system except Windows.
1. First, edit the file 'vars'. On Gentoo, the default directory for easy-rsa is /usr/share/openvpn/easy-rsa. I copied mine from /usr/share/openvpn/easy-rsa to /etc/openvpn/ so that my certificates wouldn't get nuked during subsequent upgrades/modifications:
| root@localhost:~# cd /usr/share/openvpn |
| root@localhost:/usr/share/openvpn# cp -r easy-rsa /etc/openvpn/ |
| root@localhost:/usr/share/openvpn# cd /etc/openvpn/easy-rsa/ |
| root@localhost:/etc/openvpn/easy-rsa/# vi vars |
2. Scroll to the bottom and fill out the 5 values (export KEY_{COUNTRY,PROVINCE,CITY,ORG,EMAIL}) so they're relevant for you. Save and exit the file.
1. We need to source the vars file:
| root@localhost:/etc/openvpn/easy-rsa/# source ./vars |
2. Then we clean everything out:
| root@localhost:/etc/openvpn/easy-rsa/# ./clean-all |
3. Then we build the CA. Make sure to fill out your information appropriately.
| root@localhost:/etc/openvpn/easy-rsa/# ./build-ca |
4. Now we need to generate the certificate and private key for the server. Make sure to fill out your information appropriately. When it asks for the CN, enter server.
| root@localhost:/etc/openvpn/easy-rsa/# ./build-key-server server |
5. Build the Diffie-Hellman parameters. Make sure to fill out your information appropriately:
| root@localhost:/etc/openvpn/easy-rsa/# ./build-dh |
6. Generate the certificates for your client(s). Note that you must have a unique certificate per client. Make sure to fill out your information appropriately. In the example below I used client1 and client2 as example names. Note: if you would like to password-protect your client keys, use the build-key-pass script instead:
| root@localhost:/etc/openvpn/easy-rsa/# ./build-key client1 |
| root@localhost:/etc/openvpn/easy-rsa/# ./build-key client2 |
1. Download/compile/install the OpenVPN source.
2. The majority of the config files are in /etc/openvpn/clients on Gentoo.
| root@localhost:~# cd /etc/openvpn/clients |
3. We need to create a new config file, I called mine ren-bgw-01.conf:
| root@localhost:/etc/openvpn/clients# vi ren-bgw-01.conf |
4. Put the following information in the config file, where n.n.n.n is the IP of your pfSense box. The port, proto and cipher lines must match what you configured on the pfSense server page (this example uses TCP on port 443; the server set up in step 15 above listens on UDP 1194, so adjust whichever side differs):
port 443
dev tun
proto tcp-client
remote n.n.n.n 443
ping 30
persist-tun
persist-key
cipher bf-cbc
# cipher must be the same as the Cryptography setting in the server GUI
tls-client
ca /etc/openvpn/clients/keys/ren-bgw-01/ca.crt
cert /etc/openvpn/clients/keys/ren-bgw-01/client2.crt
key /etc/openvpn/clients/keys/ren-bgw-01/client2.key
ns-cert-type server
comp-lzo
pull
5. Now, I put all of my keys in /etc/openvpn/clients/keys/<server>/ (here <server> is ren-bgw-01, matching the paths in the config above). Make that directory and copy ca.crt, client2.crt and client2.key there:
| root@localhost:/etc/openvpn/clients# mkdir -p keys/<server> |
| root@localhost:/etc/openvpn/clients# cd /etc/openvpn/clients/keys/<server> |
| root@localhost:/etc/openvpn/clients/keys/<server>/# cp /etc/openvpn/easy-rsa/keys/ca.crt . |
| root@localhost:/etc/openvpn/clients/keys/<server>/# cp /etc/openvpn/easy-rsa/keys/client2.crt . |
| root@localhost:/etc/openvpn/clients/keys/<server>/# cp /etc/openvpn/easy-rsa/keys/client2.key . |
6. The last thing is to create the ren-bgw-01 startup script. This must match the config file name (minus the .conf) in order for it to work on Gentoo! Then we start up the tunnel:
| root@localhost:/etc/openvpn/clients/keys/<server>/# cd /etc/init.d/ |
| root@localhost:/etc/init.d/# ln -s openvpn ren-bgw-01 |
| root@localhost:/etc/init.d/# ./ren-bgw-01 start |
7. If the tunnel doesn't come up, and/or you want to do testing/debugging, simply start openvpn with the --config option to see what it's doing while it parses your config and attempts to establish the tunnel:
| root@localhost:/etc/init.d/# openvpn --config /etc/openvpn/clients/ren-bgw-01.conf |
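Both client files in this howto (the Windows .ovpn from step 13 and the Linux .conf from step 4 above) have to agree with the server page from step 15 on protocol, port and cipher, and a mismatch shows up only as a tunnel that never comes up. The following checker is an added example, not part of the original howto: it parses an OpenVPN client config the way OpenVPN reads it (one directive per line, '#' and ';' comments, shell-style quoting) and reports the mismatches. The two embedded configs are constructed copies of the howto's files with the remote filled in with a documentation address; SERVER holds the step 15 settings. It also flags `ns-cert-type server`, which OpenVPN deprecated in 2.4 in favour of `remote-cert-tls server`; the howto's 2.1-era clients still accept the old directive.

```python
"""Check an OpenVPN client config against the howto's server settings.

Added example, not the howto's own material. The configs below are
constructed copies of the two client files in the howto; 203.0.113.10 is a
documentation address standing in for the pfSense public IP.
"""
import shlex

WINDOWS_OVPN = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ovpn_client1.crt
key ovpn_client1.key
ns-cert-type server
comp-lzo
pull
verb 3
"""

LINUX_CONF = """\
port 443
dev tun
proto tcp-client
remote 203.0.113.10 443
ping 30
persist-tun
persist-key
cipher bf-cbc
# cipher must match the Cryptography setting in the server GUI
tls-client
ca /etc/openvpn/clients/keys/ren-bgw-01/ca.crt
cert /etc/openvpn/clients/keys/ren-bgw-01/client2.crt
key /etc/openvpn/clients/keys/ren-bgw-01/client2.key
ns-cert-type server
comp-lzo
pull
"""

# Server side as entered on the pfSense OpenVPN server page in step 15
SERVER = {"proto": "udp", "port": 1194, "cipher": "bf-cbc"}

NS_CERT_TYPE_WARNING = ("'ns-cert-type server' is deprecated; "
                        "use 'remote-cert-tls server'")


def parse_config(text):
    """Return the config as a list of (directive, [args]) pairs.

    Blank lines and lines starting with '#' or ';' are ignored, and shlex
    handles quoted arguments the same way OpenVPN's own parser does.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def find(directives, name):
    """All argument lists for a given directive (a directive may repeat)."""
    return [args for d, args in directives if d == name]


def check_client_config(text, server=SERVER):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    d = parse_config(text)
    # The client needs somewhere to connect, a CA to verify the server with,
    # and its own certificate and key to authenticate itself.
    for required in ("remote", "ca", "cert", "key"):
        if not find(d, required):
            problems.append(f"missing '{required}' directive")
    # 'client' is shorthand for 'tls-client' plus 'pull'; one form must be present.
    if not (find(d, "client") or find(d, "tls-client")):
        problems.append("neither 'client' nor 'tls-client' present")
    # Protocol must match the server; the client side of TCP is 'tcp-client'.
    proto = find(d, "proto")
    if proto:
        expected = "udp" if server["proto"] == "udp" else "tcp-client"
        if proto[0][0] != expected:
            problems.append(f"proto {proto[0][0]} but server uses {server['proto']}")
    # Every 'remote' port must be the port the server listens on.
    for args in find(d, "remote"):
        if len(args) >= 2 and int(args[1]) != server["port"]:
            problems.append(f"remote port {args[1]} but server listens on {server['port']}")
    # Cipher must equal the Cryptography setting (a missing line means the default, BF-CBC in 2.1).
    cipher = find(d, "cipher")
    if cipher and cipher[0][0].lower() != server["cipher"]:
        problems.append(f"cipher {cipher[0][0]} but server uses {server['cipher']}")
    if find(d, "ns-cert-type"):
        problems.append(NS_CERT_TYPE_WARNING)
    return problems


if __name__ == "__main__":
    for name, cfg in (("windows", WINDOWS_OVPN), ("linux", LINUX_CONF)):
        print(name, check_client_config(cfg) or "ok")
```

Against the step 15 settings the Windows file only draws the deprecation warning, while the Linux file is reported for its TCP/443 remote as well; that is exactly the mismatch you would otherwise have to dig out of `openvpn --config ... --verb 3` output.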
As of pfSense 1.2.3-RC1 and newer, you can filter incoming OpenVPN traffic. To do so, browse to Interfaces -> Assign and assign the appropriate tun interface to an OPT interface. Then enable the OPT interface, and for IP address, enter "none" in the IP address box. OpenVPN will configure it. Then browse to System -> Advanced and check "Disable all auto-added VPN rules". Then browse to Firewall -> Rules and configure your rules accordingly on your new interface.
If using multiple OpenVPN clients or servers, force them to use a known interface by specifying custom option 'dev tun0', 'dev tun1', etc. Each must use a unique interface.
See OpenVPN Bridging