Archive for November, 2008

VPN is a wonderful thing. I’m particularly fond of IPSEC and OpenVPN, as they allow some great tunneling and remote connection possibilities. Following is a basic tutorial to get your pfsense firewall to handle OpenVPN road warriors, and how to configure the clients. This is based on the tutorial by Frewald on the pfsense forums, but simplified for my personal benefit.
OpenVPN on pfSense – Installation guide for Windows Dummies :- road-warrior.

The first thing you need to be aware of, is that you’re likely going to authenticate to pfsense’s OpenVPN implementation with certificates. The OpenVPN client includes everything you need to create server and client certificates, but you need to bear in mind that server certificates made by “machine A” will only ever validate client certificates also made on “machine A”. For me this meant finding a permanent location, a machine on my network that’s not going to go away, from where to generate all the certificates. If you’re just testing OpenVPN, this is no big deal, and you can download the client to your laptop and generate the certificates from there. If you’re planning for production use however, you’ll need to find a good home. Whatever you choose, this machine doesn’t need to be accessible to clients to authenticate against; once the certificates are created you’ll copy them to the firewall which will handle authentication. I chose to create the certificates (install the OpenVPN client) on one of my certificate authorities, because it’s here for the long haul.

The first thing you need to do is generate keys and certificates for your clients and pfsense to use.

1. Download and install the most recent version of OpenVPN, from http://openvpn.net/download.html If you plan to connect from a PC with Windows Vista you should get version 2.1 or newer. Install OpenVPN using the default options.

2. Start a command prompt with administrator-rights. In Vista this is done by clicking on START and then type CMD… CMD.EXE should appear, you can RIGHT-Click on it and select ‘Run as Administrator’

3. Change the command prompt directory to the directory you installed OpenVPN, and the easy-rsa directory inside of that. Such as c:\programfiles\openvpn\easy-rsa

4. Run the “init-config.bat” file. This creates the initial configuration files.

5. Edit ‘vars.bat’ file, in your favourite text editor. I tend to use Wordpad, as Notepad can’t always handle linebreaks. If using Vista, you may need to open Wordpad as an administrator (you can follow the procedure in Step 2, above). The following lines in the file need to be edited:

“set KEY_COUNTRY=XX”
2 Letters country ID – I use CA for Canada

“set KEY_PROVINCE=XX”
2 Letters Province ID – I use ON for Ontario, but you could use na as in ‘Not Applicable’

“set KEY_CITY=XXXXXXX”
Name of your city (can be longer than the above line).

“set KEY_ORG=XXXXXXXXXXXXXX”
The name of your company or organisation.

“set KEY_EMAIL=youremail@address.com”
Put an email-address here. Don’t use a private personal address, since this address will be attached to the Certificate Authority certificates. You generally don’t need to put a real address here at all.

Save the file.

6. Run the “vars.bat” file.

7. Run the “clean-all.bat” file.

8. Run the “build-ca.bat” file. This will create the certificate authority records. You will be prompted to enter some various answers. You should be able to leave them as their defaults (populated by what you entered in the vars.bat file), except “Common Name” – here you should put something like “pfSense-CA” (in my case I chose a name related to the certificate authority I was generating these keys and certs on).

9. Run the “build-key-server.bat server” file. You’ll be prompted again for some answers; leave them as their defaults except for “Common Name”, you should use the value “server”.

10. Run build-dh.bat

These are all the steps necessary to generate the certificate authority keys and certificates. You only need to follow these steps once, per installation of pfsense. You could begin to setup pfsense with these certificates now, but we’ll leave that step till the end, seeing as we still need to make the keys and certificates for the clients to authenticate. The following section can be repeated for each additional client you wish to add.

11. Run the “build-key.bat” file, but append a unique client name to the end of it, like “ovpn_client1″ or “username”. For example, run: “build-key.bat client1″
Again you will be prompted for answers, the default values are fine, except for “Common Name” – here you need to enter the client name you just chose, such as “client1″ (or whatever client name you chose when you ran the batch file.)
This client name (“client1″ or whatever you chose) will be the name of the keys, the certificate and the name you’ll identify the connection as, later on. You can use whatever name you like, for our production use we use usernames or emails so we can easily identify who the certificate and connection belong to. At this stage, you can choose to generate as many as you want (with unique names), for all the clients that will be connecting to pfsense.

12. Now you’ll need to copy files (some of your newly created keys and certificates) out of the easy-rsa keys directory, and into the OpenVPN config directory. If you’re testing and you chose to create the certificates on the same machine that will be your client, this is simple; you can simply copy from “c:\program files\openvpn\easy-rsa\keys” to “c:\program files\openvpn\config”. However, if you’ve generated the certificates on a central server, such as I did on my certificate authority, then you’ll need to transfer a copy of these files to the actual CLIENT’s install of OpenVPN. In any case, the following files should now be copied from “c:\program files\openvpn\easy-rsa\keys” to “c:\programfiles\openvpn\config”.

ca.crt
client1.key
client1.crt

(Remember, “client1″ is the name you chose when creating the client certificates. If you’re copying the files to another client, make sure you give the correct set of files to the user who needs them. If you don’t see a .crt file but only a .csr file, chances are that you don’t have admin privileges, or something else went wrong in the process. If you’re using Vista, you may need to look at generating the keys and certificates on a NON-Vista machine.)

13. On the OpenVPN client machine, make a file in the “c:\program files\openvpn\config” directory (this is the same place you just placed a copy of the keys and certificates), called “client1.ovpn” (or whatever name you chose for your client, above). Edit the file in your favourite text editor, and enter the following lines (leave out the hashes/pound signs):
####
client
dev tun
proto udp
remote [ip or DNS name of your pfsense server] 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
pull
verb 3
####
You’ll need to enter the public IP address or DNS name of your pfSense box in the ‘remote’ line. You can also adjust the port, if for some reason you are choosing to not use the standard one. For the lines beginning with ‘cert’ and ‘key’, make sure you enter the name of the files you copied across in step 12.

Congratulations, you’ve got everything ready on the client side to connect to pfsense! This section is the only one that needs to be repeated, for future clients. If you have more than one OpenVPN client (and created keys and certs for them in step 11), you may choose to make all the .ovpn files for your clients now (with the corresponding .key and .crt names). These would need to be copied to the appropriate clients install of OpenVPN, like the keys and certs did in step 12.

Now we need to configure pfsense.

14. Log into the web-gui of pfSense.

15. Select VPN/OpenVPN on the menu, and add an entry in the ‘Server’ tab. Use the following settings:
Protocol: UDP
Local port: 1194
Address pool: 192.168.200.0/24 (Pick any network that you DON’T currently use, this will be assigned to your OpenVPN clients.)
Local Network: 192.168.0.0/24 (Enter whatever the network is that you want the VPN clients to connect to, ie. your local network.)
Remote Network: blank
Cryptography: BF-CBC (128 bit) – or use what you want
Authentication Method: PKI

You can choose to use TCP and/or a different port number, if you have a reason for doing so. Remember you’ll need to set that custom protocol and port in the .ovpn file created in step 13.

Now you need to have access to some of the files created in step 12. If you made the keys and certs on a central server, you’ll need to access them there. The folder is “c:\program files\openvpn\easy-rsa\keys” (or wherever you chose to install).

16. Copy the WHOLE contents of ca.crt (open with your favourite text editor) into the “CA certificate” input box.
17. Copy the WHOLE contents of server.crt into the “Server Certificate” input box.
18. Copy the WHOLE contents of server.key into the “Server Key” input box.
19. Copy the WHOLE contents of dh1024.pem into the “DH parameters” input box.

20. Tick DHCP-Opt: Disable NetBIOS (I don’t use it anyway)

21. Tick LZO Compression

Well done. Now pfsense has the CA keys and certificates installed, so it can validate requests made to authenticate against it. Now we need a few simple rules in the firewall.

22. On the WAN interface you should make a rule like:
PASS
WAN
Protocol: UDP
Source: any
OS type: any
Destination: any
Destination port range from: OpenVPN
Destination port range to: OpenVPN
Leave the rest as default.

You can choose to check the log box, if you’d like to be sure traffic is being passed. Remember if you chose to use custom protocols and ports for OpenVPN in steps 13 and 15 above, you’ll need to adjust this rule accordingly.

23. Add a rule on the interface that contains the network you defined in step 15 (local network), this may be LAN:

PASS
Any protocol
Source: 192.168.200.0/24 (whatever the range of the network defined in step 15′s “address pool”)
Destination: LAN (or whatever the local network is)

24. Depending on how locked down your local networks are, you may need to add another rule on the interface that contains the network you defined in step 15 (local network), this may be LAN:
PASS
Any protocol
Source: LAN (or whatever the name/IP range of the network defined in step 15′s “local network”)
Destination: 192.168.200.0/24 (This is the OpenVPN network that you entered as “address pool” in step 15.)

25. Apply the new rules.

That’s it! Your clients should now you should be able to connect using OpenVPN. Right click on the OpenVPN icon in the system tray and select Connect.

As a bonus, you can configure OpenVPN on pfsense to allow clients to access additional networks. In our case we have multiple VLANs and multiple IP ranges for VPN clients, and we want our OpenVPN clients to be able to access ALL these networks. To do this, you need to “push” the address ranges out to the clients, so that the client machines know how to route to those networks. (This is basic TCP/IP routing stuff, and is beyond the scope of this guide.) You’ll also need the appropriate rules in pfsense to allow this traffic. Go to VPN/OpenVPN in the pfsense web-gui, browse to the bottom of the Server tab, and look for the “Custom options” input box. You can enter multiple custom options separated by semi-colons. The option for pushing additional networks is:
push “route 192.168.4.0 255.255.255.0″ (or whatever the network range happens to be)