Scribd
Upload
56K views12 pages

Pfsense OpenVPN Tutorial

This document provides instructions for setting up OpenVPN on a pfSense router. It describes generating certificates for the OpenVPN server and clients using Easy-RSA scripts. It also explains the necessary OpenVPN service and firewall configuration steps in pfSense, including adding rules and NAT settings to allow VPN access. Finally, it outlines basic client configuration for the Windows OpenVPN client.

Uploaded by

navynmr3917
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
56K views12 pages

Pfsense OpenVPN Tutorial

This document provides instructions for setting up OpenVPN on a pfSense router. It describes generating certificates for the OpenVPN server and clients using Easy-RSA scripts. It also explains the necessary OpenVPN service and firewall configuration steps in pfSense, including adding rules and NAT settings to allow VPN access. Finally, it outlines basic client configuration for the Windows OpenVPN client.

Uploaded by

navynmr3917
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

BlackVault pfSense OpenVPN Tutorial – nmr (revised.

10-09-2008)

This tutorial will teach you how to setup OpenVPN on pfSense completely.
Your current network architecture should look like the network architecture in Fig 1.1, or something
similar to that. The private network IP 192.168.1.0 and the pfSense box IP 192.168.1.1 can be different
depending on your setup.

1. Login into your pfSense router by opening a web browser and typing in the IP address of your
pfSense box. For example http://192.168.1.1

2. The first step in building an OpenVPN configuration is to establish a PKI (public key infrastructure).
The PKI consists of:
• a separate certificate (also known as a public key) and private key for the server and each client,
and
• a master Certificate Authority (CA) certificate and key which is used to sign each of the server
and client certificates.
OpenVPN supports bidirectional authentication based on certificates, meaning that the client must
authenticate the server certificate and the server must authenticate the client certificate before mutual
trust is established.
Both server and client will authenticate the other by first verifying that the presented certificate was
signed by the master certificate authority (CA), and then by testing information in the now-
authenticated certificate header, such as the certificate common name or certificate type (client or
server).
Generate the master Certificate Authority (CA) certificate & key

Windows
In this section we will generate a master CA certificate/key, a server certificate/key, and
certificates/keys for 3 separate clients.
For PKI management, we will use a set of scripts bundled with OpenVPN.
Open up a Command Prompt window and cd to \Program Files\OpenVPN\easy-rsa. Run the following
batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and
openssl.cnf files):

cd c:\Program Files\OpenVPN\easy-rsa
init-config.bat

Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE,
KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.

vars.bat
clean-all.bat
build-ca.bat

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking
the interactive openssl command:

C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........................++++++
...................++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [New York]:
Organization Name (eg, company) [johndoe]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:nsa
Email Address [johndoe@nsa.us.gov]:

Note that in the above sequence, most queried parameters were defaulted to the values set in the
vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the
example above, I used "nsa".

Generate certificate & key for server

build-key-server.bat server

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter
"server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1
certificate requests certified, commit? [y/n]".

Generate certificates & keys for 3 clients

build-key.bat client1
build-key.bat client2
build-key.bat client3

If you would like to password-protect your client keys, substitute the build-key-pass script.
Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e.
"client1", "client2", or "client3". Always use a unique common name for each client.

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server.


build-dh.bat

Output:

C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
............+............+......+...............................................
.....................................+..........................................
.......................................................+........................
..+.........................+...................................................

Key Files

Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an
explanation of the relevant files:

Filename Needed By Purpose Secret


ca.crt server + all clients Root CA certificate NO
ca.key key signing machine only Root CA key YES
dh{n}.pem server only Diffie Hellman parameters NO
server.crt server only Server Certificate NO
server.key server only Server Key YES
client1.crt client1 only Client1 Certificate NO
client1.key client1 only Client1 Key YES
client2.crt client2 only Client2 Certificate NO
client2.key client2 only Client2 Key YES
client3.crt client3 only Client3 Certificate NO
client3.key client3 only Client3 Key YES

Setting up OpenVPN service and firewall


4. Go to the OpenVPN settings page.
5. Setup your OpenVPN to look like Fig 1.3 below
Protocol Use TCP for this, although more overhead, it works on all
occasions. We have gotten UDP to work with Shared Key but not
PKI for now.
Dynamic IP
Local port 1194 is the universal port for OpenVPN. For more security use
another port.
Address pool This is the network address from where OpenVPN clients will be
assigned addresses. Your local network address must be different
from your OpenVPN network address pool. For example we
have to use a network address besides 192.168.1.0/24 here, we
chose 10.0.1.0/24.
Use static IPs
Local network The address of your local network you want to be able to share or
access over your VPN connection. For example here our local
network is 192.168.1.0. Set this to your network address.
Client-to-client VPN Check this to enable you to access to another OpenVPN client
which is connected. We suggest you check this after your
OpenVPN connection is working properly.
Cryptography Algorithm used. Use BF-CBC (128bit) for now
Authentication Shared or PKI (Public Key Infrastructure). Shared, if you want
Method everyone to have the same key. PKI, each client has its own
unique key.
Shared Key Leave it blank for PKI
CA certificate Paste your CA certificate from the BEGIN and END
CERTIFICATE
Server certificate Paste your server certificate from the BEGIN and END
CERTIFICATE
Server key Paste your server key from BEGIN and END RSA PRIVATE
KEY
DH parameters Paste your Diffie Hellman parameters from the BEGIN and END
DH PARAMETERS
CRL
DHCP-Opt.: DNS-
Domainname
DHCP-Opt.: DNS- Enter you DNS server IP address.
Server
DHCP-Opt.: WINS-
Server
DHCP-Opt.: NBDD-
Server
DHCP-Opt.: NTP-
Server
DHCP-Opt.: none
NetBIOS node type
DHCP-Opt.:
NetBIOS Scope
DHCP-Opt.: Disable
NetBIOS
LZO compression Enabling LZO compression makes VPN faster but uses slightly
more processing power. Enable this after everything works fine.
Custom options push “redirect-gateway def1” -- to automatically setup your default
gateway to go through VPN. Using this option will enable you
client to automatically use the VPN connection for all network
traffic eg. internet, e-mail, etc.
Description Descriptive name for the VPN settings

6. Setup your firewall rule. Go to Firewall > Rules > WAN. Add a new firewall rule by clicking on
7. Once you hit 'Save' the rule below should be added
8. Go to Firewall > NAT > Outbound. Select 'Manual Outbound NAT rule generation (Advanced
Outbound NAT (AON))'. Hit 'Save'. Then add a new mapping according to the VPN network address
pool like below. Hit 'Save' again and you're done. This enables your VPN address pool to go beyond
the firewall.

VPN Client settings road warrior configuration for Windows

1. Download and install the latest OpenVPN client from http://openvpn.net

2. After installing the Windows OpenVPN client, you should see a new network connection that uses
the TAP-Win32 Adapter. Rename the network connection to tap0.
3. Create a new text file with the extension '.ovpn' for example 'blackvaultbox.ovpn' in the path
'c:\program files\openvpn\config' or where you installed the OpenVPN client in the 'config' directory.
Make sure the new text file has the extension '.ovpn' else it will not be detected. Setup the new .ovpn
file like below. Remove the # in front of comp-lzo if you enabled LZO compression when setting up
the OpenVPN server.

float
port 1194
dev tun
dev-node tap0
proto tcp-client
remote blackvaultbox_ip_domain 1194
ping 10
persist-tun
persist-key
tls-client
client
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
#comp-lzo
verb 4

4. Copy the ca.crt, client1.crt, client1.key files to the 'c:\program files\openvpn\config' or where you
installed the OpenVPN client in the 'config' directory.

5. To test your OpenVPN setup. Connect to the internet from another source besides the network where
the server is setup. Launch your OpenVPN client. Right click on the OpenVPN icon on the system tray,
hover over 'blackvaultbox' or whatever name you gave your .ovpn file and click on connect. A window
should pop up with the connection log and the OpenVPN icon in the system tray should finally turn
green. Point your web browser to http://www.copymyiptoclipboard.com and it should show and copy
the IP address of the network your server is behind.

Common questions

Powered by AI

The authentication method in OpenVPN can be determined by choosing between Shared Key and PKI (Public Key Infrastructure). Shared Key allows for a single, common key for all connections, simplifying the setup but potentially lowering security because anyone with access to this key can connect to the VPN. PKI is more secure as it uses a unique certificate and key pair for each client, ensuring individual authentication and better traceability of users .

Firewall rules and NAT settings are instrumental in enabling and securing OpenVPN client access. Firewall rules are configured to allow traffic through specific ports (e.g., port 1194 for OpenVPN) while restricting unauthorized access attempts. NAT settings, especially manual outbound NAT, are configured to map internal VPN client traffic to external networks securely, ensuring that VPN clients can communicate with both the local network and external internet resources as needed. This setup not only facilitates connectivity but also prevents attacks by controlling traffic pathways .

On Windows, it is recommended to name OpenVPN configuration files with the '.ovpn' extension to ensure they are detected by the client. Additionally, the network connection created by the OpenVPN client should be renamed to something relatable, such as 'tap0', which aligns with the configuration file naming conventions and facilitates easier identification and management of VPN connections .

To test an OpenVPN setup, connect to the internet from a different network than where the server is located to ensure there are no local network influences. Launch the OpenVPN client and attempt to connect using the appropriate '.ovpn' configuration file. Observe the connection logs for any errors. If successful, the OpenVPN icon in the system tray should turn green, indicating an active and secure connection. Additionally, one could visit a service like 'copymyiptoclipboard.com' to verify that the external IP address reflects the VPN server's network, confirming the route via the VPN .

Specifying a distinct network address pool for OpenVPN clients is important to prevent IP address conflicts and ensure proper routing. If the OpenVPN address pool overlaps with the local network, it can cause routing issues and prevent clients from connecting to the local network resources effectively. This separation also aids in distinguishing VPN traffic from regular network traffic, which facilitates easier management and troubleshooting .

Diffie Hellman parameters are generated to facilitate secure key exchange between the server and clients in OpenVPN. They provide a method to exchange cryptographic keys over a public channel securely. The strength of the Diffie Hellman parameters influences the security of the VPN connection; hence, generating appropriate parameters, such as 1024-bit long safe primes, is a crucial step in the setup to ensure encrypted data transmission cannot be easily compromised .

PKI (Public Key Infrastructure) is critical in establishing mutual trust between OpenVPN clients and servers as it employs a system of digital certificates issued by a trusted Certificate Authority (CA). Each client and server possesses unique certificates and keys, allowing both parties to authenticate each other's identities. The verification that each certificate is signed by the master CA ensures that both the client and server are genuine, thereby preventing impersonation attacks and establishing an encrypted, authenticated, and secure communication channel .

Disabling specific DHCP options like NetBIOS node type is essential in OpenVPN to avoid conflicts or undesired broadcasts across different network nodes. NetBIOS over VPN can lead to unwarranted network congestion and expose the network to additional vulnerabilities due to broadcast traffic. By disabling these options, the network can prevent unnecessary traffic and enhance security, focusing on more efficient and secure alternatives like DNS for name resolution .

LZO compression increases the speed of data transfer over the VPN by compressing data before transmission, reducing the amount of data sent over the network. However, this compression requires additional processing power, which could impact the CPU performance on low-spec devices. Thus, enabling LZO compression could improve performance in terms of bandwidth but at the cost of higher CPU usage .

The 'Common Name' is a crucial identifier in certificate management. When generating certificates and keys for the OpenVPN server and clients, each must have a unique 'Common Name' that accurately represents the entity's identity. This ensures that each certificate can be distinctly recognized and verified, preventing errors in authentication and enhancing security by tying certificates to specific servers and clients .

You might also like