
Author Topic: Site-To-Site OpenVPN using PKI (something of a howto)  (Read 51254 times)


Offline franklookyou
Site-To-Site OpenVPN using PKI (something of a howto)
« on: November 30, 2008, 07:44:04 pm »
This is a guide for VPN-ing a dozen or more sites using PKI.  If you only wish to VPN 2 or 3 sites together, the OVPN shared key method will certainly be simpler.  The stalwart board moderator GruensFroeschli has suggested the following, and I wholeheartedly concur: "Up to 5 sites I wouldn't bother setting up a PKI."



Earlier this year, I wanted to set up a VPN connection between about 12 offices.  Several threads on this forum, particularly http://forum.pfsense.org/index.php/topic,9624.0.html, helped get me started.

Basically, I needed each branch to be able to route to the home office network, and the home office network to be able to route to each of the branch office networks (but the branches did not need to route each other).

(Just to be clear on this approach: all machines from the home network can reach all machines in the client networks.  Similarly, all machine in the client networks can reach all machines in the home network.  However, machines in a given client network cannot typically reach machines in a different client network.  I believe it is possible to extend this approach to allow client networks to intercommunicate, but I have not done so.)

It is a sort of hub and spoke model.  For us, this allowed everyone to share/print documents through a file/print server located in the home office.  And for me, this allowed for fairly easy addition of new satellites.  

If you have similar needs, then the following information might help you.  It is scaled down to 4 networks.



The home network should have a fixed IP address, but the satellites need not.  A funky dyndns name for the home network might be sufficient, but I haven't run it with anything like that.

For simplicity's sake, the home network is the 10.9 class B, and each of the satellite offices is a class C located in the 10.10 block.  Each site is located behind a pfSense box.  An additional network, required by OpenVPN to mediate communication, I located in the 10.8 block (somewhat arbitrarily).


Vpn   10.8.1.0/24
Home  10.9.0.0/16
Sat0  10.10.0.0/24
Sat1  10.10.1.0/24
Sat2  10.10.2.0/24



Sat0 (10.10.0/24)
       |
       |
Home (10.9/16) ---- Sat1 (10.10.1/24)
       |
       |
Sat2 (10.10.2/24)



Before getting started in earnest, configure the 10.9.0.1 (home network) firewall to allow for incoming 1194 UDP connections.  The rule should look something like this:
Proto  Source  Port  Destination  Port             Gateway  Schedule  Description
UDP    *       *     WAN address  1194 (OpenVPN)   *        *         OVPN

Unless you have unusually restrictive firewall rules at your satellite offices, that should be the only firewall rule you'll need.



So, first we need to do some PKI.  Specifically, we need a server key for the home network and a regular key for each satellite network.  For the purposes of this thread, I'm naming the home key home, and the satellite keys sat0, sat1, and sat2.

There are several good tutorials for generating these here in the forums.  The only thing that I'll add here is that the file/common names of the satellite office keys are very important to keep straight, as they are relevant later in the configuration.

You will need to have ca.crt, dh1024.pem, home.key, home.crt, sat0.key, sat0.crt, sat1.key, sat1.crt, sat2.key, and sat2.crt handy to continue.  And be sure not to lose ca.key.


Now, let's get to work on the home office router.  Under VPN -> OpenVPN -> Server, click on the plus sign to add a new server, and we'll get to work.

First, scroll down a bit and change Authentication Method from Shared Key to PKI (Public Key Infrastructure).  Doing this changes which fields are enabled and disabled on the form.


Disable this tunnel            uncheck
Protocol                       UDP
Dynamic IP                     check
Local port                     1194
Address pool                   10.8.1.0/24
Use static IPs                 uncheck
Local network                  leave blank
Remote network                 leave blank
Client-to-client VPN           check
Cryptography                   BF-CBC (128-bit)
Authentication Method          PKI (Public Key Infrastructure)
Shared key                     leave blank
CA certificate                 copy your ca.crt
Server certificate             copy your home.crt
Server key                     copy your home.key
DH parameters                  copy your dh1024.pem
a whole bunch of DHCP options  leave 'em alone
LZO compression                check
Custom options                 route 10.10.0.0 255.255.0.0;push "route 10.9.0.0 255.255.0.0"
Description                    site-to-site

Go ahead and click save.  We should now have an entry under server tab looking something like this:
Disabled  Protocol  Address pool  Description
No        UDP       10.8.1.0/24   site-to-site

If you're paying close attention, the custom options probably jumped out at you.  They are the first bit of OpenVPN black magic necessary to get this to work and essentially translate to

attn: home      please route all 10.10/16 traffic into the VPN
attn: all sats  please route all 10.9/16 traffic into the VPN

But they aren't quite enough on their own.  Sadly, we'll need an entry under the Client-specific configuration for each of the Satellite offices.



So, under VPN -> OpenVPN -> Client-specific configuration, click on the plus sign to add a new satellite entry.  Note: still on the home router.

Disabled        uncheck
Common name     sat0                            (this MUST match your sat0 key common name!!!)
Blocked         uncheck
Push reset      uncheck
Interface IP    leave blank
Custom options  iroute 10.10.0.0 255.255.255.0  (this MUST match the sat0 network)
Description     10.10.0.0/24                    (using the network here makes the display look nice)

Click save.

This is the second (and last) bit of OpenVPN black magic.  This whole entry essentially translates to:
attn: home  please internally route all 10.10.0/24 traffic to sat0

So we've created an entry for sat0.  We also need to create entries (still under Client-specific configuration) for sat1 and sat2.  Here's an abbreviated table showing those values:

                values for sat1                 values for sat2
Common name     sat1                            sat2
Custom options  iroute 10.10.1.0 255.255.255.0  iroute 10.10.2.0 255.255.255.0
Description     10.10.1.0/24                    10.10.2.0/24

Once you're finished, the Client-specific configuration tab should look something like:

Disabled  Common name  Description
no        sat0         10.10.0.0/24
no        sat1         10.10.1.0/24
no        sat2         10.10.2.0/24

Just a warning, I have at times messed up one of these entries and broken VPN functionality for other entries.  So try to get these right the first time.



Now, we configure the (much simpler) clients.  Bring up the sat0 router (10.10.0/24) and we'll begin at VPN -> OpenVPN -> Client tab.  Click on the plus to add a new client.

Disable this tunnel       uncheck
Protocol                  UDP
Server address            the public IP of the home network
Server port               1194
Interface IP              leave blank
Remote network            leave blank
Proxy Host                leave blank
Proxy port                3128
Cryptography              BF-CBC (128-bit)
Authentication method     PKI (Public Key Infrastructure)
Shared key                leave blank
CA certificate            copy your ca.crt
Client certificate        copy your sat0.crt
Client key                copy your sat0.key
LZO compression           enable        (just make sure you're consistent with the server here)
Limit outgoing bandwidth  leave blank
Dynamic source port       uncheck
Custom options            leave blank
Description               sat0

Click save.

You should note that there is no real black magic here.  We already baked most of the voodoo into the client-specific configs.



Rather than finishing up the configs for your other 2 satellites, stop to do some testing here.  You should be able to ping an arbitrary machine on the satellite network from the home office network.  The converse should work as well.  (I'll warn you that Windows firewall blocking pings has often made this process more infuriating than it should be for me.)

The OpenVPN logs, accessible under the Status -> System logs -> OpenVPN tab, are your main tool for tracking down any configuration errors.



Assuming that everything works, then great.  Let's go ahead and create OpenVPN clients for your other two satellites.  The only differences among the 3 satellite configurations are the key and cert you paste into the form (and possibly the description).

Congratulations!



Epilogue:

In order to add a new Satellite office, say sat3 using the 10.10.3/24 block:
  • create a new key/crt with common name sat3
  • create a new OpenVPN Client-specific configuration entry on the home office server binding sat3 to the custom option iroute 10.10.3.0 255.255.255.0
  • create an OpenVPN Client entry on the sat3 router, using the new keys
  • enjoy the simplicity you reap now after fighting through the complexity earlier
« Last Edit: July 09, 2010, 05:38:04 am by GruensFroeschli »
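As an added illustration (not code from franklookyou's post or from pfSense itself), the following Python script builds the same server custom options and per-satellite iroute entries from a site table, and checks for the entry mistakes the post warns can break routing for other satellites (a network outside the aggregate route, satellites overlapping each other or the home network/VPN pool, a CCD name that does not match the certificate CN). The site table and the OpenSSL-style subject-line format are constructed assumptions; the generalisation to any number of satellites (e.g. the sat3 of the epilogue) is mine.

```python
import ipaddress

# Constructed from the howto's site table: home is 10.9/16, each satellite is a /24
# inside 10.10/16 (covered by one server-side 'route'), VPN pool is 10.8.1.0/24.
HOME_NET = ipaddress.ip_network("10.9.0.0/16")
VPN_POOL = ipaddress.ip_network("10.8.1.0/24")
SAT_AGGREGATE = ipaddress.ip_network("10.10.0.0/16")
SATELLITES = {"sat0": "10.10.0.0/24", "sat1": "10.10.1.0/24", "sat2": "10.10.2.0/24"}

def netmask_form(net):
    """OpenVPN route/iroute lines take 'network netmask', not CIDR."""
    return f"{net.network_address} {net.netmask}"

def server_custom_options(home=HOME_NET, aggregate=SAT_AGGREGATE):
    """The two server-side lines from the post: a kernel route sending all satellite
    traffic into the tunnel, and a pushed route so every satellite sends home traffic back."""
    return [f"route {netmask_form(aggregate)}", f'push "route {netmask_form(home)}"']

def ccd_entries(sats=SATELLITES):
    """One client-specific iroute per satellite, keyed by the certificate common name."""
    return {cn: f"iroute {netmask_form(ipaddress.ip_network(c))}" for cn, c in sats.items()}

def cn_from_subject(subject):
    """Extract CN from an OpenSSL-style subject such as '/C=US/O=Example/CN=sat0'
    (a constructed sample format) so the CCD name can be checked against the cert."""
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key.strip() == "CN":
            return value.strip()
    return None

def check_plan(sats=SATELLITES, home=HOME_NET, pool=VPN_POOL, aggregate=SAT_AGGREGATE):
    """Flag the entry mistakes that break routing for other satellites: a network outside
    the aggregate route, one overlapping home/pool, or two satellites sharing addresses."""
    problems, seen = [], {}
    for cn, cidr in sats.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(aggregate):
            problems.append(f"{cn}: {net} not covered by server route {aggregate}")
        if net.overlaps(home) or net.overlaps(pool):
            problems.append(f"{cn}: {net} overlaps the home network or VPN pool")
        for other_cn, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{cn}: {net} overlaps {other_cn} ({other})")
        seen[cn] = net
    return problems
```

Each `ccd_entries()` value is what goes into the Custom options field of the client-specific entry whose Common name equals the dictionary key; an empty `check_plan()` result means the table is consistent.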

Offline Vancouver
Re: Site-To-Site OpenVPN using PKI (something of a howto)
« Reply #1 on: November 30, 2008, 10:13:23 pm »
Thanks for this excellent How-To. I think this should be made sticky and also be put on the Documentation-Wiki.

Offline GruensFroeschli
Re: Site-To-Site OpenVPN using PKI (something of a howto)
« Reply #2 on: December 02, 2008, 04:14:42 am »
Stickied and I fixed your tables :)
We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

Offline franklookyou
Re: Site-To-Site OpenVPN using PKI (something of a howto)
« Reply #3 on: December 05, 2008, 09:32:47 pm »
Sorry about the tables (thanks for all your hard work here on the forums, GruensFroeschli).

Anyway, I'll try to touch up this little howto when pfSense 2.0 gets released.

Offline franklookyou
Re: Site-To-Site OpenVPN using PKI (something of a howto)
« Reply #4 on: January 07, 2009, 05:36:15 pm »
Added a caveat about how many networks should be involved before using this technique.