
Topic: OpenVPN for Remote User : A How to


rudraansh
OpenVPN for Remote User : A How to
« on: January 15, 2010, 02:24:01 pm »
I would like to give a how-to for creating a remote user VPN tunnel on pfSense 2.0 Beta.

1. Install pfSense 2.0 Beta. I think getting into the details is out of the scope of this tutorial.

2. First, let's generate certificates.

   Section (A)
   Go to System -> Cert Manager -> CA tab, and click Add.

      Descriptive Name: ca
      Method: Create an internal Certificate Authority
      Key Length: 2048 bits
      Lifetime: 3650 days
      Distinguished Name:
         Country Code: US
         State or Province: Austin
         City: Texas
         Organisation: My Company
         Email Address: admin@mycompany.com
         Common Name: internal-ca
      Click Save.
   You can see a down arrow on the right side. Click it and download the certificate.

   Section (B)
   Now move to the Certificates tab.

      Descriptive Name: server
      Method: Create an internal certificate
      Certificate Authority: ca (which we created in step 2, Section (A))
      Key Length: 2048 bits
      Lifetime: 3650 days
      Distinguished Name:
         Country Code: US
         State or Province: Austin
         City: Texas
         Organisation: My Company
         Email Address: admin@mycompany.com
         Common Name: internal-ca (or whatever)
      Click Save.
   You can see two down arrows: one is the certificate and the other is the key. Download them both.

3. Now let's create a VPN tunnel.
   On the VPN tab select OpenVPN. Click the Add button on the right-hand side.

      Server Mode: Remote Access (SSL/TLS)
      Protocol: UDP
      Interface: WAN
      Local Port: 1194 (this is the default port for OpenVPN)
      Description: whatever you want

      TLS Authentication: remove the check box
      Peer Certificate Authority: ca (this is the same one we created in step 2, Section (A))
      Server Certificate: server (which we created in step 2, Section (B))
      DH Parameters: 1024 bits
      Encryption Algorithm: BF-CBC (128 bits) (choosing this means it does not need to be mentioned in the .ovpn config file we create later on the client)
      Tunnel Network: 10.0.8.0/24 (these IP addresses will be given to clients connecting to this tunnel)
      Local Network: the one you are using on LAN
      Compression: check on "Compress tunnel packets using the LZO algorithm"
      Address Pool: check on "Provide a virtual adapter IP address to clients"
      Rest unchecked

      Click Save.
4. Now we need to add a rule on the WAN interface. So go to
   Firewall -> Rules -> WAN tab
   and click the Add button on the right-hand side.

      Action: Pass
      Interface: WAN
      Protocol: UDP
      Source: any
      Destination: any
      Destination Port Range: select from OpenVPN to OpenVPN (if you are using any port other than 1194, enter it here)
      Description: whatever you like

      Click Save.

5. Now we need to add a rule on the LAN interface. So go to
   Firewall -> Rules -> LAN tab
   and click the Add button on the right-hand side.

      Action: Pass
      Interface: LAN
      Protocol: any
      Source: any
      Destination: any
      Destination Port Range: (leave as is)
      Description: whatever you like

      Click Save.
Our Server is up now and ready to accept connections

6. We are on the remote client machine now.
   Download the OpenVPN client (for Windows) from here: http://openvpn.net/release/openvpn-2.1.1-install.exe
   Install it with the default options.

   Now go to C:\Program Files\OpenVPN\config\

   Paste here all the certificates and keys we created in step 2, i.e. (ca.cert, server.cert, server.key).

   Now (we are still in C:\Program Files\OpenVPN\config\):

   Create a file server.ovpn.
   Open it in Notepad.
   Paste the following, from #### to ####, into it:
   ####
   client
   dev tun
   proto udp
   remote x.x.x.x 1194   # where x.x.x.x is the public IP we configured on the WAN interface of pfSense 2.0
   ping 10
   resolv-retry infinite
   nobind
   persist-key
   persist-tun
   ca ca.crt
   cert server.crt
   key server.key
   comp-lzo
   pull
   verb 3
   ####
7. Right-click the file and select "Start OpenVPN on this config file".

   Now you should be able to connect to your clients behind pfSense from anywhere in the world (if you have an internet connection available).

8. In case you would like to add more users to connect to this tunnel:

   In pfSense, go to System -> User Manager and click on the Add button (remember we are logged in as admin right now).
   On the User tab:

      Username: rakesh (whatever you like)
      Password: whatever
      Full name: rakesh veduvar
      Expiration date: leave it blank
      Group membership: select admin and move it to the right
      Click Save.

   Again edit the same user's settings; you will find two new options, Effective Privileges and User Certificates.
   (Effective Privileges is used to restrict a particular user from seeing or editing everything on pfSense.)

   In User Certificates click Add on the right-hand side.

      Descriptive Name: rakesh
      Certificate Authority: ca (the same one we created in step 2)
      Key Length: 2048 bits
      Lifetime: 3650 days

      Click Save.
   Scroll down to User Certificates and download the certificate and key.
   Log out.

   On donalf's system install the same OpenVPN client and repeat the same steps,
   but this time copy ca.crt, rakesh.cert, rakesh.key to C:\Program Files\OpenVPN\config\
   Right-click the file and select "Start OpenVPN on this config file".

You are on.

In the same manner you can have many more remote users connecting to the network behind pfSense.

I think this will come in handy for users new to OpenVPN and pfSense, and also for those who have shifted from previous versions to pfSense 2.0 Beta.

Enjoy.

I have been using pfSense in India for quite some time now. I am a big fan of it for all it is giving us for free. What I could do in return is help users by doing this.

Thanks pfSense, love you.
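A small audit of the step 6 client profile, added here as an example and not part of the original post or of pfSense/OpenVPN: it parses the profile's directives and reports the points this how-to leaves implicit (TLS Authentication unticked in step 3, no cipher line so the 2.1 client's default BF-CBC applies, and the client reusing the server's own certificate and key). The sample profile and the 203.0.113.10 address are constructed placeholders.

```python
"""Added example (not from the forum post): parse an OpenVPN client
profile and list the settings a defender would revisit before rollout.
SAMPLE_OVPN is a constructed copy of the step 6 profile; 203.0.113.10
stands in for the pfSense WAN address."""
import re

SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 203.0.113.10 1194   # placeholder for the pfSense WAN address
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key
comp-lzo
pull
verb 3
"""


def parse_ovpn(text):
    """Map each directive to the list of argument lists it was given.
    A '#' or ';' at line start or after whitespace begins a comment."""
    directives = {}
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit(text):
    """Return the findings for a profile, in the order a reviewer would raise them."""
    d = parse_ovpn(text)
    findings = []
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth: step 3 unticked it, so UDP/1194 answers any TLS handshake")
    if "remote-cert-tls" not in d:
        findings.append("no 'remote-cert-tls server': client does not verify the peer holds a server cert")
    if "cipher" not in d:
        findings.append("no cipher line: falls back to the OpenVPN 2.1 default, BF-CBC")
    cert = d.get("cert", [[""]])[0][0]
    if cert.startswith("server"):
        findings.append(f"client authenticates with the server's own credentials ({cert}); use a per-user cert as in step 8")
    return findings
```

Running `audit(SAMPLE_OVPN)` lists all four points; a profile that carries a per-user certificate, a tls-auth key, `remote-cert-tls server` and an explicit cipher comes back clean.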

cmb (Chris Buechler, Administrator)
Re: OpenVPN for Remote User : A How to
« Reply #1 on: January 15, 2010, 07:13:34 pm »
Thanks, I made this a sticky for the time being (though in the near future this is going to be streamlined, which is why I haven't put up a howto yet, it's going to change).

You can skip the download, create config, etc. steps by installing the OpenVPN Client Export package, which adds an export tab to VPN > OpenVPN screen where you can download an installer with the config and certs built-in.

rudraansh
Re: OpenVPN for Remote User : A How to
« Reply #2 on: January 15, 2010, 10:02:07 pm »
It was just because I was finding it difficult, and then you need to add some lines in the advanced section.
I just tried to keep it as simple as possible.

focalguy
Re: OpenVPN for Remote User : A How to
« Reply #3 on: January 20, 2010, 11:22:06 am »
Thanks for writing this Rudraansh! I was having difficulty figuring out what the steps were. Until the process has changed, I'll try this for now.

arriflex
Re: OpenVPN for Remote User : A How to
« Reply #4 on: April 15, 2010, 12:55:36 pm »
This didn't work for me as I was having many TLS authentication issues until I added a user in the System:User Manager on an embedded snapshot of the 2.0 beta. Then my OpenVPN: Client Export Utility became populated with the user I added and I was able to very easily export a Viscosity bundle that was plug-n-play.

Very nicely done, it's getting a lot easier than it used to be!

Much of what is mentioned here is not necessary as the OpenVPN:Wizard gets much of it accomplished.

Separately, I am finding that the "Provide a virtual adapter IP address to clients" checkbox does not stay checked through a save on the OpenVPN:Server edit page.
« Last Edit: April 15, 2010, 01:00:16 pm by arriflex »

cmb (Chris Buechler, Administrator)
Re: OpenVPN for Remote User : A How to
« Reply #5 on: April 16, 2010, 11:23:33 pm »
> Much of what is mentioned here is not necessary as the OpenVPN:Wizard gets much of it accomplished.

Yeah this was written before that wizard existed.