I thought I'd put 2 howto's together to show people how to get the most out of OpenVPN and pfSense. This first one is a straightforward one, but the next howto, 'How to load balance multiple OpenVPN clients
' refers to this as well. Hope they're of use!
With legislation allowing over zealous and officious bodies to strip away all of your online dignity, privacy is becoming a very important point to protect. While the likes of tor and other anonymising techniques are valiant efforts, the problem them is their speed is usally drastically slower. Connecting to OpenVPN providers, with the right set up, allows you to encrypt your traffic. With decent hardware counteracting the additional overhead of encryption and compression processing on your connection stream, if you're lucky like me, you may even see slightly increased
connection speeds (I see an 11% speed boost on average) as well as being encrypted and private.
In pfSense 1.2.3 it was possible, though hard to make an OpenVPN client a WAN connection
, in 2.0, it's significantly easier but still not perfect. Nevertheless, this howto explains how to set up an OpenVPN client connection and use it as a WAN connection.A. Find a good provider!
Before I go ahead, let me say a couple of words on doing your own research
about VPN providers. Like everything in life, not all VPN providers are created equal, and you get what you pay for. If you are also going on to load balance multiple connections, your choice of provider is absolutely vital.
For those who don't have OpenVPN servers of their own, you must understand most VPN providers only allow one connection to any of their servers, however some allow as many different means (ie proxy servers, SSH tunnels, PPTP, L2TP/Ipsec or OpenVPN, etc) and connections to as many of their servers as possible - look for the ability to 'chain servers' (connecting to a server by proxying or tunnelling though another), and of course decent connection speeds to and from the servers from your location. A good overview of the state of the VPN Provider industry, including a list of providers, is available in French here
). For this howto, I'm using Perfect Privacy
, as a provider that does allow chaining and for me has decent speeds. Doing your research is key, and you may find getting several cheaper subs to different providers might be more versatile for you.
Avoid the free one's though as their OVPN setups are generally appalling (so useless even for testing) and of course freetards flocking to them mean they're totally overloaded and their speed is terrible.B. Preliminary info gathering
When setting up an OpenVPN connection, you need a number of files (usually through a member-only download page from your chosen provider). While under proper OVPN setups, each client has their own client certicate and key, VPN providers tend to use the 'auth-user-pass' method of authentication and provide the same client certificate and key to all their users. Nevertheless, I'll refer to these files in the course of the howto:
- The server's Certicate Authority (CA) certificate, (usually ca.crt
- The Client certificates (Usually client.crt
- The Client private key (Usually client.key
- Sometimes they also provide a PKCS#12 (client.p12
) key which you'd need to convert via OpenSSL's command line to get the PEM-format client.crt and client.key files
- Optionally, sometimes the provider also gives a TLS key for the handshake process as well (Usually tls.key
- An OpenVPN configuration file, (either client.conf or more usually, client.ovpn
- Sometimes, providers only give you one certificate, a 'Shared Key'.
I found naming the various options properly, especially when managing various connections mattered quite a lot. Where I say 'ProviderName', replace with the name of your provider (in my case 'Perfect Privacy') and in the 'ServerLocation' enter the server's identifier (in my case 'Steinsel').
Throughout the course of this howto, you need to have your client.ovpn file handy, and read it. If you're unsure of any command, refer to the OpenVPN docs
to decipher. You'll need to mirror the settings in pfSense and constantly refer to it, but you can't unfortunately just import the file in pfSense.C. Import Certificates
First you need to import the certificates.
1. Navigate to System -> Cert Manager. You should be in the 'CAs' tab.
2. Click the '+' to add a new CA.
3. Provide a descriptive name like 'ProviderName / ServerLocation / CA', leave 'Import an existing Certification Authority' selected.
4. Paste the contents of the ca.crt from your provider in the 'Certificate data' box.
5. Press Save.
6. Navigate to the 'Certificates' tab
7. Enter a descriptive name like 'ProviderName / ServerLocation / Client', and leave 'Import an existing Certificate' selected.
8. In the 'Certificate data', paste the contents of the client.crt file.
9. In the 'Private key data', paste the contents of the client.key file.D. Username / Password file
If your client.ovpn file says 'auth-user-pass', then you need to follow this step and also add the line in E.21:
1. Navigate to Diagnostics -> Edit File
2. Enter '/conf/ProviderName-ServerLocation.pas' in the 'Save/Load from path' field (be careful on nanobsd setups to save it in a location that persists across boots)
3. In the box, you need to enter:
On 2 lines, according to the credentials of provided to you from your provider.
4. Press Save.E. Create the OpenVPN Client connection
1. Navigate to VPN -> OpenVPN -> Clients tab
2. Click the '+' button to add a new connection.
3. By default, 'Server Mode' is 'Peer to Peer ( SSL/TLS )'. If only 1 certificate has been provided, select 'Peer to Peer (Shared Key)'.
4. By default, 'Protocol' is 'UDP'. If the client.ovpn says 'remote 126.96.36.199 1194 tcp', select 'TCP' here.
5. By default, 'Device mode' is 'tun'. If the client.ovpn says 'dev tap' or 'dev-type tap', then select 'tap'
6. Leave the 'Interface' as 'WAN'.
7. (Optional) Under 'Local port', enter some arbitrary port you don't use like '50011'. This allows the management interface to keep tabs on the connection and for it to appear under Status -> OpenVPN
8. In 'Server host or address', enter the host (domain or IP) of the VPN server. In the client.ovpn take 'domain.name' or '188.8.131.52' out of the line 'remote domain.name 1194 udp' or 'remote 184.108.40.206 1194 udp'.
9. In 'Server port', if the same 'remote x.x.x.x' says something different to 1194, enter it here
10. Check 'Infinitely resolve server' if the client.ovpn says 'resolv-retry infinite'
11. Provide a good description like 'ProviderName / ServerLocation / Client'.
12. Keep 'Enable authentication of TLS packets' checked
13. If you have a tls.key file, uncheck 'Automatically generate a shared TLS authentication key' and paste the contents of this file in the box that appears.
14. Under 'Peer Certificate Authority' select the name you entered for the 'CA' certificate you entered for this provider.
15. Under 'Client Certificate', select the name of the 'Client' certificate you entered for this provider.
16. Under 'Encryption algorithm', select the algorithm like 'AES-256-CBC' as used in the client.ovpn file where it says 'cipher AES-256-CBC'. If nothing is entered, select an AES algorithm if you have a fast computer, or 'BF-CBC' for slower machines.
17. Leave 'Tunnel Network' empty
18. Leave 'Remote Network' empty
19. Leave 'Limit outgoing bandwidth' unchecked
20. Check 'Compress tunnel packets using the LZO algorithm' if the client.ovpn has a line saying 'comp-lzo', 'comp-lzo yes' or 'comp-lzo adaptive'.
21. In the 'Advanced' field, we need to enter several options, all separated by a ';':
- verb 5 (Increases the verbosity for the logs so we can see what really is happening!)
- engine cryptodev (this will make use of any encryption acceleration hardware in your machine (ie AMD Geode LX or Hifn card). VIA Padlock users should use 'engine padlock')
- auth-user-pass /conf/ProviderName-ServerLocation.pas (where the file is the same as the file you entered above)
22. If your client.ovpn file contains any other lines, such as those for adjusting MTU sizes, put them into the advanced box as well.
23. Press Save!F. Verify it's working
Now we need to check what happens and look at the logs.
1. First navigate to Status -> System Logs -> OpenVPN tab
2. Because we entered 'verb 5' in the advanced field, you'll see a lot more information than normal being logged.
3. You need to look for is the line that says:
openvpn: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 220.127.116.11,dhcp-option DNS 18.104.22.168,dhcp-option DNS 22.214.171.124,route 10.0.61.1,topology net30,ifconfig 10.0.61.54 10.0.61.53'
4. If that line says 'redirect-gateway def1', then your pfSense should be routing all traffic over the VPN connection. Browse to a 'what's my IP' page, and see if your connection is coming from another IP than your own. If not, you're going to have to play around with some of the 'route' commands to sort out your routing table, but generally if you add 'redirect-gateway def1' to the advanced box if it's not being pushed, OpenVPN should modify the routing table and all traffic will flow through the VPN connection.
5. If you entered a local port in the config, you should also see the connection as 'up' and bandwidth usage under Status -> OpenVPN.
That's it!Dev notes for improved support:
1. It's really necessary to have auth-user-pass fields in the config page - especially as you do it for the proxy server section.
2. It might be an idea to import a .ovpn file directly and have a script do a lot of the decisions in the config in a future release?
3. 'engine cryptodev' or 'engine padlock' where it's supported by the system should also automatically be set for OVPN configs - the index.php page shows this, so PHP scripts already have detection code somewhere.
4. Uploading PKCS#12 certificates into the Cert Manager and get pfSense to automatically convert them to PEM format would be a nice addition in a future release
5. For some reason, the Traffic Graph doesn't report any traffic over OVPN interfaces - RRD traffic graphs however are fine.