BlackVault pfSense OpenVPN Tutorial – nmr (revised. 10-09-2008) This tutorial will teach you how to setup OpenVPN on pfSense completely. Your current network architecture should look like the network architecture in Fig 1.1, or something similar to that. The private network IP 192.168.1.0 and the pfSense box IP 192.168.1.1 can be different depending on your setup.
1. Login into your pfSense router by opening a web browser and typing in the IP address of your pfSense box. For example http://192.168.1.1 2. The first step in building an OpenVPN configuration is to establish a PKI (public key infrastructure). The PKI consists of: • •
a separate certificate (also known as a public key) and private key for the server and each client, and a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established. Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the nowauthenticated certificate header, such as the certificate common name or certificate type (client or server).
Generate the master Certificate Authority (CA) certificate & key Windows In this section we will generate a master CA certificate/key, a server certificate/key, and certificates/keys for 3 separate clients. For PKI management, we will use a set of scripts bundled with OpenVPN. Open up a Command Prompt window and cd to \Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files): cd c:\Program Files\OpenVPN\easy-rsa init-config.bat Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank. vars.bat clean-all.bat build-ca.bat The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command: C:\Program Files\OpenVPN\easy-rsa>build-ca.bat Loading 'screen' into random state - done Generating a 1024 bit RSA private key .........................++++++ ...................++++++ writing new private key to 'keys\ca.key' ----You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value,
If you enter '.', the field will be left blank. ----Country Name (2 letter code) [US]: State or Province Name (full name) [NY]: Locality Name (eg, city) [New York]: Organization Name (eg, company) [johndoe]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:nsa Email Address [
[email protected]]: Note that in the above sequence, most queried parameters were defaulted to the values set in the vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "nsa". Generate certificate & key for server build-key-server.bat server As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]". Generate certificates & keys for 3 clients build-key.bat client1 build-key.bat client2 build-key.bat client3 If you would like to password-protect your client keys, substitute the build-key-pass script. Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client. Generate Diffie Hellman parameters Diffie Hellman parameters must be generated for the OpenVPN server.
build-dh.bat Output: C:\Program Files\OpenVPN\easy-rsa>build-dh.bat Loading 'screen' into random state - done Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time ............+............+......+............................................... .....................................+.......................................... .......................................................+........................ ..+.........................+................................................... Key Files Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files: Filename
Needed By
Purpose
Secret
ca.crt
server + all clients
Root CA certificate
NO
ca.key
key signing machine only
Root CA key
YES
dh{n}.pem
server only
Diffie Hellman parameters
NO
server.crt
server only
Server Certificate
NO
server.key
server only
Server Key
YES
client1.crt
client1 only
Client1 Certificate
NO
client1.key
client1 only
Client1 Key
YES
client2.crt
client2 only
Client2 Certificate
NO
client2.key
client2 only
Client2 Key
YES
client3.crt
client3 only
Client3 Certificate
NO
client3.key
client3 only
Client3 Key
YES
Setting up OpenVPN service and firewall 4. Go to the OpenVPN settings page.
5. Setup your OpenVPN to look like Fig 1.3 below
Protocol
Use TCP for this, although more overhead, it works on all occasions. We have gotten UDP to work with Shared Key but not PKI for now.
Dynamic IP Local port
1194 is the universal port for OpenVPN. For more security use another port.
Address pool
This is the network address from where OpenVPN clients will be assigned addresses. Your local network address must be different from your OpenVPN network address pool. For example we have to use a network address besides 192.168.1.0/24 here, we chose 10.0.1.0/24.
Use static IPs Local network
The address of your local network you want to be able to share or access over your VPN connection. For example here our local network is 192.168.1.0. Set this to your network address.
Client-to-client VPN Check this to enable you to access to another OpenVPN client which is connected. We suggest you check this after your OpenVPN connection is working properly. Cryptography
Algorithm used. Use BF-CBC (128bit) for now
Authentication Method
Shared or PKI (Public Key Infrastructure). Shared, if you want everyone to have the same key. PKI, each client has its own unique key.
Shared Key
Leave it blank for PKI
CA certificate
Paste your CA certificate from the BEGIN and END CERTIFICATE
Server certificate
Paste your server certificate from the BEGIN and END CERTIFICATE
Server key
Paste your server key from BEGIN and END RSA PRIVATE KEY
DH parameters
Paste your Diffie Hellman parameters from the BEGIN and END DH PARAMETERS
CRL
DHCP-Opt.: DNSDomainname DHCP-Opt.: DNSServer
Enter you DNS server IP address.
DHCP-Opt.: WINSServer DHCP-Opt.: NBDDServer DHCP-Opt.: NTPServer DHCP-Opt.: NetBIOS node type DHCP-Opt.: NetBIOS Scope DHCP-Opt.: Disable
none
NetBIOS LZO compression
Enabling LZO compression makes VPN faster but uses slightly more processing power. Enable this after everything works fine.
Custom options
push “redirect-gateway def1” -- to automatically setup your default gateway to go through VPN. Using this option will enable you client to automatically use the VPN connection for all network traffic eg. internet, e-mail, etc.
Description
Descriptive name for the VPN settings
6. Setup your firewall rule. Go to Firewall > Rules > WAN. Add a new firewall rule by clicking on
7. Once you hit 'Save' the rule below should be added
8. Go to Firewall > NAT > Outbound. Select 'Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))'. Hit 'Save'. Then add a new mapping according to the VPN network address pool like below. Hit 'Save' again and you're done. This enables your VPN address pool to go beyond the firewall.
VPN Client settings road warrior configuration for Windows 1. Download and install the latest OpenVPN client from http://openvpn.net 2. After installing the Windows OpenVPN client, you should see a new network connection that uses the TAP-Win32 Adapter. Rename the network connection to tap0.
3. Create a new text file with the extension '.ovpn' for example 'blackvaultbox.ovpn' in the path 'c:\program files\openvpn\config' or where you installed the OpenVPN client in the 'config' directory. Make sure the new text file has the extension '.ovpn' else it will not be detected. Setup the new .ovpn file like below. Remove the # in front of comp-lzo if you enabled LZO compression when setting up the OpenVPN server. float port 1194 dev tun dev-node tap0 proto tcp-client remote blackvaultbox_ip_domain 1194 ping 10 persist-tun persist-key tls-client client ca ca.crt cert client1.crt key client1.key ns-cert-type server #comp-lzo verb 4 4. Copy the ca.crt, client1.crt, client1.key files to the 'c:\program files\openvpn\config' or where you installed the OpenVPN client in the 'config' directory. 5. To test your OpenVPN setup. Connect to the internet from another source besides the network where the server is setup. Launch your OpenVPN client. Right click on the OpenVPN icon on the system tray, hover over 'blackvaultbox' or whatever name you gave your .ovpn file and click on connect. A window should pop up with the connection log and the OpenVPN icon in the system tray should finally turn green. Point your web browser to http://www.copymyiptoclipboard.com and it should show and copy the IP address of the network your server is behind.