Page 1: Pfsense VPN 2.0

Setup & Configuration Of OpenVPN On Pfsense 2.0 RC3

Outline

With the recent release of Pfsense 2.0 there have been a significant number of improvements to the OpenVPN component. In previous versions of Pfsense, the client, CA and server certificates had to be created on a client machine and then copied across to the relevant configuration panes in OpenVPN. The client configuration was not bundled as a package for download directly from the Pfsense web GUI, and instead resided on the workstation where the certificates were originally created. For subsequent OpenVPN clients to be created, the process would have to be re-run each time on the same client machine. This process is now covered by the Pfsense 2.0 web GUI. The full list of OpenVPN changes is as follows:-

OpenVPN wizard – guides through making a CA/Cert and OpenVPN server, sets up firewall rules, and so on. Greatly simplifies the process of creating a remote access OpenVPN server.
OpenVPN filtering – an OpenVPN rules tab is available, so OpenVPN interfaces don’t have to be assigned to perform filtering.
OpenVPN client export package – provides a bundled Windows installer with certificates, Viscosity export, and export of a zip file containing the user’s certificate and configuration files.
OpenVPN status page with connected client list – can also kill client connections.
User authentication and certificate management.
RADIUS and LDAP authentication support.

In this guide I will outline creating a new OpenVPN server with local user authentication under Pfsense 2.0 RC3. If you have upgraded from Pfsense 1.2.3 (as is the case for myself) and already have OpenVPN configured, I would suggest removing the existing server and starting from scratch to avoid configuration issues. I will also cover the installation of the OpenVPN client on Windows 7, Snow Leopard 10.6.8 and Ubuntu 11.04.

Download & Install The OpenVPN Client Export Package

The first step is to obtain the client export package, so that we can quickly export all of the required configuration files for our OpenVPN clients.

Log in to your Pfsense 2.0 GUI and navigate to System > Packages. Scroll down and select ‘OpenVPN Client Export Utility’ and run through the installation.

Remove Legacy OpenVPN Server And Certificates

I would highly recommend removing your existing OpenVPN configuration prior to running through the setup in this guide.

Firstly navigate to System > Cert Manager. On the ‘CAs’ pane remove any existing certificates. Once completed navigate to the ‘Certificates’ pane and remove any existing certificates. (Do not remove the ‘Webconfigurator default’ certificate.)

Finally navigate to VPN > OpenVPN and remove your existing server configuration.

Create New OpenVPN Certificates

We’re now ready to create the required certificates for OpenVPN to function with local user authentication. Navigate to System > Cert Manager. On the ‘CAs’ pane choose to create a new certificate and ensure you choose ‘Create an internal Certificate Authority’ in the drop-down box, like so.

Fill out all the required fields with your organization-specific information, choosing a custom ‘internal-ca’ name. Once completed, click ‘Save’ to create the CA.

Once completed, click the first down arrow icon to the right of your newly created CA and choose ‘Export CA Cert’ to download it to your client machine.

Once completed navigate to the ‘Certificates’ pane and create a new certificate. Once again choose ‘Create an Internal Certificate Authority’ in the drop-down box. You’ll notice some of the fields will have been auto-populated. Ensure you fill in any remaining details and ensure you specify the same common name as entered earlier. Once completed click ‘Save’ to create the certificate.

Create A New OpenVPN User And Client Certificate

We’ll now create our first OpenVPN client. Firstly navigate to System > User Manager. Create a new user and fill out the required fields as per below:-

Once completed, click ‘Save’ to finish. Now click on the edit button to the right of the newly created user, scroll down to the ‘User Certificates’ section and click the add button.

Run through the client certificate fields, entering all the required information. Ensure you specify a different common name from what was entered for your CA earlier. This should be specific to the client. Once completed click ‘Save’ to finish.

On the edit user pane, click the two down arrow icons and choose ‘export private key’ and ‘export client cert’ to download both files.

Create New OpenVPN Server & Configure

We’re now ready to create our OpenVPN server. Firstly navigate to VPN > OpenVPN. Then navigate to the ‘Wizard’ pane to launch the configuration process. Under ‘Type of Server’, choose ‘Local user access’ and click ‘Next’.

Under ‘Choose A Certificate Authority’ you should see your previously created CA as the only choice. Simply click ‘Next’ to continue. On the following page the server certificate we created earlier should be listed. Click ‘Next’ to continue.

On the following page fill out your details as per the following screens. Ensure the OpenVPN server is set to listen on the WAN interface. You will need to specify a tunnel network address range. This must be a different address range from your local network address range, otherwise OpenVPN will not function correctly (the routes for the tunnel and the LAN would overlap). Choose any network address range that is in the private, non-routable (RFC 1918) class (10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255 or 192.168.0.0 – 192.168.255.255). Ensure the host ID size is specified in compliance with CIDR notation.
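The tunnel-network rules above (private range, valid CIDR, no overlap with the LAN) are easy to get wrong when a site has several internal subnets, so here is a small check for a candidate range. This is an added example written for this guide, not part of pfSense or the OpenVPN wizard; the LAN subnets and candidate ranges in it are constructed sample values.

```python
"""Check a candidate OpenVPN tunnel network against the local networks.

Added example (not part of the original guide): the wizard requires a tunnel
network that is a private (RFC 1918) range, written in CIDR notation, and
that does not overlap the LAN or any other network reachable through pfSense.
All networks below are constructed sample values.
"""
import ipaddress

# the three RFC 1918 private ranges named in the guide
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_tunnel_network(tunnel_cidr, local_cidrs):
    """Return a list of problems (an empty list means the tunnel network is usable).

    tunnel_cidr: proposed tunnel network, e.g. "10.8.0.0/24"
    local_cidrs: networks already in use behind pfSense, e.g. ["192.168.1.0/24"]
    """
    problems = []
    try:
        # strict=True rejects host bits set (e.g. "10.8.0.1/24") as well as bad syntax,
        # which is exactly the "host ID size in CIDR notation" mistake the wizard trips on
        tunnel = ipaddress.ip_network(tunnel_cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR network: {exc}"]

    if tunnel.version != 4:
        return ["only IPv4 tunnel networks are covered by this guide"]

    if not any(tunnel.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{tunnel} is not inside an RFC 1918 private range")

    # a /30 leaves two usable addresses; anything smaller cannot hold a client
    if tunnel.prefixlen > 30:
        problems.append(f"/{tunnel.prefixlen} leaves no room for client addresses")

    for cidr in local_cidrs:
        local = ipaddress.ip_network(cidr, strict=False)
        if tunnel.overlaps(local):
            problems.append(f"{tunnel} overlaps local network {local}")

    return problems


if __name__ == "__main__":
    lan = ["192.168.1.0/24", "192.168.2.0/24"]  # constructed sample LAN subnets
    for candidate in ("10.8.0.0/24", "192.168.1.0/24", "8.8.8.0/24", "10.8.0.1/24"):
        print(candidate, "->", check_tunnel_network(candidate, lan) or "OK")
```

Pass every subnet pfSense routes for (LAN, any OPT interfaces, and networks reached over other VPNs) in `local_cidrs`; an overlap with any of them produces the same broken-routing symptom the guide warns about.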

Once completed ensure the automatic firewall and NAT rules are created (both boxes are ticked by default) before clicking ‘Finish’.

Export Client Configuration

We’re now ready to export our OpenVPN client configuration. Navigate to VPN > OpenVPN. Click on the ‘Client Export’ tab and scroll down. You should see the user we created earlier. (If you don’t, this is usually due to a certificate mismatch somewhere along the line, for example a user certificate that was not issued by the CA the server uses.)

Choose the ‘Configuration archive’ option next to the user to download an archive with all required files for our client, as per below.

Once completed extract the archived files to a directory along with the files we exported earlier. The contents of the directory should look like the following:-

These files should be moved across to your OpenVPN configuration directory (if running OpenVPN on Windows).

Installing And Configuring An OpenVPN Client In Windows 7

In order to connect to the Pfsense 2.0 OpenVPN server, you will need to install an OpenVPN client. The official client works very well under Windows 7 and is updated fairly frequently.

Firstly download the latest installer (as of writing) from here. Once downloaded run through the installer choosing the default options. You will then need to copy your previously downloaded configuration files to C:\Program Files\OpenVPN\config

Once completed, simply launch the OpenVPN client and choose ‘Connect’. The application will turn green once it has connected successfully to your gateway. If your ISP assigns you a dynamic IP address (most do) you will need to use a service such as DynDNS to assign a hostname for use with OpenVPN. You will need to edit your OpenVPN .ovpn file in your configuration directory to reflect your Dynamic DNS hostname as per below:-

Notice the dynamic DNS hostname inserted in the ‘remote’ section, including the default OpenVPN port number (1194).
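Two things go wrong most often with an exported bundle: a file the .ovpn refers to (CA cert, client cert, key or tls-auth key) is not sitting next to it, and the ‘remote’ line is edited by hand and loses its port. The script below, an added example for this guide and not part of the pfSense Client Export package, covers both the directory check above and the ‘remote’ edit: it builds a constructed sample bundle (the file names and the address 203.0.113.5 are made up), reports missing files, and rewrites the ‘remote’ host to a dynamic DNS name while keeping the port.

```python
"""Inspect an exported OpenVPN client bundle and update its 'remote' line.

Added example, not part of the original guide or the pfSense export package.
The sample bundle below is constructed: file names, the address 203.0.113.5
and the placeholder file contents are made up for illustration.
"""
import os
import tempfile

# options whose first argument must name a file shipped alongside the .ovpn
FILE_OPTIONS = ("ca", "cert", "key", "tls-auth")
DEFAULT_PORT = "1194"  # OpenVPN's default port, as used by the wizard


def parse_ovpn(text):
    """Return [(option, [args...])] for every non-comment line of an .ovpn file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def check_bundle(directory):
    """Return a list of problems with the extracted bundle (empty means OK)."""
    problems = []
    ovpns = [f for f in os.listdir(directory) if f.endswith(".ovpn")]
    if len(ovpns) != 1:
        return [f"expected exactly one .ovpn file, found {len(ovpns)}"]
    with open(os.path.join(directory, ovpns[0])) as fh:
        entries = parse_ovpn(fh.read())
    options = {opt for opt, _ in entries}
    if "remote" not in options:
        problems.append("no 'remote' line: the client has nowhere to connect to")
    for opt, args in entries:
        if opt in FILE_OPTIONS:
            if not args:
                problems.append(f"'{opt}' has no file name")
            elif not os.path.exists(os.path.join(directory, args[0])):
                problems.append(f"'{opt}' refers to missing file {args[0]}")
    for required in ("ca", "cert", "key"):
        if required not in options:
            problems.append(f"no '{required}' line: certificate export was incomplete")
    return problems


def set_remote_host(text, hostname):
    """Rewrite every 'remote' line to use hostname, preserving port (default 1194) and protocol."""
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "remote":
            rest = parts[2:] if len(parts) > 2 else [DEFAULT_PORT]
            out.append(" ".join(["remote", hostname] + rest))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# constructed sample .ovpn, shaped like the 'Configuration archive' export
SAMPLE_OVPN = """client
dev tun
proto udp
remote 203.0.113.5 1194
ca pfsense-ca.crt
cert pfsense-client.crt
key pfsense-client.key
tls-auth pfsense-tls.key 1
persist-key
persist-tun
"""
SAMPLE_FILES = ("pfsense-ca.crt", "pfsense-client.crt", "pfsense-client.key", "pfsense-tls.key")


def build_sample_bundle(directory, omit=()):
    """Write the sample .ovpn plus the files it references, minus those named in 'omit'."""
    with open(os.path.join(directory, "pfsense-udp-1194.ovpn"), "w") as fh:
        fh.write(SAMPLE_OVPN)
    for name in SAMPLE_FILES:
        if name not in omit:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("-- constructed placeholder, not real key material --\n")


def check_sample_bundle(omit=()):
    """Build the sample bundle in a scratch directory and return check_bundle's verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp, omit=omit)
        return check_bundle(tmp)


if __name__ == "__main__":
    print("complete bundle:", check_sample_bundle() or "OK")
    print("missing key:", check_sample_bundle(omit=("pfsense-client.key",)))
    print(set_remote_host(SAMPLE_OVPN, "myhome.dyndns.example"))
```

Run `check_bundle` against the real directory you extracted (for example `C:\Program Files\OpenVPN\config`) before the first connection attempt; a missing key file or a ‘remote’ line without a port shows up here rather than as a vague failure in the connection log.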

Once you are connected, you should check that you can ping your default gateway and other network hosts to ensure the VPN tunnel is working as expected. If you specified a DNS server during the initial OpenVPN server setup, you can ping via DNS name. If this is not the case I would suggest editing your hosts file on each client with the relevant IP addresses and hosts that they need to access.

If the connection is successful the connection log window should look like the following:-

If you are running in a domain environment with home network drives automatically mapped upon login via AD, then you should be able to access your mapped network drive as usual. If you are not running in a domain environment, you can map your drive by right-clicking on ‘Computer’ > ‘Map Network Drive’ and then specifying the path to the share and your network credentials.

Alternatively you can create a batch file to map the drive as per below:-

net use k: \\server\share /user:domain\username /persistent:yes

Substitute an available drive letter and the server and share name you want to connect to. If you are using AD authentication, specify the domain name and username. The /persistent:yes switch will ensure the drive is remapped after a reboot.

Installing & Configuring An OpenVPN Client On Mac OS X Snow Leopard

I would recommend using the excellent freeware OpenVPN client Tunnelblick, which works well on OS X 10.6.8. Firstly navigate to the Tunnelblick download page here and download the latest release. Once completed mount the .dmg file and run through the installation.

When the installation completes, you will need to copy your OpenVPN client configuration files to /Users/username/Library/Application Support/Tunnelblick/Configurations

Once completed, open Tunnelblick, right click and choose ‘Connect’ (your OpenVPN configuration entry should be listed).

If you would like to mount a network drive after logging into OS X, simply click ‘Go’ on the Finder menu, then ‘Connect to Server’ and then type in the network path as per below:-

smb://server/sharename

and click ‘OK’ to complete. Enter your network credentials when prompted. If you would like to auto-mount the network drive during the login process, navigate to ‘System Preferences’ > ‘Accounts’, choose your username and then click on ‘Login Items’. Drag and drop the mounted network drive from your desktop to the login items window.

Installing & Configuring An OpenVPN Client On Ubuntu Linux 11.04

Ubuntu 11.04 includes full OpenVPN functionality, and has a built-in client accessible from the Network Indicator icon > VPN Connections. Unfortunately this did not automatically add the default route successfully once the VPN tunnel was established when using a Vodafone Mobile Connect dongle. Therefore I opted for a dedicated GUI-based client (GOpenVPN).

Firstly we’ll install the pre-requisites. Open up a terminal and type the following:-

sudo apt-get install libglib2.0-dev libgtk2.0-dev libglade2-dev libgnome-keyring-dev gksu subversion build-essential autogen automake autoconf intltool

Once completed, we’ll download the GOpenVPN source, like so:-

svn co https://gopenvpn.svn.sourceforge.net/svnroot/gopenvpn gopenvpn

Once completed, change to your GOpenVPN directory:-

cd gopenvpn/trunk/gopenvpn/

then type:-

autoheader

And run the autogen script:-

./autogen.sh

and then:-

intltoolize

Now we’ll run through configure, make and finally install:-

./configure

then:-

make

and:-

sudo make install

Once completed, copy your OpenVPN client configuration files to /etc/openvpn. I would suggest deleting the existing configuration files first from the /etc/openvpn directory. You will need to do this via the command line using sudo, as the files are owned by ‘root’. Change to the openvpn directory via the terminal and run the following:-

sudo rm filename

Substitute the existing files in the openvpn directory in order to remove all of them.

Finally, copy across your configuration files as per below:-

sudo mv /vpnconfigfolder/* /etc/openvpn/

Once completed you can launch the GOpenVPN client from the terminal, like so:-

/usr/local/bin/gopenvpn

However, I would suggest adding the client to your startup process, so the icon will appear in your Gnome/KDE panel.

If you are running Gnome, navigate to System > Preferences > Startup Applications. Click on ‘Add’ and ensure your item looks like the following:-

The command should point to /usr/local/bin/gopenvpn. Click ‘Save’ once completed.

To ensure GOpenVPN runs without requiring root permission, bring up the terminal and type the following:-

visudo

Scroll to the bottom of the file and insert the following:-

%username ALL=NOPASSWD: /usr/local/bin/gopenvpn

Substitute ‘username’ with the username you are logged in as. (The leading ‘%’ makes sudoers treat the name as a group; this works because Ubuntu creates a group with the same name as each user. The rule grants passwordless sudo only for the gopenvpn binary, not for sudo in general, so keep the path exact.)

You are now ready to connect. Simply right click on the GOpenVPN icon in the Gnome panel and choose ‘connect’. Once connected the icon will turn green. The connection window will look like the following:-

To auto-mount a network drive under Ubuntu, I use ‘gigolo’, a handy front-end for network connections. I much prefer this over using Nautilus.

To install gigolo, bring up a terminal and type the following:-

sudo apt-get install gigolo

Once completed, gigolo can be launched from ‘Applications’ > ‘System Tools’ > ‘Gigolo’. Once launched, create a new bookmark with your home folder/network drive information and click ‘OK’.

Finally, right click on the ‘Gigolo’ icon in the Gnome tray and choose ‘Preferences’. Set the ‘Bookmark auto-connect interval’ to ‘10’ and then click the ‘Interface’ tab and ensure it looks like the following:-

Once completed, click ‘Close’.

We have now successfully set up GOpenVPN on Ubuntu 11.04, and set gigolo to auto-mount a network drive on login.

This concludes our guide on setting up a Pfsense 2.0 RC3 OpenVPN server and the client installation process on Windows 7, Snow Leopard and Ubuntu 11.04.

In a future guide I will go over the setup and configuration of Vodafone’s Mobile Connect dongle on all three operating systems for full OpenVPN compatibility.