Setup & Configuration Of OpenVPN On Pfsense 2.0 RC3
Outline
With the recent release of Pfsense 2.0 there has been a significant number of improvements
to the OpenVPN component. In previous versions of Pfsense, the client, CA and server
certificates had to be created on a client machine and then copied across to the relevant
configuration panes in OpenVPN. The client configuration was not bundled as a package
for download directly from the Pfsense web GUI, and instead resided on the workstation
where the certificates were originally created. For subsequent OpenVPN clients to be
created the process would have to be re-run each time on the same client machine.
This process is now handled entirely within the Pfsense 2.0 web GUI. The full list of OpenVPN
changes is as follows:-
OpenVPN wizard guides through making a CA/Cert and OpenVPN server, sets up
firewall rules, and so on. Greatly simplifies the process of creating a remote access
OpenVPN server.
OpenVPN filtering – an OpenVPN rules tab is available, so OpenVPN interfaces
don’t have to be assigned to perform filtering.
OpenVPN client export package – provides a bundled Windows installer with
certificates, Viscosity export, and export of a zip file containing the user’s
certificate and configuration files.
OpenVPN status page with connected client list — can also kill client connections
User authentication and certificate management
RADIUS and LDAP authentication support
In this guide I will outline creating a new OpenVPN server with local user authentication
under Pfsense 2.0 RC3. If you have upgraded from Pfsense 1.2.3 (as is the case for myself)
and already have OpenVPN configured, I would suggest removing the existing server and
starting from scratch to avoid configuration issues. I will also cover the installation of the
OpenVPN client on Windows 7, Snow Leopard 10.6.8 and Ubuntu 11.04.
Download & Install The OpenVPN Client Export Package
The first step is to obtain the client export package, so that we can quickly export all of the
required configuration files for our OpenVPN clients.
Login to your Pfsense 2.0 GUI and navigate to System > Packages. Scroll down and select
‘OpenVPN Client Export Utility’ and run through the installation.
Remove Legacy OpenVPN Server And Certificates
I would highly recommend removing your existing OpenVPN configuration prior to
running through the setup in this guide.
Firstly navigate to System > Cert Manager. On the ‘CAs’ pane remove any existing
certificates. Once completed navigate to the ‘Certificates’ pane and remove any existing
certificates. (Do not remove the ‘Webconfigurator default’ certificate.)
Finally navigate to VPN > OpenVPN and remove your existing server configuration.
Create New OpenVPN Certificates
We’re now ready to create the required certificates for OpenVPN to function with local
user authentication. Navigate to System > Cert Manager. On the ‘CAs’ pane choose to
create a new certificate and ensure you choose ‘Create an internal Certificate Authority’ in
the drop-down box, like so.
Fill out all the required fields with your organization specific information, choosing a
custom ‘internal-ca’ name. Once completed, click ‘Save’ to create the CA.
Once completed, click the first down arrow icon to the right of your newly created CA and
choose ‘Export CA Cert’ to download to your client machine.
Once completed navigate to the ‘Certificates’ pane and create a new certificate. Once again
choose ‘Create an Internal Certificate Authority’ in the drop-down box. You’ll notice some
of the fields will have been auto-populated. Ensure you fill in any remaining details and
ensure you specify the same common name as entered earlier. Once completed click
‘Save’ to create the certificate.
Create A New OpenVPN User And Client Certificate
We’ll now create our first OpenVPN client. Firstly navigate to System > User
Manager. Create a new user and fill out the required fields as per below:-
Once completed, click ‘Save’ to finish. Now click on the edit button to the right of the
newly created user and scroll down to the ‘User Certificates’ section and click the add
button.
Run through the client certificate fields, entering all the required information. Ensure you
specify a different common name to what was entered for your CA earlier. This should be
specific to the client. Once completed click ‘Save’ to finish.
On the edit user pane, click the two down arrow icons and choose ‘export private key’ and
‘export client cert’ to download both files.
Create New OpenVPN Server & Configure
We’re now ready to create our OpenVPN server. Firstly navigate to VPN >
OpenVPN. Then navigate to the ‘Wizard’ pane to launch the configuration process. Under
‘Type of Server’, choose ‘Local user access’ and click ‘Next’.
Under ‘Choose A Certificate Authority’ you should see your previously created CA as the
only choice. Simply click ‘Next’ to continue. On the following page the server certificate
we created earlier should be listed. Click Next to continue.
On the following page fill out your details as per the following screens. Ensure the
OpenVPN server is set to listen on the WAN interface. You will need to specify a tunnel
network address range. You will need to specify an alternative address range to your local
network address range, otherwise OpenVPN will not function correctly. Choose any
network address range from the private (non-routable) address space (10.0.0.0 – 10.255.255.255 or
172.16.0.0 – 172.31.255.255 or 192.168.0.0 – 192.168.255.255). Ensure the network size is
specified as a prefix length in CIDR notation.
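To check a candidate tunnel network against the rules above before typing it into the wizard, here is an added Python example; it is not part of the original guide and not code from Pfsense or OpenVPN. The LAN networks passed in are assumed values, and the check_tunnel_network and max_net30_clients names are mine. The capacity figure uses OpenVPN's default net30 topology, in which every client is given its own /30.

```python
import ipaddress

# RFC 1918 private ranges: the "non-routable" space the guide says to pick from.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_tunnel_network(tunnel_cidr, lan_cidrs):
    """Return a list of problems with a proposed OpenVPN tunnel network.

    tunnel_cidr: the tunnel network in CIDR notation, e.g. "10.0.8.0/24"
    lan_cidrs:   every network already in use behind Pfsense (LAN, OPT1, ...)
    An empty list means the range is usable.
    """
    # strict=True rejects host bits set in the network part ("10.0.8.1/24"),
    # the usual CIDR mistake when filling in the wizard form.
    try:
        tunnel = ipaddress.ip_network(tunnel_cidr, strict=True)
    except ValueError as exc:
        return [f"invalid tunnel network {tunnel_cidr!r}: {exc}"]
    if not isinstance(tunnel, ipaddress.IPv4Network):
        return [f"{tunnel} is not IPv4; only IPv4 tunnels are checked here"]

    problems = []
    if not any(tunnel.subnet_of(rng) for rng in PRIVATE_RANGES):
        problems.append(f"{tunnel} is not inside an RFC 1918 private range")

    # A tunnel that overlaps the LAN gives the client two routes for the same
    # addresses, which is why the guide warns OpenVPN will not work correctly.
    for lan_cidr in lan_cidrs:
        lan = ipaddress.ip_network(lan_cidr, strict=False)
        if tunnel.overlaps(lan):
            problems.append(f"{tunnel} overlaps local network {lan}")
    return problems


def max_net30_clients(tunnel_cidr):
    """Clients that fit with OpenVPN's default net30 topology.

    Each client consumes a /30 (4 addresses); the first /30 belongs to the server.
    """
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    return max(0, tunnel.num_addresses // 4 - 1)


if __name__ == "__main__":
    # Assumed values: a home LAN on 192.168.1.0/24 and two candidate tunnels.
    lans = ["192.168.1.0/24"]
    for candidate in ("10.0.8.0/24", "192.168.1.0/24", "203.0.113.0/24", "10.0.8.1/24"):
        print(candidate, check_tunnel_network(candidate, lans) or "ok")
    print("clients on 10.0.8.0/24 with net30:", max_net30_clients("10.0.8.0/24"))
```

Run it with the networks actually configured on the LAN and OPT interfaces; a non-empty list is a reason to pick a different tunnel range before the wizard writes firewall and NAT rules for it.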
Once completed ensure the automatic firewall and NAT rules are created (both boxes are
ticked by default) before clicking ‘Finish’.
Export Client Configuration
We’re now ready to export our OpenVPN client configuration. Navigate to VPN >
OpenVPN. Click on the ‘Client Export’ tab and scroll down. You should see the user we
created earlier. (If you don’t, this is usually down to a certificate mismatch somewhere
along the line)
Choose the ‘Configuration archive’ option next to the user to download an archive with all
required files for our client, as per below.
Once completed extract the archived files to a directory along with the files we extracted
earlier. The contents of the directory should look like the following:-
These files should be moved across to your OpenVPN configuration directory (if running
OpenVPN on Windows).
Installing And Configuring An OpenVPN Client In Windows 7
In order to connect to the Pfsense 2.0 OpenVPN server, you will need to install an
OpenVPN client. The official client works very well under Windows 7 and is updated
fairly frequently.
Firstly download the latest installer (as of writing) from here. Once downloaded run
through the installer choosing the default options. You will then need to copy your
previously downloaded configuration files to C:\Program Files\OpenVPN\config.
Once completed, simply launch the OpenVPN client and choose ‘Connect’. The
application will turn green once it has connected successfully to your gateway. If your ISP
assigns you a dynamic IP address (most do) you will need to use a service such as
DynDNS to assign a hostname for use with OpenVPN. You will need to edit your
OpenVPN .ovpn file in your configuration directory to reflect your Dynamic DNS
hostname as per below:-
Notice the dynamic DNS hostname inserted in the ‘remote’ section including the default
OpenVPN port number.
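As an added example (not the guide's own content, and not code from Pfsense or OpenVPN), the Python below rewrites the ‘remote’ directive of an exported .ovpn file to a dynamic DNS hostname while keeping the port and protocol that the export package wrote. The sample configuration, the 203.0.113.10 address and the myhome.example.org hostname are constructed placeholders, and the function names are mine.

```python
import re

# Constructed sample in the shape of an exported client configuration; the
# address and file names are placeholders, not values from the guide.
SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote 203.0.113.10 1194 udp
auth-user-pass
ca pfsense-ca.crt
cert client1.crt
key client1.key
"""

# RFC 1123 style hostname: labels of letters, digits and hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(name):
    """True if name is something OpenVPN can sensibly resolve."""
    return HOSTNAME_RE.match(name) is not None


def get_remotes(config_text):
    """Return the arguments of every 'remote' directive, e.g. [['host', '1194', 'udp']]."""
    return [line.split()[1:] for line in config_text.splitlines()
            if line.split()[:1] == ["remote"]]


def set_remote(config_text, hostname, port=1194):
    """Point every 'remote' line at hostname, keeping its port/protocol.

    If the file has no 'remote' line at all, one is appended using the default
    OpenVPN port. Everything else in the file is left untouched.
    """
    if not is_valid_hostname(hostname):
        raise ValueError(f"{hostname!r} is not a valid DNS hostname")
    out = []
    replaced = 0
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["remote"]:
            # tokens[2:] is the port (and optional protocol) written by the export;
            # fall back to the default port when the line only had a host.
            tail = tokens[2:] if len(tokens) > 2 else [str(port)]
            out.append(" ".join(["remote", hostname] + tail))
            replaced += 1
        else:
            out.append(line)
    if replaced == 0:
        out.append(f"remote {hostname} {port}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    updated = set_remote(SAMPLE_OVPN, "myhome.example.org")
    print(updated)
    print("remote directives now:", get_remotes(updated))
```

The validation step matters because a typo in the hostname is only reported by the client as a resolver failure at connect time; checking it before saving the file is cheaper than reading the log window.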
Once you are connected, check that you can ping your default gateway and other
network hosts to ensure the VPN tunnel is working as expected. If you specified a DNS
server during the initial OpenVPN server setup, you can ping via DNS name. If this is not
the case I would suggest editing your hosts file on each client with the relevant IP addresses
and hosts that they need to access.
If the connection is successful, the connection log window should look like the following:-
If you are running in a domain environment with home network drives automatically
mapped upon login via AD, then you should be able to access your mapped network drive
as usual. If you are not running in a domain environment, you can map your drive by right
clicking on ‘Computer’ > ‘Map Network Drive’ and then specifying the path to the share
and your network credentials.
Alternatively you can create a batch file to map the drive as per below:-
net use k: \\server\share /user:domain\username /persistent:yes
Substituting with an available drive letter and the server and share name you want to
connect to. If you are using AD authentication, specify the domain name and
username. The /persistent:yes switch will ensure the drive is remapped after a reboot.
Installing & Configuring An OpenVPN Client On Mac OS X Snow Leopard
I would recommend using the excellent freeware OpenVPN client Tunnelblick, which
works well on OSX 10.6.8. Firstly navigate to the Tunnelblick download page here and
download the latest release. Once completed mount the .dmg file and run through the
installation.
When the installation completes, you will need to copy your OpenVPN client configuration
files to /Users/username/Library/Application Support/Tunnelblick/Configurations
Once completed, open Tunnelblick and right click and choose ‘Connect’ (your OpenVPN
configuration entry should be listed).
If you would like to auto-mount a network drive after logging into OSX, simply click ‘Go’
on the Finder menu, then ‘Connect to server’ and then type in the network path as per
below:-
smb://server/sharename
and click ‘OK’ to complete. Enter your network credentials when prompted. If you would
like to auto-mount the network drive during the login process, navigate to ‘System
Preferences’ > ‘Accounts’, choose your username and then click on ‘Login Items’. Drag
and drop the mounted network drive from your desktop to the login items window.
Installing & Configuring An OpenVPN Client On Ubuntu Linux 11.04
Ubuntu 11.04 includes full OpenVPN functionality, and has a built-in client accessible
from the Network Indicator icon > VPN Connections. Unfortunately this did not
automatically add the default route successfully once the VPN tunnel was established when
using a Vodafone Mobile Connect dongle. Therefore I opted for a dedicated GUI based
client (GOpenVPN).
Firstly we’ll install the pre-requisites. Open up a terminal and type the following:-
sudo apt-get install libglib2.0-dev libgtk2.0-dev libglade2-dev libgnome-keyring-dev gksu subversion build-essential autogen automake autoconf intltool
Once completed, we’ll download the GOpenVPN source, like so:-
svn co https://gopenvpn.svn.sourceforge.net/svnroot/gopenvpn gopenvpn
Once completed, change to your GOpenVPN directory:-
cd gopenvpn/trunk/gopenvpn/
then type:-
autoheader
And run the autogen script:-
./autogen.sh
and then:-
intltoolize
Now we’ll run through configure, make and finally install:-
./configure
then:-
make
and:-
sudo make install
Once completed, copy your OpenVPN client configuration files to /etc/openvpn. I would
suggest deleting the existing configuration files first from the /etc/openvpn directory. You
will need to do this via the command line using sudo, as the files are owned by
‘root’. Change to the openvpn directory via the terminal and run the following:-
sudo rm filename
Substitute with the existing files in the openvpn directory in order to remove all of them.
Finally, copy across your configuration files as per below:-
sudo mv /vpnconfigfolder/* /etc/openvpn
Once completed you can launch the GOpenVPN client from the terminal, like so:-
/usr/local/bin/gopenvpn
However, I would suggest adding the client to your startup process, so the icon will appear
in your Gnome/KDE panel.
If you are running Gnome, navigate to System > Preferences > Startup Applications. Click
on ‘Add’ and ensure your item looks like the following:-
The command should point to /usr/local/bin/gopenvpn. Click ‘Save’ once completed.
To ensure GOpenVPN runs without requiring root permission, bring up the terminal and
type the following:-
visudo
Scroll to the bottom of the file and insert the following:-
%username ALL=NOPASSWD: /usr/local/bin/gopenvpn
Substitute ‘username’ with the username you are logged in as. Note that the leading % makes this a group entry in sudoers; it works here because Ubuntu gives each user a private group of the same name.
You are now ready to connect. Simply right click on the GOpenVPN icon in the Gnome
panel and choose ‘connect’. Once connected the icon will turn green. The connection
window will look like the following:-
To auto-mount a network drive under Ubuntu, I use ‘gigolo’, a handy front-end for
network connections. I much prefer this over using Nautilus.
To install gigolo, bring up a terminal and type the following:-
sudo apt-get install gigolo
Once completed, gigolo can be launched from ‘Applications’ > ‘System Tools’ > ‘Gigolo’.
Once launched, create a new bookmark with your home folder/network drive information
and click ‘OK’.
Finally, right click on the ‘Gigolo’ icon in the Gnome tray and choose ‘Preferences’. Set
the ‘Bookmark auto-connect interval’ to ‘10’ and then click the ‘interface’ tab and ensure it
looks like the following:-
Once completed, click ‘Close’.
We have now successfully set up GOpenVPN on Ubuntu 11.04, and set gigolo to auto-mount a network drive on login.
This concludes our guide on setting up a Pfsense 2.0 RC3 OpenVPN server and the client
installation process on Windows 7, Snow Leopard and Ubuntu 11.04.
In a future guide I will go over the setup and configuration of Vodafone’s Mobile Connect
dongle on all three operating systems for full OpenVPN compatibility.