Pki Pf Openvpn


7/31/2019 Pki Pf Openvpn

Building Site to Site Connection with OpenVPN on pfSense 2.0 RC1 with PKI

May 11, 2011 / Stefan / posted in Technical / No Comments

In the last post we've set up a Site-to-Site tunnel with a Shared Key; this time we will use an internal Certificate Authority instead. Honestly speaking, if I did not follow this guide, there was no routing between the two sites: OpenVPN Site-to-Site PKI (SSL), http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

For reference here is the network diagram:

pfsense01 will be our OpenVPN server, and pfsense02 will be our OpenVPN client. Client and Server are just hosts on the two LANs behind the routers.

On pfsense01 go to System > Cert Manager, and on the CAs tab create a new Certificate Authority. Enter a Descriptive Name, choose Create an internal Certificate Authority as the Method, and leave Key length and Lifetime at their defaults.


    Fill in the rest of the fields.

Then go to the Certificates tab, add a new one and create the server certificate.

Enter a descriptive name (I've used the router host name) and choose Create an internal Certificate as the Method. Verify that the CA we created in the previous step is selected as the Certificate authority. Leave the rest of the fields at their defaults, with the exception of Common Name: here enter the host name of the server, in my case pfsense01.

Now go to System > User Manager and create a new user. For the sake of simplicity I've used the host name of the second router, pfsense02, as the username. Enter a Password; for Full name I've again used the router name. Then tick Click to create a user certificate.

For the descriptive name use the host name of the router; this is the Common Name of the certificate, and it is important that the names match.

Instead of creating a new user, you can create the certificate directly. Go to Cert Manager and on the Certificates tab add a new one. Again, as Descriptive name and Common Name use the host name of the second router, in my case pfsense02.

Go to VPN > OpenVPN, and on the Server tab add a new server.

As Server Mode select Peer to Peer (SSL/TLS). Protocol is UDP, Device Mode is TUN, Interface is WAN; leave the port at the default 1194. Enter a Description, and tick Enable authentication of TLS packets and Automatically generate a shared TLS authentication key. As Peer Certificate Authority select the CA we created in the beginning. I did not have a Peer Certificate Revocation List, so leave it at None. Select the Server Certificate we created. For DH Parameters Length you can leave the default 1024 bits. Choose an Encryption algorithm, in my case BF-CBC (128-bit); take note of the algorithm, as we have to use the same one on the client too.

As Tunnel Network choose one different from your LANs, in my case the default 10.0.8.0/24. Enter the Local Network, in my case 10.10.9.0/24, and the Remote Network, in my case 10.10.10.0/24. Leave the rest at defaults.

Go to VPN > OpenVPN, Client Specific Overrides tab, and add a new entry for the client.

For Common name enter the host name of the second router that we used as the common name in the certificate, in my case pfsense02. Enter a description and the Tunnel Network, in my case 10.0.8.0/24. Leave the rest at defaults.

In the Advanced field enter:

iroute 10.10.10.0 255.255.255.0

    Without this step there will be no routing between the two LANs.

Go to Firewall > Rules and on the OpenVPN tab add a new rule.

Here for testing purposes I've made an allow-all rule: select any as Protocol, leave the rest at defaults and enter a description.

For the client to be able to connect, let's open the OpenVPN server port.

In Firewall > Rules on the WAN tab add a new rule. Select UDP as Protocol.

As Destination port range select OpenVPN in our case.

Now it is time to export the certificates for use on the second router.

Go back to System > Cert Manager and export the public and private CA certs: click on the first downward-pointing triangle. As a guide, when you hover over it the label reads Export CA.

Then go to User Manager, open the configuration of our user pfsense02, and in the User Certificates section click on both downward-pointing triangles to download both the cert and the key.

Now on pfsense02, go to System > Cert Manager, and on the CAs tab add a new one. As Method select Import an existing Certificate Authority. As Descriptive name enter the name of the CA from the first server, in my case pfsense01. Open the exported certificate with Notepad or another text editor, then simply copy and paste the content of the file.

Go to VPN > OpenVPN, Client tab, and add a new client. As Server Mode select Peer to Peer (SSL/TLS); Protocol is UDP, Device mode is TUN, and Interface is WAN. For Server host or address enter the WAN IP of pfsense01, in my case 10.10.2.2, and enter the port. Put in some Description.

Open the Server configuration (VPN > OpenVPN > Server tab) on pfsense01 and copy the TLS Authentication key.

Paste it into the TLS Authentication field of our client configuration on pfsense02. Untick Automatically generate a shared TLS authentication key and leave Enable authentication of TLS packets ticked.
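As an added check (example code written for this page, not from the post or from pfSense), the script below parses constructed copies of the three pieces the post builds, the server config, the client-specific override for the pfsense02 certificate CN and the client config, and reports the mismatches that break a site-to-site link: a missing iroute, a client dialling the wrong port, differing ciphers, and tls-auth keys missing or with the wrong key direction. The file paths in the samples are assumptions, and the BF-CBC warning reflects current guidance rather than the 2011 default.

```python
import ipaddress
# Constructed samples (not files taken from pfSense): server config, the
# client-specific override pfSense writes for CN "pfsense02", client config.
SERVER_CONF = """
port 1194
server 10.0.8.0 255.255.255.0
route 10.10.10.0 255.255.255.0
tls-auth /var/etc/openvpn/server1.tls-auth 0
cipher BF-CBC
dh /etc/dh-parameters.1024
"""
CSC_PFSENSE02 = "iroute 10.10.10.0 255.255.255.0\n"
CLIENT_CONF = """
client
remote 10.10.2.2 1194
tls-auth /var/etc/openvpn/client1.tls-auth 1
cipher BF-CBC
"""

def parse(conf):
    """Map each directive to the list of argument lists it appears with."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts.setdefault(key, []).append(args)
    return opts

def check_site_to_site(server, csc, client, remote_net):
    """Return findings; an empty list means server, override and client agree."""
    s, o, c = parse(server), parse(csc), parse(client)
    first = lambda opts, key: opts.get(key, [[]])[0]
    net = ipaddress.ip_network(remote_net)
    want = [str(net.network_address), str(net.netmask)]
    out = []
    # iroute in the override ties the far LAN to this client's CN; without it nothing routes.
    if want not in o.get("iroute", []):
        out.append(f"override lacks 'iroute {want[0]} {want[1]}'")
    if first(c, "remote")[1:2] != first(s, "port"):
        out.append("client 'remote' port does not match the server 'port'")
    # Data-channel cipher must be identical on both ends; BF-CBC is also weak today.
    if first(s, "cipher") != first(c, "cipher"):
        out.append("cipher differs between server and client")
    if first(s, "cipher") == ["BF-CBC"]:
        out.append("warning: BF-CBC is a 64-bit block cipher, prefer AES-256-GCM")
    # tls-auth on both sides, key direction 0 on the server and 1 on the client.
    if first(s, "tls-auth")[1:2] != ["0"] or first(c, "tls-auth")[1:2] != ["1"]:
        out.append("tls-auth missing or key direction not 0 (server) / 1 (client)")
    return out
```

The 1024-bit DH default chosen in the post deserves the same treatment; 2048 bits or more is the current baseline.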