Sharing a Port with OpenVPN and a Web Server


Routing all of your Internet traffic over a VPN when away from home is almost a must, especially when using public Wi-Fi hotspots or hotel Internet.

Hello all, long time no see. I have had a lot of other engagements lately and could not get to our beloved topic of pfSense. The fact that I don't write new posts does not mean that I have abandoned it. Sometimes you have to give priority to things in your life that are not as pleasant as others, but are just as important, if not more so.

Enough said about that. Let’s get to the topic.

Recently I was visiting an Asian country. As you probably know, there are places where access to some sites is restricted. It was a strange experience not to be able to open pages that you use every day. On the other hand, when in a foreign country I would prefer to route all my traffic over my Internet connection back at home anyway, just as a protection.

So for test purposes I set up an OpenVPN instance to check whether I was able to route all my traffic back home.

During my research I came across a very interesting article in the pfSense documentation: "Sharing a Port with OpenVPN and a Web Server".

It works, and the only modifications that have to be made to the OpenVPN server configuration are as follows:

  1. Set the protocol to TCP in the General Information section. This is required, not optional: port-share only works in TCP server mode, because OpenVPN has to look at the first bytes of each new connection to tell its own clients apart from web clients.
  2. Don't forget to tick Redirect Gateway in Tunnel Settings (Force all client generated traffic through the tunnel).
  3. In the Advanced configuration section, put the following in the Advanced field:

port-share localhost 443

The earlier OpenVPN configuration instructions can be found here:

pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication

Now you can connect to your pfSense / OpenVPN server on TCP port 443, and to anyone watching the connection it looks much like a page being opened over SSL. Two things to keep in mind. First, this is a matter of port, not of protocol: the OpenVPN stream does not start with a TLS record header (that difference is exactly what port-share uses to tell the two apart), so deep packet inspection can still distinguish it from real HTTPS. Second, every connection to port 443 that does not look like an OpenVPN handshake is proxied to localhost:443 on the firewall, so whatever listens there (the pfSense web GUI, if it is configured for HTTPS on that port) becomes reachable from the Internet.
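As an added example (not code from this post, from pfSense or from the OpenVPN project), here is the decision port-share makes on each new connection. It is a Python port of the is_openvpn_protocol() check from OpenVPN's socket.h, applied to constructed first bytes of three kinds of connection; the session id, the TLS ClientHello prefix and the HTTP request are made up for the demo, and the V3 reset opcode is only accepted by newer OpenVPN releases.

```python
"""Added example: the heuristic OpenVPN's port-share uses to decide whether
a new TCP connection on the shared port is an OpenVPN client or something
to hand off to the proxy target (here 'port-share localhost 443')."""
import struct

# Opcode constants as defined in the OpenVPN sources.
P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7    # first packet of an OpenVPN 2.x client
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # tls-crypt-v2 clients; accepted by newer releases


def is_openvpn_protocol(prefix: bytes) -> bool:
    """Port of is_openvpn_protocol() from OpenVPN's socket.h.

    In TCP mode every OpenVPN packet is preceded by a 16-bit big-endian
    length. A client's first packet is a HARD_RESET_CLIENT with key_id 0,
    so the stream starts 00 LL OP with LL >= 14 and OP == opcode << 3.
    """
    if len(prefix) >= 3:
        return (prefix[0] == 0 and prefix[1] >= 14 and prefix[2] in (
            P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT,
            P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT))
    if len(prefix) >= 2:
        return prefix[0] == 0 and prefix[1] >= 14
    return True  # not enough data yet: OpenVPN keeps reading before deciding


def classify(prefix: bytes) -> str:
    """'openvpn' -> handled by the VPN server; 'proxy' -> forwarded to the
    port-share target, which is where anything non-OpenVPN ends up."""
    return "openvpn" if is_openvpn_protocol(prefix) else "proxy"


def build_hard_reset_client_v2(session_id: bytes) -> bytes:
    """Constructed first TCP segment of an OpenVPN 2.x client without tls-auth:
    [len][opcode|key_id][8-byte session id][packet-id array len=0][packet id]."""
    if len(session_id) != 8:
        raise ValueError("OpenVPN session ids are 8 bytes")
    opcode_byte = (P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT) | 0  # key_id 0
    body = bytes([opcode_byte]) + session_id + b"\x00" + struct.pack("!I", 0)
    return struct.pack("!H", len(body)) + body


# Constructed samples of what else might knock on TCP/443.
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"  # record header + handshake
PLAIN_HTTP_PREFIX = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


if __name__ == "__main__":
    for label, data in [
        ("openvpn client", build_hard_reset_client_v2(b"\x11" * 8)),
        ("tls client hello", TLS_CLIENT_HELLO_PREFIX),
        ("plain http", PLAIN_HTTP_PREFIX),
    ]:
        print(f"{label:16s} first bytes {data[:3].hex():6s} -> {classify(data)}")
```

Note the proxy branch: plain HTTP, TLS and even a port scanner's probe all land on the port-share target, so that target has to be something you are prepared to expose on the WAN.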

Have fun, and as usual I don't take any kind of responsibility for the way you use this setup, or for any legal actions or consequences related to it.

Potential DNS Rebind attack detected, workaround

If you publish sites to the Internet behind a pfSense device and then try to open the public address from inside your own network, you will receive the following error message:

Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding

Try accessing the router by IP address instead of by hostname.

This will appear in your browser.

Recently I’ve hit this issue.

The workaround for the problem that I found is as follows.

You add, for the network behind the pfSense device, a static DNS record (a host override) for the site that points to the server's internal IP address. The error appears because, from inside the LAN, the public name resolves to the WAN address; without NAT reflection the connection ends up on the firewall itself, the web GUI answers it, sees a Host header that is neither its own name nor one of its addresses, and refuses the request as a possible DNS rebinding attempt. With the override, LAN clients connect straight to the internal server, so the web GUI and its check are never involved; the check itself stays in place.

The solution is as follows:

In the pfSense web GUI, select

Services > DNS Forwarder


There, at the bottom of the page, is the Host Overrides section.

Click on the "+" sign in this section.


Here, for the site that you want to open, fill in the following:

Let's say, for example, you published the site:

something.anything.com

In the Host field enter: something

In the Domain field enter: anything.com

In the IP Address field enter the internal IP address of the server hosting the site (the address the port forward points to, not the WAN address).

In the Description field put something useful, so that half a year later you can remind yourself what this exception was for 😉

Click on Save.

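As an added example (not code from this post or from pfSense), the following Python models the situation above: a LAN client resolving the public name through the pfSense DNS Forwarder, and a simplified version of the Host-header check that produces the "Potential DNS Rebind attack detected" message. The firewall hostname, its WAN/LAN addresses, the internal server address and the public DNS record are constructed lab values.

```python
"""Added example: why a public hostname trips pfSense's DNS-rebind check from
inside the LAN, and why a Host Override (split DNS) makes it go away."""
import ipaddress

# Constructed lab values; none of these come from the post.
FIREWALL_HOSTNAME = "pfsense.localdomain"
FIREWALL_IPS = {"203.0.113.10", "192.168.1.1"}          # WAN and LAN addresses
INTERNAL_WEB_SERVER = "192.168.1.20"                    # target of the port forward
PUBLIC_DNS = {"something.anything.com": "203.0.113.10"}  # public record -> WAN IP


def add_host_override(overrides, host, domain, ip, description=""):
    """Mirror of the Host Overrides form: Host + Domain + IP Address."""
    ipaddress.ip_address(ip)  # raises on a typo, like the GUI would
    overrides[f"{host}.{domain}".lower()] = (ip, description)
    return overrides


def resolve(name, overrides, public_dns=PUBLIC_DNS):
    """What a LAN client gets from the DNS Forwarder: an override wins over
    the upstream (public) answer."""
    name = name.lower().rstrip(".")
    if name in overrides:
        return overrides[name][0]
    return public_dns[name]


def webgui_accepts_host(host_header, hostname=FIREWALL_HOSTNAME, ips=FIREWALL_IPS):
    """Simplified form of the check behind 'Potential DNS Rebind attack detected':
    the HTTP Host header must name the firewall itself."""
    host = host_header.lower()
    if ":" in host:  # strip an explicit port; hostnames and IPv4 literals only
        host = host.rsplit(":", 1)[0]
    return host == hostname.lower() or host in ips


def lan_client_opens(name, overrides):
    """Outcome of a LAN browser opening https://<name>/ when NAT reflection is off."""
    ip = resolve(name, overrides)
    if ip in FIREWALL_IPS:
        # The connection terminates on the firewall, so the web GUI answers it
        # and sees Host: <name>.
        return "web GUI" if webgui_accepts_host(name) else "DNS rebind error"
    return f"served by {ip}"


if __name__ == "__main__":
    site = "something.anything.com"
    print("without override:", lan_client_opens(site, {}))
    ov = add_host_override({}, "something", "anything.com", INTERNAL_WEB_SERVER,
                           "split DNS for the published web server")
    print("with override:   ", lan_client_opens(site, ov))
```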

Upgrade from pfSense 2.1.5 to 2.2 on Hyper-V

After the release of pfSense 2.2 it was time to upgrade some installations. They reside on Windows Server 2012 R2 Hyper-V. After the first reboot my test machine did not come up. The screen looked like this:

The error message is quite interesting at first:

Mounting from ufs:/dev/ad0s1a failed with error 19.

After a little googling I found this article:

Mounting from ufs:/dev/adaxs1a failed with error 19.

and after simply entering ? at the mountroot> prompt (which lists the disk devices the kernel found), the answer to the problem was in front of me: the disk names had changed from

ad0s1a

to

da0s1a

So to boot I typed the root file system with the new device name at the mountroot> prompt (ufs:/dev/da0s1a), and voilà, the system came up.

Now the only thing left is to make the change permanent in the boot configuration, i.e. in /etc/fstab; otherwise the next reboot ends at the same prompt.

You have the option to do it from the console: choose 8) Shell and edit the file /etc/fstab. Mine referenced /dev/ad0s1a; after the change it referenced /dev/da0s1a instead.

Or, if you prefer, you can make the change using the web GUI: go to the Diagnostics menu and select Edit File. From there, navigate to /etc/fstab and edit the text. After the change, reboot and verify that the system comes up from the correct partition on its own, without stopping at the mountroot> prompt.
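As an added example (not code from this post or from pfSense), the Python below does the fstab edit described above and derives the string to type at the mountroot> prompt from the root entry. The sample fstab is constructed in the layout of a default single-disk install (root on s1a, swap on s1b); the rename only touches the device column, so partition suffixes and the other fields stay as they were.

```python
"""Added example: rewrite /etc/fstab for the ad0 -> da0 device rename and
derive the answer to type at the FreeBSD 'mountroot>' prompt."""
import re

# Constructed fstab in the layout of a default single-disk pfSense install.
SAMPLE_FSTAB = """\
# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1a     /           ufs     rw       1     1
/dev/ad0s1b     none        swap    sw       0     0
"""


def rename_device(fstab_text, old="ad0", new="da0"):
    """Replace the disk name only in the device column, leaving partitions
    (s1a, s1b, ...) and the remaining fields untouched. Returns (text, count).
    The lookahead keeps e.g. /dev/ad01s1a from being mangled when old='ad0'."""
    pattern = re.compile(r"^/dev/" + re.escape(old) + r"(?=(?:s\d+[a-h]?|p\d+)?\s)")
    out, changed = [], 0
    for line in fstab_text.splitlines():
        new_line, n = pattern.subn("/dev/" + new, line)
        changed += n
        out.append(new_line)
    return "\n".join(out) + "\n", changed


def mountroot_answer(fstab_text):
    """The string to type at 'mountroot>' for the root entry, e.g. ufs:/dev/da0s1a."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#") and fields[1] == "/":
            return f"{fields[2]}:{fields[0]}"
    raise ValueError("no root file system entry in fstab")


if __name__ == "__main__":
    fixed, n = rename_device(SAMPLE_FSTAB)
    print(f"{n} entries rewritten; at mountroot> type: {mountroot_answer(fixed)}")
    print(fixed)
```

Run it against a copy of the real /etc/fstab first and compare the count with the number of entries you expect to change before writing the result back.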

 

pfSense 2.2 Released!

It's been a while since I've been digging into pfSense. A lot of things have happened. The good news is that I currently have a few projects related to the topic and will write a few posts about them. The next post will be about upgrading from 2.1.5 to 2.2.

In the meantime you can check what the new features in this release are here:

2.2 New Features and Changes

The official article about the release:

pfSense 2.2-RELEASE Now Available!

and of course the Upgrade Guide

 

 

MBA

Hi guys,

As you probably noticed, I haven't posted anything since October 2011. The reason for this is not a lack of interesting topics or inspiration, but a lack of time. Currently I'm in an MBA program and it consumes all my time and energy. Hopefully I will finish it around October 2012, and at that time I will be able to embark on some new endeavours. In the meantime you could share some topics that are of interest to you, and I will try to reply as soon as I can, or include them in my plans for future posts.

Until then good luck, have fun.

Windows Server 8 on VM Workstation 8 with Hyper-V Role

As you probably know, the Developer Previews of Windows 8 and Windows Server 8 were announced at the Build conference.

Because of the numerous new features in Hyper-V 3.0, I wanted to check them out personally. Because I do not have two spare boxes to install them on, virtualization comes into play.

Before the Hyper-V role is added to the server, there is some configuration to be made on the virtual machine.

The best description of the process that I found is in this article:

Nesting Hyper-V with VMware Workstation 8 and ESXi 5

In the Processors configuration, Virtualize Intel VT-x/EPT must be checked,

and one line must be added to the VM's .vmx configuration file:

hypervisor.cpuid.v0 = "FALSE"

That's it; now you can add the Hyper-V role and play with it.


pfSense 2.0 Release Now Available!

The 2.0 release is finally available.

Here is the news:

2.0 Release Now Available!

My experience so far is good; I've already upgraded some of my machines.

You can take a look at the upgrade process from RC3 to RTM here:

 

 

Before performing any kind of upgrade read carefully the Upgrade Guide!!!

 


Using your OpenVPN Road Warrior setup as a Secure Relay

Introduction

If you are in a café or another place with free wireless Internet access, you are at risk: your traffic can be monitored, captured and analysed, your sensitive data can be stolen, or your laptop infected with a malicious application.

To avoid as much of the above as possible, you can route all your traffic through the Internet connection at home or in your office.

Configuration

As a base configuration you can use pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication

up to the Tunnel Settings section of the OpenVPN configuration.

There, tick Redirect Gateway.

 

Under Client Settings, enter the IP address of your LAN interface as DNS Server 1.

Explanation

By doing so you redirect all your traffic through the VPN connection and avoid the risks of public Internet hotspots. The DNS server address is needed so that your own device resolves web site names instead of the hotspot's DNS server: without it, your DNS queries would still leave through the hotspot, which both reveals which sites you visit and lets the hotspot answer those queries however it likes.

Testing

As a test, run a trace route to a popular Internet site (for example, tracert bbc.co.uk) with and without the VPN connection established. With the tunnel up, the first hop should be the tunnel address of your OpenVPN server rather than the hotspot's gateway.
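As an added example (not code from this post), the Python below turns that manual comparison into a check: it parses tracert output and reports whether the first responding hop lies inside the tunnel network. The tunnel network (10.0.8.0/24), the two tracert outputs, the hop addresses and the target address are all constructed for the demo; only the Windows tracert line format is real.

```python
"""Added example: check from tracert output whether traffic is really leaving
through the VPN (first hop inside the tunnel network) or through the hotspot."""
import ipaddress

TUNNEL_NETWORK = ipaddress.ip_network("10.0.8.0/24")  # assumed OpenVPN tunnel network

# Constructed tracert output in the Windows format, trimmed to a few hops.
TRACERT_VIA_HOTSPOT = """\
Tracing route to bbc.co.uk [212.58.244.23]
over a maximum of 30 hops:

  1     3 ms     2 ms     2 ms  192.168.0.1
  2    14 ms    13 ms    15 ms  100.64.12.1
  3     *        *        *     Request timed out.
  4    28 ms    27 ms    29 ms  212.58.244.23
"""

TRACERT_VIA_VPN = """\
Tracing route to bbc.co.uk [212.58.244.23]
over a maximum of 30 hops:

  1    41 ms    40 ms    42 ms  10.0.8.1
  2    43 ms    44 ms    42 ms  198.51.100.1
  3    61 ms    60 ms    62 ms  212.58.244.23
"""


def parse_hops(output):
    """Return [(hop_number, address_or_None)]; timed-out hops map to None.
    Handles both the bare-IP form and the 'name [ip]' form tracert prints."""
    hops = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # header lines ("Tracing route ...", "over a maximum ...")
        last = parts[-1].strip("[]")
        try:
            addr = ipaddress.ip_address(last)
        except ValueError:
            addr = None  # "Request timed out." or an unresolvable hop
        hops.append((int(parts[0]), addr))
    return hops


def exits_via_tunnel(output, tunnel=TUNNEL_NETWORK):
    """True when the first responding hop is the OpenVPN server's tunnel address,
    i.e. the default route really points into the VPN."""
    for _, addr in parse_hops(output):
        if addr is not None:
            return addr in tunnel
    return False  # nothing answered at all; cannot claim the tunnel is used


if __name__ == "__main__":
    for label, out in [("hotspot", TRACERT_VIA_HOTSPOT), ("vpn", TRACERT_VIA_VPN)]:
        print(f"{label:8s} first hop {parse_hops(out)[0][1]} -> via tunnel: {exits_via_tunnel(out)}")
```

Paste the real tracert output in place of the constructed strings and adjust TUNNEL_NETWORK to the tunnel network configured on the OpenVPN server.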

Conclusion

At the cost of building just another VPN server on your device, you gain a little peace of mind while surfing the net from an insecure location.