Skip to content

Stefcho's Tech Blog

Software Development, Cloud, DevOps and PfSense

Tag: OpenVPN

pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication

Posted on 17/04/2011 - 18/02/2019 by Stefan

VPN is very important service nowadays. The possibility to connect to remote network is very powerful feature used by single user accessing files at home to thousands of business users working remotely with applications and services available previously only on their desktops in the office.  Because of that there are many alternative on the market providing such service. In this post I will focus on the OpenVPN running on the new version of pfSense 2.0 RC1. The goal is to compare the new features with the capabilities of the older 1.2.3 version.

One of the reasons choosing OpenVPN was for the rich feature set, small system requirements the level of control. You can easily setup is up on virtual machine or on SoHo router. The possibility to authenticate users not by insecure usernames and passwords, but by certificates was very compelling.

On 1.2.3 version of pfSense, instead of generating the certificates on the router, I was generating them on a Windows Machine. Following guidance from this sources:

http://www.runpcrun.com/howtoopenvpn

http://openvpn.net/index.php/open-source/documentation/howto.html#pki

After generating all the required certificates, it was just a matter of copy / paste in the configuration.

In the new 2.0 version of pfSense there is a Cert Manager. Using it you can manage your certificate on the box, not just pasting pre-generated certificates.

The other new feature that we will use is User Manager. You have three options for central location of your users: local database, LDAP and RADIUS.For this post we will use local database, as it is the easiest way.

 

As a first  step, let’s install the “OpenVPN Client Export Utility” package, from System > Packages. We will need it later.

Then go to System > Cert Management. On the CA (Certificate Authority) leaf, create new one. Take a note of the Descriptive and Common names you give it, we will need them later. Enter the rest of the details for the CA.

Now under System > User Management, create new user account.Tick in the Certificate section “Click to create a user certificate.”, or after the user is created, enter the newly created user account and generate a certificate for the user. As a Method select “Create an Internal Certificate”, enter the Distinguished name details.

Now is time to configure the OpneVPN server. Go under VPN > OpenVPN, select the Wizard leaf.

For type of Server, select Local User Access

For Certificate Authority Select the name of the one we created earlier, in our case Road Warrior CA

For Server Certificate, select Add New Certificate, type in something memorable for Descriptive name, because we will use it right away.

 

Now edit the configuration of the OpenVPN server. On this page you can enable TLS.

Select the size of DH, Encryption Algorithm.for Tunnel Network choose a subnet that different from your LAN subnet. In the Local Network enter your LAN subnet. Decide on the number of Concurrent Connections, and if you want to use compression.

As this is a very basic configuration, we won’t enter DNS servers, and Default Domain, but you should consider these options, depending on your environment.

Now go to VPN > OpenVPN, select the Client Export leaf. The package that we have installed in the beginning gives us the possibility to automatically export archive with the user configuration files.

Find the user for whom you want to export configuration, and click on the Configuration archive link.

If you haven’t already download the OpenVPN client, download and install OpenVPN Client with GUI from Here

Now open the Configuration Archive and extract the files in this location on the machine from which you are going to establish the VPN connection.

C:\Program Files\OpenVPN\config\

 

You should be able to successfully connect to your VPN from outside.
The management of users and certificate is much easier in pfSense 2.0. You don’t have to keep a Certificate Authority on separate box, and the discomfort with transferring the CRLs is gone. The utility that generates bundles with the required certificates and configuration for each user automate most of the tedious manual work from the previous version.

As a bonus I have recorded the process of configuration, you can check it out here:

 

Posted in TechnicalTagged OpenVPN, pfSense28 Comments

Posts navigation

Newer posts

Tags

ADDS AES-NI Asterisk ASUS Azure Captive Portal Cell Phone CentOS Certification Creative DD-WRT DNS Hyper-V LDAP Learning Linksys Microsoft Mikrotik RouterBoard RB250G Network OpenLDAP OpenVPN OpenWrt pfCenter pfSemse pfSense pfSense 2.0 RC1 pfSense 2.0 RC3 pfSense 2.2 PKI RADIUS Raspberry Pi Routing Site To Site Technical Uncategorized VLAN VMWare VoIP Vyatta Web Sites Windows Server 8 Windows Server 2008 R2 Windows Server 2012 R2 Wireless Workstation 8

Archives

  • April 2020
  • July 2019
  • May 2019
  • March 2019
  • February 2019
  • October 2018
  • August 2018
  • March 2016
  • April 2015
  • March 2015
  • January 2015
  • February 2012
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • March 2011
  • February 2011
  • July 2010
Proudly powered by WordPress | Theme: micro, developed by DevriX.