The new version 2.4.4 if finally here. You can check what’s new here.
The new version 2.4.4 if finally here. You can check what’s new here.
Sharing a Port with OpenVPN and a Web Server
Routing your entire internet traffic over VPN when away from home is almost a must. Especially when using public WiFi hotspots or hotel internet.
Hello all, long time no see. I have a lot of other engagements lately and can’t reach to our beloved topic of pfSense. The fact that I don’t write new posts does not mean that I have abandoned it. Sometimes you have to put priorities to things in your life that are not as pleasant as other, but are just as much if not more important.
Enough said about that. Let’s get to the topic.
Recently I was visiting Asian country. As you probably know there are some places that some sites are restricted for access. It was a strange experience to not be able to open pages that you usually use every day. On other hand I would prefer to route all traffic over my Internet connection back at home when in a foreign country. Just as a protection.
So for test purposes I’ve setup an OpenVPN instance to check if I’m able to route all my traffic back home.
During my research I’ve came across very interesting article on the pfSense documentation. The article is: “Sharing a Port with OpenVPN and a Web Server”
It works and the only modification that has to be made to the OpenVPN server configuration are as follows:
(Force all client generated traffic through the tunnel.)
The old OpenVPN configuration instructions you can find here:
Now you can connect to your pfSense / OpenVPN server on HTTPS and hopefully it would appear much like you are opening a page over SSL.
Have fun and as usual I don’t take any kind of responsibly for the way you use this setup, or any legal actions or consequences for that matter or related to it.
It’s been a while since I’ve been digging in pfSense. A lot of things had happened. The good news is that currently I’ve got a few projects related to the topic and will make a few posts about them. Next post will be related to upgrading to 2.2 from 2.1.5.
In the meantime you can check what are the new features in this release here:
The official article about the release:
and of course the Upgrade Guide
If you are in a café or another place with free wireless Internet access you are under a security risk. Your traffic can be monitored, captured and analysed. Your sensitive data can be stolen or your laptop infected with malicious application.
To avoid as much as possible of the above we can route all your traffic through the internet connection at home or in your office.
As a base configuration you can use pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication
up until the Tunnel Settings section of the OpenVPN Configuration.
There tick the Redirect Gateway.
Under Client Settings enter DNS Server 1 as the IP address of you LAN interface.
By doing so you will redirect all your traffic through the VPN connection and avoid the risks related to the publicly available Internet access hotspots. The addition of DNS server address is needed in order to use you own device to resolve web sites IPs instead of the publicly available DNS server of the hotspot.
As a test you can trace route (tracert bbc.co.uk for example) a popular internet site with or without established VPN Connection.
At the cost of building just another VPN Server on your device you are gaining a little peace of mind while surfing the net from insecure location.
After having enough of tests with the RC3 in virtual environment, I decide to upgrade my pfSense 1.2.3 appliance running on Alix2d13. Considering my Dual WAN setup with load balancing and some other rules, I didn’t really want to lose any of my configurations during this process.
If I made in-place upgrade what is my rollback strategy?!
If I performed clean install and just restored configuration backup what are the guaranties that is will work. Of course I can test it in my virtual lab, but there are risks with the physical scenario that I can’t predict using this method. So I needed and alternative.
I want to test upgrade my pfSense 1.2.3 to 2.0 RC3. For that purpose I need a reliable rollback plan with no data loss, and minimal operations required. How did I achieve it you can find in the Explanation section.
The setup is described in this post: SoHo Firewall Appliance with Alix2d13 and pfSense
,noting change there since.
First I made a backup of the full configuration of the 1.2.3, you know just in case.
Then download the image file: pfSense-2.0-RC3-4g-i386-20110621-1821-nanobsd-upgrade.img.gz
And extract the image from the archive.
Now as it is described here: Installation on a standard PC (CF/IDE version)
We need the physdiskwrite tool to write the image to the Compact Flash (CF). I’ve used the
Then I plug in the new CF in the card reader make sure there are no portions on it using the Disk Management Console (Start > Run> diskmgmt.msc), otherwise you will receive error message like the one in the Issue section below.
Then start physdiskwrite with PhysGUI, select the CF disk.
Right click on the disk select Image laden (Load Image), Offnen (Open). Brows to the extracted image and select it.
You will see this warning message window, tick the check box next to Remove 2GB restriction, mine is 8 Gigs, if your CF is smaller then don’t.
Yet another warning message windows, asking you if you really want to overwrite the disk with the image.
No you have about 20 – 30 minutes of waiting, so be patient, do some other stuff.
We are ready.
Finally I get it, instead of changing the content of my original Compact Flash, why not get second one and use is for the tests instead? This way I can retain my original configuration and with just a swap of the cards be right back where I started.
After successful installation I’ve just swap the CFs and configured pfSense 2.0 RC3 using console cable.
Then using the WebGUI restored the backup configuration from the 1.2.3. Now it is time to check the functionality.
The Interface configuration like interfaced configuration was in place but the Load Balancing configuration was gone. Also my OpenVPN configurations were restored but in a non-working state. The firewall rules were applied but with the missing Load Balancer there was little use of them. After about half hour of checks, I decided to roll back to 1.2.3. Swap the CFs again and everything works the old way.
Writing to the CF card, As stated in Special considerations for Windows Vista/7
If you get write errors shortly after physdiskwrite has begun writing to the target disk (usually after 65536 bytes), this may be caused by existing partitions on the disk. Use the Disk Management utility (right-click on the “Computer” icon on the desktop and select Manage, then navigate to Computer Management (Local)/Storage) to delete all partitions on the target disk before starting physdiskwrite.
If you are unable to delete all the partitions with the Disk Management utility, try the following procedure:
1. Open a command window as admin (“cmd”)
2. Type “diskpart” and hit enter.
3. Type “list disk” and hit enter to find out the number of your drive.
4. Type “select disk X” (where you replace X with the number of your drive) and hit enter.
5. Type “clean” and hit enter.
So I had to clean the disk first but it was a breezy task. Then everything was alright.
Up until the restoration of the configuration backup everything is ok. Now I have to test the restoration in my lab, or better yet reproduce my original configuration there. I ought to think for the second alternative more.
To configure everything in the lab and then just backup and restore the configuration from the same one and the same version sound reasonable to me. Better yet I will know that it works.
I’ll have to test Dual WAN in fail-over configuration, then test recreate my OpenVPN configurations, and test all the rules that I have applied.
After writing OpenVPN with LDAP authentication on pfSense 2.0 RC1, a reader of my blog shared some problems with configuring OpenLDAP on CentOS. So I decide to build such a setup and test.
The scenario is as follows, authenticating users requiring access to the OpenVPN server against OpenLDAP service running on CentOS.
I’ve spent most time in preparing the CentOS server. Initially my decision was to use CentOS 6.0, but after a few failed attempts to configure it and the absence of how to guides for this purpose, I’ve decided to fall back to 5.6.
For this version there is a wonderful how to guide here:
Following this instructions I’ve managed to setup OpenLDAP very fast. The only comment that I have is in this section:
All data loaded is in LDIF format. Create a file to initialize the LDAP database:
# vi ldap-init.ldif
you have to have one new row, otherwise the import in the next step fails. So the above should look like:
# vi ldap-init.ldif
Next step is to create a few test users. For that purpose I’ve used :
Ldap Admin is free Win32 administration tool for LDAP directory management. This application lets you browse, search, modify, create and delete objects on LDAP server. It also supports more complex operations such as directory copy and move between remote servers and extends the common edit functions to support specific object types (such as groups and accounts).
You can use it to manage Posix groups and accounts, Samba accounts and it even includes support for Postfix MTA. Ldap Admin is free Open Source software distributed under the GNU General Public License.
It is time to configure the pfSense. I will skip all the steps described in the previous posts. You can find them here:
Now let’s get straight to System > User Manager and on the Servers leaf.
Hostname or IP address: this it the address of the CentOS server
Base DN: this is the domain name
Authentication container: after insterted the Bind credentials, it was visible, but when I’ve click on the Save button, nothing happen. So I’ve typed it in manually.
Bind Credentials: enter User DN and Password. , I’ve tested it and with Use anonymous binds to resolve distinguished names, it works also.
Group Member Attribute: you can modify this with the Uid=%s, if you need.
Just for reference this is my test user.
After preforming the OpenVPN configuration, enter the user name and the password.
If everything is OK, you should be successfully connected and see something similar in the OpenVPN logs:
You can also test the connection using the Diagnostics > Authentication, Select the Authentication Server, in my case the CentOS OpenLDAP connection is named Test. Enter Username and Password, and see the result.
If you get error, you can check the Status> System Logs on the System leaf for errors.
I’ve got this error when the CentOS server was turn off.
The issues that I faced was the problem with selecting the OU in which my users resides. Hope this will be fixed in future versions. On the CentOS side the problems were releted with the changes of OpenLDAP in the 6.0 version.
That’s it. Thank you for reading.
These days I’ve looked at the tweets of Scott Ullrich and what catch my attention is the mentioning of pfCenter several times.
As written here:
After I have took a look at the shred screen shots from his image gallery.
There is even a thread in the forum with obscure information: Next Gen of pfSense <—> pfCenter
My suspicion is that this center will perform tasks similar to Astaro Command Center.
There will be a Real-Time Monitoring, Site-to-Site VPN configuration for multiple sites made quick and easy. We can hope for centralisation of Device Maintenance tasks such as firmware upgrades and configurations propagation, some kind of Inventory Management component that can show us what, where and in what state we have. Access Management so you must know only one set of credentials to manage all hooked up devices. I really do hope that there will be some form of Aggregated Reporting functionality, RRD is great for some purposes, but alone is not enough and NTOP is great but a dedicated appliance is better suited for it alone.
The next logical question is where you would you place such thing?
On a pfSense box, might be, but a dedicate Appliance sounds more reasonable, taking into account the amount of data and load, that such a solution could generate. As alternative a Virtual Appliance sounds as a good idea. Last but not least as an option is a service in the cloud, a hosted multi-tenant installation of the pfCenter. Which of these alternatives will be the one we’ll see?
Until then, take a look at the teasers:
The source of these images is Scott Ullrich twitpic gallery.
In my previous posts we’ve Install pfSense 2.0 RC1 on VMWare Workstation 7 and adjusted the memory of the Virtual Machines in pfSense 2.0 RC1 on VMware Workstation 7.1.4 – RAM size.
Now let’s continue with the setup of the Virtual Machine with the installation of VMware Tools for pfSense.
For that purpose go to System > Packages
, and on the Available Packages find Open-VM-Tools. Click on the “+” next to it and start the installation.
Wait it to finish, and on the Installed packages you should see it listed. Click on the link below Package Info, to see the instructions how to verify successful installation.
ps ax|grep vmware