Wednesday, May 23, 2012

Install OpenVPN Remote Access (TLS + User Auth) on pfSense 2.0

Install OpenVPN Client Export Utility Package
Go to System > Packages > "Available Packages" tab > install "OpenVPN Client Export Utility" package.

Create CA (Certificate Authority)
Go to System > Cert Manager > "CAs" tab:

Descriptive name: Road Warrior CA
Method: "Create an internal Certificate Authority".
Key length: 4096 bits.
Lifetime: 3650 days.
Country Code: CA
State or Province: British Columbia
City: Port Coquitlam
Organization: YOUR_COMPANY_NAME Inc
Email Address: test@example.com
Common Name: Road Warrior CA

Create an OpenVPN Group
Go to System > User Manager > "Groups" tab > Add Group:

Group name: OpenVPN
Description: OpenVPN

Click on "Save" button.

Create an OpenVPN User
Go to System > User Manager > "Users" tab > Add User:

Username: openvpn_client1
Password: ********
Group Memberships: OpenVPN

Click on "Save" button.

Edit the user we just created > User Certificates: Add:

Method: Create an internal Certificate
Descriptive name: openvpn_client1
Certificate authority: Road Warrior CA
Key length: 4096 bits
Certificate Type: User Certificate
Lifetime: 3650 days

Distinguished name:
Country Code: CA
State or Province: British Columbia
City: Port Coquitlam
Organization: YOUR_COMPANY_NAME Inc
Email Address: test@example.com
Common Name: openvpn_client1

Click on "Save" button.

Service configuration
Go to VPN > click on "OpenVPN" > click on "Wizards" tab > Type of Server "Local User Access" > click on "Next" button
> Certificate Authority "Road Warrior CA" > click on "Next" button
> for server certificate, click on "Add new Certificate" button:

Descriptive Name: Road Warrior Server Certificate
Key length: 4096 bits
Lifetime: 3650
Country Code: CA
State or Province: British Columbia
City: Port Coquitlam
Organization: YOUR_COMPANY_NAME Inc
Email Address: test@example.com

Click on "Create New Certificate" button.
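The Cert Manager steps above (CA, user certificate) and the server certificate created in the wizard are the same three openssl operations, and the distinction the GUI hides behind "Certificate Type" is the extendedKeyUsage on the issued certificate. The script below is an added example, not from the original post and not pfSense code: it builds the same CA, a user certificate and a server certificate with openssl, then runs the checks worth doing on the exported bundle. It assumes openssl is in PATH; file names such as ca.crt, openvpn_client1.crt and rw_server.crt are local choices, and the server CN "rw_server" is a placeholder since the page does not give one.

```shell
#!/bin/sh
# Added example, not part of the original post or of pfSense: the same CA,
# user certificate and server certificate built with openssl, followed by the
# checks worth running on the exported bundle. Assumes openssl is in PATH;
# file names (ca.crt, openvpn_client1.crt, rw_server.crt) are local choices.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DN_BASE="/C=CA/ST=British Columbia/L=Port Coquitlam/O=YOUR_COMPANY_NAME Inc/emailAddress=test@example.com"

# Self-contained request config: "v3_user" is what the GUI's "User Certificate"
# type produces (clientAuth), "v3_server" its "Server Certificate" type (serverAuth).
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_user]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# "Create an internal Certificate Authority": 4096-bit RSA, 3650 days.
make_ca() {
  openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -config "$WORK/req.cnf" -extensions v3_ca \
    -subj "$DN_BASE/CN=Road Warrior CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a certificate from that CA: issue_cert <name> <v3_user|v3_server>
issue_cert() {
  openssl req -new -newkey rsa:4096 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "$DN_BASE/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$WORK/req.cnf" -extensions "$2" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# --- checks on the result ---------------------------------------------------
# RSA modulus size as printed by openssl (e.g. 4096).
key_bits() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
# Does the cert chain to the CA and carry the right type for the purpose
# (sslclient for user certs, sslserver for the server cert)?
verify_purpose() { openssl verify -CAfile "$WORK/ca.crt" -purpose "$1" "$2" >/dev/null 2>&1; }
# Is the cert still valid N days from now?
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

make_ca
issue_cert openvpn_client1 v3_user
issue_cert rw_server v3_server

echo "CA key: $(key_bits "$WORK/ca.crt") bits, client key: $(key_bits "$WORK/openvpn_client1.crt") bits"
verify_purpose sslclient "$WORK/openvpn_client1.crt" && echo "openvpn_client1.crt: OK as a client certificate"
verify_purpose sslserver "$WORK/rw_server.crt" && echo "rw_server.crt: OK as a server certificate"
# The mistake this catches: a server cert issued with the "User Certificate" type.
# Clients exported with remote-cert-tls server (or the older ns-cert-type server)
# refuse to connect to such a server.
verify_purpose sslserver "$WORK/openvpn_client1.crt" || echo "openvpn_client1.crt: rejected as a server certificate (expected)"
valid_for_days "$WORK/openvpn_client1.crt" 3649 && echo "openvpn_client1.crt: still valid in 3649 days"
```

Run it against the certificates pulled out of the exported archive by pointing the check functions at those files instead: key_bits confirms the 4096-bit choice survived, verify_purpose sslserver against the server certificate is the test that fails when the wrong "Certificate Type" was picked, and valid_for_days is the reminder that a 3650-day lifetime is a revocation problem, not an expiry problem.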

Cryptographic Settings:
TLS Authentication: check "enable authentication of TLS packets".
Generate TLS Key: check "Automatically generate a shared TLS authentication key".
DH Parameters Length: 4096 bit.
Encryption Algorithm: AES-256-CBC (256-bit)
Hardware Crypto: No Hardware Crypto Acceleration.

Tunnel Settings:
Tunnel Network: 10.0.8.0/24
Redirect Gateway: check "Force all client generated traffic through the tunnel".
Concurrent connections: 10
Compression: check "Compress tunnel packets using the LZO algorithm". (Caveat: the VORACLE attack published in 2018 recovers secrets from compressed VPN traffic; on a current install leave compression off on both server and client.)

Client Settings:
Dynamic IP: check "Allow connected clients to retain their connections if their IP address changes".
Address Pool: check "Provide a virtual adapter IP address to clients (see Tunnel Network)".
DNS Servers: check "Provide a DNS server list to clients".
DNS Servers: Server #1: 8.8.8.8
DNS Servers: Server #2: 8.8.4.4

Click on "Next" button.

Firewall Rule: check "Add a rule to permit traffic from clients on the Internet to the OpenVPN server process".

Make sure the following is unchecked:
OpenVPN Rule: uncheck "Add a rule to allow all traffic from connected clients to pass across the VPN tunnel" (that rule would let VPN clients reach everything behind the firewall, including the LAN; a narrower rule is added by hand under Firewall Rules below).

Click on "Next" button.
Click on "Finish" button.

OpenVPN: Client Export Utility
Go to VPN > OpenVPN > "Client Export" Tab > look for a user > click on "Configuration archive" link.
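Before handing the exported archive to a user it is worth checking that the client config actually carries the settings chosen in the wizard. The script below is an added example, not from the original post and not part of the Client Export package: a small audit that flags a missing tls-auth, a missing auth-user-pass, a missing server certificate type check, a non-AES cipher, and compression. The config embedded in it is constructed to resemble what the export produces for this setup; vpn.example.com is a placeholder hostname.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Client Export package:
# a quick audit of an exported client config against the settings chosen in the
# wizard. The config below is constructed to resemble what the export produces
# for this setup; vpn.example.com is a placeholder hostname.
set -eu

SAMPLE="${SAMPLE:-$(mktemp)}"
cat > "$SAMPLE" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
tls-auth ta.key 1
ns-cert-type server
auth-user-pass
comp-lzo
EOF

# True when a line of the config starts with the given directive (arguments
# may be given as an extended regex, e.g. "cipher AES-256-(CBC|GCM)").
ovpn_has() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# Print one finding per line; a config matching the wizard prints only the
# compression warning.
audit_ovpn() {
  f="$1"
  ovpn_has "$f" "tls-auth" \
    || echo "no tls-auth: the control channel is not protected by the shared TLS key"
  ovpn_has "$f" "auth-user-pass" \
    || echo "no auth-user-pass: the client never sends the username and password the server requires"
  ovpn_has "$f" "remote-cert-tls server" || ovpn_has "$f" "ns-cert-type server" \
    || echo "no server certificate type check: any certificate from the CA could pose as the server"
  ovpn_has "$f" "cipher AES-(128|192|256)-(CBC|GCM)" \
    || echo "cipher is not AES: check it matches the server's Encryption Algorithm"
  if ovpn_has "$f" "comp-lzo"; then
    echo "comp-lzo present: compression lets a network attacker recover tunnelled secrets (VORACLE); disable it on server and client"
  fi
  return 0
}

audit_ovpn "$SAMPLE"
```

Point SAMPLE at the .ovpn from the downloaded archive to audit a real export; an empty report, apart from the compression line if LZO was left on, means the client matches the server settings from the wizard.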

Firewall Rules
Go to Firewall > Rules > OpenVPN tab > Add rule:
Interface: OpenVPN
Protocol: any
Source: any
Destination: check "not"
Destination: type "LAN subnet" (with "not" checked the rule passes everything except the LAN subnet, so VPN clients get Internet access but cannot reach the LAN).
Description: OpenVPN Road Warrior

Click on "Save" Button.

Go to Firewall > NAT > Outbound tab > select "Manual Outbound NAT rule generation" > click on "Save" button > Add a new mapping rule (this translates the VPN clients' Internet traffic to the WAN address, which is needed once all client traffic is forced through the tunnel):
Interface: WAN.
Protocol: any.
Source: type "network".
Source: address "10.0.8.0 / 24".
Destination: check "not" (LAN-bound traffic is already blocked by the OpenVPN firewall rule above; excluding it here is belt and braces).
Destination: type "Network".
Destination: address 192.168.1.0 / 24.

Click on "Save" button.
Click on "Apply changes" button.

Reference:
http://www.packetwatch.net/documents/guides/2012050801.php
