Saturday, January 9, 2016

OpenVPN on pfSense

Configuring a remote-access VPN with OpenVPN on pfSense


1. Lab:

All virtual machines are created on Hyper-V:
  • Virtual Machine 1: pfSense.
  • Virtual Machine 2: Windows Server 2012 (to test a Remote Desktop connection through the tunnel).
  • Virtual Machine 3: CentOS 7 (to test an SSH connection through the tunnel).
The pfSense VM needs two network interfaces (WAN and LAN).
In this tutorial, the pfSense box has two IP addresses:

WAN: 192.168.1.100/24 (a private address in the lab; treat it as the public IP the VPN clients connect to)
LAN: 10.10.10.100/24

2. OpenVPN configuration:

2.1. Certificate configuration:

First, we create an internal Certificate Authority (CA). It signs the server certificate and the user certificates, and the exported client configuration trusts only this CA.

Log in to pfSense with the admin user.

In System, click Cert Manager.

In the CAs tab, click the "plus" icon to add a new CA.

Fill in the CA details (descriptive name, key length, lifetime, distinguished name).
Now the CA is created.
Next we need a second certificate, for the OpenVPN server itself: in the Certificates tab, click "plus" and create an internal certificate signed by the CA we just made.
In this part, most people create a user certificate by mistake. Make sure to select certificate type "Server Certificate". The client configuration exported later contains "remote-cert-tls server", so the OpenVPN client requires the server-authentication extended key usage on the certificate the server presents; a user certificate does not carry it, the client rejects it and the connection fails during the TLS handshake (the client reports a handshake error).

Click Save.
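The following shell script is an added example and not part of the original tutorial or of pfSense: it redoes with the openssl command line what Cert Manager does (an internal CA, then a certificate signed by it) and shows why the certificate type matters. The client configuration exported by pfSense contains "remote-cert-tls server", and "openssl verify -purpose sslserver" approximates that client-side check. The CA name, the certificate names and the working directory are assumptions for the demo; nothing is read from a pfSense box.

```shell
#!/bin/sh
# Added example (not pfSense's own code): redo the Cert Manager steps with
# openssl to show why the server certificate must have type
# "Server Certificate". The client configuration exported by pfSense contains
# "remote-cert-tls server"; the OpenVPN client then requires the serverAuth
# extended key usage (historically also nsCertType=server) on the certificate
# the server presents, and aborts the TLS handshake otherwise.
# CA name, certificate names and the working directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Internal CA, as under System > Cert Manager > CAs (self-signed, CA:TRUE)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=LabVPN-CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. Extensions that distinguish a "Server Certificate" from a "User Certificate"
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
nsCertType=server
EOF
cat > user.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
nsCertType=client
EOF

# issue NAME EXTFILE: generate a key and CSR for NAME and have the CA sign it
# with the extensions from EXTFILE (what Cert Manager > Certificates does)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extfile "$2" -out "$1.crt" 2>/dev/null
}
issue vpn-server server.ext   # correct: certificate type "Server Certificate"
issue vpn-user   user.ext     # the usual mistake: a user certificate on the server

# server_ok CERT: approximate the client's "remote-cert-tls server" check.
# -purpose sslserver makes openssl demand serverAuth / nsCertType=server.
# Prints "ok" or "rejected" and returns 0 or 1 accordingly.
server_ok() {
  if openssl verify -CAfile ca.crt -purpose sslserver "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
    return 1
  fi
}

# 3. Compare: only the real server certificate passes the check
for c in vpn-server vpn-user; do
  openssl x509 -in "$c.crt" -noout -text | grep -A1 'Extended Key Usage' | tail -1
  echo "$c.crt: $(server_ok "$c.crt" || true)"
done
# vpn-server.crt: ok
# vpn-user.crt: rejected
```

The same check can be run against a certificate exported from Cert Manager: verify it with -purpose sslserver against the exported CA before building a server on it, and the handshake error described above never reaches the client.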

2.2. User creation:

In System, click User Manager.

Click "plus" to add a new user.
Fill in the user details (username and password).

The VPN user is created.

2.3. OpenVPN Client Export package:

In System, click Packages.

Wait for the list of available packages to load.
Now we can see all packages.

Scroll down the page and look for "OpenVPN Client Export Utility".

Click Confirm.

pfSense downloads and installs the package.

The Client Export package is installed.

2.4. Configuring OpenVPN:

In the VPN menu, click OpenVPN.

In the Server tab, click the "plus" icon to add a new OpenVPN server; this starts the wizard.

Select the authentication backend type (Local User Access, so the user created in step 2.2 can log in) and click Next.

Select the CA certificate we created in the previous step.

Select the server certificate we created before and click Next.

Fill in the OpenVPN server settings (interface, protocol and port, tunnel network and local network) and click Next.

Check the firewall rules the wizard offers to create (a WAN rule that lets clients reach the OpenVPN port, and an OpenVPN rule for the traffic of connected clients) and click Next.

Click Next.

Now the OpenVPN server is created.

2.5. Firewall rules:

In the Firewall menu, click Rules.

Go to the OpenVPN tab. The rule the wizard created allows all traffic from connected VPN clients, but we only need SSH and Remote Desktop.

Delete the default rule and create two pass rules that allow only SSH (TCP port 22) and Remote Desktop (TCP port 3389). Keep the WAN rule the wizard added for the OpenVPN port itself: that rule is what lets clients reach the server at all, and it grants no access to anything behind it.

2.6. VPN client export:

In the VPN menu, click OpenVPN and go to the Client Export tab.

Scroll down the page and download the VPN client installer. We need the Windows 64-bit version.


2.7. OpenVPN client installation:

Copy the installer to the client machine, right-click it and choose "Run as administrator".

When the installation finishes, the OpenVPN icon appears. Double-click it.

An authentication window pops up; enter the login and password of the user we created.

Wait for the connection to come up.

The VPN connection starts successfully.


2.8. Testing:

We have two local servers: Windows and Linux.
We will try the Windows server first: open mstsc.

We can now connect to the Windows Server with Remote Desktop.

Let's try the SSH connection to the Linux server. Open WinSCP or PuTTY to run the test.

SSH access works fine.

To confirm that the rules from step 2.5 really restrict the clients, also try a port that is not allowed (for example HTTP on port 80 to one of the servers): it should be blocked.