Remote-access Guide

pfsense openvpn remote access ssl/tls + user auth

by Geovanni Lemke Published 2 years ago Updated 2 years ago

Go to VPN > OpenVPN. In the “Servers” tab (the default tab), click on the “+ Add” button at the bottom right of the page. The fields to be filled in are the following: Server Mode: choose Remote Access (SSL/TLS + User Auth).


Why choose pfSense and OpenVPN for remote access solutions?

It is necessary to be able to offer remote access solutions to travelling or teleworking users. These accesses must be secure and reliable. Good news: pfSense and OpenVPN are the ideal solution for this need!

What is the range of the pfSense VPN tunnel?

We will use the range 172.16.45.0/24 in this example. The IPv4 Local Networks are networks that pfSense has access to which you would like to make available to devices on the VPN. In most cases this will be your LAN but if you have multiple interfaces configured on your pfSense you may want to expose some or all of these over the VPN tunnel.

How do I set up an OpenVPN remote access server?

On the first screen of the OpenVPN Remote Access server wizard, choose a method for user authentication. The choices available for Authentication Backend Type are Local User Access, LDAP, and RADIUS. If an existing authentication system is already in place, such as Active Directory, pick LDAP or RADIUS depending on how that system is configured.

What is the shared secret on the pfSense firewall?

The Shared Secret is the password configured on the RADIUS server for accepting authentication requests from the IP address of the pfSense firewall. If there is an existing Certificate Authority defined on the pfSense firewall, it may be chosen from the list. To create a new Certificate Authority, choose Add new CA.


What is PFSense OpenVPN?

The pfSense OpenVPN client export wizard automatically generates the routing for the WAN, which is what is used in most setups, as most organizations use one firewall. If you re-run the export wizard after making a change to the rule, it will reset any changes you made to the WAN.

What is remote access authentication?

Remote Access (User Auth): authentication only, no certificates. Useful if the clients should not have individual certificates. Commonly used for external authentication (RADIUS, LDAP). All clients can use the same exported client configuration and/or software package.

What is OpenVPN server mode?

The OpenVPN Server Mode allows selecting a choice between requiring Certificates, User Authentication, or both. The wizard defaults to Remote Access (SSL/TLS + User Auth). The possible values for this choice and their advantages are:

Why is my VPN working offline?

Once you connect to your VPN you will be working in offline mode, because you are not connected to the domain right away. If you click Work Online on the client, the DFS shares will come right up.

Is PFSense a good firewall?

pfSense is a great firewall solution. It is flexible, easy to customize and comes with built-in VLAN and VPN support. Now I am going to document how to set up a user-authenticated OpenVPN server in pfSense using the local user database that is in pfSense. This will have to be modified for larger organizations, but would be great for smaller and mid-range shops. This is the least secure way to set this up, but it is the easiest to set up.

How many concurrent connections are needed for DFS?

If you want access to DFS shares through AD, you will want to push all traffic through the VPN: check the Redirect Gateway option. The default is 10 concurrent connections.

Is TLS key secure?

Most secure, as there are multiple factors of authentication (the TLS key and certificate that the user has, and the username/password they know).

How to add a group to OpenVPN?

Go to the “Groups” tab, then click on the “+ Add” button at the bottom right. Give the group the name you want; in our case we choose “OpenVPN-users”. Then click on the “Save” button. Once done, return to the “Users” tab, then click on the “+ Add” button. The fields to be filled in are the following:

How does VPN work?

How it works. The goal is to offer a VPN solution for travelling or teleworking users allowing them to have secure access to the company’s LAN. These users can use a computer or a smartphone to connect. In all cases, they will use an OpenVPN client.

How to add a certificate?

Go in the “Certificates” tab, then click on the “+ Add/Sign” button at the bottom right of the list of existing certificates.

What is the default local port?

Local port: we keep the default value (1194).

Is OpenVPN compatible with Mac?

OpenVPN is the perfect solution for home-office users. OpenVPN is easy to implement and is compatible with all types of platforms (Windows, Mac, Android, iOS, …). This article does not cover site-to-site mode configuration of OpenVPN (shared key or X.509).

How to add a user to OpenVPN?

To add a user that can connect to OpenVPN, they must be added to the User Manager as follows:

1. Navigate to System > User Manager
2. Click Add to create a new user
3. Enter a Username, Password, and password confirmation
4. Fill in Full Name (optional)
5. Check Click to create a user certificate, which will open the certificate options panel
6. Enter the user’s name or some other pertinent information into the Descriptive Name field
7. Choose the same Certificate Authority used on the OpenVPN server
8. Choose a Key Length (may be left at the default)
9. Enter a Lifetime (may be left at the default)
10. Click Save

How to download PKCS#12?

Click to download the user certificates. Click to download the key for the certificate. Click to download a PKCS#12 bundle which includes the user certificate and key, and the CA Certificate (optional). In most cases, the CA Certificate should also be downloaded with the user certificate.

Can you add a LDAP user to a firewall?

Contact the server administrator or software vendor for assistance. Certificates for LDAP or RADIUS users cannot be created from within the firewall’s web interface in a way that reflects a user-certificate relationship. However, it is possible to create the certificates on their own using the certificate manager, as described in User Certificates.

What is pfSense package?

pfSense provides a package called openvpn-client-export which creates preconfigured OpenVPN profiles for you to download containing all the VPN settings and the user certificate if one is used. For Windows users it also allows you to download an OpenVPN client installer which will automatically install the OpenVPN client application and configure it with the VPN settings. This step is optional as you could configure the client settings manually but in most cases, doing it will simplify deployment.

How to create a certificate for OpenVPN?

From the pfSense dashboard, go to System > Cert. Manager > CAs and click Add to create a new CA. Enter a descriptive name to help you identify what the CA is called and a common name which will appear on the certificates. The rest of the settings can be adjusted if required but the defaults should provide a reasonable balance between security and performance for most use cases. By default the CA lifetime is set to 3650 days (10 years) which is reasonable for a CA but can be adjusted if desired. If you wish you can also include location and organisation data but this is entirely optional.

How to export OpenVPN client?

The easiest way to configure client settings is to use the openvpn-client-export package we installed earlier. Go to VPN > OpenVPN > Client Export. At the bottom of this there is a section called OpenVPN Clients. In this section you will see a list of available users whose configuration we can export.
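The exported profile is what every user ends up running, so it is worth checking before distribution. The following is an added example, not code from pfSense or the openvpn-client-export package: it parses an .ovpn profile with the standard library only and flags settings that a Remote Access (SSL/TLS + User Auth) export should contain (per-user certificate, auth-user-pass, CA, remote-cert-tls server, tls-auth/tls-crypt). The sample profile, its placeholder key material and the hostname vpn.example.com are constructed.

```python
import re

# Constructed sample profile; the inline blocks hold placeholders, not real key material.
PLACEHOLDER = "(constructed placeholder, not real key material)"
def inline(tag): return f"<{tag}>\n{PLACEHOLDER}\n</{tag}>\n"
SAMPLE_PROFILE = (
    "client\ndev tun\nproto udp\nremote vpn.example.com 1194\n"
    "auth-user-pass\nremote-cert-tls server\n"
    + inline("ca") + inline("cert") + inline("key") + inline("tls-crypt")
)

def parse_profile(text):
    """Split an .ovpn profile into {directive: [args, ...]} and the set of inline <tag> blocks."""
    blocks = set(re.findall(r"^<([\w-]+)>$", text, re.M))
    body = re.sub(r"(?ms)^<([\w-]+)>$.*?^</\1>$", "", text)  # drop block bodies
    directives = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks

def check_profile(text, user_certs=True):
    """Return findings (empty list = OK) for an SSL/TLS + User Auth export.
    user_certs=False checks a Remote Access (User Auth) profile, which has no per-user cert."""
    d, b = parse_profile(text)
    findings = []
    if "remote" not in d:
        findings.append("no remote: the client does not know which server to reach")
    if "auth-user-pass" not in d:
        findings.append("no auth-user-pass: user credentials will not be prompted for")
    elif d["auth-user-pass"][0]:
        findings.append("auth-user-pass names a file: the password is stored on disk")
    if "ca" not in b and "ca" not in d:
        findings.append("no CA certificate: the server certificate cannot be verified")
    if d.get("remote-cert-tls") != [["server"]]:
        findings.append("no 'remote-cert-tls server': a client certificate could pose as the server")
    if user_certs and not ({"cert", "key"} <= b or "pkcs12" in d):
        findings.append("no client certificate/key: SSL/TLS + User Auth requires one per user")
    if not ({"tls-auth", "tls-crypt"} & b or {"tls-auth", "tls-crypt"} & d.keys()):
        findings.append("no tls-auth/tls-crypt: control channel is not protected by the TLS key")
    return findings

if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE) or "profile OK")
```

Run it against a downloaded profile by passing the file contents to check_profile; a User Auth only export is checked with user_certs=False.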

What port does OpenVPN use?

The other setting you may wish to change is the listening port. By default OpenVPN listens on port 1194 in either UDP or TCP mode. You can change the port if you wish, either based on personal preference or if you are on a network which blocks VPN traffic or outbound ports.

What branch of OpenVPN is used for Windows 7?

For Windows 7, 8 or 10 and their corresponding server versions you will want to use the 2.4.8 branch of the OpenVPN client. For Windows XP or Vista (shown as win6 in this interface) you will need the older 2.3.18 branch (also, upgrade your PC). Download the correct installer and copy it to your target PC. The installer behaves like any standard Windows installer: just run it, click the “Install” button and follow the prompts.

How to create a user in OpenVPN?

To do this we will need to create a user. Go to System > User Manager and add a user. You will need to configure a username and password as per the picture below. The other settings can be left as default although if you are only planning to grant the user temporary access you may want to set the account to expire automatically when access is due to be revoked.

How to install OpenVPN client export?

From the pfSense dashboard go to System > Package Manager > Available Packages and search for the openvpn-client-export package. Click the Install button to install it.
