Configure pfsense as OpenVPN Client in a Site to Site VPN using Netgate SG-1100

Captions
In this video we configure a Netgate SG-1100 as a client in a site-to-site OpenVPN configuration. The use case for this is we have a client who has 15 remote workers working around the country, and they need to log in to the main office and access files securely. Even if they're behind a modem or a modem/router, double-NATed, the tunnel will get created; they plug their computer into the LAN port and away they go. They're connected to the internet and to the assets back at the main building.

Let's jump into the configuration. We're going to start with a factory-defaulted unit right from the beginning, and here we have ours. The username and password are the pfSense defaults, and we'll walk through the wizard to get a base configuration. We don't need to change the hostname or the domain name, and then for DNS we'll just put in a couple of the usual suspects. Hit Next. That's fine for the time zone; if you really want to, you can change your time zone, but this is just an example so I'm not too concerned about it. The WAN interface: there are no changes that we need to make here. The LAN interface: by default pfSense wants to create a 192.168.1 network. That's a very common private network, seen in a lot of home routers, cable modems and that kind of cable modem/router, and we want to make sure that there's not going to be a conflict, that there's not going to be the same IP scheme on the LAN side as there is on the WAN side. So we want to choose an IP scheme that would not be duplicated by the typical cable modem/router or big-box-store router that we might be installed behind. For our example we're going to use a 172 network. Click Next. An admin password: this should be a difficult and secure password. For our example we're going to use "password", but don't do that at home. Click Reload. All right, we're going to click Finish and we'll lose the router, because now the LAN scheme has changed. Oh, that came right back up. You'll probably have to release and renew your configuration and try to reload that page. And there we go; so again, it's admin and the very secure password you've created, not the one that I'm using.

Let's make a change to this dashboard. I don't see the need to have the Netgate Services and Support box up there. What will be helpful to us later is to add the Gateways widget and, after that, Services.

So the steps that we're going to take today: first, we're going to create an OpenVPN connection and then establish traffic to travel through it from the LAN. The next thing that we'll do is create a WAN failover: if the OpenVPN tunnel goes down, you want to be able to continue to route traffic through the WAN, and we'll do that second. The last thing that we'll do is show a slight modification to that, which will route all web traffic, port 80 and 443, through the WAN port all the time. That just puts less of the load on the ISP back at the main building: instead of having all 15 employees' traffic come through the OpenVPN tunnel, just the necessary information for retrieving files from the file server will, and all the regular YouTubing or, you know, playing games on the internet will go through their LAN modem.

All right, so we're at the dashboard and we're going to start configuring the system. The first thing that we do is go into System > Certificate Manager, and we need to add a CA. So we click Add and give it a name like "OpenVPN cert". We're not going to create one, but we are going to import one. This was created by the pfSense OpenVPN server, and it created a file for you; you'll take that file and just copy the CA out of that file and paste it here. Nothing else is needed on this page; we hit Save and we're good.

We need to come over to VPN > OpenVPN and create our OpenVPN client. So the Clients tab, and then Add, and we'll go through all the sections here. There are a lot of sections; this is the biggest number of changes that we'll be making, and we'll go through all the different ones that you need. So we're going to start with: it's peer to peer, it's UDP, it's a tun, and it's on the LAN. The server host or address is the FQDN of the server that you're trying to reach out to. Mine is at a friend's business, so we'll put in his FQDN; yours will be different. You want to make sure that you're using the right address or you won't be able to establish a connection. The server port: by default OpenVPN uses 1194; we're going to use 1199, and that's just because my friend already has an OpenVPN server running on 1194, so for this instance it's 1199. Again, it's important that you put in the correct port that your server will be using or listening on. In the description let's name it "VPN to Pat"; that's a good name because my buddy's name is Pat. Hey, Pat. All right, we're going to use username and password authentication for this, and the reason for that is we have 15 different SG-1100s that will be logging in, and from a quick look at a dashboard on the server we'll be able to see which ones are logged in and which ones are not. It's a quick troubleshooting help to kind of establish who's working and who's not. So type in the password for my test and move along. We will be using a TLS key, but we will not be automatically generating one; again, this was created by the server, it's in that document, the server output, and you just want to go over there and select your TLS key and paste it in here. All right, your peer certificate authority is "OpenVPN cert"; that was the name we gave it when we created our CA, and it's auto-filled here, so by default it's done for us, but if you have multiple CAs on your system you're going to want to make sure that you select the correct one from this list. Our encryption: we're using AES-256-CBC; select that from the list. Again, it's important that you select the encryption that your server is using or you will not get a connection established.

All right, tunnel settings. The IPv4 tunnel network: this is the IP address that will be used in the tunnel, and for ours we've established 192.168.110.0; yours will probably be different. And the remote network: this is the network where the assets are sitting, or where the file server for our client is sitting. Again, this is a test example back to my friend's router, and we've established 192.168.111.0. The important thing to remember here is that this is the address that you're trying to reach ultimately, for your asset, file server or whatever you have. Compression: our setup is using the Omit Preference setting. It's important, again, that you select the correct compression for your server or you will not get established. And then custom options: there are some custom options that will be in that file generated by the server; you just want to copy those and paste them in here. Important thing: Gateway creation, IPv4 only. By default it's both, but our server was set up to be IPv4, so it's important that we select IPv4 only in our client. With all that we're going to hit Save. You know, I've got a long list here; I just want to make sure that we did all of the things that we need to do. Looks like we got them all. We'll hit Save and that's about it.

At that point, if your server is up and running and listening for your client, we should see that we're already established. To check that, we go to Status > OpenVPN; you can also get to it by this icon on the dashboard. And we'll see that we are up; hey, our tunnel is established. We can go over to What's My IP and check our IP address. We're getting a 67.x address; that is the Comcast cable modem in Milford, where my office is. We are not actually getting any traffic through the tunnel. The tunnel has been established, the connection has been made, but we haven't yet set up rules to allow the LAN traffic to route through that tunnel. We'll do that now.

So back over to our SG-1100, and we're going to start with Interfaces > Interface Assignments. Right here on the OPT interface we want to select the OpenVPN and hit Save. After that, an important thing is to click on OPT to go into that interface and enable it. It's not enabled by default; it's not enabled when you connected it to OpenVPN. You have to come here and do that, and at this point we can give it a good descriptive name, "OpenVPN". That's excellent; that's all that you need to do in this section. Save that, apply those changes, and it'll be off to the firewall once this reloads.

OK, Firewall > NAT. You need to make changes to the outbound NAT: it is going to be Manual, and you need to hit Save there. And then this rule right here, WAN to 172, we want to duplicate this rule. This rule states that the 172 network can route traffic through the WAN; we want to say that the 172 network can also route traffic through OpenVPN. So the interface is what you want to change. You'll see that there are two very similar interfaces here, and you want to select, in my case, the lowercase one, OpenVPN, because that is the name of the interface that we want to route through. Just about everything else can be the same. Where's the description? Because it's always good to have a good description. Oh, there it is; let's say "LAN to OpenVPN" and save. You need to apply those changes. After that is done, it's back to Firewall > Rules on the LAN side, and it's this rule right here. This rule says that any IPv4 traffic on the LAN will get routed through the default gateway, but we don't want to use the default gateway; we want to use the OpenVPN gateway. So we're not going to duplicate it; we're just going to edit this rule. I'm going to come in here and go right down to Advanced, select Gateway, and choose the OpenVPN one from the selection. Save that and apply those changes, and now we should be good. We can go back to What's My IP and reload. Well, I know what I forgot to do. Back when we set up our dashboard to have our services, it's an easy way to restart the OpenVPN; we just want to click here and do a reload. And since we have our gateways displayed on that dashboard, we can see after a second that the OpenVPN gateway will become online. There it is, online, and we know that we're good to go. Let's go back to What's My IP and reload that, and there you go: a 96.x address. That is not the WAN of my modem but the WAN IP address of my friend Pat's. So there you go, we've established the OpenVPN site-to-site connection and we are now routing LAN traffic through that connection. Actually, you know what we can do: go over to Fast and do a speed test, just to see. We should not be getting the 200 or so megabits per second that my ISP offers; it's going to be limited coming through the SG-1100 in the site-to-site, and we'll see that in a second. Certainly limited, there you go. And that's all that you need to do to create a site-to-site OpenVPN tunnel between an SG-1100 and a pfSense router on the server side.

But the next thing that we wanted to do was create a gateway group. The gateway group creates a failover, so if the OpenVPN server were to fail, the employee using his computer would think that the internet was out and wouldn't be able to get anywhere. So we can create a failover where, when the OpenVPN tunnel is down, the WAN address and the LAN port will be used to route right through their modem. We can do that by going to System > Routing > Gateway Groups, and we're going to add a new gateway group. Give it a good description, "WAN and OpenVPN", and we want to set WAN to Tier 2 and OpenVPN to Tier 1. By doing that it's going to, by default, use OpenVPN, and if the OpenVPN tunnel is not there it's going to fail over to the WAN gateway. We can give it a good description, "WAN and OpenVPN". All right, we'll need to apply those changes, and then we can make a quick change to our firewall rule on the LAN side, that same rule. We're going to go back into it, where it says all LAN traffic should be routed to the OpenVPN; we want to go back down to that gateway and select the "WAN and OpenVPN" group. Hit Save and apply changes, and now IPv4 traffic on the LAN will be using that gateway group. We can come back to What's My IP and see that we're still connected through the OpenVPN tunnel to Pat's site, and try Fast again to see how our data speeds are. Certainly we're still using the OpenVPN tunnel; a little bit faster this time. So let me make a quick call to Pat; I'll have him kick us off the OpenVPN server, and we should see that we can continue to route traffic using the WAN, and we'll actually experience a faster download. All right, be right back.

All right, so Pat's kicked us off the server, and back at our dashboard we can see that the OpenVPN is offline; WAN is still online. So we can go right here and quickly check What's My IP: it's back to 67.x, the Milford Comcast WAN address of my office. And give Fast a try. Well, wrong button. There you go; so weird, it'll settle in. Now we're down to 93; good old Comcast giving us those awesome speeds.

All right, so the last thing that we want to do is break out web traffic, port 80 and 443, to not use the OpenVPN tunnel. The reason for that is if we had all the traffic pass through the tunnel and you have 15 employees, you're going to put a large load on the ISP back at the main building. There's no reason for that; web traffic such as YouTube videos or just general searches can be routed through the WAN interface of each employee's own home router. We can do that by just making a couple of firewall rules on the LAN side. So we want to create a new rule just above our LAN rule, with the destination port 80, and under Advanced we want to select our gateway as the WAN. Oh, you know what, we should give it a good descriptive name, "port 80 via WAN", and hit Save. And add one more: our destination will be port 443, a good description, "port 443 via WAN", and our gateway is the WAN gateway. Apply changes. All right, once that's reloaded let's go back to the dashboard. I think Pat by now has put us back on the server, and there you go: the OpenVPN is online, the WAN is online, and we can try a speed test. Well, I shouldn't have knocked Comcast there at the end; they dropped down to 93 but ended at 530 when we left. I don't pay for 530 megabits per second, I don't know, hey, I'll take it. All right, so we're seeing 220 megabits per second right now in that test, and if we came back to the SG-1100 and went to our firewall rules on the LAN side, we'll see that all that traffic right there, 230 megabits, traveled through the rule that routes 443 traffic through the WAN and not through the OpenVPN.

All right, so that's everything that we need to do to set up the SG-1100 as a site-to-site client in an OpenVPN configuration. I hope you found this video interesting, and if you did, please consider giving us a thumbs up or subscribing. And if you'd like to contact us to help you with your network, you can reach us at our contact information below. Thank you.
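Added example (editor's note, not part of the video or of the pfSense project): the video copies the CA, the TLS key, the port, the cipher and the leftover custom options by hand out of the client export that the OpenVPN server generated, and warns that a wrong port, cipher or compression setting means the tunnel will never establish. The script below parses such an export, derives the values that belong in each field of the pfSense client form (VPN > OpenVPN > Clients), separates the directives that belong in "Custom options", and reports mismatches between the export and what an administrator typed in. The export text, the host vpn.example.net and the truncated certificate and static key are constructed placeholders.

```python
import re

# Constructed sample of an OpenVPN client export (hypothetical host; port 1199
# as in the video; truncated CA and static key stand in for real PEM blocks).
SAMPLE_EXPORT = """\
client
dev tun
proto udp
remote vpn.example.net 1199
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
cipher AES-256-CBC
auth SHA256
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUExampleOnlyNotARealCertificate0=
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
fedcba9876543210fedcba9876543210
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Inline blocks such as <ca>...</ca> and <tls-auth>...</tls-auth>.
INLINE_RE = re.compile(r"<(?P<tag>[a-z-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)

# Directives that have their own field on the pfSense client form; anything
# else is what the video pastes into the "Custom options" box.
GUI_FIELDS = {"client", "remote", "proto", "dev", "cipher", "auth",
              "auth-user-pass", "key-direction"}


def parse_export(text):
    """Split an .ovpn export into (directive, args) pairs and inline blocks."""
    inline = {m.group("tag"): m.group("body").strip() for m in INLINE_RE.finditer(text)}
    directives = []
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            word, *args = line.split()
            directives.append((word, args))
    return directives, inline


def pem_block(body, header):
    """Return the block only if it carries the expected BEGIN/END markers, else None."""
    lines = [l for l in body.splitlines() if l and not l.startswith("#")]
    if lines and lines[0] == f"-----BEGIN {header}-----" and lines[-1] == f"-----END {header}-----":
        return "\n".join(lines)
    return None


def client_settings(text):
    """Values for the pfSense client form, derived from the server's export."""
    directives, inline = parse_export(text)
    d = dict(directives)  # last occurrence wins; fine for a single-remote export
    remote = d.get("remote", [])
    return {
        "server_host": remote[0] if remote else None,
        "server_port": int(remote[1]) if len(remote) > 1 else 1194,  # OpenVPN default
        "protocol": d.get("proto", ["udp"])[0].upper(),
        "device_mode": d.get("dev", ["tun"])[0],
        "encryption": d.get("cipher", [None])[0],
        "auth_digest": d.get("auth", ["SHA1"])[0],
        "user_pass_auth": "auth-user-pass" in d,
        "ca_pem": pem_block(inline.get("ca", ""), "CERTIFICATE"),
        "tls_key": pem_block(inline.get("tls-auth", ""), "OpenVPN Static key V1"),
        "tls_key_direction": d.get("key-direction", [None])[0],
        "custom_options": [" ".join([w, *a]) for w, a in directives if w not in GUI_FIELDS],
    }


def check_form(form, text):
    """Compare the typed-in form values with the export; return a list of mismatches.

    An empty list means the settings that usually stop a tunnel from negotiating
    (host, port, protocol, device mode, cipher, digest, TLS key, CA) all agree."""
    need = client_settings(text)
    problems = []
    for field in ("server_host", "server_port", "protocol", "device_mode",
                  "encryption", "auth_digest"):
        if form.get(field) != need[field]:
            problems.append(f"{field}: form has {form.get(field)!r}, export needs {need[field]!r}")
    if need["tls_key"] and not form.get("tls_key"):
        problems.append("tls_key: server uses a TLS key; paste it from the export")
    if need["ca_pem"] is None:
        problems.append("ca_pem: export has no well-formed <ca> block to import")
    return problems


if __name__ == "__main__":
    # A form left on the OpenVPN default port, the mistake the video warns about.
    form = {"server_host": "vpn.example.net", "server_port": 1194, "protocol": "UDP",
            "device_mode": "tun", "encryption": "AES-256-CBC", "auth_digest": "SHA256",
            "tls_key": "<pasted>"}
    for p in check_form(form, SAMPLE_EXPORT):
        print("mismatch:", p)
    print("custom options:", client_settings(SAMPLE_EXPORT)["custom_options"])
```

Run against the sample, the script flags the port left at 1194 and lists `remote-cert-tls server`, `persist-key` and the other directives that have no form field as the custom options to paste in; `remote-cert-tls server` is worth keeping, since it makes the client refuse a peer that presents a client certificate instead of a server certificate.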
Info
Channel: Smarthome and Theater Systems
Views: 4,164
Keywords: netgate, sg-1100, pfsense, openVPN, site to site, VPN, networking, security
Id: SVUE6tcznM4
Length: 20min 44sec (1244 seconds)
Published: Tue May 12 2020