From Ciphers to Certificates: Your Comprehensive Guide to Configuring OpenVPN on pfSense

Captions
Systems, and we're going to talk about how to set up OpenVPN in pfSense here in May of 2023. I've done this video before, but I want to do it with a modern twist in terms of what are the new ciphers that are offered compared to when I did my previous videos, and how do those affect performance, or which ones should you be using. For the most part this is going to be pretty simple in terms of setting up, because I'm going to limit it in scope to local users, but if you're interested in how to do things like a RADIUS server, I have videos on that topic linked down below; when you get to the cipher part, hey, you can use this video for reference for that, because everything else is going to be the same. First we're going to cover how to set up the pfSense server, and then we'll cover how to set up the clients for both Windows and Linux to be able to get things imported and get other devices connected. It's pretty straightforward to do. Now, I have covered the topic of overlay networks and other types of network design, and those videos are also linked down below, because that's a popular topic; those weren't available or weren't as widely popular when I did my previous video, so I think they're worth mentioning because there's different ways to approach this. We're going to focus just on the OpenVPN approach, which does mean you need a public IP, and I'm going to be doing this in pfSense, which is a release candidate right now of 23.05, but there's not really anything different if you're using the 23.01 or even the 2.6 or even the 2.7 of CE, so whether using CE or pfSense Plus doesn't really matter. The only thing CE offers over Plus in terms of OpenVPN is the data channel offload, DCO, which is a really neat feature; it's currently marked as experimental here in May of 2023, so it's not something I'm going to talk about using, but hey, there's a link down below where you can read the blog post, or you can do a little Googling and learn more about what data channel offload is and why it's pretty cool.

Now before we get into the video here, I do want to thank a sponsor, and that sponsor is me. If you'd like to hire us for a project, whether it's network consulting, engineering, or anything related to many of the things you've seen on this channel, head over to our website lawrencesystems.com, click that hire us button at the top, and it's greatly appreciated.

Now let's jump into how to set this up in pfSense. The first step we're going to do is go over here to System, Package Manager, and we want to make sure we have the openvpn-client-export utility loaded; if for some reason you don't have it loaded, you can just go over here to the available packages and add it. This makes it substantially easier to export all the settings into a client after you have OpenVPN set up. Then we're going to go over here to OpenVPN, and from here we're going to go over to the wizard, and we'll just be using local user access, so we click next. Certificate authority: I have my LTS demo certificate authority in here; if you'd like to add your own self-signed CA, you absolutely can. We're going to hit next. We're also going to use this same certificate that I already have; once again, if you want to add a new certificate that's signed by the certificate authority you created, go ahead and do that. And now we're going to start filling this out. Description: YouTube demo VPN sounds good. UDP: UDP is faster than TCP, but TCP is an option if you want to be able to use TCP on this, but UDP is going to be the preferred; it's going to be a faster VPN. Interface: if you have multiple interfaces you could choose this, such as multi-WAN, but we're just going to leave it at WAN here. A local port of 1194, I'll leave it at default, but obviously this is easy enough to type in and change.

TLS authentication: yes, you want to enable TLS authentication. Generate a new TLS key: this automatically generates a shared TLS authentication key; you don't have to fill anything in here, it'll do that for you. DH parameter length 2048, that is perfectly fine. Next, data encryption algorithms. Now I don't want to get too far out of scope on this, but ChaCha20-Poly1305 is a stream cipher versus AES, which is a block cipher, and thus offers better performance for devices that do not have AES-NI hardware acceleration. It can be considered also a bit more secure than AES-based encryption, because the use of lookup tables makes it vulnerable to side-channel cache timing attacks on systems that don't have AES-NI hardware. Now if you want more information, I'll link to a Computerphile video down below where they really dive deep into ChaCha20-Poly1305. And AES-NI is not by any measure insecure, but if you have a client, and this is not just talking about server, when you negotiate an encryption algorithm with OpenVPN one side is the client, one side's the server, and they both have to be using the same ciphers, so the AES-NI acceleration you may have on your hardware in terms of pfSense may not be available to the client, so you will have some performance limitations. But of course it's important that your pfSense have adequate hardware to support the number of users, so it still may make more sense, because you're not worried about the individual user speeds; your individual users are only going to use so much bandwidth versus the aggregate of all the users. It may be better to choose either one; either one is still secure, you're not causing an insecure issue. But I will mention ChaCha20-Poly1305 was chosen for WireGuard and a lot of other modern systems because it's a really good cipher to use, and there's no risk at all of using it inside of pfSense, so it's the one I'm going to recommend, but you can still use the other ones if you want. Now you can choose multiple as another option, and for example if you chose both of these, the system would negotiate which one it wants to use, and then you would have a fallback of one of the other ones. I'm going to leave it at ChaCha20-Poly1305; matter of fact, let's take out AES because I'm just not going to use it, but you just hold the control key and select all the ones that you find relevant. These three are the recommended, but as I noted, OpenVPN's been around for a long time, so they have some of these ciphers, and some of them probably really shouldn't be used because they're so old. Next is our auth digest algorithm, and we want that to be SHA-256; that's perfectly fine, it's secure. Hardware crypto, if you have it, and as I said I'm using ChaCha20-Poly1305 so this won't really matter, but we can just leave it here; it doesn't hurt to do this, leave it at the crypto engine that we have in here.

IPv4 tunnel network: it is very important you choose a tunnel network, because these are the IPs that are going to be assigned, the tunnel IPs, to the clients you have coming in. That means it should not ever overlap with your clients' networks. Common client networks are, for example, 192.168.0 or 192.168.1; you want to make sure you do something like 192.168.169, anything that's uncommon, so you really could put other ranges here, and I'm going to do a /24, which leaves us plenty of room to have many clients on this system. Next is redirect IPv4 gateway. Now IPv4 gateway redirect means send all traffic through the tunnel. This may be something you want, but usually isn't, because if people have a lot of different apps open, such as YouTube, Spotify, et cetera, things that they may be watching, streaming services, that means all that traffic's coming over there too from the client. Maybe that's what you want, maybe you don't have the bandwidth to be able to support that; that is kind of a design consideration you need, but this is essentially the difference between split tunnel or full tunnel: checking this means full tunnel, split tunnel means only access the resources that we've pushed. Speaking of resources that we've pushed, IPv4 local networks: these are the local networks attached to your pfSense, so we have this network here; if we had another network, and we'll just put it at a different range, 10.10, maybe 10.10.10.0, you'd put each one of these in with a comma and a space, and these are any of the local subnets that are attached to your pfSense that you want to have pushed as an option for the clients to route traffic back over to. Concurrent connections: we're going to leave that blank. Refuse any non-stub compression: that is the most secure, and this talks about compression in tunnels and the problems you can have, where you're trading bandwidth for the potential security risk, because compression creates prediction in terms of what the data might be, so I'm not going to dive too far off topic on that, but that's an interesting type of attack on there. But we'll leave this disabled; compression, I don't want any. Inter-client communication, so allow communication with client-side server: if you have a use case for it you can turn it on; generally you don't. Allow multiple concurrent connections from the clients using the same common name: this is generally not recommended but needed for some scenarios. It's actually an interesting problem you run into; if you do allow the duplicate connections, you may want that, because if a user drops and tries to reconnect, until it drops on the server side there's a delay in letting them connect, so you can say limit the number from the same user to two, for example; that way if they have a connection drop or switch networks and they haven't expired their session, they don't have to wait maybe a minute or two for that to expire. I would say definitely yes on dynamic IP: allow connected clients to retain their connections if their IP address changes, that's fine. If you have special DNS that you would like to push to them, for example if they're connecting in and you're expecting them to connect to your Active Directory and you need them to use your Active Directory server's DNS, you would then put the IP addresses of those DNS servers here, and then you have WINS servers if you're still using those; I'm not, so we're next. Definitely we want to add the firewall rule, and definitely want to add the rule allow traffic from connected clients to pass inside the tunnel, add a rule to permit connections to this OpenVPN server, and since we're anywhere on the internet, so next and finish. Now the VPN is set up.

Now before we start using this, let's edit the server and talk about the server mode. We have the option of Remote Access (User Auth), we have Remote Access (SSL/TLS + User Auth). Let me explain the difference. OpenVPN server mode SSL/TLS + User Auth or Remote Access User Auth makes it sound, if you don't read all the details, that you're just not verifying certificates if you use User Auth, and that's not how that works; it's a little bit more complicated, so let's explain it. If you want to use a per-user certificate, that is where you have SSL/TLS + User Auth. If you just want User Auth but still verify those certificates that we created to attach to our VPN server, that still works; if you're just using user authorization, it still has to verify those certificates that get embedded in the config file from when we created the OpenVPN server. So you're probably wondering, what's the advantage of a per-user certificate? Well, the way this would work, and let's walk through an attack scenario that this protects against: so we have user one, user two, user three, and we first are just using User Auth. We create an OpenVPN config file, we put it on each one of these users' systems, it allows them to remotely access. So the system is going to verify that they have the certificates that we created, that TLS key and the actual CA cert, the self-signed one, and it says yes, you have both of those, what's your username and password? If they do not have one or the other or either one of those, it says nope, I will not get your username and password. What if you use the TLS auth plus User Auth? That means we're going to ask for a third certificate, so we're going to take user one's certificate, give them an install file that contains all three of these certificates in there, and if user one gets compromised, and their system, maybe someone got that OpenVPN config file off there, we can create a certificate revocation list in pfSense, then we can revoke that user's certificate (not delete it; revoke it is specifically how you do this), and you attach it to OpenVPN with revocation, and then the OpenVPN server goes nope, that certificate is now on the revocation list, therefore that user can't log in. Let's play a scenario out: if you're just using User Auth, you've given all three of your users exactly the same file; one user gets compromised, you now have to regenerate a certificate for everybody, because now anyone who has a copy of that file, there's no way to get rid of it. You can delete it off of OpenVPN, but you're doing it for all three users simultaneously because they're all using exactly the same config file. So this allows you to create a per-user config file that will be revocable through the revocation system in pfSense. So it's not necessarily more secure in terms of the encryption layer itself; it's just a further safety net. So if you had a hundred users rolled out and a user gets their system compromised and someone's able to lift that OpenVPN config file off their system, you don't have to redeploy a hundred users' new VPN config, because you just revoke the one certificate that was compromised and assigned to that user. The downside, of course, is managing certificates for every individual user becomes a different challenge, but it's worth noting that's how that system works.

Now since I left the system requiring that certificate, we're going to go ahead and edit the user Tom here, and we can say let's add a certificate for Tom. So we'll just hit add, and all this is fine, and we'll just call it, as a common name, Tom's cert; scroll down here at the bottom, hit save, and now this user has a cert. Now if you go back over here, we see we have tom2, who belongs to no groups; you don't need, because we're using local user authentication, any privileges for this user to log into pfSense, it's just here as a way to authenticate against so we can set them up in OpenVPN. You notice currently there's no certificate, and I want to show what the difference is here. We go over here to OpenVPN, we go to Client Export; with Client Export there's our client Tom, because Tom has a certificate, but I can't export tom2 because no certificate. So if we go back over here to System and then Users, we'll edit tom2 and we'll add a certificate for tom2, give it a common name of tom2, save; now tom2 has a certificate, and we can see each one of these users. Now these users go away if we go back into OpenVPN, go here to the server, and if we change it just to this, back over to Client Export, and this eliminates the different users, because it says no cert; but technically there's still certs in there, there's just not a per-user cert, that's why it has no certificate name in here. I just want to make sure that is not confusing.

Download for most clients: let's take a look at the client download. I won't spend too much time covering this in Linux, but essentially you can do sudo openvpn, the name of the file, enter the username, enter the password, and you'll see if it connects, sequence completed, and now it's connected. We're able to actually ping things behind the device, and we can test that real quick by splitting the screen; we'll type in ping, this IP address which is behind that firewall, and if we hit Ctrl-C to exit this, you can see it dropped. Now let's show how to get this going in Windows, and we'll ping the same IP address for a demo. For simplicity I'm just going to log into my Windows machine here, go to the OpenVPN Client Export, and now we're going to choose the installer. So right here is our Windows installer, so we're going to click this as a download; now let's go ahead and run the installer, then we go down here at the bottom and we can click connect. We can see this is the local IP of this device right here, but if we now type ipconfig, now that we're connected, we can see the tunnel network; this works the same in Linux, I just didn't demonstrate that. And now we can ping that same IP address, and if we turn the VPN off over here, if we disconnect it, you'll see that the ping stops; we are no longer able to ping it.

Now in terms of troubleshooting, we are obviously connecting fine, so there's no troubleshooting to do here, but make sure you take the time to look at the logs, both here, whether it's your Linux client or your Windows client; start with the client logs to see if any of these errors are pertaining to why you can't connect, and if you go to Status, System Logs, OpenVPN, you can see if there's any log errors that you may have that are related to your problem here. Of note, for anyone wondering why there's so many errors, these are unrelated to this demo; this is because when I set up a new pfSense server, another demo that I'm working on is still trying to connect to this and it doesn't exist anymore, so these are the type of handshake errors you get because it's trying to present the wrong certificate. And I can't quite express just how important it is that you take the time to look at the client and the server logs when you have a connection failing before you post in a forum. It'll be one of the first things people, and especially myself, ask: where's the logs? You can't just say it didn't connect or it doesn't work without some little bit of research into the logs of why, because the why is pretty detailed out in the logs in pfSense or even on the client side.

Nonetheless, I love hearing from you; let me know your thoughts and comments on this and other videos, and if you want to have a more in-depth discussion about this, head over to my forums. It's a nice place to reach me, engage with me, and dive into some of the particulars, and maybe argue about ciphers, because I have a feeling there's going to be some opinions on that little piece there. Nonetheless, check out the rabbit holes you can go down; Computerphile is awesome for explaining ChaCha20-Poly1305, that's why I left a link to them down below so you can get a better understanding of how that cipher works. Like and subscribe, it's always appreciated; it really helps out the channel and lets you know that there's more content coming and lets you get notified of it, hopefully; YouTube's not the best at that, but it at least gives a suggestion that they should do it. Thank you for watching, and I'll see you over in the forums. Take care.
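As an added example (not from the video, pfSense, or OpenVPN), here is a small Python checker that audits an exported .ovpn profile for the choices walked through above (ChaCha20-Poly1305 in the cipher list, SHA256 auth digest, a TLS authentication key, no compression, and whether a per-user certificate is embedded, which is what separates an SSL/TLS + User Auth export from a User Auth-only one) and that checks a chosen tunnel range against the local networks and the common client LANs. The sample profile, the placeholder PEM bodies, the hostname vpn.example.invalid and the list of "common" LANs are constructed assumptions, not a real export.

```python
import ipaddress
import re

# Constructed sample of an exported OpenVPN client profile (placeholders, not a real export).
SAMPLE_OVPN = """\
dev tun
client
remote vpn.example.invalid 1194 udp4
data-ciphers CHACHA20-POLY1305:AES-256-GCM
auth SHA256
auth-user-pass
<ca>
PLACEHOLDER-CA-PEM
</ca>
<tls-auth>
PLACEHOLDER-STATIC-KEY
</tls-auth>
key-direction 1
"""

# Assumed "common client LAN" ranges; a tunnel overlapping one collides with the user's own network.
COMMON_CLIENT_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def parse_ovpn(text):
    """Return (directive dict, set of inline <block> names) from an .ovpn body."""
    directives, blocks, inside = {}, set(), None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if m:  # entering or leaving an inline block such as <ca> or <tls-auth>
            inside = None if m.group(1) else m.group(2)
            blocks.add(m.group(2))
            continue
        if inside or not line or line.startswith("#"):
            continue  # skip block contents, blank lines and comments
        key, _, value = line.partition(" ")
        directives[key] = value
    return directives, blocks


def audit_profile(text):
    """Return findings for deviations from the settings above; an empty list means clean."""
    d, blocks = parse_ovpn(text)
    findings = []
    if "CHACHA20-POLY1305" not in d.get("data-ciphers", "").split(":"):
        findings.append("data-ciphers lacks CHACHA20-POLY1305")
    if d.get("auth", "").upper() != "SHA256":
        findings.append("auth digest is not SHA256")
    if not blocks & {"tls-auth", "tls-crypt"}:
        findings.append("no TLS authentication key")
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression enabled")
    if "cert" not in blocks:
        findings.append("no per-user certificate (user-auth-only profile)")
    return findings


def tunnel_conflicts(tunnel, local_nets, client_lans=COMMON_CLIENT_LANS):
    """List the networks the chosen tunnel range overlaps; it should overlap none."""
    t = ipaddress.ip_network(tunnel)
    return [n for n in local_nets + client_lans if t.overlaps(ipaddress.ip_network(n))]
```

Run audit_profile on a real export and tunnel_conflicts on the wizard's tunnel network before rolling the profile out; the sample above flags only the missing per-user cert.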
Info
Channel: Lawrence Systems
Views: 29,977
Keywords: LawrenceSystems, pfsense openvpn, pfsense tutorial, pfsense openvpn configuration, pfsense openvpn configuration step by step, pfsense vpn, pfsense openvpn setup, openvpn tutorial, pfsense setup, pfsense (software), openvpn pfsense
Id: I61t7aoGC2Q
Length: 17min 7sec (1027 seconds)
Published: Wed May 17 2023