OPNSense – OpenVPN Instance Remote Access (SSL/TLS + User Auth)

Video Statistics and Information

Captions
Hello everyone, welcome back to another tutorial from Sysadmin102. In today's video I will show you how to create an OpenVPN instance and set up remote access with SSL/TLS as well as user authentication. If you are new to my channel, don't forget to subscribe, like and share at the end of the video if you think the video is helpful, and if you are my returning viewer, thank you for your support. With that, let's get started.

All right, before we even start, let's make a copy of the system configuration so in case anything goes wrong you can restore from there. We are human and humans make mistakes, so let's just make sure that we have a backup. Navigate to System, Configuration, Backups, and from here you can download the configuration, or you can encrypt the configuration as well. And there we go.

First, let's go over the requirements. In order to set up an OpenVPN instance you will need either a public static IP address or a dynamic domain name system (DDNS). There are free DDNS providers out there, or you can purchase one; it probably costs around $10 per year, and depending how fancy the domain you want is, it might cost a little bit more, but you can purchase one and set it up. I have a tutorial to set up DDNS with OPNsense using Cloudflare; however, if you're using a different domain service provider it's pretty similar and you can follow my tutorial as well. Let's get started.

The first step: we will need to create a local certificate authority if you haven't done so. If you already have one, you can skip to the next step. In OPNsense we navigate to System, Trust, and then Authorities. We're going to add a new one, and from here I'm going to select Create an internal Certificate Authority. I'm going to call it Sysadmin102 VPN Server CA, and then I want to keep the default RSA. Then the key length: the longer the key length, the longer it takes to generate the key, so you can keep it at the default 2048 or you can go up to 4096, but whatever you do, make sure that it's the same for the certificate authority, the server certificate and the client certificate. For this tutorial we keep it at the default 2048. For the digest algorithm I will select SHA512; the higher, the more secure. The lifetime for the certificate is up to you, but typically 365, that's one year, and if you add a zero that's ten years. Then you're going to fill out all the applicable info. Common name: typically I like to keep it the same as the descriptive name. Once you're done with that, you click Save.

Next we're going to create the server certificate, so that would be step number two if you follow my tutorial. We're going to go to Certificates and select Add to add a new one. We're going to create an internal certificate; I'm going to call it Sysadmin102 VPN Server Cert. For the certificate authority, make sure you select the correct one if you have multiple certificate authorities, and then the type is going to be server certificate. Again RSA; we're going to keep everything as default except for the digest algorithm, which we're going to change to SHA512, and for the lifetime I'm going to give it ten years, or 3650. For the common name, for this one you're going to use the fully qualified domain name (FQDN) of your OPNsense; if you do not have one, you can use the same as the descriptive name. For this one I'm going to call it op.sysadmin102.org. Once you're done with that, select Save.

For the next step we're going to create a username and generate the user certificate, so you would be on step number three. In order to do that we will navigate to System, Access, and then Users, and we're going to select Add a new user. I'm going to call it testuser1, then we're going to give it the password, then the full name Test User One. You can create a user certificate from here, but we're going to do it manually. So if you already have a user account created, you would go to Users and select Edit on the user that you want to generate a certificate for, then head down to User Certificate, and here we can add or create a new one. We're going to select Create an internal certificate, then make sure you select the correct certificate authority if you have multiple, and obviously it's going to be a client certificate. Again RSA 2048, we're going to keep the default, and then for the digest algorithm it's going to be SHA512, and for the lifetime I'm going to keep the default. The common name is typically automatically populated the same as the descriptive name. Make sure that your descriptive name and the common name are the same if you're going to strictly enforce the CN, or common name: if the common name and the username don't match, you're not going to be able to log in or authenticate with the VPN server. Once you're done with that, select Save.

Moving on to the next step. In step four we create a static key. In order to do that you would navigate to VPN, then select OpenVPN, then Instances, and from there select Static Keys. We're going to select Add a new one; I'm going to call it OpenVPN Key1, and we're going to keep the default setting for the mode, encrypt and authenticate all control channel packets. So I'm going to select Generate new key, and we're going to save it.

Next we're going to create an OpenVPN instance, so you would navigate to Instances, and if you follow my tutorial it would be step number five. We're going to select Add. For the description I'm going to call it Sysadmin102 VPN Server, and the port number is going to be 1190 for me. It's going to be UDP. By default it's going to be 1194; however, I already have an OpenVPN server currently running using 1194, so I'm going to use 1190. If this is your first server you can use 1194, or you can pick whatever applicable port you want to use. Bind address: this is only if you have a public static IP address; if you do not have one, leave it blank. Then server IP: we're going to use a Class A private IP address, so 10.1.8.0 and subnet 24. Keep in mind that you should select a unique subnet, because if it's the same subnet used by common routers, such as 10.0.0.1/24 or 192.168.0.x (these are common subnets), and it's the same as the router that you are connected to, the VPN won't know how to route the packets because it can't uniquely identify the location. Server IPv6 is optional if you want to have IPv6; if not, you can keep it blank. Topology is going to be subnet, and then for certificate we're going to select the server certificate that we created earlier. Keep everything default, do not check anything else, and we're going to select One (Client+Server). For TLS static key, we're going to select the static key that we just created in the last step. Authentication is going to be the local database, or if you want to use LDAP servers, that's your option. Then strict user CN matching: when you're authenticating users, this enforces a match between the common name of the client certificate and the username given at login. If you enforce this and the username and the CN, or common name, of the client certificate don't match, that username won't be able to log in with that certificate; you would have to regenerate the certificate. So the option is yours whether you want to enforce CN matching or not; for a use case such as sharing the certificate with multiple users, this option should be off. Local network: this is going to be your local IP address, so for me it's going to be 10.13.2.0 and subnet 24. Remote network is going to be blank. Options: I'm going to select client-to-client, which lets two clients in the same tunnel connect to each other. Again, if you want to read more about the options, head over to my website; I have the definition for each one of the options. For push options we can select push block-outside-dns, which is going to block the outside DNS, and register-dns; keep in mind these may only work for Windows. And redirect gateway: if you select it, all traffic is going to be routed into the VPN tunnel; however, if you select that option you have to either set up NAT or some kind of interface and rules in the firewall so that it knows how to route the traffic. If you keep this off, you are still able to connect to the remote site and access the resources, but your internet is still going to go through the untunneled path, so you still have unencrypted traffic over whatever internet you are connected to. For this one we're going to select the default. Again, all the options and the definitions of what they do I have on my website, if you want to check it out. We have Register DNS, so you can either select push register-dns or you can select this option; either one is fine. Then DNS default domain: this is if you have a domain; if you don't have a local DNS, you can keep it blank. For DNS servers it's going to be my DNS server, 10.3.2.1, or you can add Quad9 or the Cloudflare DNS server. There we go. If you want to have NTP servers, that is optional as well. Once you're done with that, select Save and don't forget to hit Apply changes.

In the next step we're going to assign an interface to the VPN server, so that would be step number six if you follow along with my tutorial. We navigate to Interfaces and select Assignments, and from here, under Add new interface, we will select the OpenVPN server. As you see I have two of them, and the one I just created is the 1190 one. You can change the description or use the prepopulated one, and select Add. When we've added it, make sure that you save it. Then we're going to select Sysadmin102 VPN Server 1190, the new interface that we just created; we're going to enable the interface, check Prevent interface removal, save it, and don't forget to apply changes.

Now that we have the interface created, the next step is to add firewall rules. In order to do that you would navigate to Firewall and select Rules. We're going to set the WAN (wide area network) rule first. The first rule we're going to create allows the outside traffic to access the VPN server. As you see I already have one for 1194 over OpenVPN; now we're going to create a new one. For the first one, action is going to be Pass, and it applies when traffic direction is In. We can allow either IPv4 or IPv6; for protocol, we're going to allow any protocol, or you can select, as I'm going to for this case, TCP/UDP. For the destination we're going to select WAN address. Right here, the destination port: if this is your first one and you selected 1194, you will select OpenVPN from here; if you selected any port other than 1194, you will select Other and then specify the port number here, which is 1190 for me. Once you're done with that, select Save and don't forget to select Apply changes.

Now we're going to add a second rule. This is to allow the clients to access whatever IP addresses they intend to access, or you intend for them to have access to. So we select Sysadmin102 VPN Server 1190, the one you just created earlier, and we will select Add a new rule. Again it's going to be Pass; everything should be at default. TCP/IP: again I'm going to select both IPv4 and IPv6 and any. Then for the source it's going to be the Sysadmin102 VPN Server 1190 net, and everything else should be any, and that should be it. Keep in mind, to keep it simple I select any for the destination; that means the VPN tunnel will have access to all the resources offered by the OPNsense router, any subnet it will have access to. You can choose whatever subnet or customize it to limit the amount of access that anybody who can access this VPN server has; that's totally up to you. But for the simplicity of the tutorial we're going to select any; again, tweak it to whatever is applicable for you. We're going to save it, and again don't forget to apply changes.

We should be at the last step, which is step number eight, exporting the client. This is super simple. What you would do is go back to VPN, select OpenVPN, and select Client Export, and from here you're going to select the remote server. I'm going to select the one we just created, which is 1190. The export type is going to be File Only, unless you use a client such as Viscosity. Hostname: this is where it comes down to whether you have a public static IP address; if you do, you would put your static IP address in here; if you do not, you would use your DDNS, or dynamic DNS, address. And of course the port is going to be 1190; again, if you use the default OpenVPN port it's going to be 1194. From there you just select Download to download the certificate, and from there you should be able to import the certificate with any OpenVPN client. If you are on a Mac you can AirDrop it to your iPhone; if you have the app already downloaded, it automatically opens with the app, and from there you just input your username and password for that user, and you should be able to access the OpenVPN server. If you think this tutorial is helpful, don't forget to subscribe, like and share. Thank you for watching and I'll see you guys in the next tutorial. Bye-bye.
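As an added example (not from the video or from OPNsense), a small Python check for the subnet rule the tutorial stresses at step five: the OpenVPN server subnet must not overlap the OPNsense local network or the ranges that clients' home routers commonly use, or the pushed routes collide with the client's own LAN. The common-range list is constructed for this example; the video's own values 10.1.8.0/24 and 10.13.2.0/24 are used as sample input.

```python
import ipaddress

# Constructed list of LAN ranges that home/office routers hand out by default.
# The video names 10.0.0.0/24 and 192.168.0.0/24 as examples of such ranges.
COMMON_LAN_SUBNETS = [
    "192.168.0.0/24",
    "192.168.1.0/24",
    "10.0.0.0/24",
    "172.16.0.0/24",
]


def check_tunnel_subnet(tunnel, local_networks, common=COMMON_LAN_SUBNETS):
    """Return a list of conflict descriptions for a planned OpenVPN layout.

    tunnel         - the instance's Server (IPv4) subnet, e.g. "10.1.8.0/24"
    local_networks - the Local Network entries pushed to clients
    An empty list means the tunnel is unique with respect to both the
    OPNsense local networks and the common client-side LAN ranges.
    """
    tun = ipaddress.ip_network(tunnel, strict=False)
    local = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    client_lans = [ipaddress.ip_network(c, strict=False) for c in common]
    problems = []

    # The tunnel itself must not collide with the networks behind OPNsense.
    for net in local:
        if tun.overlaps(net):
            problems.append(f"tunnel {tun} overlaps local network {net}")

    # Nor with the LAN a roaming client is likely to be sitting on.
    for lan in client_lans:
        if tun.overlaps(lan):
            problems.append(f"tunnel {tun} overlaps common client LAN {lan}")

    # A pushed local-network route is equally useless if it matches the
    # client's own LAN, so flag that combination too.
    for net in local:
        for lan in client_lans:
            if net.overlaps(lan):
                problems.append(f"local network {net} overlaps common client LAN {lan}")
    return problems


if __name__ == "__main__":
    # The video's choices: tunnel 10.1.8.0/24, local network 10.13.2.0/24.
    print(check_tunnel_subnet("10.1.8.0/24", ["10.13.2.0/24"]))      # []
    print(check_tunnel_subnet("192.168.0.0/24", ["10.13.2.0/24"]))   # one conflict
```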
Info
Channel: SYSADMIN102™
Views: 2,922
Keywords: Nhan, Nguyen, Sysadmin102, openvpn pfsense remote access, pfsense remote access, openvpn access server, pfsense openvpn remote access setup, pfsense vpn remote access, openvpn com remote access, opnsense openvpn android mobile remote access, pfsense openvpn remote access ssl/tls + user auth, pfsense openvpn remote access, secure remote access, access server, pfsense private internet access, remote access, remote access vpn, private internet access vpn setup, private internet access
Id: 3A5eIYs6adk
Length: 22min 0sec (1320 seconds)
Published: Wed Mar 06 2024