pfSense Basics - Remote User VPN

Captions
What's up guys, Andy with Crosstalk Solutions again, and today I'm going to be going a little bit further into pfSense and VPNs. In this video we're actually going to set up a server for remote users or remote clients: it's a single endpoint to VPN back into your local LAN. This comes in especially handy for anybody that travels and needs to access documents back at the actual office. This would allow you to do so securely from, say, a hotel Wi-Fi or whatever the case may be. So without further ado I'm gonna go ahead and just jump right into it.

Okay, so we're sitting here, I've already logged in. We're reusing one of the pfSense boxes from the previous video; this is the red site. So the first thing you want to do is go to your cert manager here, and we are going to create a certificate authority. So select that, create internal CA. We're just going to call this one crosstalk CA, and you just fill out whatever info is appropriate here. I'm just gonna say common name, we will call this crosstalk CA. Go ahead, create that, and there you go, now we've got an internal certificate authority.

Now to create a couple of certificates using that CA that we just created. You're gonna come over here to your certificates tab, go ahead and do add, and we want to create an internal certificate. Descriptive name: we're gonna do a server certificate here, so we're gonna call this crosstalk server. Certificate authority is the one we just created. Key length: if you're paranoid... I don't see much benefit to going that high with it, but if you're paranoid you can go much higher on the key length. Keep in mind it takes a little bit longer to generate a bigger key though. Let's see here, so it's already got our info pretty much filled in from the CA. Common name, we're going to keep this simple, so we're going to again call it crosstalk server. And where is my type? There we go, you want to change this right here, the certificate type, down to a server certificate for this particular one. Go ahead and save that.

Now the next step is we need to create client certificates for however many remote users are going to be connecting back into this machine. In this case we're just going to do one, just as a demo. So we're basically going to repeat the same process we just did, only we won't change that certificate type since it defaults to a user certificate. So we're going to call this crosstalk client here, common name same thing, crosstalk client. Now the difference: up here, the top one is just for your own reference, it's never really used anywhere in the config, so you can have spaces, special characters, just something convenient, something easy for you to remember. But down here, the common name, I usually try to keep it something close to the description above, but that does need to be with no spaces, no special characters or anything like that, just one continuous string. I'd say, as for the actual length, a good rule of thumb is no more than maybe 20 characters or so; you start getting any longer than that and it's just ridiculous. Okay, so our certificate type, like I said, we're not going to change this, and we're gonna leave this one, add user certificate. And so there you go, now we have both our certificates in there, so we are done with the certificate manager section.

Let's go create our actual VPN server. So under VPN we're going to come down here to OpenVPN, and we are creating a server. So last time, if you'll remember, we did a site-to-site; this time we are going to do a remote access, and we are doing certificates, so we're going to do SSL/TLS. Device mode: tunnel mode, that's fine. Interface: we want WAN. Now, since we've already used 1194, which is the default port for OpenVPN, for our site-to-site tunnel between the red side and the blue side, pfSense has already got us one port above that, so we're going to leave it at 1195. This is going to be our "remote clients". I usually leave this off; that's your preference, you can turn it on if you want. Here we're gonna use our crosstalk CA, then we are going to actually set this to that crosstalk server cert that we created just a minute ago. The rest of these should pretty much be just fine. There we go, and here we're going to do our tunnel network, which, if you'll remember from the last video, just needs to be something other than any of the LANs you're wanting this user to access. So I'm gonna call this one 192.168.12.0/4. Also, when you're deciding the subnet for this, if you're gonna have more than 255 or 254 users connecting to this (actually less than that, with the way that it divides it up) you'll want to consider using a bigger netmask. But if you're going beyond, you know, more than a few dozen users, you're probably needing more than one VPN server. Just something to think about.

Let's see here, now the IPv4 local networks is going to be what you want this to be able to reach, so we want the red local subnet in this case, so anything on this local subnet. Further down here in the advanced client settings, something that you can actually do is enable giving it DNS servers that you supply. Case in point being, I hate dealing with Windows Active Directory, but I did have a client that did want the Windows Active Directory DNS servers to be passed out to any of the remote clients. And that comes in handy if you've got, say, a user that has a laptop that's part of your company domain, for instance, and whenever they're out at a remote site you want them to be able to VPN back into the Windows domain network and be able to access mapped drives and network shares that they're accessing by name and not just by IP address. So this would be where you would enter that type of information. For this one I'm not going to do that, I'm just gonna leave it disabled; we're just gonna get our user connected here. So I believe that's gonna be just about it for setting up your basic server.

We're still not done though, we've got a couple of other steps. So after that's done, you want to go over here to your firewall, just like we did for our site-to-site, and on our WAN interface here. To make this easy, since we've already got the rule from the other one, I'm just going to actually copy this rule, make one based off of it, so that way everything else is set already. It's UDP, for this we want to match it to the WAN address, and here's where I would actually change it: change it to our 1195 port that we specified for our remote users. And I change the note to "OpenVPN server remote users", just something so it's easy for me to remember. Go ahead and apply that, so that should allow remote users now to connect on the WAN side.

And then, to get the remote users what they need to actually connect, we're going to install a package that is available in the package manager on pfSense. So right under System, Package Manager, we'll land on this page; you want this available packages tab, and for the search term we're gonna do "export" and hit enter. And right there, OpenVPN Client Export: as you can see, allows a pre-configured OpenVPN Windows client or Mac OS X Viscosity configuration. So it'll generate our config files and make life just a whole lot easier for us. So we're gonna go ahead and click install and confirm that we want to install this package, and there we go, already installed. So once that's done we're gonna come back over here to our VPN tab, and under OpenVPN you'll see that it's actually added a tab here, actually a couple more tabs. So we're gonna go ahead and hit the client export tab that it's now added.

One piece of information I didn't mention earlier in the video: the machine that we're shooting this video on is actually not inside the local LAN, so I'm actually accessing this on the pseudo or pretend public IP address, just an FYI. So we're gonna use this machine as our actual test machine to connect. So I would like to show you right quick, before we actually connect this puppy, as you can see we cannot ping pfSense's internal IP address. Alright, so under our client export utility here you're going to choose the server, so we've got Remote Access Clients UDP4:1195, that's our server we just created. Interface IP address, that should be fine; if you do have a DNS name you can do other, or pfSense also has, under services here (we'll do this in another video), dynamic DNS available, and if you enable that it'll show up in this list here. So we're going to use the interface IP address for this one, make things really easy. A lot of this can be pretty much just left default, and then down here you'll see a list of your actual client certificates available. And so what we're gonna actually do here, since we're on a Windows machine, is just click this guy right here, Current Windows Installer (2.4). What that's gonna do is actually generate this executable installer down here. So if you click on that, now go ahead and show it in our folder, you'll need this over to where you can see it, and then right there is our installer. Double-click that guy, go ahead and run it. It's gonna ask you, do you want to install this? Yes we do. Go ahead and click our install, next, I agree. Fortunately they don't have any adware or spyware in this, so you can pretty much just next, next, install all the way through it, and it's going to pop this up here asking would you like to install this software; always select that and click install. It's installing the TAP driver, and that is what we need to actually be able to use on the VPNs. Finish, close this. Alright, and so now we should be able to just start typing OpenVPN in our search there, and there's our GUI. We're gonna go ahead and start that, and that's gonna put down here in our system tray our OpenVPN GUI, and if you right-click on that and click connect, this window should disappear as soon as we're successfully connected, provided we are successful. There we go, got that little guy down there, says we're connected. Okay, and now we're gonna repeat that ping that we did earlier, and there you go, you're actually pinging an internal address from the external machine.

Well guys, I think that's about it for this video. One thing I do want to mention is, in the last video we had the red site and the blue site. Now, if you go in and modify the accessible networks on that site-to-site tunnel, you can enable it to where this remote user here that's connected in can not only access the stuff behind the red site's firewall, but their traffic can also traverse the site-to-site tunnel and access the stuff at the blue side as well. I'll probably do another, like an advanced VPN routing video, at some point on that, but that's kind of outside the scope of this one. As always, if you liked this video please give me a thumbs up, if you want to see more like it don't forget to click Subscribe. Until next time guys, have a good one.
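The export package hands the remote user a single .ovpn profile that encodes the server settings chosen above. As an added example (not from the video or from pfSense's client-export package), this Python script parses a constructed profile in that unified format and flags the settings a reviewer would check before distributing it: tun device mode, a remote on UDP 1195, inline CA/client cert/key, and server-certificate verification. The IP address and inline blocks are constructed placeholders.

```python
import re
# Constructed sample in the unified .ovpn layout; inline blocks are placeholders.
SAMPLE_OVPN = """\
dev tun
client
remote 203.0.113.10 1195 udp
remote-cert-tls server
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
"""

def parse_ovpn(text):
    """Split a profile into plain directives and inline <tag> blocks."""
    directives, blocks, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:  # opening tag starts a block, closing tag ends it
            current = None if tag.group(1) else tag.group(2)
            blocks.setdefault(tag.group(2), "")
        elif current:
            blocks[current] += line + "\n"
        else:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks

def review_profile(text, port="1195", proto="udp"):
    """Return findings; an empty list means the profile matches the server."""
    d, b = parse_ovpn(text)
    findings = []
    if d.get("dev") != [["tun"]]:
        findings.append("device mode is not tun")
    if not any(r[1:3] == [port, proto] for r in d.get("remote", [])):
        findings.append(f"no remote on {proto}/{port}")
    for tag in ("ca", "cert", "key"):
        if not b.get(tag, "").strip():
            findings.append(f"missing inline <{tag}>")
    if "remote-cert-tls" not in d:
        findings.append("remote-cert-tls server missing")
    return findings
```

Run `review_profile()` over a real exported profile to confirm it targets the 1195/UDP server rather than the 1194 site-to-site one and still pins the server certificate type.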
Info
Channel: Crosstalk Solutions
Views: 44,282
Keywords: pfsense, remote user, remote user vpn, vpn, user vpn, pfsense vpn, crosstalk, crosstalk solutions
Id: Q6YbCQEiC3c
Length: 15min 22sec (922 seconds)
Published: Thu Dec 21 2017