Some from Sheridan Computers, gonna be taking a further look at pfSense. This time we're going to be looking at how to set up OpenVPN. So one of the current issues at the moment is the fact that everybody's got to work from home with this COVID-19 issue. pfSense is an open-source firewall solution, so it's a perfectly acceptable way to give your employees remote access to your office. So I'm going to go through and I'm going to show you how you can set up OpenVPN, set the clients up on the employee machines, etc., and from there you should be fully accessible to the inside of your office and your internal office network.

So if you like this video, please do take the time to hit the like button and consider subscribing to the channel. If you hit the notifications icon you will receive notifications of any new videos as they are released. Also, if you would like to hire us for anything such as this project, for example, head across to our website, Sheridan dot co dot UK. If you click on the "hire us" button and leave some details on what you're looking for, we'll get back to you.

So let's get started. We're taking off from the fresh install of pfSense that I did in my previous video, so now I'm gonna have a look at what we need to do to set up OpenVPN.

Okay, so this is basically where I left pfSense on my previous video I did on how to install pfSense: I installed it, set a couple of initial options, and we left it here. So this is where I left that video. So to set up OpenVPN we're gonna need to go into the VPN tab and select OpenVPN. So we've got no servers in here. You can add more than one server. One thing to take note of is if you do add more than one server, they're gonna have to listen on separate external addresses or separate external ports; you can't have more than one VPN server listening on one port. Pretty much common sense, but just to clarify. So pfSense supports a wizard for setting this up, so we're going to go ahead and use the wizard. It cuts out a few steps, mainly with
certificates and things.

So we need to select an authentication back-end type. We have various options: local user access, which just uses a local database of users, or we can use LDAP or RADIUS. For this purpose we're going to use local user access. I'm going to click Next.

So at this point the next step is to set up a certificate authority. So we need to set this up, so go ahead and give it a descriptive name. I'm gonna use Pearson ca0, I typed that in on a previous. Just give it something that you can identify, to make life easier in the long run. The key length is fine at 2048 bit. Lifetime will be set to 3650 by default, so 10 years should be long enough for us. So we need to put the two-letter ISO country code, so GB; state or province, Greater Manchester; Manchester is the city; and then we're gonna put the organisation name as well. So let's go ahead and hit create that certificate.

So we've created that, so now we need to create a server certificate. So I'm just gonna put SSL VPN. Again, we can leave it at 2048 bit. Lifetime, it says 398 days. So, sorry, lifetime in days: the server certificates should not have a lifetime over 398 days or some platforms will consider them invalid. So you can set this to whatever you want; it's at 365. We can leave the rest of the options at default and go ahead and create that certificate.

So we've created the certificate for the certificate authority, we've created the certificate itself, so the next thing that we need to do is to actually set up the OpenVPN server. So interface is obviously going to be your WAN interface, so we need to listen for our incoming connections on the WAN; not really much point in listening from LAN. Protocol: so we can use UDP, so UDP on IPv4, IPv6, TCP, or we can use, like, multihomed. I'm just gonna use UDP on IPv4 only. If you're using IPv6 then you're obviously gonna want to change them settings. Local port: as I mentioned, you can only have one server listening on one port, so the default is 1194; we're gonna leave that as default. One thing to
know here is once you've created the server you still won't be able to connect unless you open the port in the firewall anyway. So you can give it a description; I'm gonna leave it for the time being.

TLS authentication: yeah, let it create the shared key. DH parameter length: we're gonna leave that at group 14, which is 2048 bit. Encryption algorithm: so 128 bit is like a standard. It's not quite as secure as 256 bit, but it's secure, and it actually runs a lot faster. But we're gonna use 256 CBC, and I want 256 bits, SHA-256. If your hardware supports crypto hardware then go ahead and select that; it will speed the VPN up by a lot.

Tunnel network: so it says here this is the virtual network used for private communications between this client host. So if at your office you've got 192.168.1.0 and at home you've got 192.168.0.0, you'd create another network. The default is 10.0.8.0, and that acts as an intermediary subnet between the two. So one thing to be careful of here is if you set your network up to 192.168.0.1 it'll cause problems with a lot of home users and things. The same with local network ranges: it's generally a good idea to avoid using subnets that'll clash with a lot of home user routers and things. So 10.0.8.0/24 is fine, other problems using this.

Redirect gateway: so if you don't tick this, your clients will still be able to access the machines on the other side of the network. If you do tick it, all the internet access will also go straight through this gateway. So that's kind of dependent on a use case scenario. I generally do tick this and redirect traffic through it; if people want to use the internet they can disconnect from work. It also gives options with DNS later.

Local network: this is 192.168.1.0/24. Local network, again, like I said, you should avoid using this for home routers, anything connected to this. Concurrent connections is the maximum amount of connections that you'd like at any one time, so stick
a sensible value in there. Compression: if you want to set compression you can do this. If you're gonna set compression, leave a legacy style compression on there for older VPN clients. I'm just gonna leave that as is. Type of service: I've never needed to play with this too much.

Inter-client communication: so, allow communication between clients connected to this server. So this option here is if you have two laptops from home users; if they need to be able to access each other then you want to allow it. Generally you wouldn't if you're connecting to an office; they need to use a server, Office 365, whatever you use there. So I generally do not allow communication between clients. You might have a perfectly good reason to do so.

Duplicate connections: allow multiple connections from the same client. It can cause issues and I wouldn't do this. If you have somebody that's got a laptop, for example, I have my laptop that has one connection, and I have a separate connection set up for my phone, so a completely different username and password for each device.

Dynamic IP: allow connected clients to retain their connections if their IP address changes. That's generally a good thing to leave ticked, because if they disconnect and then reconnect with a different IP address, it'll change the IP address on the VPN. So that's generally a good idea to leave that as it is. Subnet: you can assign a /30 if you'd want to; you can just leave this as it is.

The default domain is the default DNS domain that you want to pass, so if it's, you know, something like sheridan.local, that'd be the domain, especially if you're on Active Directory. DNS servers are the DNS servers you'd like to pass to your clients. So in here you can put, like, Cloudflare, 1.1.1.1, or use Google, 8.8.8.8. If you're on an Active Directory type of network then generally you'd want to put the IP address of your DNS server in there, so they can resolve other clients and devices on the network,
and you can push an NTP server. Again, if you've got a local NTP server, put that in there to push it out as well so everything matches up. Whether or not you want to enable NetBIOS over TCP/IP, Vardhan, to make things easier for your client, and then you can specify WINS servers as well. So we'll go ahead and click Next through this.

Firewall rule configuration, OpenVPN remote access server setup wizard. So we're gonna basically let it create firewall rules for us. Now when it does that, keep in mind it's going to allow all traffic into the port that we defined our server on. So we want to create that, and I also want to create the OpenVPN rule as well. This is the benefit of using the wizard: you don't have to set these up manually.

So the OpenVPN server setup wizard is now complete and we can go ahead and set our users up. Once we've done that we can browse to System, Packages and install the OpenVPN client export. I did mention this on my previous video and I did install it on the previous video, and it's a really handy package to have installed. It just allows you to create and export the clients very easily, download them onto a laptop or pen drive or email them or whatever, and it sets up quite easily. So go ahead and click Finish.

So as you can see, we've got our interface set up, we've got protocol, port, and the tunnel network. It just shows an overview of it, and if we want to go in and edit these for any reason then we can go in and change our settings. We can disable the server and we can basically adjust any of the settings that we've just made, and you can see our certificates are generated here. Just have a look if there's anything that we need to change in here. No, it's pretty much picked everything up for us. So if you do make any mistakes or you need to make any changes then you can do that.

Block outside DNS: this is generally a good thing to do, especially if you're forcing traffic through the gateway. You can block access to all DNS servers, so it forces the DNS
through the gateway and over the VPN. So if you do that in an Active Directory environment, that way you make sure that the DNS is absolutely querying your DNS servers. We can do a force DNS cache update, which is generally good on Windows 10 machines, so it'll clear the DNS before it gets to the VPN so addresses resolve correctly. If you want to provide a list of NTP servers to the clients, that's fine, and you can stick in any OpenVPN pass-through rules; you can put them in there if you need to get a bit more advanced with it. And gateway creation: I did set it up on IP, it's set to both, but even though we're only using IPv4, I find on both. That's it. So now we can go ahead and look at creating users.

So now let's take a look at creating a user. So we're gonna create a user to allow them to connect. So if we go into User Manager and add a new user, give this a username. This also gives you the option to, you can edit these later and you can go back in and, like, disable users from being able to log in, which is really handy. And you're gonna want to give it a password, so go ahead and stick a password in there. Obviously give the user's name. Expiration date: so if you wanted to expire the account login after a certain date you can go ahead and do that. Custom settings: you don't need to worry about that too much. Group membership: not really gonna need to add them into admins. Certificate: let's go ahead and create it. So for descriptive name, I'm gonna basically give that the same name as the user, and then we can go ahead. That's pretty much it to create a user. So now that's created, as easy as you can see.

Okay, so how do I now go about configuring the endpoints to connect, whether it be a laptop or desktop, whatever it is? Well, this is where I mentioned if you go into package manager and ensure you have OpenVPN client export installed, this will just make life so much easier. So then when we actually want to set up a VPN for a user, we just need to go into VPN, OpenVPN,
and if we go into clients, sorry, Client Export, we can literally scroll straight down to the bottom and my user exists here. We've got various export options. So most clients will export an OpenVPN configuration file, which you can import into OpenVPN. We've set up inform Java, you can do it that way. If you're using Windows then there's a bundle here, so part of the export client package exports the OpenVPN client as well. So if we click that, it'll download the full installer and install OpenVPN. It'll not only install the package, you know, it installs the configuration files and it'll set it all up for you. So it's just a really quick and easy way to set these things up. So if we go ahead and download that, I'll go ahead and save it. So it's a Windows 10... well, let me go ahead and save that file.

Okay, so in order to do this I need to switch to a Windows machine, and I'll go through the install of how to do it on a Windows machine. I won't be able to install on this because it's Linux, so bear with me one second while I switch machines.

Okay, we're back on Windows and I've got my configuration file here, so we're gonna go ahead and run that. Okay, UAC pops up asking you for permission, so go ahead and do it, and then we get the OpenVPN installer. Click Install. The other's popped up over here; I'll click Next through the options. Let's go ahead and install. Don't show the readme, and now we have OpenVPN installed.

So we've run OpenVPN and the icon's here. Let's pause the video there while I drag the taskbar over so you can see what I'm doing. So if we right-click it, sorry, and do Connect, I'll drag this across. So this is what we get. So we put in our username that we specified and then the password. Let's grab what it was. So password, and then we can go ahead and try and connect. So now we're connected. Drop to a command prompt real quick. So now I should be able to ping the gateway on the other side of the VPN. There it is, finally appeared. The address of the machine that I set it up on, one moment: 192.168.1.1
And as you can see, I can ping my Kali machine as well. That's basically pretty much all you need to do to get OpenVPN set up. It is quite easy to set up, and we offer a service.

So like I said at the beginning of this video, if you liked it and you found this video helpful and you made use of it and you can now manage to set VPNs up and so forth, please take the time to hit the like button. It does take some time to do these videos, and if you subscribe to the channel you will receive notifications of any videos I do. That's about it for now. If you'd like to hire us, please head across to our website at Sheridan dot co dot UK, click on the "hire us" link and follow it through. Thank you.
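
Added example, not part of the video or its transcript: a small Python check for two points the walkthrough raises, namely subnets that collide with typical home-router ranges and the 398-day limit on server certificate lifetime. The function name and the list of "common home subnets" are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: subnets often shipped as home-router defaults (assumption).
COMMON_HOME_NETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/24"]
MAX_SERVER_CERT_DAYS = 398  # limit quoted in the walkthrough for server certificates


def review_vpn_plan(office_lan, tunnel_net, server_cert_days, home_nets=COMMON_HOME_NETS):
    """Return a list of findings for a planned OpenVPN remote-access setup."""
    findings = []
    lan = ipaddress.ip_network(office_lan, strict=True)
    tunnel = ipaddress.ip_network(tunnel_net, strict=True)

    # The tunnel network must sit between the two sides, not on top of the office LAN.
    if lan.overlaps(tunnel):
        findings.append(f"tunnel {tunnel} overlaps office LAN {lan}")

    # A remote worker whose home LAN matches either range cannot route to the office.
    for raw in home_nets:
        home = ipaddress.ip_network(raw)
        if lan.overlaps(home):
            findings.append(f"office LAN {lan} clashes with common home subnet {home}")
        if tunnel.overlaps(home):
            findings.append(f"tunnel {tunnel} clashes with common home subnet {home}")

    if server_cert_days > MAX_SERVER_CERT_DAYS:
        findings.append(
            f"server certificate lifetime {server_cert_days} exceeds {MAX_SERVER_CERT_DAYS} days"
        )
    return findings


if __name__ == "__main__":
    # Values used in the walkthrough: office LAN 192.168.1.0/24, tunnel 10.0.8.0/24, 365 days.
    for finding in review_vpn_plan("192.168.1.0/24", "10.0.8.0/24", 365):
        print("WARN:", finding)
```

With the walkthrough's own values the only finding is the office LAN range, which matches the caution given about home routers.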
