Tutorial: pfsense OpenVPN Configuration For Remote Users 2020

Captions
Tom here from Lawrence Systems, and we're going to talk about OpenVPN in pfSense. I've done videos on this before, but I want to do a 2020 edition of this particular video and talk about all the details, because a few options have changed in the last couple of years since that video. If you want to learn more about me or my company, head over to lawrencesystems.com; if you'd like to hire us for a project there's a "hire us" button up at the top, and if you want to support the channel in other ways there are some affiliate links down below to get your deals and discounts on products and services that we talk about on this channel.

Now I want to start out with our lab setup, so this is the first part of this, where we have to kind of describe where everything is to give you an idea. I have a Windows 10 running in VirtualBox locally on my computer here. VirtualBox has its own NAT firewall, and I did this on purpose so I could show you OpenVPN working through NAT, because generally that's why you use OpenVPN and where you'll be using it: whether you want to connect from home to your office, or from one office to another office, or whenever you're out and about, you want to use OpenVPN to connect to get to resources on the other side of the network, or just tunnel all your traffic. So this is the VirtualBox NAT; this is our pseudo-internet, if you will, the 192.168.3.0/24 network, and that attaches to the WAN side of a pfSense in my lab here, so it's got a WAN address of 192.168.3.195. Then we're going to focus on the fact that it has a 192.168.40 address. Yes, it has a 10 address; we're going to briefly mention it, I just wanted to point out it exists, but the goal when we have this configured is to get to this 40 network that is behind this particular firewall. So 192.168.40.1 is the gateway, it's 40/24, and we have this server running Debian at 192.168.40.119. So the goal is to get from this network to this network using OpenVPN.

So we're going to walk you through how the wizard works, and that's the easiest way to get started with OpenVPN. I've already got some other advanced videos on how to do some really tricky things with it, but we'll start with the basics here to get you started and walk through what these steps mean. So go over here to VPN, OpenVPN, and this is where you're going to run the wizard. Now, I guess I should probably back up real quick here and go over to the package manager, because this will make your life a lot easier: the OpenVPN Client Export utility. It's a free plugin; I've already got it loaded. Just go into the available packages and look for OpenVPN Client Export. It'll save you a lot of trouble, as you'll see after we run the wizard. So the wizard will configure everything for you in terms of OpenVPN, and the client export is really helpful in making it simple when you want to export all the settings and import them into Windows. Right now the client export is loaded, but there's nothing in here because there are no VPNs configured. The way it works is you'll have a list of servers here; you can configure more than one OpenVPN server inside a pfSense, and there are special use cases for that. I've already got another video on how to use RADIUS or LDAP; those other options, if you have other authentication methods, are available, but for the basics we're just going to cover local user access.

Now, if you didn't have a certificate authority, the wizard lets you create one. Pretty simple: you'll fill out the information of your made-up self-signed certificate authority. We're going to click Next, as I have one; I already have a certificate called LTS VPN, pretty straightforward there, so we'll go ahead and choose that. Then protocol: UDP multihome, or just TCP, or UDP on IPv4. I'm going to say the best way to do this is going to be TCP IPv4, but it's up to you. You can leave it at default and it'll work perfectly fine and have both enabled, but some people have asked me, and I don't have a lot of knowledge in IPv6 myself. It does have support for it, but I know there are limitations to it, so don't ask me anything about IPv6 support.

Now, if you have the hardware acceleration, turn it on; I don't in this particular lab environment, but all these other defaults are pretty much fine here. So we're going to go down here to tunnel network. This is important: make sure this tunnel network does not conflict with any other network. It's defaulting to 192.168.70.0/24, and the tunnel network is basically the bridging methodology in between. So even though you see on this here going from this network, through right here, and getting me here, the tunnel network is essentially an intermediary that is going to be created in here, so we can technically add it to this, and we'll call it tun1, 192.168.70.1/24. What these are is kind of a virtual network that is the broker to get the data across. As long as it doesn't conflict with any other networks you're fine; if it does, change it. It's kind of arbitrary that it's set to 70.

Now this part here, redirect gateway: this one can be a bit of a challenge, because this is a big design decision. So we have the local networks down here that we want to push, where we want to say "hey, you have access to these networks," and it pushes the routing information for 192.168.40.0/24 and 10.10.10.0/24. But forcing all generated traffic through the tunnel, let me give you a better idea of that. So this is going to come through here, come across here, go in here and have access to this resource, but how does it get back out to the Internet? Well, right now it's going to go from here through the VirtualBox NAT, and away we go this way, out to the Internet. When you redirect the gateway, that works differently: if you redirect the gateway, that means we're going to take that computer and it actually goes out of here. So it's going to come in here and come back out and go out to the Internet this way. This is redirect gateway, to give you an idea.

So if you want to use this, that's great, except for the problem you run into. Now, this is an excellent scenario for when you're out of the office and you want to tunnel all your network traffic back through your office network, because you want to make sure that everything you do is encrypted within that tunnel. That works great. But if you have a business and you have a lot of remote users and you want all of their traffic tunneled through the network, now that means all of their traffic: that means if they have YouTube open, Netflix open, anything that that particular computer has, once it's VPN'd in, it's now redirecting all the traffic there. This applies as well if you're doing a site-to-site VPN with OpenVPN: do you want all that site's traffic to completely tunnel through? Over this, it sometimes creates bandwidth problems and restrictions, because you only have so many resources to dedicate to OpenVPN. Now if you have a really fast server and a lot of bandwidth it's not a big deal, but this is a big design consideration. Like I said, you want to make sure you have the ability to handle the bandwidth. One user, not a big deal; 10 users, 20 users, 30 users later, and all of them have different things open and are not just trying to access this one lonely server down here, they're tunneling all their traffic through and then back out here, so through and back out, and it can take a lot of resources to run that. So decide whether or not you want to redirect the gateway, and push whatever networks you want down to the map for access. This is an advantage when you set up multiple VPNs: you can say maybe I only want to push certain networks over this. You can set up multiple servers inside a pfSense on different ports. Because I've actually set this up a few times, it's defaulted to port 1195; you can actually choose any really high-level port you want for OpenVPN, it doesn't have to be on 1194 or 1195. Whichever port you choose, just make sure you have the matching firewall rules for it.

Concurrent connections: specify the maximum number of clients connected to the server, if you want to put some restrictions on there. Compression: omit the preference. Set the TOS IP header of packets value: you'll never really need to set that; maybe there are some special circumstances where you do, I'm not going to dive into that. Inter-client communication: allow communication between clients on the server. As I said, this 192.168.70.0 will be where each one of these IP addresses gets assigned; that being said, do you want them to be able to intercommunicate with each other? Probably not. Duplicate connections: allow multiple concurrent connections from clients with the same common name. No, this is not generally recommended, but maybe needed for some scenarios. You run into a problem occasionally if someone drops and tries to connect right away; you may see that be a problem, because maybe they dropped and there wasn't enough time for it to drop them from the firewall, so they'll not be able to connect. So there are scenarios sometimes where you want to have this on, where you allow duplicates; it's only temporary because the other one will drop off over time. Or maybe you want it because they have more than one computer. The downside of doing it that way, if they have more than one computer logging in, is you don't know which one's which, so you can have some confusion. So I recommend creating different users if they have multiple computers they want logged in, but, you know, do that as you will. You can leave all this at default: dynamic IP, allow connected clients to retain their connections if their IP changes; topology subnet, one IP address per client per subnet, that's fine at default. This is where you can push, if you had specific DNS servers that you wanted to force across the network; it allows you to specify them. Maybe you have internal DNS servers that you want to specify, but it gives you some options here if you want to force certain ones over the network, because you want them to have resolution of local resources that they are going to be accessing. Leave all these other things at default, all the way through. On the bottom right here there are kind of special use cases, and the firewall rule: yes, add the OpenVPN rule, yes. Go ahead and do those things on there, let it do that; you can always change them later, but the defaults are just basically wide-open rules to allow the OpenVPN to connect and work. So we're going to go ahead and hit Finish.

Now let's go back in and do some fine-tuning if you want. This is optional; the default out of the box will work. We have a TLS key for TLS authentication. I dive deeper into hardening OpenVPN in other videos; I've got a lot of OpenVPN videos on some of these other special use cases or special hardening. You may or may not want to have multiple cipher options; you can disable this if you want, this expands more ciphers. This shouldn't be a problem at all, because someone will see SHA1 160 and go "hey, hasn't SHA-1 been broken?" This is part of the HMAC authentication encapsulation, so don't really worry about that. Client certificate depth: do you want each client to have their own client certificate? Certificate depth, and what this means, all the way over here, is that this is checking the certificate on a per-client basis, as well as all the other settings in here, and this is an extra layer of security. But if you were looking for simplicity and you don't want to deal with any certificates per user, you can set it to not. We're going to leave it at default, but I'll show you at the client export what that means. So all these can be left at defaults as well. I did another video on fine-tuning VPNs as well, and like I said, for performance, you can tweak some of these and try them, but the best thing to do right here is just try it when you have the default setup. So we didn't change any settings.

Now here's where the client export will help you a lot. We only have one VPN, so test VPN, TCP, port 1195. This is that multiple client certificate: so we have an admin and a Tom; we've got two users on this. The reason you have to get the specific export is because there's a different bundled certificate with each one of these; that's that extra feature. And I'll just show you: if we turn it off (you go here, let's say we're only going to use Tom), then save, export, now it doesn't matter, we're only going to do no per-client certificates. That means the configuration stays the same, but there's not a certificate for every user. Like I said, this comes down to different methodologies: maybe you want just a standard installer where you can just change the usernames and add them as needed and not have to deal with certificates, especially if you're using another device to authenticate those. So that's an optional one on there. It still requires, and we're going to dive into this now by first testing this in Linux, so we'll download this file and we'll show you what's inside of it. So go over here, and it still has a certificate, it just doesn't have the per-user one. So here's that TLS key down at the bottom; here's the certificate needed, so all these parameters are needed in order to get in there. There's a remote, client, here's the resolv-retry infinite, and the NCP cipher options plus the cipher option right here. So here are all the little details regarding all the settings that are in this particular file.

Now we're going to get into Windows, but first let's show you how it works on Linux, and the reason I'm doing this is because it's kind of easier to do, because Linux has OpenVPN built in; but we'll get to the Windows installer next. So obviously I can't ping 192.168.40.119, oops, and if you remember from our map here, 40.119 is this server, because it's behind there, and right now I'm on my computer, which happens to be 192.168.3.9. Don't worry, we're going to get to the Windows one next. So what we're going to do is from the command line here; I have other videos on how to set this up through the actual UI, but we're just going to do it from the command line, so this is an easy way to test it: openvpn, then the pfSense lab config file. Now you have to run sudo, because you need to run OpenVPN as a privileged user; this is true both in Windows and Linux. So log in as my privileged user, username, password, and away we go, and see if it connects. Absolutely, it connects. We can go down here and ping; actually, first let's disconnect it, so we'll ping that right now and just show you it doesn't work: 40.119, can't ping it. If we do route, the only route I have is this 192.168.3 network. So just up arrow and sudo openvpn, that same one again, log in, all right, now we've done it. And the first thing I'm going to do before I even ping this, because we already saw two transmitted, none working, is route again. Here was the route: I only had this one network, and now I have all these networks. Here's that intermediary network, 192.168.70, then we have 192.168.40, and it says the 40 network has a gateway of 70.1; so if we want something on the 40 network, go out 70.1. You notice those didn't exist in the route; this is a very important piece, to make sure that this route is here. So now we can ping, and I can get to that Debian server no problem. Actually, I don't think I have SSH turned on in that particular box at the moment, but we can ping it, and the point is we can get to this network, and that's what the goal was here. So we're able to get to the network, I'm able to ping it, it's working.

Next, let's do this inside of Windows. So we're going to go ahead and cancel this and get rid of it; we don't really need to do anything else, so we can go rm, so I deleted the file, it's gone. And we're going to do the same thing, but we're going to do it with Windows. So we go down here, Current Windows Installer, no problem. Now this is great: this installer here has everything we need inside of it. So show folder, OpenVPN lab TCP Windows 7 install. Now it says Windows 7, but if you notice here it supports Windows 7, 8, 8.1, 2012 R2 and also Windows 10, so all of them are supported. Actually I need this installer; I grabbed the wrong one. This is the one that's 7/8.1, and this is the Windows 10 install right next to it; I actually did download the wrong one. There we go, nothing like doing it all live. Right, here's the Windows 10 installer I was looking for, so go ahead and delete this one; here's our Windows 10 installer, and if I move it over to this folder, I can copy it onto there, and then we're going to go back over to our Windows machine and run that wizard. Here's this Windows machine, on its 10-dot address. We're going to do a route print so you can see here are the local routes that it has: the 10-dot network, and that's really it, it can't go anywhere else. Now it can get on the Internet, it is online, but we are certainly not going to be able to ping, because there's no route to this: ping 192.168.40.119, there we go, can't ping anything. All right, over here get this OpenVPN installer copied over and we'll go ahead and run the installer. Windows does a security scan, there we go, yes, minimize this; you can just hit Next, and all the defaults work perfectly fine for this. All right, so OpenVPN is loaded, and let's go ahead and open it up. So from here now we have a little icon down here, and we're going to go ahead and connect. Before we do that we'll just pull this route back up again, route print, so you can see all the routes; you can see there's no 192.168.40 network to route to, so if we tried to ping anything it's just not going to work: ping 192.168.40.119, whoops, can't get to it because the route doesn't exist. We're going to go ahead and connect, put in your username, put in the password, and it looks like it's connecting. There we go, pfSense connected. All right, we'll do a route print now, and there are those extra networks: there's that 40 network, there's the 10 network, and it's saying the gateway is going to be that tunnel network, 192.168.70. So if you want to get to any resources on there, that's the gateway to use on this tunnel network. Matter of fact, if you were to ipconfig with Windows, it now has two different network connections: here's the 70 network, and here's this particular network here. So let's go back over, route print, that works, and I want to do a ping, so ping, and away we go: we're able to get to that server and get to the resources on that side of the network. So that's pretty much it for getting it set up in Windows or in Linux and being able to get to the resources on another network with OpenVPN; it's pretty straightforward to do.

Now troubleshooting is another topic. One, read the error messages. This is the biggest thing I see that people don't do, and so many people could go through and solve the problem by a quick Google search. If you go here, and we're going to go to System, System Logs, and you go over here to OpenVPN, it details all the steps, everything that's happening for the users connecting. This is really easy, and a lot of times you can go through and literally Google it by right-clicking, Google search; you wouldn't believe how many times you just find the answer. You'll see it'll say error because this happened, error because that happened, failed this, failed that, and those are really quick as you start doing it, especially if you're trying to fine-tune and tweak things and you've changed a bunch of settings you're not really familiar with in OpenVPN; it'll lead to breaking it. Also feel free to delete everything and run the wizard again; sometimes starting over is a good way to start from a known working base. Also, once you get it working, before you do the tuning, do a backup. If you grab the backup file once you know it's working, before you start tuning it, you can then easily roll back to the known working state. A lot of times I'll download a backup and call it "known working good"; that way, worst-case scenario, I can always just restore back to the known working good state of the system.

Now, another note here: when you go to Status, OpenVPN, this will show you the users connected. So I've got user Tom. Now, because I'm running VirtualBox on my computer, 192.168.3.9 is my computer, and this Windows computer has this 10 address behind here; it shows my computer's IP address. Just FYI, it shows the public IP of whatever that user is connecting from, so even if they're three NATs deep behind something else, you'll actually see their public IP right here, where they're coming in from, and then the virtual address that they're assigned. This 70.1 is the gateway for the tunnel network inside of pfSense; 70.2 has been assigned to user Tom when they connected, and what kind of data they're sending is right here. You can also add this over here in pfSense: go to the dashboard and you can click Add, this OpenVPN right here. It won't let me add it twice, I don't think; no, doesn't look like it. Oh yeah, well, neat, I never tried adding it twice, so if you wanted to put this in more than one spot on the dashboard you can. I'm kind of fine with one spot, but this will list out all the users, especially if you're dealing with a lot of VPN traffic; you can kind of narrow it down and make some determinations of how many users are logged in and go from there. Once again, it kind of goes to the fine-tuning. So hopefully this helps get you started with OpenVPN. There are lots of advanced videos I have on how to use different authentication, like FreeRADIUS for this, even loading a FreeRADIUS server within pfSense, which is a video demo I have; fine-tuning and what the different settings mean as far as the cryptographic settings, and some of the performance tuning that goes with it. There are a lot of settings you can tweak, because the wizard only exposes so many, but obviously once it's all configured and set up, everything's exposed, including, if there's anything that they didn't have inside of here, custom options are in there as well. So if you have some custom configuration things you want to do with OpenVPN, you can actually push different settings right here as well, in addition to, for example, pushing routes. I'll do another video on that at a later time.

All right, thanks, and thank you for making it to the end of the video. If you liked this video please give it a thumbs up; if you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
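The two checks the captions above keep coming back to, that the tunnel network must not overlap any network on either side and that the exported client file carries the TLS key, CA and cipher settings it needs, can be scripted. The script below is an added example, not code from the video, from Lawrence Systems or from pfSense. SAMPLE_OVPN is a constructed file that resembles what the Client Export package produces; the hostname vpn.example.com, the port 1195 (the port the wizard chose in the video), the PLACEHOLDER key bodies, and the convention that the server takes the first address of the tunnel network (192.168.70.1 in the video) are assumptions.

```python
"""Audit a pfSense OpenVPN client export and a planned tunnel layout.

Added example: not code from the video, from Lawrence Systems or from pfSense.
SAMPLE_OVPN is constructed to resemble a pfSense Client Export file; the
hostname vpn.example.com, port 1195 and the PLACEHOLDER key bodies are
assumptions, as is the pfSense convention that the server takes the first
address of the tunnel network (192.168.70.1 in the video).
"""
import ipaddress
import re

SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote vpn.example.com 1195 tcp-client
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

BLOCK_OPEN = re.compile(r"<([a-z0-9-]+)>")


def parse_ovpn(text):
    """Split an .ovpn file into (directives, blocks).

    directives: list of (name, [args]) in file order.
    blocks: {tag: body} for inline <ca>, <cert>, <key>, <tls-auth>, ... sections.
    """
    directives, blocks = [], {}
    open_tag, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if open_tag is not None:            # inside an inline block
            if line == f"</{open_tag}>":
                blocks[open_tag] = "\n".join(body)
                open_tag, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":     # blank lines and comments
            continue
        m = BLOCK_OPEN.fullmatch(line)
        if m:
            open_tag = m.group(1)
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks


def audit_client_config(text):
    """Return findings about the export; an empty list means nothing to flag."""
    directives, blocks = parse_ovpn(text)
    names = {n for n, _ in directives}
    findings = []
    if not ({"tls-auth", "tls-crypt"} & (names | set(blocks))):
        findings.append("no tls-auth/tls-crypt key: control channel is not HMAC-protected")
    if "tls-auth" in blocks and "key-direction" not in names:
        findings.append("inline tls-auth without key-direction: handshake will fail")
    if ("remote-cert-tls", ["server"]) not in directives:
        findings.append("missing 'remote-cert-tls server': client accepts any cert signed by the CA")
    if "ca" not in names and "ca" not in blocks:
        findings.append("no CA: server certificate cannot be verified")
    if "auth-user-pass" not in names and "cert" not in blocks and "pkcs12" not in names:
        findings.append("no client credential (auth-user-pass, cert or pkcs12)")
    if not any(n == "remote" for n, _ in directives):
        findings.append("no remote directive")
    if "redirect-gateway" in names:
        findings.append("note: redirect-gateway pushes all client traffic through the tunnel")
    return findings


def find_overlaps(tunnel, networks):
    """Networks that overlap the tunnel network; must be empty for routing to work."""
    t = ipaddress.ip_network(tunnel)
    return [n for n in networks if ipaddress.ip_network(n).overlaps(t)]


def expected_client_routes(pushed_networks, tunnel):
    """Routes a client should see after connecting: each pushed network via the
    server's tunnel address (assumed to be the first host of the tunnel network)."""
    gw = next(ipaddress.ip_network(tunnel).hosts())
    return {n: str(gw) for n in pushed_networks}


if __name__ == "__main__":
    # Lab networks from the video: client side, pfSense LAN, and the 10 network.
    lab_networks = ["192.168.3.0/24", "192.168.40.0/24", "10.10.10.0/24"]
    print("tunnel overlaps:", find_overlaps("192.168.70.0/24", lab_networks))
    print("routes:", expected_client_routes(["192.168.40.0/24", "10.10.10.0/24"], "192.168.70.0/24"))
    print("findings:", audit_client_config(SAMPLE_OVPN) or "none")
```

To audit a real export, pass the file contents to audit_client_config instead of SAMPLE_OVPN, and give find_overlaps the tunnel network the wizard chose plus every network the client may already be on, including the remote user's home LAN: a client sitting on 192.168.70.0/24 at home would never reach the tunnel gateway. The expected_client_routes output is what the route or route print command in the video should show after a successful connection.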
Info
Channel: Lawrence Systems
Views: 136,970
Keywords: lawrencesystems, pfsense OpenVPN Configuration, pfsense, vpn, openvpn, pfsense setup, pfsense tutorial, firewall, pfsense openvpn, pfsense router, pfsense (software), pfsense openvpn configuration step by step
Id: PgielyUFGeQ
Length: 23min 0sec (1380 seconds)
Published: Sat Mar 28 2020