Milestone 3

In this milestone we are going to work with VPNs on pfSense: the remote access and site-to-site VPN types.

In case you get locked out of the web interface (forgotten password), use these steps: login protection is enabled by default for a period of 120 seconds:

Week 5

To configure a remote access VPN (RA-VPN) using OpenVPN, the following steps need to be done:

1. Update the pfSense firewall to the latest version in order to use the OpenVPN client export package (we are going to use that package at the end): go to the web UI > System > Update and confirm (the latest base system should now be 2.7.x). This will take about 10 minutes in total.

2. After updating the firewall, go to VPN > OpenVPN > Wizards to add a new server.

3. Choose Local User Access for authentication.

4. Create a certificate authority (call it sredCA), keep 2048 bits for the key length and 10 years of validity, and complete the subject details (CN can be left empty).

5. Also add a server certificate (it will be signed by the CA created above) and keep the pre-filled default values.

6. Next, in the server setup, add a clear description, keep the UDP protocol on the WAN interface and local port 1194. Also keep the default crypto settings (CHACHA and AES).

7. For the tunnel network add (the subnet used to assign IPs to connected clients, on the tun interface) and for the local network (the exposed one) (this way, the remote client will be able to reach the local network).

8. Keep the rest of the configuration as it is and tick the creation of firewall rules (to permit access to the server and to let tunnel traffic pass into the local network).

9. Finally, click Finish and continue by adding a new local user in System > User Manager. Choose username sreduser and password sred, and tick the option to create a user certificate.

10. Go to System > Package Manager > Available Packages and install openvpn-client-export (in case you receive an error when retrieving the packages, check this link:

11. Create a new Linux node in EVE-NG and connect it to Cloud0 (where pfSense is connected). For the MAC address use the format 50:00:00:SECOND_BYTE:01:FOURTH_BYTE (remember the logic from milestone 2:, and add 1 vCPU and 2 GB of RAM.

12. Install the OpenVPN client using this link: (choose method 1) and run the bash script.

13. Check the assigned IP address (it should be from the subnet) and add a new firewall rule on WAN to permit access from this instance. Then check that you can reach the firewall's web interface from a browser.

14. Log in using the default credentials, go to VPN > OpenVPN > Client Export and download the inline configuration for most clients.

15. From a terminal, connect to the OpenVPN server:

user@host:$ openvpn --config sred.ovpn # or the name of the downloaded .ovpn file
# when prompted, enter username sreduser and password sred

If you have issues, you can debug the connection by going to Status > System Logs > OpenVPN. Also, for cipher issues, the data-ciphers line in the sred.ovpn file can be changed to AES-256-CBC so that the client uses that cipher (it is accepted by the server).

16. In the end, go to the client in the local network (the one configured in milestone 2, that is in network ), create a local file and start a Python http.server. Go to the remote client and try to fetch that file. Also check the IP assigned to interface tun0.

user@host:$ curl
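The following helper script is an added example for steps 15 and 16 and is not part of the original lab page. It pins the data-ciphers line of an exported profile to AES-256-CBC (the fix described in the troubleshooting note) and checks that the address on tun0 falls inside the tunnel network. The tunnel subnet 10.8.0.0/24, the sample profile lines and the sample "ip" output are constructed values, since the page leaves the real subnet unspecified; only the profile name sred.ovpn comes from the page.

```shell
#!/bin/sh
# Added example (not from the lab page). Helpers for verifying the
# remote-access OpenVPN connection from the Linux client.
# Assumption: the tunnel network is 10.8.0.0/24 (constructed placeholder;
# the page does not state the real subnet).
TUNNEL_NET="10.8.0.0/24"

# Troubleshooting note from step 15: rewrite (or append) the data-ciphers
# line of an exported profile so the client offers only the given cipher.
# The result is printed to stdout; the original file is not modified.
pin_data_ciphers() {
    profile="$1"; cipher="${2:-AES-256-CBC}"
    if grep -q '^data-ciphers ' "$profile"; then
        sed "s/^data-ciphers .*/data-ciphers $cipher/" "$profile"
    else
        cat "$profile"
        echo "data-ciphers $cipher"
    fi
}

# Extract the IPv4 address from one line of 'ip -4 -o addr show dev tun0'
# output, e.g. "5: tun0    inet 10.8.0.2/24 scope global tun0".
# The text is passed in as an argument so it can be checked offline.
tun_ip() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "inet") { split($(i + 1), a, "/"); print a[1]; exit }
    }'
}

# Convert a dotted quad to a 32-bit integer (shell arithmetic only).
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when IPv4 address $1 lies inside CIDR prefix $2.
in_subnet() {
    ipn=$(ip_to_int "$1")
    netn=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# Live check for step 16: tun0 must be up and addressed from the tunnel
# network before trying to fetch the file from the local-network client.
check_tunnel() {
    line=$(ip -4 -o addr show dev tun0 2>/dev/null) || {
        echo "tun0 is not up; check Status > System Logs > OpenVPN" >&2; return 1; }
    addr=$(tun_ip "$line")
    if in_subnet "$addr" "$TUNNEL_NET"; then
        echo "tun0 has $addr inside $TUNNEL_NET"
    else
        echo "tun0 has $addr, which is outside $TUNNEL_NET" >&2; return 1
    fi
}

# Usage (run manually after 'openvpn --config sred.ovpn'):
#   pin_data_ciphers sred.ovpn > sred-cbc.ovpn   # only if the cipher negotiation fails
#   check_tunnel && curl http://LOCAL_CLIENT_IP:8000/FILE   # placeholders
```

pin_data_ciphers writes a new file instead of editing sred.ovpn in place, so the original export stays available for comparison in the OpenVPN logs.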

Documentation can be found here:

Week 6

For the second type of VPN (site-to-site) we need an additional pfSense firewall added to the topology.

1. Create a new node in the topology, select the same image already created for pfSense and select VNC.

2. Connect it to Cloud0 (for internet access) and start it.

3. Finish the network configuration (only for WAN = vtnet0) and change the MAC address as follows:

# select the shell (option 8 in the console menu)
# change the MAC address based on your EVE-NG instance IP
ifconfig vtnet0 link 50:00:00:$SECOND_BYTE:$THIRD_BYTE+2:$FOURTH_BYTE
# example: for, use MAC address 50:00:00:06:02:10

4. Get the new IP address and access the web UI from a browser:

ifconfig vtnet0
dhclient vtnet0

5. Add firewall rules to permit traffic from FW1 (local) to FW2 (remote) and vice versa. Test this using ping.

6. Follow the documentation provided by Netgate; see the steps here:

- for names, use ToRemote for FW1 and ToLocal for FW2

- we do not need firewall rules for now, so that part can be skipped

- for subnets, you can use for FW1 and for FW2

7. In the end, test the connection by going to Status > IPsec and clicking Connect for P1 and P2 (make sure the tunnel is established and that routes are installed via the child SA).
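The following shell helper is an added example for step 3 of the site-to-site setup; it is not part of the original lab page. It derives the MAC address for the second pfSense node from the EVE-NG instance IP using the page's scheme 50:00:00:SECOND_BYTE:THIRD_BYTE+2:FOURTH_BYTE, with the offset as a parameter so the same function also produces the THIRD_BYTE+1 form. It assumes the octets are written as two-digit hexadecimal bytes; the page's sample 50:00:00:06:02:10 is consistent with that for an instance address of x.6.0.16, which is used below as a constructed input (the page does not show the real address). The ifconfig syntax is the one already on the page.

```shell
#!/bin/sh
# Added example (not from the lab page): derive the locally administered MAC
# 50:00:00:<2nd octet>:<3rd octet + offset>:<4th octet> from an IPv4 address.
# Assumption: octets are emitted as two-digit hex bytes (needed for a valid
# MAC, since octets above 99 do not fit in two decimal digits).
# Exits non-zero on a malformed address or when the third byte overflows 255.
mac_from_ip() {
    printf '%s\n' "$1" | awk -v off="${2:-2}" -F. '
        NF != 4 {
            print "bad IPv4 address: " $0 > "/dev/stderr"; exit 1
        }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) {
                    print "bad octet: " $i > "/dev/stderr"; exit 1
                }
            third = $3 + off
            if (third > 255) {
                print "third byte overflows: " third > "/dev/stderr"; exit 1
            }
            printf "50:00:00:%02x:%02x:%02x\n", $2, third, $4
        }'
}

# Apply the derived address to the WAN interface of the second firewall
# (run from the pfSense shell; FreeBSD ifconfig syntax as on the page).
# Assumption: the instance IP is passed as $1; offset 2 is FW2, 1 is the
# Linux node form from week 5.
apply_mac() {
    mac=$(mac_from_ip "$1" "${2:-2}") || return 1
    ifconfig vtnet0 link "$mac"
}

# Usage examples (constructed instance address):
#   mac_from_ip 10.6.0.16 2     # -> 50:00:00:06:02:10 (the page's sample MAC)
#   apply_mac 10.6.0.16 2       # sets it on vtnet0, then 'dhclient vtnet0'
```

Keeping the derivation in one place means FW2's MAC cannot collide with the Linux node's (offset 1) or with FW1's, because each node type gets a distinct third byte for the same instance address.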

sred/milestone_3.txt · Last modified: 2024/01/19 20:17 by horia.stoenescu