In this milestone we are going to work with VPNs on pfSense: the remote access and site-to-site VPN types.
To configure a remote access VPN (RA-VPN) using OpenVPN, the following steps need to be done:
1. Update the pfSense firewall to the latest version in order to use the OpenVPN client export package (we are going to use that package at the end), by going to WebUI > System > Update and confirming (the latest base system should now be 2.7.x). This will take ~10 minutes in total.
2. After updating the firewall, we need to go to VPN > OpenVPN > Wizards to add a new server.
3. Choose Local User Access for authentication.
4. Create a certificate authority (call it sredCA), keep 2048 bits for the key length and 10 years of validity, and complete the subject details (CN can be left empty).
5. Also add a server certificate (it will be signed by the CA from above), keeping the default values.
6. Next, in the server setup, add a clear description, keep the UDP protocol on the WAN interface and local port 1194. Keep the crypto settings as well (ChaCha and AES).
7. For the tunnel network add 10.0.0.0/24 (the subnet used to assign IPs to connected clients, on the tun interface) and for the local network (the exposed one) 192.168.1.0/24 (this way the remote client will reach the local network).
8. Keep the rest of the configuration as it is and tick the creation of firewall rules (to permit access to the server and to let traffic pass into the local network).
9. Finally, click Finish and continue by adding a new local user under System > User Manager. Choose username sreduser and password sred, and tick the option to create a user certificate.
10. Go to System > Package Manager > Available Packages and install openvpn-client-export (if you receive an error when retrieving the packages, check this link: https://forum.netgate.com/topic/163723/help-i-get-this-unable-to-retrieve-package-information/4).
11. Create a new Linux node in eve-ng and connect it to Cloud0 (where pfSense is connected). Use a MAC address in the format 50:00:00:SECOND_BYTE:01:FOURTH_BYTE (remember the logic from milestone 2: https://ocw.cs.pub.ro/courses/sred/milestone_2), and add 1 vCPU and 2 GB of RAM.
12. Install OpenVPN using this link: https://www.webhi.com/how-to/how-to-install-openvpn-server-on-ubuntu/ (choose method 1) and run the bash script.
13. Check the assigned IP address (it should be from subnet 10.6.0.0/16) and add a new firewall rule on WAN to permit access from this instance. Then check that you can reach the firewall's web interface from a browser.
14. Log in using the default credentials, go to VPN > OpenVPN > Client Export and download the inline config for most clients.
15. From the terminal, connect to the OpenVPN server:
user@host:$ openvpn --config sred.ovpn   # or the name of the downloaded .ovpn file
# enter username sreduser and password sred when prompted
The data-ciphers entry in the sred.ovpn file can be changed to AES-256-CBC so that the client uses that cipher (it is accepted by the server).
16. Finally, go to the client in the local network (the one configured in milestone 2, in network 192.168.1.0/24), create a local file and start a Python HTTP server (http.server). Go to the remote client and try to fetch that file. Also check the IP assigned to interface tun0.
user@host:$ curl 192.168.1.10:8000/sred.txt
test
Documentation can be found here: https://turbofuture.com/computers/How-to-Setup-a-Remote-Access-VPN-Using-pfSense-and-OpenVPN
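As an added example (not code from this course page, pfSense or OpenVPN), a small Python helper for the inline config downloaded at step 14: it rewrites the data-ciphers line for step 15 without touching the embedded certificate and key blocks, and reports whether the file keeps remote-cert-tls server, a tls-auth/tls-crypt key and an AEAD data cipher (AES-256-CBC is not AEAD, so the report flags that change). The sample config and the server address 10.6.0.5 are constructed.

```python
import re

# Constructed sample in the shape of a pfSense inline client export (not a real export).
SAMPLE_OVPN = """\
dev tun
client
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
remote 10.6.0.5 1194 udp4
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00...constructed-placeholder...
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""
INLINE_BLOCK = re.compile(r"<(\w[\w-]*)>.*?</\1>", re.DOTALL)

def directives(ovpn_text):
    """Map top-level directives to their values, ignoring inline <ca>/<cert>/<key>/<tls-*> blocks."""
    result = {}
    for line in INLINE_BLOCK.sub("", ovpn_text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            key, _, value = line.partition(" ")
            result[key] = value.strip()
    return result

def set_data_ciphers(ovpn_text, ciphers):
    """Rewrite the data-ciphers line (step 15); data-ciphers-fallback and inline blocks stay as they are."""
    new_line = "data-ciphers " + ":".join(ciphers)
    text, n = re.subn(r"^data-ciphers .*$", new_line, ovpn_text, flags=re.MULTILINE)
    return text if n else new_line + "\n" + text

def hardening_report(ovpn_text):
    """Which protections the client file carries; a False entry deserves a look before use."""
    d = directives(ovpn_text)
    ciphers = d.get("data-ciphers", "").split(":")
    return {
        "remote-cert-tls server": d.get("remote-cert-tls") == "server",  # reject non-server certs
        "tls-auth or tls-crypt": bool(re.search(r"<tls-(auth|crypt)>", ovpn_text)),
        "aead data cipher": any(c.endswith("GCM") or c == "CHACHA20-POLY1305" for c in ciphers),
    }
```

Run hardening_report on the real sred.ovpn before and after the cipher change; the pfSense export normally carries all three protections, and the report shows which one the AES-256-CBC change gives up.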
For the second type of VPN (site-to-site) we need an additional pfSense firewall added to the topology.
1. Create a new node in the topology, select the same image already created for pfSense and select VNC.
2. Connect it to Cloud0 (for internet access) and start it.
3. Finish the network configuration (only for WAN = vtnet0) and change the MAC address as follows:
# select Shell (option 8)
# change the MAC address based on your eve-ng instance IP
ifconfig vtnet0 link 50:00:00:$SECOND_BYTE:$THIRD_BYTE+2:$FOURTH_BYTE
# example: for 10.6.0.10, use MAC address 50:00:00:06:02:10
4. Get the new IP address and access the WebUI from a browser:
ifconfig vtnet0 0.0.0.0/0
dhclient vtnet0
5. Add firewall rules to permit traffic from FW1 (local) to FW2 (remote) and vice versa. Test this using ping.
6. Follow the steps in the documentation provided by Netgate: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html.
- for names, use ToRemote for FW1 and ToLocal for FW2
- we do not need firewall rules for now, so that part can be skipped
- for subnets, use 192.168.1.0/24 for FW1 and 192.168.2.0/24 for FW2
7. Finally, test the connection by going to Status > IPsec and clicking Connect for P1 and P2 (make sure the tunnel is established and that routes are installed via the child SA).