pfsense 2.0.1 OpenVPN Configuration Guide

Discussion in 'Networking & Security' started by jadams, Jan 5, 2012.

  1. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    The following guides are based on pfsense v2.1 BETA-1


    OpenVPN TAP/Bridging Guide for pfsense v2.1 BETA-1
    The first guide will involve an OpenVPN Server that individual PC clients will connect to:

    First some considerations. What is bridging/tap mode? Tap/Bridging mode takes out the requirement of a tunnel network. When a remote client connects to the OpenVPN server it will receive an IP address from the local LAN. Why would you want to do this? Mostly broadcasts come to mind. I first started this guide in an effort to set up OpenVPN tap so that I could utilize my HDHomeRun TV tuner when away. After installing the drivers it sends out a broadcast to find the tuners. I also hosted a plethora of game servers at another location. I also host LANs at my house. In order for people to see the servers in their in-game LAN server browser, OpenVPN in bridge mode is needed. Your game will send a broadcast out and the game server will reply. If you have any DLNA servers that you want to access remotely you would more than likely need tap mode as well. There are other uses; the ones I mentioned are just the reasons I needed this setup.

    There are some other network considerations when you get down to the IP address settings. Keeping in mind that any remote clients will be on your local LAN, you must make sure you set aside a range of IP addresses for the remote clients to use. If a remote client gets assigned an IP address that is already in use on your network then it can cause quite a few problems. There are two ways to manage this: setting aside a range of IP addresses and entering those into the OpenVPN configuration, or allowing your internal DHCP server to assign IP addresses automatically. The latter is not addressed in this guide as of right now, though I want to try it out.

    First Install the OpenVPN Client Export Utility Package
    1) Goto System ---> Packages
    2) Choose "Available Packages Tab"
    http://i.imgur.com/GZpNwDc.jpg

    3) Locate the OpenVPN Client Export Utility Package and install it by pressing the "+" on the right
    http://i.imgur.com/Hk2Gdkz.jpg

    Setup your Certs
    1) Goto System ---> Cert Manager
    http://i.imgur.com/eF7AdAa.jpg

    2) Goto CA Tab and create a CA by pressing the "+" button
    http://i.imgur.com/TIBRPIG.jpg


    3) Fill in the boxes with the appropriate information, making sure to change method to "Create Internal Certificate Authority". Alternatively you can also import your own (outside the scope of this guide).
    http://i.imgur.com/pFQNJx2.jpg

    4) Create the server certificate by clicking the "Certificates" tab and pressing the "+" button
    5) Change "Method" to "Create an internal Certificate", and "Certificate Type" to "Server Certificate". Fill in the appropriate information and make sure to change the Certificate Authority to that of the CA you just created in step 3.
    6) Create User Certificates in the same way, but instead of choosing "Server Certificate" for Certificate type, make sure to choose "User Certificate"
    *It is recommended that each individual PC that connects to the VPN has its own certificate created.
    **It is not necessary, but recommended, to create a revocation list. Click the Client Revocation tab, then the "+" to add one. Choose the CA you made in step 3.

    Setup the OpenVPN server
    1) Goto VPN ---> OpenVPN
    2) On the Server tab press the "+" button to create an OpenVPN server
    3) Fill in the following settings
    Disabled - Unchecked (Obviously!)
    Server Mode - Remote Access (SSL/TLS)
    Protocol - UDP
    Device Mode - tap
    Interface - WAN
    Port - 1194
    Description - *description of your server*
    TLS Authentication - Check both boxes... this also creates your authentication key
    Peer Certificate Authority - *choose the CA you created earlier*
    Peer Certificate Revocation List - if you made one while setting up the certs specify it here
    Server Certificate - *choose the server certificate you created earlier*
    DH Parameters - 1024
    Encryption algorithm: AES-128-CBC (128-bit)
    Hardware Crypto - options here may differ, but choose a hardware crypto engine if you have one
    Certificate Depth - One (Client+Server)

    ************
    IP settings
    ************
    IPv4 Tunnel Network - Leave blank, not used in tap/bridge mode
    IPv6 Tunnel Network - Leave blank, not used in tap/bridge mode
    Bridge DHCP - check
    Bridge Interface - LAN
    Server Bridge DHCP Start - start of your ip address range for remote clients
    Server Bridge DHCP End - end of your ip address range for remote clients
    *DHCP address range should be a range of IP addresses that are within the IP address range of your LAN network.
    Redirect Gateway - uncheck
    IPv4 Local Network - this is the address of your LAN network expressed as a CIDR range, most likely 192.168.1.0/24
    IPv6 Local Network - Leave blank
    Concurrent connections - 2
    Compression - for bandwidth reduction check this box
    Type-of-Service - uncheck
    Inter-client communication - check this box if you want remote clients to be able to access each other
    Duplicate Connections - allows multiple connections from the same client, not recommended but may possibly be needed

    Dynamic IP - if your router's WAN IP changes you should check this
    Address Pool - check
    DNS Default Domain - fill this in if you have one
    DNS Servers - set to your local DNS server

    Press save and your OpenVPN server is created

    Create your Interface and Bridge:
    1) Interfaces ---> (assign)
    2) add an interface by pressing the "+" button
    3) in the drop down box next to the OPT1 interface that was created, choose the OpenVPN server instance we just created
    4) goto Interfaces ---> OPT1
    5) Enable the interface and give it a Description
    6) goto Interfaces ---> (assign)
    7) choose the Bridges tab and then click the "+" button to add a bridge
    8) Hold the CTRL button and highlight both your LAN interface and the renamed OPT1 interface we just created.

    Create a firewall rule allowing traffic on your OpenVPN port for the WAN interface.
    1) Goto Firewall ---> Rules
    2) Choose the WAN tab
    3) Press the "+" near the top right to add a rule and enter the following information:
    Action: Pass
    Disabled: uncheck
    Interface: WAN
    TCP/IP Version: IPv4
    Protocol: The protocol you chose in the OpenVPN server settings, probably UDP
    Source
    not: unchecked
    Type: any
    Address: leave blank
    Destination:
    not: unchecked
    type: WAN address
    Address: blank
    Destination port range: Port your OpenVPN server runs on, probably 1194
    Log: up to you
    Description: optional, give the rule a description

    You're done. The last thing to do is export the client configs. Luckily with v2.1 pfsense has made this stupid easy to do.
    1) VPN ---> OpenVPN
    2) Choose the client Export Tab
    3) You should see an option to export a config for each certificate you created earlier. Hopefully you named your certs something easily identifiable.
    4) It's recommended that for Windows you choose the Windows Installer. This will download and install OpenVPN and the config files.

    You're done. Ping the LAN interface
     
    Last edited: Jun 23, 2014
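The guide's IP settings section warns that the Server Bridge DHCP range must lie inside the LAN subnet and must not hand a remote client an address already in use. The check below is an added example, not part of the guide or of pfSense: it validates a bridge pool against the LAN CIDR, the pfSense LAN address, the internal DHCP scope and any static hosts, with all addresses being constructed values.

```python
import ipaddress


def check_bridge_pool(lan_cidr, lan_gateway, pool_start, pool_end,
                      lan_dhcp_range=None, static_hosts=(), max_clients=None):
    """Validate a tap/bridge client pool against the LAN it is bridged into.

    Returns a list of problem strings; an empty list means the plan is consistent.
    """
    net = ipaddress.ip_network(lan_cidr, strict=True)
    gw = ipaddress.ip_address(lan_gateway)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    if start.version != net.version or end.version != net.version:
        return ["pool addresses and LAN network are different IP versions"]
    if start > end:
        return [f"pool start {start} is after pool end {end}"]

    # Guide rule: the pool must sit inside the LAN subnet, as must the gateway.
    problems = [f"{label} {addr} is outside LAN {net}"
                for label, addr in (("gateway", gw), ("pool start", start), ("pool end", end))
                if addr not in net]
    if problems:
        return problems

    # Network and broadcast addresses are never usable client addresses.
    if start == net.network_address:
        problems.append(f"pool start {start} is the network address")
    if end == net.broadcast_address:
        problems.append(f"pool end {end} is the broadcast address")

    # pfSense's own LAN address must never be handed to a remote client.
    if start <= gw <= end:
        problems.append(f"pool contains the LAN gateway {gw}")

    # The collision the guide warns about: overlap with the internal DHCP scope.
    if lan_dhcp_range is not None:
        dhcp_lo, dhcp_hi = (ipaddress.ip_address(a) for a in lan_dhcp_range)
        if start <= dhcp_hi and dhcp_lo <= end:
            problems.append(f"pool {start}-{end} overlaps LAN DHCP scope {dhcp_lo}-{dhcp_hi}")

    # Collision with statically addressed hosts (servers, printers, ...).
    for host in static_hosts:
        h = ipaddress.ip_address(host)
        if start <= h <= end:
            problems.append(f"pool contains static host {h}")

    # Enough addresses for the "Concurrent connections" value set on the server?
    size = int(end) - int(start) + 1
    if max_clients is not None and max_clients > size:
        problems.append(f"pool has {size} addresses but {max_clients} concurrent clients allowed")
    return problems


# Constructed plan for the guide's example LAN of 192.168.1.0/24 (all values assumed).
LAN = "192.168.1.0/24"
GATEWAY = "192.168.1.1"                          # pfSense LAN address
LAN_DHCP = ("192.168.1.100", "192.168.1.199")    # internal DHCP server scope
STATIC = ("192.168.1.10", "192.168.1.20")        # e.g. a NAS and a printer


def good_plan():
    """Bridge pool 192.168.1.200-219: inside the LAN, clear of DHCP and static hosts."""
    return check_bridge_pool(LAN, GATEWAY, "192.168.1.200", "192.168.1.219",
                             LAN_DHCP, STATIC, max_clients=2)


def bad_plan():
    """Bridge pool 192.168.1.1-120: grabs the gateway, the DHCP scope and static hosts."""
    return check_bridge_pool(LAN, GATEWAY, "192.168.1.1", "192.168.1.120",
                             LAN_DHCP, STATIC, max_clients=2)


if __name__ == "__main__":
    for name, result in (("good plan", good_plan()), ("bad plan", bad_plan())):
        print(name + ":", "OK" if not result else "; ".join(result))
```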
  7. akaney

    akaney n00bie

    Messages:
    3
    Joined:
    Jan 23, 2012
    After installing the OpenVPN tap Bridging Fix package, the openvpn setup screen is the same. However if I go through your instructions up to the point where you say to check the bridge dhcp (which I can't do because I don't have that option) and then save the server config, and go back into it, the bridge dhcp box is there, however it can't be changed. Is this something that you ran into at all, or do you have any suggestions on what I can do about it?

    Thanks Much
    Adam
     
  8. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    Awwww, someone found my guide and took the time to register to ask a question. I'll respond to this after work.
     
  9. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    Yes it is something I ran into. What do you have selected for SERVER MODE?

    Do you have REMOTE ACCESS or PEER TO PEER?
     
  10. akaney

    akaney n00bie

    Messages:
    3
    Joined:
    Jan 23, 2012
    It is set as remote access (ssl/tls + user auth)
     
  11. akaney

    akaney n00bie

    Messages:
    3
    Joined:
    Jan 23, 2012
    I found my problem. I changed it to remote access (ssl/tls) and it worked.
     
  12. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    That's what I was alluding to. Thanks for the bump.
     
  13. ppsh

    ppsh n00bie

    Messages:
    1
    Joined:
    Mar 3, 2012
    Thanks for your post, it works perfectly :)

    More info: Add a rule to the OpenVPN interface to allow traffic and it's OK.

    Thank you man ;)
     
  14. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    You're welcome, glad I could help!
     
  15. KoZLop

    KoZLop [H]ard|Gawd

    Messages:
    1,715
    Joined:
    Aug 16, 2003
    Thanks. :)
    I was trying to figure out why my firewall was blocking my openvpn traffic in 2.0.1. This could probably work.
     
  16. nsnidanko

    nsnidanko n00bie

    Messages:
    1
    Joined:
    May 16, 2012
    Followed this guide and hit a brick wall.

    My clients connect to the oVPN server without any problems.
    I don't understand why my clients cannot communicate with my LAN network. I can successfully talk to pfSense's LAN interface but nothing else.

    Funny thing on the client I can see hosts in the ARP table.

    Also client routing table looks good:

    192.168.3.0 255.255.255.0 192.168.3.22 192.168.3.200 30
    where, 192.168.3.22 is GW (address assigned on pfSense LAN interface) and 192.168.3.200 is the address client get from OpenVPN

    I've checked firewall: both OpenVPN and OPT1 interface have the following rule:
    permit any any, so wide open.

    From the pfSense itself I can access my LAN from LAN and OPT1 interfaces.

    Any help would be appreciated.

    Thanks,
    Naz
     
    Last edited: May 17, 2012
  17. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    Hmm, interesting. I'm currently working through something similar in my troubles to set up a site to site pfsense OpenVPN guide. I can see the client connect and it grabs an IP. I however cannot get traffic to cross.

    I'll update if I find anything. Make sure to subscribe to this thread.
     
  18. Numbski

    Numbski n00bie

    Messages:
    3
    Joined:
    May 22, 2012
    Glad to see someone picked up on the work I did back in 2006 and is getting it supportable under the latest pfSense.

    http://forum.pfsense.org/index.php/topic,1990.0.html

    In truth, I've put off upgrading for-freaking-ever because I saw that my way of doing it apparently no longer worked.

    I'm going to attempt to build myself a new firewall this weekend. I'll give your instructions a go then.
     
  19. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    Thanks for joining and letting us know. Please report back with your findings.

    Also if you run across anything to answer nsnidanko's question above please share.

    I'm also currently trying to get a site 2 site setup and am having a similar problem to his. The client site connects and gets an IP from the pool, but no traffic goes across. My firewall rules are wide open.

    Glad people keep bumping this thread, makes me feel like I did something worthwhile :D
     
  20. Numbski

    Numbski n00bie

    Messages:
    3
    Joined:
    May 22, 2012
    On the site-to-site, if you're bridged then I would think neither side should get an IP. It's like running a cross-cable between two switches at that point, isn't it?

    So I understand what you're doing - bridging tapX to LAN on both sides? Basically make each side's LAN network a single layer 2 network. Only thing I can think of is to make sure client-to-client is enabled if that's applicable.

    From the command line while this failure's happening, could you run an ifconfig bridge0 and paste it up here? Make sure neither is in a BLOCKING state, and make sure that STP is enabled for safety's sake, but not on the tap interface itself.
     
  21. Numbski

    Numbski n00bie

    Messages:
    3
    Joined:
    May 22, 2012
    So I reinstalled my firewall, and more-or-less followed these instructions.

    The way I'm set up is I have an allow any from LAN to world. I have allow ANY/ANY set on my bridge, on the OpenVPN interface that pfSense generates, *and* on the interface these instructions generate. So far, traffic is flowing just fine.

    About the only flaw I see is that ideally, the LAN interface shouldn't have an IP address assigned, and the bridge interface should. The LAN and pfSense interfaces should be set allow any/any, and the filter rules should be set on the bridge. Right now I'm set to where actual rules are set on the LAN interface. Doesn't appear to be hurting anything, but "real soon" I should go back and make that right.
     
  22. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    Thanks. I need to look into this. I just tried to set up site to site VPN again over the weekend and struggled.

    Ended up going with Shared Key method instead and it was magnitudes easier. I may have to recreate this in a lab instead.
     
  23. VanFanel89

    VanFanel89 2[H]4U

    Messages:
    2,779
    Joined:
    Apr 21, 2004
    Great write-up! A bit of an issue on my end though... none of my boxes get a DHCP address :(

    Any ideas?
     
  24. Muffler

    Muffler n00bie

    Messages:
    1
    Joined:
    Mar 10, 2012
    Thank you for this great guide! I have been trying to get this to work for some days now, but when I found this guide it only took me minutes to succeed with my VPN-connection! Now at last I get it to connect and authenticate the key etc etc. It's been a learning experience for me to say the least :)

    The connection is working finally but I have problems!

    I want to direct ALL traffic through the VPN. I've added 'push "redirect-gateway def1";push "dhcp-option DNS 192.168.0.1"' to the advanced configuration of the OpenVPN server and firewall rules to allow all on all interfaces except WAN, which has port 1194 directed to WAN.
    On the client I get an IP on the VPN interface (192.168.0.151) but the status of DHCP is 192.168.0.0; the DNS is correct at 192.168.0.1 though. I can't ping any other machine on the real LAN.

    Regards
    Daniel
     
  25. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    I wish i could help with that. Unfortunately that exceeds my pfsense knowledge without digging into it deeply myself.


    On a side note. I just built a new pfsense and due to hardware had to use the v2.1 beta. I'll soon be testing this site to site setup to make sure its still functional.
     
  26. RocketTech

    RocketTech 2[H]4U

    Messages:
    2,386
    Joined:
    Oct 7, 2009
    I'm looking to do the same thing. I came across instructions for 1.2 here:

    I haven't had a chance to try it yet, maybe this weekend.
     
  27. jbeezer

    jbeezer n00bie

    Messages:
    16
    Joined:
    Apr 12, 2004
    I just wanted to say thanks for this writeup. I had been trying to get OpenVPN to run in TAP mode for a couple days now. After getting close with some ifconfig-noexec options (so that the ifconfig command wouldn't fail) and a tunnel network inside of my LAN network, etc, etc, I stumbled upon this guide and got it to work the 2nd time.

    I noticed that you forgot to mention the Local Network field in the tunnel network section. Initially it didn't work because I was putting my local network into this field, however once I left this blank, then it worked fine.
     
  28. clahti

    clahti n00bie

    Messages:
    2
    Joined:
    Nov 28, 2012
    Hey guys:

    I have setup two pfsense firewalls from scratch using this guide for OpenVPN bridging. I am having the same issue at the end of the day as another user in this thread, namely the TAP interface is created on my test linux host and I can ping the LAN interface address however I cannot access other servers on the same subnet. I just built pfsense and carefully followed the howto guide, however only being able to see the pfsense firewall is pretty useless. I need to get this going as soon as possible, I will actually end up having 10 pfsense OpenVPN endpoints eventually but need to get the first one working. I can post configs, let me know what you need.

    There is one slight deviation from the guide, my WAN IP is on a private network 10.11.105.x/24 and has a 1-TO-1 mapping to a public IP address on our main datacenter firewall. I cannot grant access to the public network on the pfsense firewall, but all any->any firewall rules have been added and "block private networks" has been turned off everywhere. Please let me know what more information you need to help troubleshoot this, I feel I am very close!

    Thanks in advance.

    /Chris
     
  29. clahti

    clahti n00bie

    Messages:
    2
    Joined:
    Nov 28, 2012
    Ok, word to the wise, if you are running pfsense in VMWare you MUST change the vSwitch "Promiscuous Mode" associated with your pfsense networks from reject to accept. If you do not do this then the only host the OpenVPN bridged client will see is the pfsense server itself. My google-god coworker found this for reference:

    http://www.jeremycole.com/blog/2010/03/11/openvpn-bridge-under-vmware-esxi/

    This howto guide works perfectly otherwise, thanks!!!

    /Chris
     
  30. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    Thanks to all who have contributed to my guide. I do understand that there is a slight flaw in the original guide so I'm updating the OP to direct everyone to read through the thread. Unfortunately I've been extremely busy with moving to try to test out all the suggestions and I don't see having the time to sit down and try it any time soon. I also upgraded my main pfsense box to 2.1 beta so I'm not sure if the guide will work word for word anymore.
     
  31. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    Just installed pfsense 2.1 and will be going through this guide to correct any mistakes.
     
  32. cordesc

    cordesc n00bie

    Messages:
    1
    Joined:
    Nov 17, 2012
    Thank you for the thread. I look forward to trying this soon. Are you happy with 2.1 so far?

    thanks,

    chris
     
  33. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    2.1 is OK so far. I was forced to use it because my hardware is too new for 2.0.2. I'm not overly thrilled about having to use a beta. I've never had good luck with their in-place updates for nightly builds, so I try to stick with one that seems stable.

    I should be updating this guide as well as expanding on it this weekend.
     
  34. rekd0514

    rekd0514 Gawd

    Messages:
    721
    Joined:
    Nov 24, 2007
    Is OpenVPN bridging supposed to just be the simple/easy way of using OpenVPN in pfsense? I have tried setting up OpenVPN a few times but always gave up since it seemed to get too complicated. I want a simple setup so I can use OpenVPN for laptops, tablets, and phones.
     
  35. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    There are two modes, tap (bridging) and tun (tunneling).

    In bridge mode both sites are on the same subnets and broadcasts are able to traverse the connection.

    In tunnel mode it's all routed. There is another network between both devices.

    My main purpose for doing bridging was so that my HDHomeRun TV tuner could stream video over it, but I've moved on to other things.

    I want to change this overall to a pfsense OVPN guide that discusses many configurations... bridge, tunnel, multi-site, etc....
     
  36. rekd0514

    rekd0514 Gawd

    Messages:
    721
    Joined:
    Nov 24, 2007
    It looks like Android only supports tunneling mode at this point. I have to try and get that set up one of these days so I can use wifi in public if needed. I may have to use your new updated guide once it's completed. ;)
     
    Last edited: Jan 12, 2013
  37. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    I'm working on the guide as we speak actually, but then this Broncos/Ravens game got my attention.

    The new guide is going to include screen shots as well as giving you information to connect to my lab pfsense for testing purposes. Of course once connected you won't be able to do anything other than ping the LAN interface. But it will be good for connection testing.
     
  38. retro

    retro Gawd

    Messages:
    604
    Joined:
    Jun 12, 2007
    Followed this guide, and all seemed to go well. However trying to connect comes up with this error:

    2013-01-28 00:46:35 EVENT: ASSIGN_IP
    2013-01-28 00:46:35 TUN Error: tun_builder_error: one of ifconfig or ifconfig-ipv6 must be specified
    2013-01-28 00:46:35 EVENT: TUN_SETUP_FAILED tun_builder_error: one of ifconfig or ifconfig-ipv6 must be specified [ERR]
    2013-01-28 00:46:35 EVENT: DISCONNECTED
    2013-01-28 00:46:35 Raw stats on disconnect:
    BYTES_IN : 9895
    BYTES_OUT : 4288
    PACKETS_IN : 51
    PACKETS_OUT : 43
    TUN_SETUP_FAILED : 1
    2013-01-28 00:46:35 Performance stats on disconnect:
    CPU usage (microseconds): 143615
    Network bytes per CPU second: 98757
    Tunnel bytes per CPU second: 0
    2013-01-28 00:46:35 ----- OpenVPN Stop -----
    2013-01-28 00:46:35 EVENT: DISCONNECT_PENDING

    Any ideas?

    I should mention that I am connecting through iOS. When I change it to tun instead of tap, and fill in tunnel network as needed, it connects but I cannot see any network resources (specifically an airvideo server)
     
    Last edited: Jan 27, 2013
  39. awesomo

    awesomo Gawd

    Messages:
    528
    Joined:
    Mar 20, 2010
    @jadams So why TAP and not TUN?

    When using tap, I can think of a few downsides over tun:
    1. You add extra overhead of the frame being sent down the link, wasted bandwidth
    2. You suddenly have a broadcast domain over the link shared with your entire network, usually more wasted bandwidth unless you have a damn good reason to need it.
    3. Static routes in pfSense do not play well with tap links
    4. Quagga OSPF does not play well with tap links, if one goes down, good luck having it re-establish reliably without a complete restart of pfSense.

    If there is some real advantage to using TAP that I am overlooking, I'd like to know. From all of the reading and testing I have done, TUN is preferable in 99% of situations.
     
  40. jadams

    jadams [H]ardness Supreme

    Messages:
    4,497
    Joined:
    Mar 14, 2010
    Simply preference. I had some things that I wanted to be on the same subnet at different locations which would respond to broadcasts just as you said. My main intention was trying to stream live tv from my hdhomerun but I never did get around to testing that.

    For what it's worth I am currently using tun.

    Eventually... Probably starting in March I'll turn this thread into more of an overall OpenVPN pfsense guide encompassing many different configurations.