Thursday, November 17, 2011

Setup & Configuration Of OpenVPN On Pfsense 2.0 RC3

SkyHi @ Thursday, November 17, 2011
With the recent release of Pfsense 2.0 there have been a significant number of improvements to the OpenVPN component.  In previous versions of Pfsense, the client, CA and server certificates had to be created on a client machine and then copied across to the relevant configuration panes in OpenVPN. The client configuration was not bundled as a package for download directly from the Pfsense web GUI, and instead resided on the workstation where the certificates were originally created.  For subsequent OpenVPN clients to be created, the process would have to be re-run each time on the same client machine.
This process is now covered by the Pfsense 2.0 web GUI. The full list of OpenVPN changes is as follows:-
  • OpenVPN wizard guides through making a CA/Cert and OpenVPN server, sets up firewall rules, and so on. Greatly simplifies the process of creating a remote access OpenVPN server.
  • OpenVPN filtering – an OpenVPN rules tab is available, so OpenVPN interfaces don’t have to be assigned to perform filtering.
  • OpenVPN client export package – provides a bundled Windows installer with certificates, Viscosity export, and export of a zip file containing the user’s certificate and configuration files.
  • OpenVPN status page with connected client list — can also kill client connections
  • User authentication and certificate management
  • RADIUS and LDAP authentication support
In this guide I will outline creating a new OpenVPN server with local user authentication under Pfsense 2.0 RC3.  If you have upgraded from Pfsense 1.2.3 (as is the case for myself) and already have OpenVPN configured, I would suggest removing the existing server and starting from scratch to avoid configuration issues.  I will also cover the installation of the OpenVPN client on Windows 7, Snow Leopard 10.6.8 and Ubuntu 11.04
Download & Install The OpenVPN Client Export Package
The first step is to obtain the client export package, so that we can quickly export all of the required configuration files for our OpenVPN clients.
Login to your Pfsense 2.0 GUI and navigate to System > Packages.  Scroll down and select ‘OpenVPN Client Export Utility’ and run through the installation.
Remove Legacy OpenVPN Server And Certificates
I would highly recommend removing your existing OpenVPN configuration prior to running through the setup in this guide.
Firstly navigate to System > Cert Manager. On the ‘CAs’ pane remove any existing certificates.  Once completed navigate to the ‘Certificates’ pane and remove any existing certificates. (Do not remove the ‘Webconfigurator default’ certificate.)
Finally navigate to VPN > OpenVPN and remove your existing server configuration.
Create New OpenVPN Certificates
We’re now ready to create the required certificates for OpenVPN to function with local user authentication.  Navigate to System > Cert Manager.  On the ‘CAs’ pane choose to create a new certificate and ensure you choose ‘Create an internal Certificate Authority’ in the drop-down box, like so.

Fill out all the required fields with your organization specific information, choosing a custom ‘internal-ca’ name.  Once completed, click ‘Save’ to create the CA.
Once completed, click the first down arrow icon to the right of your newly created CA and choose ‘Export CA Cert’ to download to your client machine.
Once completed navigate to the ‘Certificates’ pane and create a new certificate.  Once again choose ‘Create an Internal Certificate Authority’ in the drop-down box. You’ll notice some of the fields will have been auto-populated.  Ensure you fill in any remaining details and ensure you specify the same common name as inputted earlier. Once completed click ‘Save’ to create the certificate.
Create A New OpenVPN User And Client Certificate
We’ll now create our first OpenVPN client. Firstly navigate to System > User Manager.  Create a new user and fill out the required fields as per below:-

Once completed, click ‘Save’ to finish.  Now click on the edit button to the right of the newly created user and scroll down to the ‘User Certificates’ section and click the add button.
Run through the client certificate fields, entering all the required information.  Ensure you specify a different common name to what was entered for your CA earlier.  This should be specific to the client.  Once completed click ‘Save’ to finish.

On the edit user pane, click the two down arrow icons and choose ‘export private key’ and ‘export client cert’ to download both files.
Create New OpenVPN Server & Configure
We’re now ready to create our OpenVPN server.  Firstly navigate to VPN > OpenVPN.  Then navigate to the ‘Wizard’ pane to launch the configuration process.  Under ‘Type of Server’, choose ‘Local user access’ and click ‘Next’.
Under ‘Choose A Certificate Authority’ you should see your previously created CA as the only choice. Simply click ‘Next’ to continue.  On the following page the server certificate we created earlier should be listed.  Click Next to continue.
On the following page fill out your details as per the following screens. Ensure the OpenVPN server is set to listen on the WAN interface.  You will need to specify a tunnel network address range. You will need to specify an alternative address range to your local network address range, otherwise OpenVPN will not function correctly.  Choose any network address range that is in the non-routable class. ( – or – or – Ensure the host ID size is specified in compliance with CIDR notation.

Once completed ensure the automatic firewall and NAT rules are created (both boxes are ticked by default) before clicking ‘Finish’
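The tunnel network requirement above can be checked before the value is typed into the wizard. The following is an added example, not part of the original guide: it tests that a proposed tunnel network lies inside one of the RFC 1918 private ranges and does not overlap the LAN. The function names and the sample networks are hypothetical, and only IPv4 is handled.

```sh
#!/bin/sh
# Added example: validate a proposed OpenVPN tunnel network (IPv4 only).

# ip_to_int A.B.C.D -> 32-bit integer on stdout
ip_to_int() {
    IFS=. ; set -- $1 ; unset IFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range NET/PREFIX -> "first last" as integers
cidr_range() {
    base=$(ip_to_int "${1%/*}")
    mask=$(( (0xFFFFFFFF << (32 - ${1#*/})) & 0xFFFFFFFF ))
    echo "$(( base & mask )) $(( (base & mask) | (~mask & 0xFFFFFFFF) ))"
}

# within INNER OUTER: succeeds if INNER lies entirely inside OUTER
within() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# overlaps A B: succeeds if the two ranges share at least one address
overlaps() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_tunnel_net TUNNEL LAN: prints ok | not-private | overlaps-lan
check_tunnel_net() {
    private=no
    for r in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do   # RFC 1918 ranges
        if within "$1" "$r"; then private=yes; fi
    done
    if [ "$private" = no ]; then echo "not-private"; return 1; fi
    if overlaps "$1" "$2"; then echo "overlaps-lan"; return 1; fi
    echo "ok"
}

# Usage with constructed values: ./check.sh 10.0.8.0/24 192.168.1.0/24
if [ $# -eq 2 ]; then check_tunnel_net "$1" "$2"; fi
```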
Export Client Configuration
We’re now ready to export our OpenVPN client configuration. Navigate to VPN > OpenVPN. Click on the ‘Client Export’ tab and scroll down.  You should see the user we created earlier. (If you don’t, this is usually down to a certificate mismatch somewhere along the line)
Choose the ‘Configuration archive’ option next to the user to download an archive with all required files for our client, as per below.

Once completed extract the archived files to a directory along with the files we extracted earlier. The contents of the directory should look like the following:-

These files should be moved across to your OpenVPN configuration directory (If running OpenVPN on Windows)
Installing And Configuring An OpenVPN Client In Windows 7
In order to connect to the Pfsense 2.0 OpenVPN server, you will need to install an OpenVPN client.  The official client works very well under Windows 7 and is updated fairly frequently.
Firstly download the latest installer (as of writing) from here. Once downloaded run through the installer choosing the default options.  You will then need to copy your previously downloaded configuration files to C:\Program Files\OpenVPN\config
Once completed, simply launch the OpenVPN client and choose ‘Connect’.  The application will turn green once it has connected successfully to your gateway.  If your ISP assigns you with a dynamic IP address (most do) you will need to use a service such as DynDNS to assign a hostname for use with OpenVPN.  You will need to edit your OpenVPN .ovpn file in your configuration directory to reflect your Dynamic DNS hostname as per below:-

Notice the dynamic DNS hostname inserted in the ‘remote’ section including the default OpenVPN port number.
Once you are connected, you should see if you can ping your default gateway and other network hosts to ensure the VPN tunnel is working as expected.  If you specified a DNS server during the initial OpenVPN server setup, you can ping via DNS name.  If this is not the case I would suggest editing your hosts file on each client with the relevant IP addresses and hosts that they need to access.
If the connection is successful, the connection log window should look like the following:-

If you are running in a domain environment with home network drives automatically mapped upon login via AD, then you should be able to access your mapped network drive as usual.  If you are not running in a domain environment, you can map your drive by right clicking on ‘Computer’ > ‘Map Network Drive’ and then specifying the path to the share and your network credentials.
Alternatively you can create a batch file to map the drive as per below:-
net use k: \\server\share /user:domain\username /persistent:yes
Substitute an available drive letter and the server and share name you want to connect to.  If you are using AD authentication, specify the domain name and username.  The /persistent:yes switch will ensure the drive is remapped after a reboot.
Installing & Configuring An OpenVPN Client On Mac OS X Snow Leopard
I would recommend using the excellent freeware OpenVPN client Tunnelblick, which works well on OSX 10.6.8.  Firstly navigate to the Tunnelblick download page here and download the latest release.  Once completed mount the .dmg file and run through the installation.
When the installation completes, you will need to copy your OpenVPN client configuration files to /Users/username/Library/Application Support/Tunnelblick/Configurations
Once completed, open Tunnelblick and right click and choose ‘Connect’ (Your OpenVPN configuration entry should be listed)
If you would like to auto-mount a network drive after logging into OSX, simply click ‘Go’ on the Finder menu, then ‘Connect to server’ and then type in the network path as per below:-
and click ‘OK’ to complete.  Enter your network credentials when prompted.  If you would like to auto-mount the network drive during the login process, navigate to ‘System Preferences’ > ‘Accounts’, choose your username and then click on ‘Login Items’.  Drag and drop the mounted network drive from your desktop to the login items window.
Installing & Configuring An OpenVPN Client On Ubuntu Linux 11.04
Ubuntu 11.04 includes full OpenVPN functionality, and has a built-in client accessible from the Network Indicator icon > VPN Connections.  Unfortunately this did not automatically add the default route successfully once the VPN tunnel was established when using a Vodafone Mobile Connect dongle.  Therefore I opted for a dedicated GUI based client (GoPenVPN)
Firstly we’ll install the pre-requisites.  Open up a terminal and type the following:-
sudo apt-get install libglib2.0-dev libgtk2.0-dev libglade2-dev libgnome-keyring-dev gksu subversion build-essential autogen automake autoconf intltool
Once completed, we’ll download the GOPenVPN source, like so:-
svn co gopenvpn
Once completed, change to your GoPenVPN directory:-
cd gopenvpn/trunk/gopenvpn/
then type:-
And run the autogen script:-
and then:-
Now we’ll run through configure, make and finally install:-
sudo make install
Once completed, copy your OpenVPN client configuration files to /etc/openvpn.  I would suggest deleting the existing configuration files first from the /etc/openvpn directory.  You will need to do this via the command line using sudo, as the ownership permissions are set to ‘root’.  Change to the openvpn directory via the terminal and run the following:-
sudo rm filename
Substitute with the existing files in the openvpn directory in order to remove all of them.
Finally, copy across your configuration files as per below:-
sudo mv /vpnconfigfolder/* /etc/openvpn
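Before the exported files are moved into /etc/openvpn, it helps to confirm that the profile names a server and that every certificate and key it references is present and not readable by other users. The following is an added example, not part of the original guide. The function names are hypothetical, and it assumes the profile uses the standard OpenVPN `remote`, `ca`, `cert`, `key`, `pkcs12` and `tls-auth` directives with file names that contain no spaces.

```sh
#!/bin/sh
# Added example: pre-flight check of an exported OpenVPN client bundle.

# mode_open FILE: succeeds if group or others hold any permission bit
mode_open() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# audit_bundle DIR: prints one finding per line, returns 0 only when clean
audit_bundle() {
    dir=$1
    bad=0
    conf=$(ls "$dir"/*.ovpn 2>/dev/null | head -n 1)
    if [ -z "$conf" ]; then echo "missing: .ovpn profile"; return 1; fi

    # The profile must name the server: remote <host> [port]
    if ! awk '$1 == "remote" && NF >= 2 { ok = 1 } END { exit !ok }' "$conf"; then
        echo "no-remote: $(basename "$conf")"; bad=1
    fi

    # Every file the profile references must sit next to it.
    for f in $(awk '$1 ~ /^(ca|cert|key|pkcs12|tls-auth)$/ { print $2 }' "$conf"); do
        if [ ! -f "$dir/$f" ]; then echo "missing: $f"; bad=1; fi
    done

    # Private keys and shared secrets must be owner-only (for example 0600).
    for f in $(awk '$1 ~ /^(key|pkcs12|tls-auth)$/ { print $2 }' "$conf"); do
        if [ -f "$dir/$f" ] && mode_open "$dir/$f"; then
            echo "too-open: $f"; bad=1
        fi
    done
    return "$bad"
}

# Usage: ./audit.sh /path/to/extracted/bundle
if [ $# -eq 1 ]; then audit_bundle "$1"; fi
```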
Once completed you can launch the GOpenVPN client from the terminal, like so:-
However, I would suggest adding the client to your startup process, so the icon will appear in your Gnome/KDE panel.
If you are running Gnome, navigate to System > Preferences > Startup Applications. Click on ‘Add’ and ensure your item looks like the following:-

The command should point to /usr/local/bin/gopenvpn. Click ‘Save’ once completed.
To ensure GoPenVPN runs without requiring root permission, bring up the terminal and type the following:-
Scroll to the bottom of the file and insert the following:-
%username ALL=NOPASSWD: /usr/local/bin/gopenvpn
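Substitute ‘username’ with the username you are logged in as.  The leading ‘%’ makes this a group rule in sudoers; it applies here because Ubuntu creates a private group with the same name as each user.
You are now ready to connect.  Simply right click on the GOPenVPN icon in the Gnome panel and choose ‘connect’.  Once connected the icon will turn green.  The connection window will look like the following:-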

To auto-mount a network drive under Ubuntu, I use ‘gigolo’, a handy front-end for network connections. I much prefer this over using Nautilus.
To install gigolo, bring up a terminal and type the following:-
sudo apt-get install gigolo
Once completed, gigolo can be launched from ‘Applications’ > ‘System Tools’ > ‘Gigolo’.
Once launched, create a new bookmark with your home folder/network drive information and click ‘OK’.
Finally, right click on the ‘Gigolo’ icon in the Gnome tray and choose ‘Preferences’. Set the ‘Bookmark auto-connect interval’ to ‘10’ and then click the ‘interface’ tab and ensure it looks like the following:-

Once completed, click ‘Close’
We have now successfully set up GOPenVPN on Ubuntu 11.04, and set gigolo to auto-mount a network drive on login.
This concludes our guide on setting up a Pfsense 2.0 RC3 OpenVPN server and the client installation process on Windows 7, Snow Leopard and Ubuntu 11.04
In a future guide I will go over the setup and configuration of Vodafone’s Mobile Connect dongle on all three operating systems for full OpenVPN compatibility.