Training Lab 6: OpenVPN
Hands-on lab covering site-to-site SSL/TLS VPN, remote access VPN, certificate infrastructure, and testing in pfSense.

Overview

This lab goes through example configurations of OpenVPN for site-to-site and remote access.

OpenVPN SSL/TLS Site-to-Site VPN

We’re going to configure OpenVPN to connect the HQ and branch networks. HQ will run the server, and the branch will be the client.

There is no functional difference in whether HQ or branch runs the server side. Most often people put the server instances on the main location’s end. If one end has a dynamic IP and one static, run the server on the static IP side. If one end is behind NAT, that end should be the client. In this case, the server side will be on the fw1-hq firewall.

Delete IPsec

First, since we have an IPsec VPN configured here already, IPsec needs to be disabled. On both fw1-HQ and fw1-branch, browse to VPN > IPsec. Put a check mark by each IPsec tunnel and click Delete P1s. Click Save, then Apply Changes.

Create the Certificate Infrastructure

OpenVPN makes use of a certificate infrastructure to authenticate the session; the client certificate's Common Name is also what ties a member site's subnet to that client when routing traffic to and from it. On the server we must create a new Certificate Authority (CA), as well as server and client certificate/key pairs. This will be done on fw1-hq.

Create the Certificate Authority (CA)

Navigate to System > Cert Manager and click the green +Add button to add a new CA.

Descriptive Name: S2SCA
Method: Create an Internal Certificate Authority
Randomize Serial: (checked)
Key Type: RSA 2048
Digest Algorithm: sha256
Lifetime: 3650
Common Name: S2SCA

(Leave the rest blank and click Save.)

Create the Server Certificate

Next, click on the Certificates tab, and click the green +Add/Sign button near the bottom.

Method: Create an internal server certificate
Descriptive Name: VPNserver
Certificate Authority: S2SCA
Key Type: RSA 2048
Digest Algorithm: sha256
Lifetime: 398
Common Name: VPNserver
Certificate Type: Server Certificate

Scroll down and click Save.

Create the Client Certificate

While still on the Certificates tab, click the green +Add/Sign button near the bottom to create the client certificate.

Method: Create an internal certificate
Descriptive Name: VPNclient
Certificate Authority: S2SCA
Key Type: RSA 2048
Digest Algorithm: sha256
Lifetime: 3650
Common Name: VPNclient
Certificate Type: User Certificate

Scroll down and click Save.

Export Certificates and Keys

The next task is to export the certificates and keys which the client requires when connecting to the OpenVPN server.

  1. Navigate to System > Cert Manager > CAs and find the S2SCA. Click the export button to save the CA certificate to the downloads folder on HQ-Client.
  2. Next, click on the Certificates tab and scroll down until you see the VPNclient certificate entry. Click the export button to save the certificate data and the key data to the Downloads folder on HQ-Client.
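The three Cert Manager objects above (and, later in this lab, the wizard's RemoteVPNCA and the vpntest user certificate) are ordinary X.509 objects. The following added example, which is not part of the lab or of pfSense, builds the same PKI with plain openssl using the lab's parameters (RSA 2048, sha256, lifetimes 3650/398/3650 days, randomized serials) and then shows what the Certificate Type field actually produces: a Server Certificate carries the serverAuth extended key usage, a User Certificate carries clientAuth, and a verifier that asks for the server purpose rejects the client certificate. The output directory, the openssl.cnf it writes, and the file names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the lab's or pfSense's code: builds the same PKI the lab
# creates in System > Cert Manager (CA "S2SCA", server cert "VPNserver", user
# cert "VPNclient") with plain openssl, using the lab's parameters (RSA 2048,
# sha256, lifetimes 3650/398/3650 days, randomized serials), then checks the
# certificate-type distinction that the Certificate Type field produces.
# The output directory and file names are assumptions for this example.
set -eu

# Minimal openssl config (constructed here) so the script does not depend on a
# system openssl.cnf. Each v3_* section mirrors one Certificate Type choice.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# random_serial: the "Randomize Serial" checkbox, as a 128-bit hex serial.
random_serial() { echo "0x$(openssl rand -hex 16)"; }

# issue DIR NAME DAYS SECTION: RSA 2048 key + CSR, signed by S2SCA with sha256.
issue() {
    dir="$1" name="$2" days="$3" section="$4"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -config "$dir/openssl.cnf" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/S2SCA.crt" -CAkey "$dir/S2SCA.key" \
        -set_serial "$(random_serial)" -days "$days" -sha256 \
        -extfile "$dir/openssl.cnf" -extensions "$section" -out "$dir/$name.crt" 2>/dev/null
}

# build_pki DIR: the three objects from the lab tables, in order.
build_pki() {
    dir="$1"
    mkdir -p "$dir"
    write_openssl_cnf "$dir/openssl.cnf"
    # Internal CA: CN S2SCA, 3650 days
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=S2SCA" \
        -config "$dir/openssl.cnf" -extensions v3_ca -set_serial "$(random_serial)" \
        -keyout "$dir/S2SCA.key" -out "$dir/S2SCA.crt" 2>/dev/null
    issue "$dir" VPNserver 398  v3_server   # Certificate Type: Server Certificate
    issue "$dir" VPNclient 3650 v3_client   # Certificate Type: User Certificate
}

# cert_purpose_ok CA CERT sslserver|sslclient: chain validity plus the
# extendedKeyUsage check that OpenVPN's remote-cert-tls applies to its peer.
# A User certificate must fail the sslserver check; that is what stops one
# client from posing as the server to another.
cert_purpose_ok() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# Stand-alone demo into a scratch directory.
DEMO=$(mktemp -d)
build_pki "$DEMO"
cert_purpose_ok "$DEMO/S2SCA.crt" "$DEMO/VPNserver.crt" sslserver && echo "VPNserver: accepted as server"
cert_purpose_ok "$DEMO/S2SCA.crt" "$DEMO/VPNclient.crt" sslserver || echo "VPNclient: rejected as server (expected)"
echo "PKI written to $DEMO (S2SCA.crt, VPNclient.crt and VPNclient.key are what the branch imports)"
```

The export step above corresponds to copying S2SCA.crt, VPNclient.crt and VPNclient.key out of the scratch directory; S2SCA.key and VPNserver.key stay on the server side, which is why the lab never exports them.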

Configure Server on fw1-HQ

Browse to VPN > OpenVPN on fw1-HQ. On the Server tab, click +Add to add a new server instance.

Server Mode: Peer to Peer (SSL/TLS)
Description: HQ to Branch VPN
TLS Configuration: (checked)
Automatically generate TLS key: (checked)
Peer Certificate Authority: S2SCA
Server Certificate: VPNserver
IPv4 Tunnel Network: 172.17.6.0/24
IPv4 Local Network(s): 172.17.1.0/24, 172.17.2.0/24, 172.18.1.0/24
IPv4 Remote Network(s): 172.18.1.0/24
Inactive: 0 (connections can stay up indefinitely)

Click Save at the bottom, then click the edit icon to edit the server you just created. Highlight and copy the entire contents of the TLS Key box. Paste it into a file called TLS.key.

This TLS key will be needed on the client side of the connection.

Create Client-Specific Overrides

The purpose of the Client-Specific Override (CSO) is to tie a client’s subnet to their certificate. Navigate to VPN > OpenVPN and click the Client Specific Overrides tab. Click the green +Add button.

Server List: HQ to Branch VPN
Common Name: VPNclient
IPv4 Remote Network: 172.18.1.0/24

Leave everything else blank or default, scroll down and click Save.

Permit Traffic to Server

Now we need to add a firewall rule to permit the outside portion of the VPN, from the client to the server. On fw1-HQ, browse to Firewall > Rules > WAN. Click Add.

Action: Pass
Interface: WAN
Protocol: UDP
Source: 203.0.113.10
Source port: any
Destination: WAN address
Destination port: 1194
Description: allow branch OpenVPN site to site

Then click Save and Apply Changes.

Permit Traffic within VPN

Traffic within OpenVPN connections is filtered by the firewall rules on the OpenVPN tab. Browse to Firewall > Rules > OpenVPN. Click Add.

Interface: OpenVPN
Protocol: Any
Source: Network, 172.18.0.0/16
Destination: any
Description: allow branch network

Click Save and Apply Changes.

The server-side configuration is now complete.

Configure Client on fw1-branch

Before we can create the client side of the VPN, we must first import the CA certificate and the client certificate and key into the fw1-branch firewall.

Import the CA Certificate

Click on System > Cert Manager and click the green +Add button.

Descriptive Name: S2SCA
Method: Import an existing Certificate Authority
Certificate Data: paste the contents of S2SCA.crt

Highlight all the contents of the S2SCA.crt file, and paste it into the Certificate Data field on fw1-branch, and click Save.

Import the Client Certificate and Key

Click on the Certificates tab and click the green +Add/Sign button near the bottom to import your Client Certificate.

Method: Import an existing certificate
Descriptive Name: VPNclient
Certificate Data: paste the contents of VPNclient.crt
Certificate Key: paste the contents of VPNclient.key

Click Save.

Create the OpenVPN Client

Navigate to VPN > OpenVPN and click on the Clients tab. Click the green +Add button.

Server Mode: Peer to Peer (SSL/TLS)
Device Mode: tun
Server host or address: 192.0.2.2
Description: Branch to HQ VPN
Automatically generate a TLS key: (unchecked)
Peer Certificate Authority: S2SCA
Client Certificate: VPNclient

(Paste the TLS key copied earlier from the OpenVPN server configuration on fw1-hq, which you may have saved on HQ-Client as TLS.key, into this client's TLS Key box.)

Scroll down and click Save.
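The GUI settings for the server instance, the Client-Specific Override and the client instance map onto a handful of upstream OpenVPN directives, and seeing them side by side shows why the pieces have to agree. The following added example is not the configuration pfSense generates (pfSense writes its own files with more options); it is a hand-written equivalent of the lab's settings plus a small pre-flight check for the mismatches that leave the client status down: opposite tls-auth key directions, a client port that differs from the server port, and an override iroute with no matching server route. The output directory and the certificate and key file names are assumptions.

```shell
#!/bin/sh
# Added example, not the configuration pfSense generates: hand-written upstream
# OpenVPN equivalents of the GUI settings in this lab (the server instance on
# fw1-HQ, the Client-Specific Override for VPNclient, the client on fw1-branch),
# plus a pre-flight check for mismatches the troubleshooting section warns about.
# The output directory and the certificate/key file names are assumptions.
set -eu

write_s2s_configs() {
    dir="$1"
    mkdir -p "$dir/ccd"

    # Server instance "HQ to Branch VPN" (Peer to Peer SSL/TLS).
    cat > "$dir/server.conf" <<'EOF'
dev tun
proto udp
# Local port; the WAN pass rule on fw1-HQ must match it
port 1194
# IPv4 Tunnel Network (server mode is implied by "server")
server 172.17.6.0 255.255.255.0
ca S2SCA.crt
cert VPNserver.crt
key VPNserver.key
dh none
# "Automatically generate TLS key": the server uses key direction 0
tls-auth TLS.key 0
# Only accept a peer whose certificate is a User (client) certificate
remote-cert-tls client
# IPv4 Local Network(s), as routes pushed to the branch. The lab table also
# lists 172.18.1.0/24, but that is the branch's own LAN and needs no route there.
push "route 172.17.1.0 255.255.255.0"
push "route 172.17.2.0 255.255.255.0"
# IPv4 Remote Network(s): the server's kernel route into the tunnel
route 172.18.1.0 255.255.255.0
# Client-Specific Overrides: one file per certificate Common Name
client-config-dir ccd
EOF

    # The CSO. The file name is the Common Name, so the subnet is granted only
    # to the holder of the VPNclient certificate; iroute tells OpenVPN which
    # connected client owns 172.18.1.0/24, while "route" above tells the kernel.
    printf 'iroute 172.18.1.0 255.255.255.0\n' > "$dir/ccd/VPNclient"

    # Client instance "Branch to HQ VPN" on fw1-branch.
    cat > "$dir/client.conf" <<'EOF'
client
dev tun
proto udp
# Server host or address, and the server's port
remote 192.0.2.2 1194
ca S2SCA.crt
cert VPNclient.crt
key VPNclient.key
# The same TLS.key copied out of the server instance, with the opposite direction
tls-auth TLS.key 1
# Refuse a peer that presents a User certificate instead of a Server Certificate
remote-cert-tls server
EOF
}

# check_s2s_consistency DIR: catch the mistakes that leave Status > OpenVPN
# showing the tunnel down even though the WAN rule is right.
check_s2s_consistency() {
    dir="$1"
    srv_dir=$(awk '$1=="tls-auth"{print $3}' "$dir/server.conf")
    cli_dir=$(awk '$1=="tls-auth"{print $3}' "$dir/client.conf")
    [ "$srv_dir" = 0 ] && [ "$cli_dir" = 1 ] ||
        { echo "tls-auth key directions must be 0 (server) and 1 (client)" >&2; return 1; }
    srv_port=$(awk '$1=="port"{print $2}' "$dir/server.conf")
    cli_port=$(awk '$1=="remote"{print $3}' "$dir/client.conf")
    [ "$srv_port" = "$cli_port" ] ||
        { echo "client connects to port $cli_port but server listens on $srv_port" >&2; return 1; }
    # Every iroute in an override needs a matching "route" in the server config,
    # otherwise OpenVPN knows the owner but the kernel never sends the traffic in.
    for f in "$dir"/ccd/*; do
        awk '$1=="iroute"{print $2, $3}' "$f" | while read -r net mask; do
            grep -qxF "route $net $mask" "$dir/server.conf" ||
                { echo "$(basename "$f"): iroute $net $mask has no server route" >&2; exit 1; }
        done || return 1
    done
}

# Stand-alone demo into a scratch directory.
DEMO=$(mktemp -d)
write_s2s_configs "$DEMO"
check_s2s_consistency "$DEMO" && echo "configs in $DEMO are consistent"
```

The two remote-cert-tls lines are the reason the lab distinguishes a Server Certificate from a User Certificate: each side checks the extended key usage of the peer's certificate, so a stolen client certificate cannot be used to stand up a fake server for the other sites.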

Permit Traffic within VPN

Add a firewall rule to permit traffic within the VPN, same as the other side but changing the source to HQ’s 172.17.0.0/16.

Action: Pass
Interface: OpenVPN
Protocol: Any
Source: 172.17.0.0/16
Destination: any
Description: Allow HQ

Save and Apply Changes.

Check Status and Test

On fw1-branch, browse to Status > OpenVPN. There you should see the status as up. If not, skip to the troubleshooting section.

Testing:

From HQ-client, try to ping fw1-branch and branch-client:

training@hq-client:~$ ping -c 3 172.18.1.1
PING 172.18.1.1 (172.18.1.1) 56(84) bytes of data.
64 bytes from 172.18.1.1: icmp_seq=1 ttl=63 time=2.40 ms
...
--- 172.18.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 2.406/3.841/4.843/1.043 ms

training@hq-client:~$ ping -c 3 172.18.1.100
PING 172.18.1.100 (172.18.1.100) 56(84) bytes of data.
64 bytes from 172.18.1.100: icmp_seq=1 ttl=62 time=4.26 ms
...
--- 172.18.1.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.783/4.309/4.877/0.447 ms

Then from branch-client, try to ping HQ-client and server1:

training@branch-client:~$ ping -c 3 172.17.1.100
PING 172.17.1.100 (172.17.1.100) 56(84) bytes of data.
64 bytes from 172.17.1.100: icmp_seq=1 ttl=62 time=3.73 ms
64 bytes from 172.17.1.100: icmp_seq=2 ttl=62 time=5.21 ms
64 bytes from 172.17.1.100: icmp_seq=3 ttl=62 time=5.14 ms
--- 172.17.1.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.730/4.698/5.219/0.685 ms

training@branch-client:~$ ping -c 3 172.17.2.10
PING 172.17.2.10 (172.17.2.10) 56(84) bytes of data.
64 bytes from 172.17.2.10: icmp_seq=1 ttl=62 time=4.02 ms
64 bytes from 172.17.2.10: icmp_seq=2 ttl=62 time=4.01 ms
64 bytes from 172.17.2.10: icmp_seq=3 ttl=62 time=5.19 ms
--- 172.17.2.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 4.011/4.408/5.192/0.554 ms

You can also try browsing to server1 from branch-client: http://172.17.2.10

Troubleshooting

If the client side status doesn't show as up, check the troubleshooting section of the OpenVPN chapter in the book for guidance. The most likely cause is an incorrect or missing firewall rule on the WAN of the server (the port 1194 rule created above). Check the fw1-HQ firewall logs for any blocks. If nothing is being blocked, and connectivity between the sites works in general, something in the OpenVPN server or client configuration is the likely cause. Double check your configuration on both the client and server, and ensure the TLS key was pasted over correctly.

OpenVPN Remote Access VPN

In this section we’re going to set up an OpenVPN remote access server for remote mobile clients.

Server Setup Wizard

On fw1-HQ, browse to VPN > OpenVPN, and click the Wizard tab.

Authentication Backend

Choose Local User Access and click Next.

Create New Certificate Authority

Fill in these values as desired. The locale information has no functional impact and generally isn’t visible anywhere unless you go looking for it.

Create New Server Certificate

Again, fill in these values as desired.

OpenVPN Server Configuration

Most things can be left at defaults here. The port must be changed, since we’re already using port 1194 for the site-to-site VPN server.

Local Port: 1195
Description: Remote Access VPN
Tunnel Network: 172.17.4.0/24
Local Network: 172.16.0.0/12
DNS Server 1: 172.17.1.1

Leave everything not listed above at defaults and click Next.

Firewall Rule Configuration

The last step of the wizard prompts whether you want to add a rule to allow traffic from clients to the OpenVPN server, and allow traffic inside the VPN from clients when connected. Check both boxes and click Next.

Click Finish on the last page.

Configuration Complete

The configuration is now complete. The last screen reminds you to install the OpenVPN Client Export package if you’d like to use it. It’s already pre-installed on this system to save time. Click Finish.

Browse to Firewall > Rules to see the rules added by the wizard. On the WAN tab, you’ll see the rule allowing traffic to reach the OpenVPN server instance. Then click the OpenVPN tab to see the rule added to permit traffic from the connected clients.

This may be overly permissive for real world scenarios, since it allows all traffic coming in via OpenVPN from any source to any destination. In a real world setup, you may need to restrict this rule to the destinations and ports remote users actually need.

Special Configuration for Older Clients

Although this is rarely necessary, some older OpenVPN clients, like the one installed on your remote-host, will require some extra configuration in the OpenVPN server. These two options lower the server's minimum TLS version to 1.0 and set the OpenSSL security level to 0, which re-enables weaker cipher suites for every client of that server instance, so add them only while such a client is in use. Click the Edit button under the Remote Access VPN, and scroll down to the bottom of the screen. Place this into the Custom Options box and Save:

tls-version-min 1.0;
tls-cipher DEFAULT:@SECLEVEL=0

User Setup

Users need a certificate from the RemoteVPNCA to connect. We’ll add a certificate to the vpntest account created during the IPsec lab. Browse to System > User Manager, and edit the vpntest user. Then click the Add button next to User Certificate to create the certificate.

Choose method Create an internal certificate. Both Descriptive name and Common Name should be set to the username. The other fields can be left to defaults.

User: vpntest
Certificate Method: Create an internal certificate
Descriptive Name: vpntest
Common Name: vpntest

Click Save. Back at the user edit screen, you’ll see the user’s certificate. Click Save to save the user changes.

Client Configuration

The OpenVPN Client Export utility eases the process of client configuration. It’s a package that comes pre-installed on the lab VMs, but will need to be installed under System > Packages on your other systems.

Browse to VPN > OpenVPN, and click the Client Export tab.

For our lab purposes, all other settings can be left at their defaults. Scroll down to the bottom to find the vpntest user’s client export options.

For Windows systems, the Windows installer is what you'll want. Choose x86 for 32-bit versions of Windows and x64 for 64-bit versions. The Viscosity bundle is for Windows or Mac OS X clients running the Viscosity client. The inline configuration options are most commonly used for iOS and Android clients.

The Standard Configuration Archive option downloads a zip containing the user’s certificate, TLS key for the server, and OpenVPN config file.

Here you will see the remote access server just created in the wizard. Because the RemoteHost’s VPN client is older, we need to scroll down the page and make sure to put a check mark on Legacy Client.

Testing

In this lab environment, the only machine positioned like a typical client out on the Internet is the remote-host VM. First, add it to the RemoteAdmin alias on fw1-HQ so you can log into fw1-HQ from that host, which makes getting the OpenVPN configuration onto the client easier. Browse to Firewall > Aliases, and edit the RemoteAdmin alias. Add 100.64.0.50/32 to that alias, save, then apply changes.

Now connect with VNC to 100.64.0.50 (remote-host) to begin the client-side setup. Bring up its web browser and browse to https://192.0.2.2. Log in and browse to VPN > OpenVPN > Client Export tab. Export the Configuration Archive option for the vpntest user.

Make a folder called OpenVPN in your Documents folder, and save the zip file there. Right click the zip file and choose Extract Here.

Click the Network Manager icon → VPN Connections → Configure VPN.

Click Add and scroll down to Import a Saved Configuration.

Navigate to the folder where the OpenVPN configuration archive was extracted. Click on the .ovpn file and choose Open.

Fill in the username and password portions of the next screen, and click Save.

You may get prompted to choose a password for a new keyring. If so, just enter “password” in both blanks and click Continue and then Close.

Now connect to the OpenVPN server by clicking on the Network Manager → VPN Connections and choosing your VPN configuration.

Enter your password and click Ok.

Now you should verify you can reach things on the HQ LAN and DMZ networks. Try HQ-client at 172.17.1.100, server1 at 172.17.2.10 and server2 at 172.17.2.20.

Once you have verified that the OpenVPN connection is functioning as expected, please disconnect the OpenVPN session on the remote host.

Conclusion

This concludes Lab 6.

Source Attribution

Source: Netgate pfSense Training Material — FUND001-LIVE-Lab6-OpenVPN.pdf © 2021 Rubicon Communications, LLC (Netgate)