OpenVPN Bridge with pfSense 2.0.1


I) Goal
Securely connect a remote Ethernet LAN segment through an L2 VPN (bridge) over the Internet.

Some info: The difference between a tun and tap device is this: a tun device is a virtual IP point-to-point device and a tap device is a virtual ethernet device.
So getting back to the "long cable" analogy, using a tun device would be like having a T1 cable connecting the computers and using a tap device would be like having an ethernet network connecting the two computers. People who are running applications that need the special features of ethernet (which won't work on an IP-only network) will often bridge their physical local ethernet with a tap device (using a utility such as brctl on Linux), then VPN the tap device to another similar setup at the other end. This allows OpenVPN to route ethernet broadcasts and non-IP protocols such as Windows NetBios over the VPN. If you don't need the special features of ethernet (such as bridging capability), it's better to use a tun device.

http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html

II) Objective
Host A will be connected to the same LAN, 10.10.10.0/24, across the untrusted Internet.
Users will be authenticated with two factors: a certificate/key plus a username and password.

III) pfSense offers three options for VPN connectivity: IPsec, OpenVPN, and PPTP.
OpenVPN will be used, configured through the web GUI only (no CLI).
Installing pfSense is straightforward, so it is skipped here.

IV) pfSense configuration includes:
- Generate the CA, OpenVPN server and OpenVPN client certificates/keys
- Set up the OpenVPN server (daemon) in tap mode (Layer 2 bridge)
- Create and set up the bridge interface
- Set up the firewall
- Set up the client

1) Create certificates and keys

1.1) Set up your own Certificate Authority (CA)
1. Log in to the web admin
2. System --> Cert Manager
3. Tab CAs, hit plus button
4. Descriptive name: MyCompany-CA
5. Method: Create an Internal Cert Auth
6. Distinguished name: MyCompany-CA
7. SAVE

1.2) Generate OpenVPN SERVER certificate
1. System --> Cert Manager
2. Tab Certificates, hit plus button
3. Method: Create an Internal Certificate
4. Descriptive name: MyCompany-CA-pfsense
5. Certificate authority: MyCompany-CA
6. Key length: 2048
7. Certificate Type: Server Certificate
8. Distinguished name: MyCompany-CA-pfsense
9. Fill in the information below
10. SAVE
 
1.3) Create users and generate keys for OpenVPN CLIENTS
1. System --> User Manager
2. Tab Users, hit PLUS button (Add)
3. Disabled: uncheck
4. Username: user1
5. Password: **********
6. Group Memberships: (optionally create a vpn group and add the user to it)
7. Certificate: check
8. Descriptive name: user1_cert
9. Certificate authority: internal-ca
10. Leave everything else at defaults and SAVE

2) pfSense packages

Tunnel/bridge diff.

2.1) OpenVPN tap Bridging Fix
1. System ---> Packages
2. Click the Available Packages Tab
3. Install OpenVPN tap Bridging Fix package
4. Install OpenVPN Client Export Utility package

3) OpenVPN Server Configuration

1. Main menu --> VPN --> OpenVPN
2. Tab SERVER, hit plus button (add)



4) Bridge interface config

The next thing we have to do is create a bridge.
When a client connects to the OpenVPN server, it is attached to the OpenVPN interface.
We must bridge that interface with the LAN.

To do this:
1. Go to Interfaces ---> Assign
2. Press the + button to add an interface
3. It will probably show up as OPT1; in the drop-down box choose your OpenVPN instance
4. Go to Interfaces ---> OPT1
5. Enable the interface
6. Give it a better description
7. Leave the rest default
8. Save
9. While still in Interfaces ---> Assign, click the Bridges tab
10. Press the plus button to create a bridge
11. Choose the TWO interfaces you want to bridge (your LAN and the interface we just made for your OpenVPN server) by Ctrl-clicking them, give it a description and SAVE

5) Firewall settings

Firewall --> Rules
WAN:     | Pass | WAN     | UDP | Source: any | Dest: WAN Addr | SAVE
OPT1:    | Pass | OPT1    | any | Source: any | Dest: any      | SAVE
OpenVPN: | Pass | OpenVPN | any | Source: any | Dest: any      | SAVE

Note that the WAN rule as written has no destination port; set it to the UDP port the OpenVPN server listens on (1194 by default) so that only OpenVPN traffic is passed in from the Internet.

6) Client export

Now we need to get clients connected.

The easiest way is to install the OpenVPN Client Export Package. Install it using the same steps as for the tap bridging fix in section 2.1.

Once that is finished we can export the config files used by clients.

1. Go back to VPN ---> OpenVPN
2. Click the Client Export tab
3. If you did everything correctly you should see export options for the server and for any user you created
4. Choose your OpenVPN server under Remote Access Server
5. You can choose to export the config using your WAN IP or a DynDNS hostname if you have that set up
6. Leave everything else default
7. Choose the user you want to export and choose the Configuration Archive

7) Client PC

The next steps are done on the remote PCs.

1. Download OpenVPN: http://swupdate.openvpn.org/communit....2-install.exe
2. Install OpenVPN
3. Navigate to where you just installed OpenVPN. In that folder there should be a config folder.
4. The contents of the config archive we just downloaded go in this folder.
5. Load up the OpenVPN GUI
6. It will place an icon in the System Tray
7. Right click the icon and choose connect.
8. DONE!
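Before loading the exported profile on a client PC, it is worth checking that it actually asks for what this guide set up: tap (bridged) mode and both authentication factors from section II. The small Python check below is an added example, not part of the original post or of pfSense's Client Export package; the sample profile text and its file names are constructed placeholders.

```python
import re

# Constructed sample of a client profile for "user1" (placeholder values,
# not copied from a real pfSense export).
SAMPLE_OVPN = """\
dev tap
persist-tun
persist-key
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote vpn.example.invalid 1194 udp
auth-user-pass
ca user1-ca.crt
cert user1.crt
key user1.key
tls-auth user1-tls.key 1
"""

# Directives the bridged, certificate + password setup in this guide relies on.
REQUIRED = {
    "dev": "tap",            # Layer 2 bridge, not a routed tun
    "auth-user-pass": None,  # second factor: username/password prompt
    "cert": None,            # first factor: per-user certificate
    "key": None,
    "ca": None,              # pins the server to our own CA
    "tls-auth": None,        # HMAC protection of the control channel
}

def parse_ovpn(text):
    """Return {directive: [args...]} for every non-comment line."""
    conf = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, 1)[0].strip()  # drop comments
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf

def audit_profile(text):
    """List problems: missing directives or wrong values; empty list means OK."""
    conf = parse_ovpn(text)
    problems = []
    for directive, expected in REQUIRED.items():
        if directive not in conf:
            problems.append(f"missing '{directive}'")
        elif expected is not None and conf[directive][:1] != [expected]:
            problems.append(f"'{directive}' should be '{expected}', got {conf[directive]}")
    if "remote" in conf and len(conf["remote"]) < 2:
        problems.append("'remote' has no port")
    return problems

if __name__ == "__main__":
    print(audit_profile(SAMPLE_OVPN) or "profile OK")
```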



links: http://hardforum.com/showthread.php?t=1663797
