Friday, March 31, 2017

Setting Up PFSENSE with OPENVPN using User Authentication

PFSense is a great firewall solution.  It is flexible, easy to customize and comes with built in VLAN and VPN support.  Now I am going to document this for setting up a User Authenticated Open VPN Server in PF using the local database that is in PFSENSE.  This will have to be modified for larger organizations; but would be great for smaller and mid-range shops.  This is the least secure way to set this up but is the easiest to setup.

A couple of things to note.

The PFSense OPENVPN client wizard automatically makes the routing for the WAN which is what is used in most setups as most organizations use one firewall.  If you re-run the export wizard and if you made a change to the rule it will reset any changes you made to the WAN.

If you are using PFSENSE with CARP FAILOVER, you must select the CARP address and change any firewall ports/forwards and NAT/Outbound rules.  On your OPENVPN Server make sure the interface is set to your CARP address as well.

Before you proceed you should install the openvpn-client-export package as seen below.




What this tool does is it adds a client export utility which really just allows you to download a .ovpn of your firewall connection for the Open VPN client.  It makes it really easy to make the .ovpn file you need to use with the Open VPN client.


PFSense supports 3 Server Modes for OPENVPN


The OpenVPN Server Mode allows selecting a choice between requiring Certificates, User Authentication, or both. The wizard defaults to Remote Access (SSL/TLS + User Auth). The possible values for this choice and their advantages are:
  • Remote Access (SSL/TLS + User Auth)
    • Requires both certificates AND username/password
    • Each user has a unique client configuration that includes their personal certificate and key.
    • Most secure as there are multiple factors of authentication (TLS Key and Certificate that the user has, and the username/password they know)
  • Remote Access (SSL/TLS)
    • Certificates only, no auth
    • Each user has a unique client configuration that includes their personal certificate and key.
    • Useful if clients should not be prompted to enter a username and password
    • Less secure as it relies only on something the user has (TLS key and certificate)
  • Remote Access (User Auth)
    • Authentiation only, no certificates
    • Useful if the clients should not have individual certificates
    • Commonly used for external authentication (RADIUS, LDAP)
    • All clients can use the same exported client configuration and/or software package
    • Less secure as it relies on a shared TLS key plus only something the user knows (Username/password)

More in depth documentation can be found here at https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server#Authentication

This tutorial will help you setup a Remote Access (User Auth) setup.  There are a few things you need to setup before you begin.
  1. Have a user setup that you plan on using for OPENVPN
  2. Setup up a Certificate
  3. Run the OPEN VPN Wizard
  4. Open Your Firewall ports and setup your routing properly.

STEP 1.  Create a OPENVPN User

I would highly recommend using something separate from the built in account; not only is it best practice it would be stupid to use default account.  Depending on your setup if your using groups etc, you will need to add permissions for what you want.  To just access the network you don't need to have the user setup as a member of the Admins group.  Now you can restrict their access to gui controls in the firewall etc. Just remember this user has access to the firewall so lock it down as best you can.  PFSense supports LDAP and Radius as well as local database.  We will be using the local database installed in PFSense which is used for user management.






STEP 2 - Create your Certificate

You could setup letsencrypt though there is no really good way of automating the renewal of the TLS Certificate every 90 days yet.  For our purposes we are going to use a self-signed certificate.  Create a internal Certificate Authority which is used for self signing.  I used the default a 2048 bit key length with a sha256 digest.  We are creating the Certificate (which is shared for all remote user access) so that the tunnel is encrypted.  The default lifetime of the Cert is 10 years.



Here is a sample of what the cert should look like.




And you should create an internal Certificate Revocation List.  This will allow you to revoke the certificate incase you lose control of the private key.





STEP 3 - OPENVPN Wizard

This is basically a fill in the blank wizard.  When you finish it will generate a OPENVPN server and exported client settings.  This is the easiest way to create the .ovpn file and recommend using it and making changes to the .ovpn file after the fact.







The tunnel network is the network that the client is using to connect to the network you want to access.  An example is the client using the OpenVPN client would have an ip address on the virtual network 192.168.2.0/24 and is trying to the actual LAN network of 192.168.1.0/24.  So the client would get an IP of 192.168.2.3 and would be able to access the NAS on 192.168.1.50.  You may need to add the push "route 192.168.1.0 255.255.255.0" in the advanced section otherwise the routing may not work as expected.  I have found for the most part this is required and further down if your using this to VPN into an Active Directory Network and want to access DFS shares you will also have to push out DNS settings.



After the wizard is completed you will see your VPN Server like in the image below.




You will want to go into the settings and make a few changes.



You will want to make sure that the server mode is set to Remote Access (User Auth) and your interface is what it needs to be WAN or CARP Typically.

You will then want to go to the client Export option. (This is a plugin in PFSense so make sure you install it first.)
Here you can download all your OPENVPN Config Options





4. Confirm your Firewall Ports and Routing are working properly.

Your firewall rules should look something like this.







The exported OpenVNC settings file looks something like this.



persist-tun


persist-key

cipher AES-256-CBC

auth SHA256

tls-client

client

remote X.X.X.X YYYYY udp

lport 0
auth-user-pass
ns-cert-type server
comp-lzo adaptive

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
setenv CLIENT_CERT 0
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
key-direction 1



UPDATE:

If you want access to DFS Shares though AD, you will want to push all traffic through the VPN.  Check the Redirect Gateway.  The default is 10 Concurrent Connections.

I've also set the DNS Server Enable pointing to the DNS for the AD Controllers and I've also enabled Block Outside DNS, and Force DNS cache update.

I've also added a few additional options for custom options for the DNS Server.

push "route xxx.xxx.xxx.0 255.255.255.0"
push "dhcp-option DNS xxx.xxx.xxx.xxx"

You may also have to update your Active Directory settings to enable slow-link mode. (see below)




Once you connect to your VPN you will be working in offline mode because your not connected to the domain right away.  If you click the work online on the client the DFS shares will come right up.


How to fix CURL call imporitng an RSS feed on a site blocking CURL calls

There is a 3rd party service provider that my organization uses called bibliocommons.  They have these nice book carousels.  However the car...