OpenVPN configuration in PFSense.

Jan 27, 2019 | Linux, Server administration, Technology, Windows | 0 comments

I spent about six hours this weekend installing PFSense, configuring the firewall and setting up OpenVPN. Here’s a quick run through of the problems and the solutions.

LAN to WAN access

I’m not using VLan’s.  The main purpose of running PFSense is I wanted to have traffic filtered through a reasonably decent firewall sitting on a virtual machine.  All the servers that I’m going to use are on the one hyper-V host.   I don’t want to open up a lot of ports going to these services for both general front end access and back end administration.

With the use of a VPN for back end administration, I’ll have three networks in total to set up.

  • WAN interface.
  • LAN network
  • VPN client network.

At the start, prior to configuring OpenVPN, routing between the WAN to the LAN was fine.  But after the configuration of OpenVPN I had problems with routing from the LAN out to the WAN.

I wish I could say I found a solution to this. But I didn’t.  When I fixed the routing issue, I then lost all access to the LAN.  So I restored the factory defaults and began configuration again.

The second time I configured PFSense the routing issues I had were not encountered.

Certificates

When configuring OpenVPN, I had problems generating the client. The first time It said I had no RCL.  Second time I had no user cert and the third time the server cert wasn’t from a trusted CA.

Here’s what I did to fix all of that:

  • Created a new user. This user doesn’t have admin access. This is a good idea for VPN use anyway. This new user has a user certificate assigned.  This user certificate is created from the CA on the server.
  • I don’t know why but the server certificate created by the OpenVPN server wizard wasn’t signed by the Route CA on the server. I also couldn’t delete that certificate. Instead, I just created a second server certificate and in the properties of the server, I selected that new certificate.
  • No CRL. IF a CRL is required by the OpenVPN server, I’m not sure why it wasn’t created by the wizard. But in the properties of the OpenVPN server, a handy link is provided to bring you right to the CRL tab under the Certificate options.

All of these items were easy to fix.  They seem like bugs in the OpenVPN server creation process.

Routing

This one took a while to fix.   I was able to access the PFSense LAN address from VPN clients but I couldn’t access any other devices on the PFSense LAN.

  • Using netstat -r in Windows confirmed that the route was added.
  • There were no firewall rules blocking traffic. But on the up side, I also added tighter  rules to specifically allow the traffic that was needed between VPN devices and the LAN.

I thought it was strange that I could access the LAN devices from the PFSense console.  So after a lot of thinking, I finally decided to add the routes from the other direction.  From the LAN devices to the OpenVPN network.  There’s a way of doing this in OpenVPN I’m sure however if explicitly configuring the routes on the LAN devices, try one of these two commands.

For Windows:
route add 10.0.1.0 mask 255.255.255.0 [PFSenseLANGateway]

For Linux:
ip route add 10.0.1.0/24 via [PFSenseLANGateway]

Finally. It’s all working.

I used PFSense a lot about eight years ago. I had problems at the time running it in a VM. Now though I’m delighted that I’ve started using it again. I love the UI and it’s all very logical.  I look forward to using the lode balancer functionality soon as well.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.