pfSense 2.3 remote access via OpenVPN

Published 5 March 2016.

Introduction

A typical home setup may involve running many services which a user may want to gain access to when away from the home, a common use is to view Plex media server content. It is possible to open a myriad of firewall ports and provide WAN access to all of your local services them but to my mind exposing more than is absolutely necessary is increasing the risk of a network intrusion. I prefer to provide a single VPN tunnel into my home network to access all local services.

This guide will take you through configuring pfSense and also a iOS device to enable access any internal servers remotely, including plex.

Fundamentals

Most consumer internet connections provide service via a dynamic IP address which changes from time to time, Verizons is one of these. To ensure we can always access our network we need to setup a Dynamic DNS service which will keep a DNS name up to date with any changes.

For the purpose of this guide, I’ve created a test DNS entry in my Route53 DNS service for access.nguvu.org which points to my entry address. Depending on who you use to manage your DNS records with your settings may vary.

Dynamic DNS

Navigate to Services > Dynamic DNS

Click Add
Service Type: Route53
Interface to monitor - WAN
Hostname: access.nguvu.org
MX: Blank
Wildcards: [ ]
Verbose logging: [ ]
Username: Route53 user Access Key ID
Password: Route53 user Secret Access Key
Password Confirm: Route53 user Secret Access Key again
Zone ID: Zone ID that you received when you created your domain in Route 53
TTL: 300
Description: Test access to home WAN
Click Save & Force Update

DDNS setup

If everything is correct, your Dynamic DNS record should be updated to that of your WAN interface. We will use this record in our VPN tunnel connection settings later.

DDNS setup

Create ‘roadwarrior’ certificate authority

We need a certificate authority to validate devices attemtping to gain access.
Navigate to System > Cert Manager > CAs

Click +Add

Create / Edit CA

Descriptive Name = Roadwarrior_CA
Method = Create an Internal Certificate Authority

Internal Certificate Authority

Key Length = 4096
Digest Algorithm = SHA256
Lifetime (Days) 3650
Country Code = Your country
State or province = Your State
City = Your City
Organization = Your Organisation
e-mail Address = Your email
Common Name = internal-ca
Save

Verify your certificate authority looks like this when done

Certificate Authority

Create ‘roadwarrior’ certificate

Navigate to System > Cert Manager > Certificates

Click Add

Select Create an internal certificate

Add a new certificate

Descriptive name: Roadwarrior_cert

Internal Certificate

Certificate authority = Roadwarrior_CA
Key Length = 4096
Digest Algorithm = SHA256
Certificate = Server certificate
Lifetime (Days) 3650
Country Code = Your country
State or province = Your State
City = Your City
Organization = Your Organisation
e-mail Address = Your email
Common Name = roadwarrior_cert
Alternative names = FQDN or Hostname “pfsense.local.lan”
Save

Verify your certificate looks like this when done

OpenVPN Certificate

Create a certificate revocation list

You’ll need a revocation list for if/when you need to expire any certificates you create. Although technically this isnt required to get this system up and running its pretty trivial so we may as well.

Navigate to System > Certificates > Certificate Revocation

Create new revocation list

Next to Roadwarrior_CA, Click on Add or Import CRL
Descriptive name = Roadwarrior_CRL
Certificate Authority: Roadwarrior_CA

Internal Certificate Revocation List

Lifetime Days = 9999
Serial 0
Click Save

Create the OpenVPN server

Now we’ll create the OpenVPN server which remote devices will connect to. We will change from the default pot of 1194 to 443 as this port is often closed on remote networks.

Navigate to VPN > OpenVPN > Server

Click +Add

General Information

Disabled = [ ]
Server Mode = Remote Access (SSL/TLS)
Protocol = UDP
Device mode = tun
Interface = WAN
Port = 443
Description = Roadwarrior VPN

Cryptographic settings

TLS Authentication = [x]
Automatically generate a shared TLS authentication key = [x]
Peer certificate authority = Roadwarrior_CA
Peer certificate revocation list = Roadwarrior_CRL (CA: Roadwarrior_CA)
Server certificate = Roadwarrior_cert (Server Yes, CA: Roadwarrior_CA, In Use)
DH Parameter (bits) = 2048
Encryption Algorithm = AES-256-CBC (256-bit)
Auth Digest algorithm = SHA1 (160bit)
Hardware crypto = Intel RDRAND engine - RAND
Certificate Depth = One (Client + Server)

Tunnel Settings

IPv4 Tunnel = 192.168.100.0/24
IPv6 Tunnel = blank
Redirect Gateway = [x] Force all client generated traffic through the tunnel.
IPv4 Local Networks = blank
IPv6 Local Networks = blank
Concurrent Connections = 10
Compression = Enabled with adaptive compression
Type-of-service = [ ]
Inter-client communication = [ ]
Duplicate Connection = [ ]
Disable IPv6 = [x]

Client Settings

Dynamic IP = [x]
Address Pool = [x]
Topology = Subnet - One IP address per client in common subnet
DNS default domain = [x]
DNS default domain = local.lan
DNS server enable = [x]
DNS Server 1 = 192.168.100.1
Force DNS cache update = [ ]
NTP Server enable = [ ]
Netbios enable = [ ]
Enable custom port = [ ]

Advanced Configuration

Custom options = blank

Wireless networks often produce a lot of duplicate packets. Set mute-replay-warnings in the custom options box if you need to mute those warnings.

Verbosity level = 3
Save

Assign OpenVPN interface

We can now create an interface based on the OpenVPN server we just created.

Navigate to Interfaces > Assign

Select ‘ovpns4 (Roadwarrior VPN)’
Click Add

OpenVPN Interface

Click on the OPTx interface next to Roadwarrior VPN Network port

Enable = [√]
Description = RW_VPN
IPv4 Configuration Type = None
IPv6 Configuration Type = None
Mac controls : Blank
MTU = blank
MSS = blank
Block private networks = [ ]
Block bogon networks = [ ]
Save

Assign OpenVPN server routing

Navigate to System > Routing

Click ‘copy’ icon next to RW_VPN_VPNV4 gateway

Name = RW_VPN
Description = Interface RW_VPN Gateway
Save & Apply

OpenVPN Interface

Set RW_VPN firewall rules

This section uses a few aliases which I used in my pfSense 2.3 baseline configuration, refer to that guide if this doesn’t make sense to you.
Setup the rules on the OpenVPN server interface to allow for the following access

Allow ping for network debugging
Allow access to my local subnets (LOCAL_SUBNETS) only on approved ports (Allowed_OUT_ports_LAN)
Allow internet access via my VPN gateway group only on approved ports (Allowed_OUT_ports_WAN)

Navigate to Firewall > RW_VPN

Allow Pings for network diagnostics

Click ‘↴+’
Action: Pass
Disabled = [ ]
Interface: RW_VPN
Address Family: IPv4
Protocol: ICMP
ICMP Type = Any
Source: RW_VPN net
Destination: Any
Log: [ ]
Description: RW_VPN: Pass ICMP
Click [Save]

Allow traffic to local subnets (LOCAL_SUBNETS alias) on permitted ports only (Allowed_OUT_ports_LAN alias).

Click ‘↴+’
Action: Pass
Disabled = [ ]
Interface: RW_VPN
Address Family: IPv4
Protocol: TCP/UDP
Source: RW_VPN net
Destination:
- invert match: [ ]
- Single host or alias
- LOCAL_SUBNETS
Destination Port Range:
- From: Other
- Custom: Allowed_OUT_ports_LAN
- To: Other
- Custom: Allowed_OUT_ports_LAN
Log: [ ]
Description: RW_VPN: Pass approved LAN
Click [Save]

Pass approved internet bound traffic out the VPN gateway

Click ‘↴+’
Action: Pass
Disabled = [ ]
Interface: RW_VPN
Address Family: IPv4
Protocol: TCP/UDP
Source: RW_VPN net
Destination:
- Invert Match: [√]
- Single host or alias
- Address: LOCAL_SUBNETS
Destination Port Range:
- From: Other
- Custom: Allowed_OUT_ports_WAN
- To: Other
- Custom: Allowed_OUT_ports_WAN
Log = [ ]
Description: RW_VPN: Pass approved internet via VPN_GRP
Click Advanced Options
Gateway: VPN_Group
Click [Save]

Default Block & log IPv4

Click ‘↴+’
Action: Reject
Disabled = [ ]
Interface: RW_VPN
Address Family: IPv4
Protocol: any
Source: Any
Destination: Any
Log: [√]
Description: RW_VPN: Default reject IPv4
Click [Save]

Block default IPv6

Click ‘↴+’
Action: Reject
Disbaled = [ ]
Interface: RW_VPN
Address Family: IPv6
Protocol: any
Source: Any
Destination: Any
Log: [ ]
Description: RW_VPN: Default reject IPv6
Click [Save]

Your RW_VPN interface should look this this when done.

RW_VPN FW Rules

Allow OpenVPN access for the WAN port

We will now open a port on our firewall to allow access to the OpenVPN server which is running on port 443.

Navigate to Firewall > WAN

Select ↑Add

Action: Pass
Disabled = [ ]
Interface: WAN
Address family: IPv4
Protocol: UDP
Source: Any
Destination:
- Invert match = [ ]
- Address: WAN address
Destination Port Range:
- From: HTTPS (443)
- To: HTTPS (443)
Log: [ ]
Description: WAN: Allow RW_VPN
Save & Apply

WAN firewall rules

Your WAN interface should look this this when done.

WAN firewall rules

Allow DNS resolution

Navigate to Services > DNS Resolver

Under Network interfaces dropdown, add RW_VPN to the selection choice.

Update aliases

I use the LOCAL_SUBNETS alias to define traffic which is classed as internal or external so we need to add our new RW_VPN address range to this address to ensure we match traffic against the appropriate firewall rules.

Navigate to Firewall > Aliases

Click the pencil icon next to the LOCAL_SUBNETS alias to edit the list

Add the RW_VPN address range, i.e

192.168.100.0 / 24 “RW_VPN”

Click Save & Apply

Your LOCAL_SUBNETS alias should look this this when done.

Subnet alias

Create a client certificate

I’ll show you how to create a client certificate for an iOS device. Although you can set OpenVPN up to accept the same certificate from multiple clients its a less secure solution and not my preferred option. This option allows you to specify a certificate per user and/or per client and provides the ability to expire one at any time.

Navigate to System > Cert Manager > Certificates

Click Add

Method = Create an internal certificate
Descriptive name: nguvu_iphone_cert

Internal Certificate

Certificate authority = Roadwarrior_CA
Key Length = 4096
Digest Algorithm = SHA256
Certificate = User certificate
Lifetime (Days) 3650
Country Code = Your country
State or province = Your State
City = Your City
Organization = Your Organisation
e-mail Address = Your email
Common Name = memorable name for this certificate, e.g nguvu_iphone
Alternative names = FQDN or Hostname “nguvu_iphone”
Save

Your certificate should look this this when done.

iphone openvpn certificate

Export the certificate

To get the certificate into your client device we’ll make use of the OpenVPN-client-export wizard.

Navigate to System > Packages >Available packages

Click Install next to the OpenVPN-client-export to install the utility.

install export wizard

You’ll see the window populate with a progress report…

>>> Installing pfSense-pkg-openvpn-client-export... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up-to-date.
Updating pfSense repository catalogue...
pfSense repository is up-to-date.
All repositories are up-to-date.
Updating database digests format: . done
The following 4 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	pfSense-pkg-openvpn-client-export: 1.3.6_1 [pfSense]
	zip: 3.0_1 [pfSense]
	p7zip: 15.09 [pfSense]
	openvpn-client-export: 2.3.10 [pfSense]

The process will require 14 MiB more space.
7 MiB to be downloaded.
Fetching pfSense-pkg-openvpn-client-export-1.3.6_1.txz: .. done
Fetching zip-3.0_1.txz: .......... done
Fetching p7zip-15.09.txz: .......... done
Fetching openvpn-client-export-2.3.10.txz: .......... done
Checking integrity... done (0 conflicting)
[1/4] Installing zip-3.0_1...
[1/4] Extracting zip-3.0_1: .......... done
[2/4] Installing p7zip-15.09...
[2/4] Extracting p7zip-15.09: .......... done
[3/4] Installing openvpn-client-export-2.3.10...
[3/4] Extracting openvpn-client-export-2.3.10: .......... done
[4/4] Installing pfSense-pkg-openvpn-client-export-1.3.6_1...
[4/4] Extracting pfSense-pkg-openvpn-client-export-1.3.6_1: ...... done
Saving updated package information...
done.
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Writing configuration... done.
>>> Cleaning up cache... done.
Success

Once it has finished, Navigate to VPN > Client Export

We will use the Dynamic DNS record we setup at the beginning of this guide to ensure we can always reach our network regardless of any updates to IP address.

Set up the options as follows:

Remote Access Server = Roadwarrior VPN UDP:443
Host name Resolution = access.nguvu.org (or your DNS record)
Verify Server CN = Automatic - Use verify-x509-name (OpenVPN 2.3)+ where possible
Use Random local port = [x]
Microsoft certificate storage [ ]
Password protect certificate = [ ]
Use a proxy = [ ]
Management interface = [ ]
Advanced = empty

There will be several options displayed alongside each certificate for exporting in various formats. The one we are looking for is the inline configuration for the OpenVPN Connect client.

Click on OpenVPN connect (Android or iOS)

A certificate file will be downloaded to your desktop which we can now transfer across to our iOS device.

Client software install

The OpenVPN connect application provides OpenVPN functionality for a number of platforms. Install this on your device to provide the means to process .ovpn files.

In terms of getting the .ovpn file to your device, there are numerous ways to handle this. You can email the file to yourself, transfer it via a cloud service such as Dropbox however please be aware that this file contains all the details needed to access your network and hence its worthwhile taking extra care in how you transfer it to prevent it being compromised. A few methods which provide a secure method include SpiderOak which is an encrypted Dropbox alternative, iTunes or my favourite, Instashare which facilitates direct transfers from Mac > iOS devices.

In my case, once I have dragged the .ovpn file to my instashare folder the file appears on my iOS device.

instashared

I can now copy the file into the OpenVPN Connect Application which will begin the import process

instashare import

OpenVPN will open and prompt you to import the certificate. Click the green + symbol to add it to your device.

instashared

Once imported, you can toggle the connection switch to initiate an connection.

instashared

If everything has gone correctly, you should see the display change to connected with associated IP, port and protocol details below

instashared

You can debug any errors or validate the connection is correct by inspecting the log by expanding the Connected box with the ‘>’ arrow.

instashared

Here’s my log relating to this connection example for reference

2016-03-05 19:07:05 EVENT: RESOLVE
2016-03-05 19:07:06 LZO-ASYM init swap=0 asym=0
2016-03-05 19:07:06 Contacting 71.***.***.***:443 via UDP
2016-03-05 19:07:06 EVENT: WAIT
2016-03-05 19:07:06 SetTunnelSocket returned 1
2016-03-05 19:07:06 Connecting to access.nguvu.org:443 (71.***.***.***) via UDPv4
2016-03-05 19:07:06 EVENT: CONNECTING
2016-03-05 19:07:06 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2016-03-05 19:07:06 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1

2016-03-05 19:07:06 VERIFY OK: depth=1
cert. version    : 3
serial number    : 00
issuer name      : C=US, ST=My State, L=My City, O=My org, emailAddress=info@nguvu.org, CN=internal-ca
subject name      : C=US, ST=My State, L=My City, O=My org, emailAddress=info@nguvu.org, CN=internal-ca
issued  on        : 2016-03-02 01:32:46
expires on        : 2026-02-28 01:32:46
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true
key usage        : Key Cert Sign, CRL Sign

2016-03-05 19:07:06 VERIFY OK: depth=0
cert. version    : 3
serial number    : 02
issuer name      : C=US, ST=My State, L=My City, O=My org, emailAddress=info@nguvu.org, CN=internal-ca
subject name      : C=US, ST=My State, L=My City, O=My org, emailAddress=info@nguvu.org, CN=Roadwarrior_cert
issued  on        : 2016-03-02 02:08:49
expires on        : 2026-02-28 02:08:49
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=false
subject alt name  : pfsense.local.lan
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication, ???

2016-03-05 19:07:07 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2016-03-05 19:07:07 Session is ACTIVE
2016-03-05 19:07:07 EVENT: GET_CONFIG
2016-03-05 19:07:07 Sending PUSH_REQUEST to server...
2016-03-05 19:07:07 OPTIONS:
0 [dhcp-option] [DOMAIN] [local.lan]
1 [dhcp-option] [DNS] [192.168.100.1]
2 [redirect-gateway] [def1]
3 [route-gateway] [192.168.100.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [60]
7 [ifconfig] [192.168.100.2] [255.255.255.0]

2016-03-05 19:07:07 LZO-ASYM init swap=0 asym=0
2016-03-05 19:07:07 EVENT: ASSIGN_IP
2016-03-05 19:07:07 TunPersist: saving tun context:
Session Name: access.nguvu.org
Remote Address: 71.***.***.***
Tunnel Addresses:
  192.168.100.2/24 -> 192.168.100.1
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv6: no
Add Routes:
Exclude Routes:
DNS Servers:
  192.168.100.1
Search Domains:
  local.lan

2016-03-05 19:07:07 Connected via tun
2016-03-05 19:07:07 EVENT: CONNECTED @access.nguvu.org:443 (71.***.***.***) via /UDPv4 on tun/192.168.100.2/
2016-03-05 19:07:07 SetStatus Connected

Verification of functionality and performance

Navigate to >Status > OpenVPN

Verify the OpenVPN tunnel is connected as expected

Server Connections

Expiring keys

At some stage you will want to expire a certificate.

Navigate to System > Cert Manager > Cert Revocation

Click Edit CRL next to Roadwarrior_CRL

Select the certificate you want to expire, and a reason why and select ‘Add’

Revocation

The certificate will now be revoked and access denied. It is possible to reinstall the certificate by deleting the revocation with the blue ‘x’ on the right of the screen.

Revocation