Introduction
Basic problem:
Let's say we have a company with several geographic sites.
Each site has its own Internet link.
Under French legislation we are required to authenticate our users and archive their activity.
To do this, we decided to install a PfSense server on each site.
All of our administrators work at the main site, so they need to be able to remotely administer every remote PfSense server.
We will therefore set up a VPN link between our main site and our isolated sites. This will allow us to:
– manage our remote sites securely
– exchange data between our LANs (centralised log collection, joining our remote computers to a single domain, etc.)
With a PfSense server we can set up several types of VPN:
– IPsec (requires two fixed WAN IPs)
– L2TP (requires two fixed WAN IPs)
– OpenVPN (requires a single fixed WAN IP)
– PPTP (requires two fixed WAN IPs)
In our case we will set up OpenVPN.
Why? Because this VPN works in client/server mode and therefore needs a fixed WAN IP on only one of our sites.
Since several OpenVPN clients will connect to our main site, the sensible choice is to make the main site's public IP address the fixed one.
Every ISP offers this service (usually for a fee).
Setting up our OpenVPN link
We will set this up step by step.
To make the setup easier to follow, we will start from our administration workstation, which is on the server side.
PfSense configuration of the main site
Setting up the OpenVPN
So far, nothing complicated. We have a LAN that is NATed behind the WAN IP of our ISP box so that it can reach the Internet.
The first thing to do on our PfSense is to create the "Server" side.
To do this, go to the "VPN – OpenVPN" tab.
In the "Server" tab, click the small "O" icon to create our OpenVPN server.
The parameters to set are:
Server Mode: Peer to Peer (Shared Key).
To build our VPN we will use a shared key. This secret is common to all our clients and to our server; we will have to copy and paste it each time we set up an OpenVPN connection. The secret is generated automatically by the server.
Interface: WAN.
IPv4 Tunnel Network: enter a network such as 10.10.10.0/24 (a private Class A range). The OpenVPN tunnel needs this to work; we just need to make sure the chosen network is large enough for all our OpenVPN clients and is not used anywhere else.
Once the settings are complete, click "Save".
Our OpenVPN server is set up!
All that remains is to adjust our firewall so that the traffic we need can pass.
Setting up the Firewall
To do this, go to the "Firewall – Rules" tab.
You can see that each interface has its own set of firewall rules.
By default nobody can use our tunnel, and all VPN connection requests from outside are blocked on the WAN interface. So we are going to allow this traffic.
On the OpenVPN interface:
On the WAN interface:
Setting up our Internet access
By default, an ISP box refuses any connection request from outside because it does not know which host the request is meant for (since the box performs NAT).
We will therefore tell the box that if a VPN connection request arrives from outside on the default OpenVPN port (UDP 1194), it must redirect it to our PfSense.
To do this, we set up port forwarding (port redirection).
Given the number of different boxes on the market, it is best to do a web search for the box model together with the words "port forwarding".
PfSense configuration of our isolated sites
Setting up the OpenVPN
The first thing to do on our PfSense is to create the "Client" side (the settings are shown in the image below).
Server host or address
Enter the IP address of the OpenVPN server as seen from the Internet, i.e. the WAN-side IP address of the head office's ISP box.
How do you find this address? Visit www.mon-ip.com from a workstation at the head office and you have it!
Shared Key
Copy and paste the server's shared secret here.
IPv4 Tunnel Network
Enter the same network as on the server.
All that remains is to adjust our firewall so that the traffic we need can pass!
Setting up the Firewall
To do this, go to the "Firewall – Rules" tab.
Since it is the client that initiates the connection, there is no need to add a rule on the WAN interface. We only need to add the same rules as on the server side to the OpenVPN interface:
Setting up our Internet access
Nothing needs to be done on the ISP boxes of our isolated sites, since they are in "Client" mode: they are the ones that initiate the OpenVPN tunnel.
Testing that it works
To test your VPN connection, try to open the remote PfSense administration page from a workstation on the main site.
If this does not work, check the logs of our firewalls to see whether one of our flows has been blocked.
This rule plan can help you track down the problem:
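As an added example that is not part of the original article, here is a small Python consistency check that walks the same list an operator would go through when the tunnel does not come up: tunnel network (private, identical on both sides, not overlapping a LAN), shared key, the address the client points at, the WAN and OpenVPN pass rules, and the ISP box port forward. All IP addresses, rule entries and the key below are constructed placeholders.

```python
import hashlib
import ipaddress

def key_fingerprint(key):
    """Short SHA-256 fingerprint so two sites can compare keys without reading them out."""
    return hashlib.sha256(key.strip().encode()).hexdigest()[:16]

def has_pass_rule(rules, proto=None, dport=None):
    """True if some rule passes the given protocol/port (None means any value is fine)."""
    return any(r["action"] == "pass"
               and (proto is None or r["proto"] in (proto, "any"))
               and (dport is None or r.get("dport") in (dport, "any"))
               for r in rules)

def check_site_to_site(server, client):
    """Return the mismatches between a shared-key server and one client; [] means consistent."""
    problems = []
    proto, port = server["proto"], server["port"]
    tun = ipaddress.ip_network(server["tunnel_network"])
    if not tun.is_private:
        problems.append("tunnel network is not a private range")
    for name, lan in (("server", server["lan"]), ("client", client["lan"])):
        if tun.overlaps(ipaddress.ip_network(lan)):
            problems.append(f"tunnel network overlaps the {name} LAN {lan}")
    if ipaddress.ip_network(client["tunnel_network"]) != tun:
        problems.append("client tunnel network differs from the server's")
    if (client["proto"], client["port"]) != (proto, port):
        problems.append("client protocol/port differs from the server's")
    if client["server_host"] != server["public_ip"]:
        problems.append("client does not point at the main site's public IP")
    if key_fingerprint(client["shared_key"]) != key_fingerprint(server["shared_key"]):
        problems.append("shared key differs between server and client")
    if not has_pass_rule(server["wan_rules"], proto, port):
        problems.append(f"server WAN firewall has no pass rule for {proto}/{port}")
    for name, site in (("server", server), ("client", client)):
        if not has_pass_rule(site["openvpn_rules"]):
            problems.append(f"{name} OpenVPN interface has no pass rule")
    fwd = server["box_port_forward"]
    if fwd is None or (fwd["proto"], fwd["port"], fwd["to"]) != (proto, port, server["wan_ip"]):
        problems.append(f"main-site ISP box does not forward {proto}/{port} to the PfSense WAN IP")
    return problems

# Constructed example values (not from the article): main-site server and one remote-site client.
KEY = "-----BEGIN OpenVPN Static key V1-----\n0123456789abcdef\n-----END OpenVPN Static key V1-----"
SERVER = dict(proto="udp", port=1194, tunnel_network="10.10.10.0/24", lan="192.168.10.0/24",
              wan_ip="192.168.1.2", public_ip="203.0.113.10", shared_key=KEY,
              wan_rules=[dict(action="pass", proto="udp", dport=1194)],
              openvpn_rules=[dict(action="pass", proto="any")],
              box_port_forward=dict(proto="udp", port=1194, to="192.168.1.2"))
CLIENT = dict(proto="udp", port=1194, tunnel_network="10.10.10.0/24", lan="192.168.20.0/24",
              server_host="203.0.113.10", shared_key=KEY, openvpn_rules=[dict(action="pass", proto="any")])
```

Calling `check_site_to_site(SERVER, CLIENT)` returns an empty list for the consistent pair above and one line per mismatch otherwise. Keep in mind that OpenVPN's shared-key (static key) mode is point-to-point, so each server instance on the main site serves a single remote site; the check therefore compares one server instance against one client.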
Hoping you enjoyed this article!
Don't hesitate to let me know!
FingerInTheNet.com
