Non classé


introduction

Basic problem:

Let's say we have a company with multiple geographic locations.

Each geographical site has its own Internet link.

In terms of French legislation, we are obliged to authenticate and archive the activity of our users.

To do this, we decided to install a PfSense server on each site.

All of our administrators are at the main site level. So our administrators need to be able to remotely access every PfSense Distant server.

We will therefore set up a VPN link between our main site and our isolated sites. This will allow us to:

– to be able to manage our remote sites in a secure manner
– to have a possible data exchange between our Internet LANs (centralized log registration, integration of our remote computers into a single domain, etc.)

 

With a PfSense server, we can set up several types of VPNs:

IPSec (requires 2 FIXED WAN IP)
L2TP (requires 2 IP WAN fixed)
OpenVPN (requires a single fixed WAN IP)
PPTP (requires 2 FIXED WAN IP)

 

In our case, we will start on setting up an OpenVPN.

What for? Because this VPN has the advantage of operating in client/server mode and therefore requires only one WAN FIXED IP on one of our sites.

 

Since we will connect several OpenVPNs on our main site, the best way is to put the public IP address of our main site in fixed.

Any ISP offers this service (usually paid).

OpenVPN under Pfsense 1

 

 

 

Setting up our OpenVPN link

To do this, we will set up this last step by step.

In order to better understand how to set it up, we will start at the level of our administration post (located on the server part).

 

 

PfSense configuration of the main site

 

Setting up the OpenVPN

OpenVPN under Pfsense 2So far, nothing complicated. We have a Lan that is going to be NATé via the WAN IP of our box so he can browse the internet.

The first thing to do on our PfSense is to create our "Server" part.

To do this, we need to go to the "VPN – OpenVPN" tab.

In the "Server" tab, we'll click on the small "O" to create our OpenVPN server.

 

 

The parameters to be set up are:

OpenVPN under Pfsense 3

 

Server Mode: Peer to Peer (Shared Key).

To mount our VPN, we'll use a shared key.

This secret will be common to all our customers as well as to our server. We're going to have to copy and paste it every time we set up an OpenVPN connection.

This secret is automatically generated by the server.

Interface: WAN interface.

IPv4 Tunnel Network: Put a network address type 10.10.10.0 /24 (this network is a private Class A network).

The OpenVPN tunnel needs this information to work, we just need to be careful that the chosen network is large enough to accommodate all our OpenVPN customers and that it is not used anywhere else.

Once the setting is complete, click "Save."

Our OpenVPN server is set up!

All that remains is to intervene on our firewall in order to let the flows we need pass through.

 

Setting up the Firewall

To do this, go to the "Firewall and Rules" tab.

You can see that each interface has a firewall.

By default, no one can use our tunnel and all VPN connection requests from outside are blocked by the WAN firewall. So we're going to allow these flows.

 

At the OpenVPN firewall:

OpenVPN under Pfsense 4

 

At the WAN firewall:

OpenVPN under Pfsense 5

 

 

Setting up our Internet access

OpenVPN under Pfsense 6By default, a box refuses any requests for a connection from outside because it does not know to whom this request is intended (since the box makes nAT).

We will therefore indicate to the box that if a VPN connection request comes from outside, on the default port used by OpenVPN (UDP 1194), it will have to redirect it to our Pfsense.

To do this, we will set up port-forwarding (port redirection).

Given the number of different boxes on the market, it is best to do a Google search with the box reference as well as the word "port-forwarding".

 

 

PfSense configuration of our isolated sites

 

Setting up the OpenVPN

OpenVPN under Pfsense 7

The first thing to do on our PfSense is to create our "Customer" part (you'll find the setup in the image below).

 

 

 

 

 

OpenVPN under Pfsense 8

 

Server host or address 

You'll have to put the IP address of the OpenVPN server as seen on the Internet. This will be the IP address of the WAN paw of the "mother house" box.

How do I get this address? You have to go to the site www.mon-ip.com from a post of the parent company and the trick is done!

Key Shared

Copy and paste the shared secret of the server here.

IPv4 Tunnel Network

Put the same Network as the server.

All that remains is to intervene on our firewall in order to let the streams we need pass!

 

Setting up the Firewall

To do this, go to the "Firewall and Rules" tab.

As it is the customer who has to request a connection, there is no need to add a rule to the WAN firewall. We will only intervene on the OpenVPN firewall to add the same rules as the server part:

OpenVPN under Pfsense 9

 

Setting up our INTERNET access

There is no action to be taken on the Internet BOXES of our isolated sites as they are in "Client" mode. They are the ones who make the request to open the OpenVPN tunnel.

 

 

Testing for good functioning

To test your VPN connection, try accessing the remote PfSense administration page from a post on the main site.

If this doesn't work, we'll have to check the logs of our firewalls or if one of our feeds hasn't been blocked.

This rule plan can help you in your search for a breakdown:

OpenVPN under Pfsense 10

 

 

Hoping you enjoyed this article!

Don't hesitate to let me know!!

FingerInTheNet.com

Leave a Reply

Your email address will not be published. Required fields are marked *

four − 2 =

%d bloggers like this: