Differences

This shows you the differences between two versions of the page.

--- pfsense:vpn:openvpn:configure_an_openvpn_server [2021/01/06 18:09] – peter
+++ pfsense:vpn:openvpn:configure_an_openvpn_server [2021/02/19 11:19] (current) – peter
@@ Line 1: / Line 1: @@
 ====== PFSense - VPN - OpenVPN - Configure an OpenVPN Server ======
+[[PFSense:VPN:OpenVPN:Configure an OpenVPN Server:Add access for clients to a different internal network|Add access for clients to a different internal network]]
 [[PFSense:VPN:OpenVPN:Configure an OpenVPN Server:Manually|Manually]]
 [[PFSense:VPN:OpenVPN:Configure an OpenVPN Server:Using a Wizard|Using a Wizard]]
-Navigate to **VPN -> OpenVPN -> Servers**.
-Click on **Wizard**.
-<WRAP info>
-**NOTE:**  This will allow us to easily create our CA (Certification Authority), the Server Certificate and the configuration of the VPN Server;
-These components can also be created individually if required.
-</WRAP>
-  * Select **Local User Access**.
-Now create the CA, as a necessary parameter we must enter a **Descriptive name** that will allow us to identify it, while all the other parameters can be left by default.
-  * Key length: **2048 bit**.
-  * Lifetime:  **3650**.  (10 years).
-Create the Server Certificate to be associated with our VPN server, as per the CA will require a **Descriptive name** and leave the other default parameters.
-  * Key length: **2048 bit**.
-  * Lifetime:  **3650**.  (10 years).
-  * Click **Next**.
-Now Create the actual VPN server configuration.
-General OpenVPN Server Information:
-  * Interface:  **WAN**.  Or select the interface on which we want our service to listen.  If we have more than one WAN interface choose the one you want to dedicate to the service.  Later we can select multiple interfaces for greater redundancy.
-  * Protocol:  **UDP on IPv4 only**.
-  * Local Port:  **1194**.  Remember the port that is used for the VPN must be open on the listening interface.  Therefore it will be necessary to configure the Firewall to open this port.
-  * Description:  Choose the name to identify the server.
-Cryptographic Settings:
-  * TLS Authentication:  **Checked**.
-  * Generate TLS Key:  **Checked**,
-  * DH Parameters Length: **2048**.
-  * Encryption Algorithm:  **AES-128-CBC (128 bit key, 128 bit block)**.
-  * Auth Digest Algorithm:  **SHA256 (256-bit)**.
-  * Hardware Crypto:  **Intel RDRAND engine - RAND**.
-Tunnel Settings:
-  * Tunnel Network:  **10.20.30.0/24**.
-  * Redirect Gateway:  **Not Checked**.
-  * Local Network:  **192.168.1.0/24**.  If there are multiple LAN networks to which we want to give access, you can enter them by separating them with a comma.
-  * Concurrent Connections:  **<blank>**.  Can set this to the maximum number of client to allow access in.
-  * Compression:  **Omit Preferences (Use OpenVPN Default)**.
-  * Type-of-Service:  **Not Checked**.
-  * Inter-Client-Communication:  **Not Checked**.
-  * Duplicate Connections:  **Not Checked**.
-Client Settings:
-  * Dynamic IP:  **Checked**.
-  * Topology:  **Subnet - One IP address per client in a common subnet**.
-  * Netbios Node Type:  **None**.
-  * Click **Next**.
-Wizard Firewall Rule Setup
-  * Firewall Rule:  **Checked**.
-  * OpenVPN Rule:  **Checked**.
-  * Click **Next**.
-----
-===== Create the OpenVPN Users =====
-Create the users we want to connect to in VPN.
-Navigate to **System -> User Manager -> Users**.
-  * Username:  **Peter**.
-  * Password:  **Password**.
-  * Certificate:  **Checked**.  Click to create a user certificate.
-  * Descriptive name:  **Peter-cert**.
-  * Certificate authority:  **Internal_CA**.
-  * Key length:  **2048 bits**.
-  * Lifetime:  **3650**.
-In this way we will have created both the user and the associated certificate in a single operation
-<WRAP info>
-**NOTE:**  At this point we can export the configuration files and certificates for individual users who will use the VPN clients to connect.
-In the **System -> Certificate Manager** section we will see the certificate associated with the VPN server and all those associated with the users created.
-</WRAP>
-----
-===== Install the package openvpn-client-export =====
-Navigate to **System -> Package Manager -> Available Packages**.
-Search for **openvpn-client-export**.
-Install the Package.
-<WRAP info>
-**NOTE:**  Once installed we will see the option added under **OpenVPN -> Client Export**.
-</WRAP>
-Under **Remote Access Server** we select our created VPN server.
-In the **Client Connection Behavior** section we will enter the parameters with which the .ovpn configuration file will be generated for the user, in particular we recommend configuring as follows:
-  * Host Name Resolution:  **Other**.
-  * Host Name:  **Enter the Public IP address of the network**.
-  * Verify Server CN:  **Automatic - Use verify-x509-name (OpenVPN 2.3+) where possible**.  If there are problems set it to **Do not verify the CN server**.
-Once the parameters are configured, we can export our users configuration file to be installed on the clients.
-To do this we have various choices, the most recommended below:
-  * **Most Clients**: Generates an .ovpn file containing both the configuration and the certificates and the easily imported keys, compatible with clients: OpenVPN for Windows, Tunnelblick for OS X.
-  * **OpenVPN Connect**:  Generates an .ovpn file compatible with OpenVPN Connect Apps for Android and iOS.
-  * **Archive**:  Compatible with Windows, generates an archive containing, in 3 separate files, the configuration (.ovpn), certificates (.p12) and the key (.key).
-  * Under the **Current Windows Installer** section we can generate self-installing and pre-configured files for Windows clients.
-----
-===== References =====
-https://www.firewallhardware.it/en/pfsense-and-openvpn-guide-to-creating-and-configuring-a-road-warrior-vpn-server/