Saturday, December 17, 2016

pfSense OpenVPN client to PIA or access a private network routing traffic using openvpn.

OpenVPN Step-by-Step Setup for pfSense aes256/Strong [firewall/router] - PIA

pfsense openvpn client to site

How to force all client OpenVPN traffic to be routed via pfSense

pfsense openvpn client route


If you need to route only to a specific network, such as 192.168.17.0/24, the procedure differs at the end: after following all the steps below, modify the outbound NAT and add a rule on your LAN that uses your VPN_Gateway, as follows.

This is Firewall / NAT / Outbound


This is Firewall / Rules / LAN

    - Action : Pass

    - Interface : LAN

    - Address Family : IPv4

    - Protocol : any

    - Destination : Network -> 192.168.17.0/24 (or your destination network)

    - (click "Advanced Options")

    - Gateway : VPN_DHCP - 10.8.0.1 - Interface VPN_DHCP Gateway (as you configured your vpn_interface in Interfaces / Interface Assignments)

Instructions: Setting up OpenVPN on pfSense [firewall/router]

=============================================



Color Key

=============================================

Things highlighted in yellow are commands to be executed in the terminal 

Things highlighted in blue are to be clicked

Things highlighted in green are to be typed

Things highlighted in violet are to be pressed on the keyboard

Things highlighted in grey are showing output




First start by downloading openvpn-strong.zip from...

    - https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip

    - This supplies PIA's "ca.rsa.4096.crt" file after unzipping the openvpn-strong.zip file.



Log into pfSense webConfigurator

    - https://pfsense-LAN-IP/index.php

    - Ex. https://192.168.1.1/index.php





Prevent DNS leaks by setting PIA DNS only

pfSense Setup Wizard - Video - http://youtu.be/MYXpAnDdEaI

=====================

    - Click "System"

    - Click "Setup Wizard"

    - Click "Next"

    - Click "Next"

    - For "Primary DNS Server:" type in "209.222.18.218"

    - For "Secondary DNS Server:" type in "209.222.18.222"

    - "Override DNS:" [unchecked]

    - Click "Next"

    - Click "Next"

    - Scroll to the bottom and click "Next"

    - Click "Next"

    - "Admin Password AGAIN:" type in your pfSense password for the WebGUI

    - Click "Next"

    - Click "Reload" and wait

    - Click the 2nd "here" where it says "Click here to continue on to pfSense webConfigurator"



Once pfSense loads up the "Status / Dashboard" your DNS section should look as follows:

    DNS server(s)    209.222.18.218

                              209.222.18.222







"PIA-CA-aes256" Installation

=====================

    - Click "System"

    - Click "Cert. Manager"

    - Click "CAs"

    - Click "+ Add"

    - "Descriptive name" type in "PIA-CA-aes256"

    - "Method" select "Import an existing Certificate Authority"

    - "Certificate data" - (paste in all the content from the ca.rsa.4096.crt file)







    - "Certificate Private Key (optional)" = (leave blank)

    - "Serial for next certificate" = (leave blank)

Now click "Save"





NOTE: The following password is not valid, so don't waste your time trying it.  ;)



Write your "p"-username and password into the /etc/openvpn-passwd.txt file

=====================

    - Click "Diagnostics"

    - Click "Command Prompt"

    - Under "Execute Shell Command" click into the "Command" box and type the following into that box removing the username p2099690 and password JkY6UgYHa5 and replacing them with your credentials:

         echo "p2099690" > /etc/openvpn-passwd.txt; echo "JkY6UgYHa5" >> /etc/openvpn-passwd.txt

    - Click "Execute"



    

Create OpenVPN Client

=====================

    - Click "VPN"

    - Click "OpenVPN"

    - Click the "Client" tab

    - Click "+ Add"



Configure as follows...

    - "Disabled" = [unchecked]

    - "Server Mode" = "Peer To Peer (SSL/TLS)"

    - "Protocol" = "UDP"

    - "Device Mode" = "tun"

    - "Interface" = "WAN"

    - "Local Port" = (leave blank)



Choose a server for "Server host or address" from the PIA list here...

    https://www.privateinternetaccess.com/pages/network/#



    - "Server host or address" = "us-east.privateinternetaccess.com"

    - "Server Port" = "1197"

    - "Proxy host or address" = (leave blank)

    - "Proxy port" = (leave blank)

    - "Proxy authentication extra options" = none

    - "Server host name resolution" = [check] "Infinitely resolve server"

    - "Description" = "PIA OpenVPN aes256"

    - "TLS Authentication" = [uncheck] "Enable authentication of TLS packets."

    - "Peer Certificate Authority" = "PIA-CA-aes256"

    - "Client Certificate" = "webConfigurator default *In use"

    - "Encryption algorithm" = "AES-256-CBC (256-bit)"

    - "Auth Digest Algorithm" = "SHA256 (256-bit)"

    - "Hardware Crypto" = "No Hardware Crypto Acceleration"

    - "IPv4 Tunnel Network" = (leave blank)

    - "IPv6 Tunnel Network" = (leave blank)

    - "IPv4 Remote Network/s" = (leave blank)

    - "IPv6 Remote Network/s" = (leave blank)

    - "Limit outgoing bandwidth" = (leave blank)

    - "Compression" = choose "Enabled with Adaptive Compression"

    - "Type-of-Service" = [unchecked]

    - "Disable IPv6" = [check] "Don't forward IPv6 traffic."

    - "Don't pull routes" = [unchecked]

    - "Don't add/remove routes" = [unchecked]

    - Under "Advanced Configuration" for "Custom options" type the following in the box:



auth-user-pass /etc/openvpn-passwd.txt;verb 5;remote-cert-tls server



    - "Verbosity level" = default

Now click "Save"
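Added example, not from the original post: a POSIX sh script that writes the credential file in the same two-line layout the echo commands above produce, but restricted to mode 0600 (the echo as typed runs under the default umask and typically leaves the password world-readable), plus a check that the "Custom options" string still carries "remote-cert-tls server" and an auth-user-pass file. Function names and the file path argument are assumptions; on pfSense you would pass /etc/openvpn-passwd.txt.

```shell
#!/bin/sh
# Added example (not from the original post): create the credential file the
# guide writes with "echo", but with mode 0600, and sanity-check the pfSense
# "Custom options" line. Paths are parameters; on pfSense pass
# /etc/openvpn-passwd.txt.

# write_pia_creds FILE USERNAME PASSWORD
# Two-line layout auth-user-pass expects: username, then password. A plain
# "echo > file" under the usual umask 022 leaves the password readable by
# every local user (0644); here only root can read it.
write_pia_creds() {
  file=$1; user=$2; pass=$3
  old_umask=$(umask); umask 077
  printf '%s\n%s\n' "$user" "$pass" > "$file"
  rc=$?; umask "$old_umask"
  [ $rc -eq 0 ] && chmod 0600 "$file"
}

# creds_ok FILE: 0 when FILE has exactly two non-empty lines and mode 0600.
creds_ok() {
  file=$1
  [ "$(wc -l < "$file" | tr -d ' ')" -eq 2 ] || return 1
  [ -n "$(sed -n 1p "$file")" ] || return 1
  [ -n "$(sed -n 2p "$file")" ] || return 1
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")  # GNU, then BSD
  [ "$mode" = "600" ]
}

# custom_opts_ok "OPTS": pfSense joins directives with ';'. Returns 0 only when
# the string has "remote-cert-tls server" (reject a peer whose certificate
# lacks the server EKU, so another client cert signed by the same CA cannot
# pose as the server) and an auth-user-pass file, like the guide's line.
custom_opts_ok() {
  have_rct=1; have_aup=1
  old_ifs=$IFS; IFS=';'; set -f           # split on ';' only, no globbing
  for d in $1; do
    d=$(printf '%s' "$d" | sed 's/^ *//; s/ *$//')   # trim spaces
    case $d in
      "remote-cert-tls server") have_rct=0 ;;
      "auth-user-pass "*)       have_aup=0 ;;
    esac
  done
  set +f; IFS=$old_ifs
  [ $have_rct -eq 0 ] && [ $have_aup -eq 0 ]
}
```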





Create OpenVPN interface

=====================

    - Click "Interfaces"

    - Click "(assign)"

    - "Available network ports:" select "ovpnc1(PIA OpenVPN aes256)"

    Note: If you already set up aes128 this will be listed as "ovpnc2(PIA OpenVPN aes256)"

    - Click "+ Add"

    

Note: The new interface will be named "OPT1" or "OPT2" with a network port of "ovpnc1(PIA OpenVPN aes256)" or "ovpnc2(PIA OpenVPN aes256)"

    

    - Click on "OPT1" or "OPT2" to edit the interface



Configure as follows...

    - "Enabled" = [check]

    - "Description" = "OpenVPN_aes256_Interface"

    - "IPv4 Configuration Type" = none

    - "IPv6 Configuration Type" = none

    - "MAC address" = (leave blank)

    - "MTU" = (leave blank)

    - "MSS" = (leave blank)

    - "Block private networks" = [unchecked]

    - "Block bogon networks" = [unchecked]

Now click "Save"

Now click "Apply changes"





NAT Settings

=====================

    - Click "Firewall"

    - Click "NAT"

    - Click the "Outbound" tab

    - For "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)"...

        - put a (dot) in the radio button

Now click "Save"





The next step is to duplicate each of these rules...

    - but change the NAT Address from WAN to OpenVPN_aes256_Interface 

    - Start with the first "WAN" rule by clicking the copy icon ( looks like a square in front of another square ) immediately to the right of the line to "Add a new NAT based on this one"



A new page will open; configure it as follows...

    - "Disabled" = (do not change) [unchecked]

    - "Do not NAT" = (do not change) [unchecked]

    - "Interface" = OpenVPN_aes256_Interface 

    - "Protocol" = (do not change)

    - "Source" = (do not change)

    - "Destination" = (do not change)

    - "Translation" = (do not change)

    - "No XMLRPC Sync" = (do not change)

    - "Description" = Made for PIA_OpenVPN_aes256

Now click "Save"



IMPORTANT!  Repeat this process for each of the other rules.  

    - When completed, it should resemble the following...

    - http://i.imgur.com/zoVTbUr.png ( ***out of date*** )

Now click "Apply changes" at the top of the page



    The changes have been applied successfully.

    You can also monitor the filter reload progress.





Verify OpenVPN Service

=====================

At this point, your system is configured. Restart your OpenVPN service to be sure.

    - "Status"

    - "OpenVPN"

    - "Status" should be "UP" (but it may be DOWN)

        - Click the "Restart OpenVPN Service" button no matter what the status is. 

        - It's the button that looks like an arrow bent into a circle to the right of the service.

    - "Status" should be "UP" now





Reboot the pfSense firewall now

=====================

    - "Diagnostics"

    - "Reboot"

    - "Reboot"

    - "OK"



Rebooting
Page will automatically reload in 90 seconds
    

Verify OpenVPN initialized correctly by checking System Logs

=====================

    - "Status"

    - "System Logs"

    - Click the "OpenVPN" tab

    - Scroll down and look for "Initialization Sequence Completed" similar to the following:



Jul 17 21:10:43     openvpn     3328     Initialization Sequence Completed        

Test by opening your Internet browser and going to...

=====================

    - https://www.privateinternetaccess.com/pages/whats-my-ip/

    - https://ipleak.net

    - http://dnsleak.com

    - http://ipv6leak.com



Enjoy!
