OpenVPN on pfSense

Hi,

I’m about to set up OpenVPN for remote access on pfSense CE 2.7.2. I plan to follow this excellent tutorial https://www.youtube.com/watch?v=I61t7aoGC2Q&t=55s. Are there any updates to this video I should consider, given it was made about 2 years ago?

I think using passwords was deprecated and now you need to use certificates. No idea if that is covered in the video.

Passwords were not deprecated in OpenVPN but some old ciphers have been but that happened before that video was published and is part of the reason I made that video.

Oh ok, if you weren’t using a certificate in the past then it must have been a shared key on OpenVPN which was deprecated.

I followed Tom’s video and things seem to work. I am using TLS authentication and encryption. I have checked the Redirect IPV4 Gateway option in the server config. I will be traveling soon and want to access internet securely through pfsense and have access to nothing else on my network. Is this setup doing that?

WAN rules:

OpenVPN rules:

Thanks

I would reorder the rules on your WAN. I think it’s best to think of your OpenVPN connection as another network and apply the rules to that network that you want. What you have in place will work if the rest is configured correctly. Depending on what you’ve done, you’ll need a NAT rule to get to the internet.

Then just load up a profile on your phone and test it.

Thank you for your help. I have a couple of clarifications.
1/ When you recommend reordering the WAN rules, do you mean move the OpenVPN rule to the top of the list?
2/ Please clarify what you are referring to with “this will work if the rest is configured correctly”. What configurations are you referring to?

The best approach is to back up your configuration, then configure OpenVPN. Test it out; if something isn’t working that you’re failing to troubleshoot, post the specific topic.

Yes I would post the blocking rules at the end as they are processed in order.

If you are using certificates and follow the video and your setup is identical it should work. Devil is in the detail right!

The two block rules on the WAN interface are system defined rules, they can’t be re-ordered, only disabled/enabled (on the interface’s config page). In most cases, you’d want those rules enabled.

OP, that OpenVPN rule on the WAN interface is only to allow your external (ingressing the WAN interface) connection to the OpenVPN server, which should (at least) be listening on the WAN interface (again, in most common cases).

In order to block access to other, internal networks via the VPN tunnel, you’ll want to add a block rule that disallows (blocks) traffic to the IP range(s) of your other networks (ex: RFC1918 ranges). Then immediately after that rule, build an “Allow from to Any” rule.
These two rules would block traffic to any internal networks (assuming you’re using RFC1918 space, like you should be), and let anything else pass, which would be all NON-RFC1918 ranges (ie, public internet IP space (yeah yeah, there is more than just that IP space outside of 1918, but this works ‘fine’.)).

Beyond the firewall’ing, you may need to adjust NAT. I think if your NAT mode is set to Automatic, pfSense should just add your OpenVPN tunnel subnet to the Outbound NAT config, so your outbound internet connection via the VPN tunnel should “just work”.

Oh, that’s interesting, I never saw rules that can’t be moved. It must be due to using the Wizard; if you want OpenVPN to just work, the wizard ought to do that. I’ve set up OpenVPN manually; that might be the best way so you understand each step, and if you need to troubleshoot it will be easier to retrace your steps.

Russ:

Thank you. My current settings are:

1/ No changes to WAN rules, including reordering

2/ Firewall/Rules/OpenVPN:

3/ I did use the OpenVPN wizard and NAT mode is automatic. OpenVPN tunnel was added to Outbound NAT config

I am able to connect from remote client to internet and will do more testing ASAP.

Let me know if I’ve missed anything.

Thanks again

Really, that’s a sufficient setup.

However, if you really wanted to get into the weeds, you could also set the Source on the Allow rule to “OpenVPN Networks”. This way, only IP space on the tunnel would be allowed to Any.
This would ensure only your VPN clients are allowed and prevent any type of spoofed -OR- routed traffic (granted, the routes to allow connectivity would need to be in place).
(This is pretty much a non-issue, I just like doing it this way to be thorough throughout all of my configurations)

Incompetence is the first layer of vulnerability; Laziness is the second.
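The two rule sets discussed in this thread (the “block RFC1918, then allow to Any” pair on the OpenVPN interface, and the tighter variant with the source set to “OpenVPN Networks”) are easy to get wrong by ordering alone, since pfSense evaluates interface rules top to bottom and first match wins, with an implicit deny if nothing matches. The following is an added example, not code from the thread or from pfSense: a small first-match rule evaluator in Python that models the three rule sets (recommended, wrong order, and source-restricted) so you can check what a given client-to-destination flow would do before testing on a live box. The tunnel subnet 10.8.0.0/24, the internal destination 192.168.1.10, and the public destination addresses are constructed sample values; the “OpenVPN Networks” alias is modeled simply as a list of networks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Private ranges named in the thread (RFC1918).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Constructed sample tunnel subnet; substitute the one your OpenVPN server uses.
# This stands in for the pfSense "OpenVPN Networks" alias (assumption).
OPENVPN_NETS = [ipaddress.ip_network("10.8.0.0/24")]


@dataclass(frozen=True)
class Rule:
    action: str                              # "block" or "pass"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    label: str


def _matches(nets, addr) -> bool:
    return any(addr in n for n in nets)


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """First-match evaluation, as pfSense does for interface rules.
    Returns (action, label). No match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _matches(r.src, s) and _matches(r.dst, d):
            return r.action, r.label
    return "block", "implicit default deny"


# Rule set described in the thread: block internal ranges first, then allow the rest.
RECOMMENDED = [
    Rule("block", ANY, RFC1918, "block VPN clients -> internal RFC1918 ranges"),
    Rule("pass", ANY, ANY, "allow anything else (public internet)"),
]

# Same two rules in the wrong order: the allow rule matches everything first,
# so the block rule is never reached and internal networks stay reachable.
WRONG_ORDER = [
    Rule("pass", ANY, ANY, "allow anything (shadows the block below)"),
    Rule("block", ANY, RFC1918, "never evaluated"),
]

# "In the weeds" variant: source restricted to the tunnel subnet, so traffic
# with a spoofed or routed non-tunnel source address hits the implicit deny.
STRICT = [
    Rule("block", ANY, RFC1918, "block -> internal RFC1918 ranges"),
    Rule("pass", OPENVPN_NETS, ANY, "allow only OpenVPN Networks -> Any"),
]


def summarize(rules: List[Rule], flows) -> List[Tuple[str, str, str]]:
    """Evaluate a list of (src, dst) flows and return (src, dst, action) triples."""
    return [(s, d, evaluate(rules, s, d)[0]) for s, d in flows]


if __name__ == "__main__":
    flows = [
        ("10.8.0.2", "192.168.1.10"),   # VPN client -> internal host (should be blocked)
        ("10.8.0.2", "93.184.216.34"),  # VPN client -> public internet (should pass)
        ("172.20.5.5", "93.184.216.34"),  # non-tunnel source reaching the OpenVPN interface
    ]
    for name, rs in (("RECOMMENDED", RECOMMENDED), ("WRONG_ORDER", WRONG_ORDER), ("STRICT", STRICT)):
        print(name)
        for s, d, action in summarize(rs, flows):
            print(f"  {s:>12} -> {d:<15} {action}")
```

Running it shows the ordering point from the thread directly: with the block rule first, a tunnel client reaches the public address but not 192.168.1.10; with the rules swapped, the internal host is reachable; with the source restricted to the tunnel subnet, only 10.8.0.x sources ever pass and anything else falls through to the default deny. The model ignores NAT and routing, which the thread covers separately (automatic outbound NAT adds the tunnel subnet for you).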