How to connect using OpenVPN (Windows 10) to pfSense firewall.

This is a detailed guide on how to connect to your pfSense Firewall using OpenVPN for remote access. Piggybank Cloud lets you launch a pfSense firewall with a click of a button. You can connect your virtual machines to your firewall with ease from your Piggybank customer portal.

There is a known issue with the latest OpenVPN version and Windows 10 with the TAP adapter not working. This guide incorporates the fix for this issue.

1. Create OpenVPN server on pfSense firewall

1.1 Click Add under VPN / OpenVPN / Servers

1.2. Click on “Use a wizard to setup a new server”.

1.3 Select Authentication Type

Type of Server – Select local User Access

1.4 Create a Certificate Authority (CA)

1.5 Add new Certificate

1.6 General OpenVPN Server Information

1.6.1 Set your interface to where VPN Clients will be connecting (usually WAN)

1.6.2 Set Protocol to UDP

1.6.3 Set the local port or leave blank

Local port upon which OpenVPN will listen for connections. The default port is 1194. Leave this blank to auto-select an unused port.

1.6.4 Description

Add your own description

1.7 Cryptographic Settings

Leave as default for the purpose of setting up this basic VPN server.

1.8 Tunnel Settings

1.8.1 Configure IPv4 Tunnel Network

This will be the network assigned to OpenVPN clients.

1.8.2 Configure IPv4 Local Network

This will be the network that the OpenVPN clients will access, for example the local network or LAN.

1.9 Client Settings

1.9.1 Add DNS servers

1.10 Firewall Rule Configuration

The wizard will create the firewall rules automatically for you if you check the tick boxes. This will allow traffic to the OpenVPN server and allow traffic to the local network behind the pfSense Firewall.

1.11 Click Finish

2. Create local users

2.1 Navigate to System / User Manager

2.2 Set username and password

These are the credentials the client will use to authenticate when connecting to the VPN.

2.3 Generate user certificate

3. Install OpenVPN on Windows 10

3.1 Download and Install an older version of OpenVPN

https://build.openvpn.net/downloads/releases/openvpn-2.1.3-install-win2k.exe

When you install this you will be prompted to install a TAP driver, which is version 9. Once installed we can update to the latest version of OpenVPN.

3.2 Install later Version

https://build.openvpn.net/downloads/releases/openvpn-install-2.4.7-I603.exe

Once the old version of OpenVPN is installed, install the version above.

3.3 Update the TAP drivers manually

3.3.1 Open device manager and right click TAP Windows Adapter and select update.

3.3.2 Select browse my computer for driver software

3.3.3 Point to the folder where you have saved the drivers. AMD64 for 64 bit and i386 for 32 bit.

4. Run OpenVPN GUI as administrator.



This will put the OpenVPN icon in your Windows system tray. Right click the icon and click Import. Before you do this you will need to download the client config from the pfSense Firewall.

5. Download Client VPN Configuration

5.1 Install openvpn-client-export on pfSense Firewall

Navigate to System / package manager and click on available packages. Search for openvpn-client-export and install.

5.2 Navigate to VPN / OpenVPN / Client Export

5.3 Click on Most Clients under Inline Configuration and download the client Configuration.

Scroll down to the section heading OpenVPN Clients. If all the other steps have been carried out correctly you will see the client configurations available to download.

6. Import file for client configuration.

6.1 Right click on the OpenVPN icon in your system tray as per the screenshot above in point 4.

6.2 Click import file and select file from download location.

7. Connect to your VPN.

7.1 Right click the OpenVPN tray icon and click connect.

7.2 Enter user credentials.

Please feel free to leave any feedback. If you would like to explore Piggybank Cloud navigate to
https://piggybank.cloud/register.php

Thank you for reading.

How to create a Site to Site IPSec VPN from an OpnSense to a Fortigate behind a NAT Router.

Hi all,

This is a step by step guide to create a site to site VPN from a Fortigate which sits behind a NAT router to an OpnSense Firewall.

1. Create a firewall rule to allow IPSEC traffic to the WAN interface or interface to where the VPN will terminate.

This is configured under the Firewall / Rules

2. Add new phase 1 entry

Configured under VPN / IPSEC / Tunnel Settings. Please note the phase 1 and phase 2 settings need to be mirrored on both the local and remote device.

2.1 Click add

2.2 General Information

2.3 Phase 1 proposal (Authentication)

Make sure you put the Peer identifier as the Private IP address of the WAN interface of the Fortigate behind the NAT router.

The Pre-Shared key or shared secret needs to match on both sides. You can choose your own.

2.4 Phase 1 proposal (Algorithms)

2.5 Advanced options

(Important) NAT Traversal – Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, which can help with clients that are behind restrictive firewalls.

3. Enable IPSEC

Check the tick box enable IPsec.

4. Add new phase 2 entry

4.1 Click the Show phase 2 entries and click the plus button on the left.

I have highlighted where you enable IPsec, edit phase 1, edit phase 2 and add a phase 2.

4.2 General information, local and remote network.

Your local network is the private network that will be reachable from the remote private network.

The remote network is the network that will be reachable from the local network.

You create one phase 2 entry per private network. So if you have 3 networks you will create 3 phase 2 entries. Alternatively, you can summarise your networks to have fewer phase 2 entries.

It is important that the networks are an exact match on both ends of the VPN.

4.3 Phase 2 proposal (SA/Key Exchange)

4.4 Lifetime and advance options

Set Automatically ping host to the private IP address of the remote Fortigate's WAN interface.

5. Create Pre-Shared key

Set the identifier as the private IP address of the remote Fortigate's WAN interface.

6. Create Firewall rules

6.1 Click add

6.2 Define rules – source, destination protocol

The following screenshot shows the IPSEC rules allowing all traffic, but you can define stricter rules allowing only specific sources, destinations, protocols etc.

7. Configure the remote Fortigate.

This guide is directed mainly at the OpnSense configuration, so in this step I will just give the CLI configuration of the remote Fortigate.

7.1 Phase 1

Please note: Change the following to the remote public IP in the script below – set remote-gw “remote public IP”

This is just an example of my configuration and you will need to enter your own values.

config vpn ipsec phase1-interface
edit "OPNSENSE_VPN"
set type static
set interface "wan1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set nattraversal enable
set keylife 28800
set authmethod psk
set mode main
set peertype any
set mode-cfg disable
set proposal aes256-sha256
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set dpd disable
set forticlient-enforcement disable
set comments ''
set npu-offload enable
set dhgrp 14
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set remote-gw "remote public IP" 
set monitor ''
set add-gw-route disable
set psksecret ENC YJYQCQkgBRfA4Ynqobur+iFEHHENqWxdlMu1xinpodo6QLayj46K40rCVdOiW6JWEFzwatMOVd1hmYwXFf3udgSJJNCec49BYINwom29fz9M+u0Q9TEhPF2xc0+k/GTnMNLqQTpdEkhk4Ab2EoyAb1GeGKLK4ft8u23YOeIOPQ2GJHseKiBCfR1O1/VllXG/fiOAlg==
set keepalive 10
set auto-negotiate enable
next
end

7.2 Create Phase 2

config vpn ipsec phase2-interface
edit "OPNSENSE_VPN"
set phase1name "OPNSENSE_VPN"
set proposal aes256-sha256
set pfs enable
set dhgrp 14
set replay enable
set keepalive enable
set auto-negotiate enable
set keylife-type seconds
set encapsulation tunnel-mode
set comments ''
set protocol 0
set src-addr-type subnet
set src-port 0
set dst-addr-type subnet
set dst-port 0
set keylifeseconds 3600
set src-subnet 192.168.101.0 255.255.255.0
set dst-subnet 10.10.0.0 255.255.255.0
next
end

7.3 Create Firewall Policies

config firewall policy
edit 6
set uuid fc48a3fe-61c6-51e9-d528-a761270fcdd8
set srcintf "lo0"
set dstintf "OPNSENSE_VPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

Policy from local interface to VPN Virtual interface.

config firewall policy
edit 7
set uuid 1a9bec44-5e93-51e9-9240-9337d084beb8
set srcintf "OPNSENSE_VPN"
set dstintf "lo0"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

Policy from VPN Virtual Interface to local interface.

7.4 Create Static Route

config router static
edit 1
set dst 10.10.0.0 255.255.255.0
set device "OPNSENSE_VPN"
next
end

This will point the traffic down the tunnel.
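Section 2 notes that the phase 1 and phase 2 settings must be mirrored on both ends, and section 4.2 that the networks must match exactly. The following added example (not part of the guide) parses the Fortigate CLI from section 7 and checks it against the OPNsense-side values; those OPNsense values are constructed here to match the guide's intent, since the page shows them only as screenshots.

```python
# Fortigate CLI as shown in the guide, trimmed to the settings that must mirror.
FORTIGATE_CLI = """\
config vpn ipsec phase1-interface
set ike-version 1
set nattraversal enable
set keylife 28800
set proposal aes256-sha256
set dhgrp 14
end
config vpn ipsec phase2-interface
set proposal aes256-sha256
set dhgrp 14
set keylifeseconds 3600
set src-subnet 192.168.101.0 255.255.255.0
set dst-subnet 10.10.0.0 255.255.255.0
end
"""

# OPNsense side, constructed for this example and expressed with Fortigate key names.
OPNSENSE = {
    "phase1": {"ike-version": "1", "nattraversal": "enable", "keylife": "28800",
               "proposal": "aes256-sha256", "dhgrp": "14"},
    "phase2": {"proposal": "aes256-sha256", "dhgrp": "14", "keylifeseconds": "3600",
               "local": "10.10.0.0 255.255.255.0", "remote": "192.168.101.0 255.255.255.0"},
}

def parse_fortigate(cli):
    """Return {section: {key: value}} for each 'config ... end' block."""
    sections, current = {}, None
    for line in cli.splitlines():
        line = line.strip()
        if line.startswith("config "):
            current = sections.setdefault(line[len("config "):], {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[len("set "):].partition(" ")
            current[key] = value.strip().strip('"')
    return sections

def check_mirror(fortigate, opnsense):
    """Return a list of mismatches; an empty list means the two ends agree."""
    problems = []
    for phase, section in (("phase1", "vpn ipsec phase1-interface"),
                           ("phase2", "vpn ipsec phase2-interface")):
        got = fortigate.get(section, {})
        for key, want in opnsense[phase].items():
            # Networks swap sides: the Fortigate src-subnet is the OPNsense
            # remote network and its dst-subnet is the OPNsense local network.
            fkey = {"local": "dst-subnet", "remote": "src-subnet"}.get(key, key)
            if got.get(fkey) != want:
                problems.append(f"{phase} {fkey}: fortigate={got.get(fkey)} opnsense={want}")
    return problems
```

Any non-empty result names the exact setting to correct before bringing the tunnel up; a swapped local/remote network shows up as two phase 2 mismatches.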

8. Troubleshooting OpnSense

8.1 Make sure that the traffic is hitting the firewall on UDP port 500 or UDP port 4500.

8.2 Check IPSEC log and VPN Status

You can check the status of the VPN to make sure both phase 1 and 2 are up and passing traffic.

The log file provides debug information about the VPN to help you troubleshoot.

9. Troubleshooting Fortigate.

9.1 Make sure that the traffic is hitting the firewall on UDP port 500 or UDP port 4500.

Add the public IP address of the remote device after host.

diagnose sniffer packet any "host  and port 4500"

9.2 Debug VPN commands

Make sure you add the public IP address of the remote device after dst-addr4.

diagnose debug reset
diagnose vpn ike log-filter dst-addr4 
diagnose debug application ike -1
diagnose debug enable

10. Test the connection


PBC # execute ping-options source 192.168.101.254

PBC # execute ping 10.10.0.102
PING 10.10.0.102 (10.10.0.102): 56 data bytes
64 bytes from 10.10.0.102: icmp_seq=0 ttl=63 time=25.2 ms
64 bytes from 10.10.0.102: icmp_seq=1 ttl=63 time=25.1 ms

--- 10.10.0.102 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 25.1/25.1/25.2 ms

I have tested from the Fortigate firewall sourcing from the interface that matches the phase 2 of the VPN.

Thank you for reading and please leave feedback.

If you have any queries please contact us using the following link:

https://piggybankcloud.blog/contact-piggybank-cloud

How to connect using OpenVPN (Windows 10) to OpnSense firewall.

This is a detailed guide on how to connect to your OpnSense Firewall using OpenVPN for remote access. Piggybank Cloud lets you launch an OpnSense firewall with a click of a button. You can connect your virtual machines to your firewall with ease from your Piggybank customer portal.

There is a known issue with the latest OpenVPN version and Windows 10 with the TAP adapter not working. This guide incorporates the fix for this issue.

1. Create OpenVPN server on OpnSense firewall

1.1. Click on “Use a wizard to setup a new server”.

1.2 Select Authentication Type

Type of Server – Select local User Access

1.3 Create a Certificate Authority (CA)

1.4 Add new Certificate

1.5 General OpenVPN Server Information

1.5.1 Set your interface to where VPN Clients will be connecting (usually WAN)

1.5.2 Set Protocol to UDP

1.5.3 Set the local port or leave blank

Local port upon which OpenVPN will listen for connections. The default port is 1194. Leave this blank to auto-select an unused port.

1.5.4 Description

Add your own description

1.6 Cryptographic Settings

For this example I have left the default settings, as per the screenshot.


1.7 Tunnel Settings

1.7.1 Configure IPv4 Tunnel Network

This will be the network assigned to OpenVPN clients.

1.7.2 Configure IPv4 Local Network

This will be the network that the OpenVPN clients will access, for example the local network or LAN.

1.8 Client Settings

1.8.1 Add DNS servers

1.9 Firewall Rule Configuration

The wizard will create the firewall rules automatically for you if you check the tick boxes. This will allow traffic to the OpenVPN server and allow traffic to the local network behind the OpnSense Firewall.

1.9.1 WAN – Rules

1.9.2 OpenVPN – Rules

1.10 OpenVPN Server Example:

Please note: Certificate depth is set to “Do not check”. This means that the same configuration can be used by multiple users authenticating against the same OpenVPN server configuration.

2. Create local users

2.1 Navigate to System / Access / Users and click add.

2.2 Set user name and password

These are the credentials the client will use to authenticate when connecting to the VPN.

3. Install OpenVPN on Windows 10

3.1 Download and Install an older version of OpenVPN

https://build.openvpn.net/downloads/releases/openvpn-2.1.3-install-win2k.exe

When you install this you will be prompted to install a TAP driver, which is version 9. Once installed we can update to the latest version of OpenVPN.

3.2 Install later Version

https://build.openvpn.net/downloads/releases/openvpn-install-2.4.7-I603.exe

Once the old version of OpenVPN is installed, install the version above.

3.3 Update the TAP drivers manually

3.3.1 Open device manager and right click TAP Windows Adapter and select update.

3.3.2 Select browse my computer for driver software

3.3.3 Point to the folder where you have saved the drivers. AMD64 for 64 bit and i386 for 32 bit.

4. Run OpenVPN GUI as administrator.



This will put the OpenVPN icon in your Windows system tray. Right click the icon and click Import. Before you do this you will need to download the client config from the OpnSense Firewall.

5. Download Client VPN Configuration

5.1 Navigate to VPN / OpenVPN / Client Export.

5.2 Set export type to file only.

5.3 Click on the small cloud icon to the left of the page.

5.4 Edit the Client configuration file.

5.4.1 Right click the file you have downloaded from the firewall and remove UDP from line 8 as per screen shots.

5.4.2 The config should look as follows, with x.x.x.x being the public IP of your firewall.

6. Import file for client configuration.

6.1 Right click on the OpenVPN icon in your system tray as per the screenshot above in point 4.

6.2 Click import file and select file from download location.

7. Connect to your VPN.

7.1 Right click the OpenVPN tray icon and click connect.

7.2 Enter user credentials.

Please feel free to leave any feedback. If you would like to explore Piggybank Cloud navigate to
https://piggybank.cloud/register.php

Thank you for reading.

The Journey Begins

Hello to you all and welcome to our blog; keep an eye out for the new posts we will be writing.

It's a place for us to write up our ideas, experiences and tutorials surrounding:

Networking,
Cloud Computing,
Linux,
Open source computing
& also to promote our own platform which is https://piggybank.cloud

First of all I'll start with a bit of background about us and what we do; it's a good idea for us to explain what Piggybank Cloud is and how it came about.

Who Are We?

We are two technology enthusiasts who currently work for a managed services provider as network and security engineers. We love what we do, but we also have a strong passion for anything Linux, anything open source and anything cloud computing.

We have spent a lot of our spare time in the past labbing up networking gear and following other people's community guides.

What is Piggybank Cloud

We always wanted to give something back to the community and also set up something of our own that offers a cloud service, so we set up Piggybank Cloud. The idea was a cheap, affordable cloud platform for people, and we wanted to automate everything from setting users' resources to deploying firewalls and setting up IPsec tunnels.

So we came up with a portal and started adding to it. It started pretty basic, but as we got more into it the ideas just kept flying.
We ended up with what we have now, which we intend to add more and more functionality to.

It gave us an opportunity to delve into software-defined networking and use vendor REST APIs to provision network pieces, IPsec tunnels, NAT rules and more.
The good thing about REST APIs is that they are quick and simple: once you have the schema, you are just passing data to a REST endpoint.

Another good thing is that you can easily integrate these into your website, and that is what we did.

Whats next?

So that's a bit of background on us and what we do. Keep your eyes peeled and we will get some more posts out; if you have any questions, leave us a comment. If you get a chance to have a look at our site, please do, and any feedback would be much appreciated.

Until next time