How to connect using OpenVPN (Windows 10) to pfSense firewall.

This is a detailed guide on how to connect to your pfSense Firewall using OpenVPN for remote access. Piggybank Cloud lets you launch a pfSense firewall with a click of a button. You can connect your virtual machines to your firewall with ease from your Piggybank customer portal.

There is a known issue with the latest OpenVPN version and Windows 10 with the TAP adapter not working. This guide incorporates the fix for this issue.

1. Create OpenVPN server on pfSense firewall

1.1 Click Add under VPN / OpenVPN / Servers

1.2 Click on “Use a wizard to setup a new server”.

1.3 Select Authentication Type

Type of Server – Select Local User Access

1.4 Create a Certificate Authority (CA)

1.5 Add new Certificate

1.6 General OpenVPN Server Information

1.6.1 Set your interface to where VPN Clients will be connecting (usually WAN)

1.6.2 Set Protocol to UDP

1.6.3 Set the local port or leave blank

Local port upon which OpenVPN will listen for connections. The default port is 1194. Leave this blank to auto-select an unused port.

1.6.4 Description

Add your own description

1.7 Cryptographic Settings

Leave as default for the purpose of setting up this basic VPN server.

1.8 Tunnel Settings

1.8.1 Configure IPv4 Tunnel Network

This will be the network assigned to OpenVPN clients.

1.8.2 Configure IPv4 Local Network

This will be the network that the OpenVPN clients will access, for example the local network or LAN.

1.9 Client Settings

1.9.1 Add DNS servers

1.10 Firewall Rule Configuration

The wizard will create the firewall rules automatically for you if you tick the boxes. This will allow traffic to the OpenVPN server and allow traffic to the local network behind the pfSense Firewall.

1.11 Click Finish

2. Create local users

2.1 Navigate to System / User Manager

2.2 Set username and password

These are the credentials the client will use to authenticate when connecting to the VPN.

2.3 Generate user certificate

3. Install OpenVPN on Windows 10

3.1 Download and Install an older version of OpenVPN

https://build.openvpn.net/downloads/releases/openvpn-2.1.3-install-win2k.exe

When you install this you will be prompted to install a TAP driver, which is version 9. Once installed we can update to the latest version of OpenVPN.

3.2 Install later Version

https://build.openvpn.net/downloads/releases/openvpn-install-2.4.7-I603.exe

Once the old version of OpenVPN is installed, install the version above.

3.3 Update the TAP drivers manually

3.3.1 Open Device Manager, right-click the TAP-Windows Adapter and select Update.

3.3.2 Select Browse my computer for driver software.

3.3.3 Point to the folder where you have saved the drivers: AMD64 for 64-bit and i386 for 32-bit.

4. Run OpenVPN GUI as administrator.



This will give you the OpenVPN icon in your Windows tray. Right-click the icon and click Import. Before you do this you will need to download the client config from the pfSense Firewall.

5. Download Client VPN Configuration

5.1 Install openvpn-client-export on pfSense Firewall

Navigate to System / Package Manager and click on Available Packages. Search for openvpn-client-export and install it.

5.2 Navigate to VPN / OpenVPN / Client Export

5.3 Click on Most Clients under Inline Configuration and download the client configuration.

Scroll down to the section heading OpenVPN Clients. If all the other steps have been carried out correctly you will see the client configurations available to download.
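As an added example (not part of this guide or of the openvpn-client-export package), the Python below checks a downloaded inline client config against the choices made in the server wizard above: UDP, port 1194, Local User Access (so the client must send credentials) and the CA created in step 1.4. The sample config, the 203.0.113.10 address and the function names are constructed assumptions.

```python
"""Check an exported OpenVPN client config against the wizard's server settings.
Added example, not from the guide or the openvpn-client-export package.
SAMPLE_OVPN is a constructed stand-in for the "Most Clients" inline export;
PEM bodies are placeholders and 203.0.113.10 stands in for the WAN address."""

SAMPLE_OVPN = """\
client
dev tun
remote 203.0.113.10 1194 udp
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----PLACEHOLDER-CA-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----PLACEHOLDER-CLIENT-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----PLACEHOLDER-KEY-----END PRIVATE KEY-----
</key>
"""

# Wizard choices from section 1: UDP, port 1194, Local User Access.
SERVER = {"proto": "udp", "port": "1194", "local_user_auth": True}


def parse_ovpn(text):
    """Split an .ovpn into option lines and <tag>...</tag> inline blocks."""
    options, blocks, tag = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if tag and line == f"</{tag}>":
            tag = None
        elif tag:
            blocks[tag].append(line)
        elif line.startswith("<") and line.endswith(">"):
            tag = line[1:-1]
            blocks[tag] = []
        else:
            options.append(line.split())
    return options, blocks


def check_client_config(text, server):
    """Return a list of problems; an empty list means the export matches."""
    options, blocks = parse_ovpn(text)
    names = {opt[0] for opt in options}
    problems = []
    # 'remote host [port] [proto]'; proto may instead come from a 'proto' line.
    default_proto = next((o[1] for o in options if o[0] == "proto"), "udp")
    for opt in (o for o in options if o[0] == "remote"):
        port = opt[2] if len(opt) > 2 else "1194"
        proto = opt[3] if len(opt) > 3 else default_proto
        if port != server["port"] or not proto.startswith(server["proto"]):
            problems.append(f"remote {opt[1]} is {proto}/{port}; server listens "
                            f"on {server['proto']}/{server['port']}")
    if server["local_user_auth"] and "auth-user-pass" not in names:
        problems.append("auth-user-pass missing; Local User Access needs credentials")
    if "ca" not in blocks and "ca" not in names:
        problems.append("no CA; client cannot verify the firewall's certificate")
    if not names & {"remote-cert-tls", "verify-x509-name"}:
        problems.append("no server certificate check; use remote-cert-tls server")
    return problems
```

Run it against the file you downloaded (read it in place of SAMPLE_OVPN) before importing it into the OpenVPN GUI; any line it prints points at a mismatch with the server wizard.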

6. Import file for client configuration.

6.1 Right-click on the OpenVPN icon in your system tray as per the screenshot above in point 4.

6.2 Click Import file and select the file from its download location.

7. Connect to your VPN.

7.1 Right-click the OpenVPN tray icon and click Connect.

7.2 Enter user credentials.

Please feel free to leave any feedback. If you would like to explore Piggybank Cloud navigate to
https://piggybank.cloud/register.php

Thank you for reading.

How to create a Site to Site IPSec VPN from a pfSense to a Fortigate behind a NAT Router.

This is a detailed guide on how to create a Site to Site IPSec VPN from a pfSense to a Fortigate behind a NAT Router.

1. Fortigate Configuration

1.1 Configure the Fortigate Phase 1

 
config vpn ipsec phase1-interface
edit "PfSense"
set interface "wan1"
set proposal aes256-sha256
set dhgrp 5
set remote-gw x.x.x.x
set psksecret
next
end

1.2 Configure the Fortigate Phase 2

 
config vpn ipsec phase2-interface
edit "pfSense"
set phase1name "PfSense"
set proposal aes256-sha256
set pfs disable
set keepalive enable
set auto-negotiate enable
set src-subnet 192.168.0.0 255.255.0.0
set dst-subnet 10.0.100.0 255.255.255.0
next
end

1.3 Configure a static route on the Fortigate

 
config router static
edit 0
set dst 10.0.100.0 255.255.255.0
set device "PfSense"
next
end

1.4 Configure Fortigate firewall policies


config firewall policy
edit 11
set srcintf "PfSense"
set dstintf "lo0"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end


config firewall policy
edit 15
set srcintf "lo0"
set dstintf "PfSense"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

2. pfSense Configuration

2.1 Configure Phase 1 General Information on the pfSense

[Screenshot: pfsense - fortigate.PNG]

Key Exchange Version = IKEv1

Remote Gateway = The public IP address of the Fortigate

2.2 Configure Phase 1 Proposal (Authentication) on the pfSense

[Screenshot: pfsense - fortigate_1.PNG]

Authentication Method = Mutual PSK

Negotiation Mode = Main

My Identifier = My IP address

Peer Identifier = This is important: because the Fortigate sits behind a NAT router, this needs to be the private IP address of the WAN interface of the Fortigate (or other remote device). Normally this would just be the Peer IP address if the public IP address was configured directly on the remote Fortigate.

Pre-Shared Key = Make sure that the Pre-Shared key matches on both sides

2.3 Configure Phase 1 Proposal (Encryption) on the pfSense

Ensure that the Encryption Algorithms are an exact mirror on both devices. Also ensure that the timers match on either side.

2.4 Configure Advanced Options on the pfSense

[Screenshot: pfsense - fortigate_2.PNG]

You can leave these as the default values.

2.5 Configure the Pre-Shared Keys tab at the top of the page

[Screenshot: pfsense - fortigate_3.PNG]

Click the tab labelled Pre-Shared Keys and enter your pre-shared key again, together with the private IP address of the WAN interface of the remote device (Fortigate).

2.6 Click the green Add P2 button to add the pfSense’s phase 2 configuration

[Screenshot: pfsense - fortigate_4.PNG]

Make sure that the Phase 2 selectors are an exact mirror of the Fortigate:

Networks

Authentication

Encryption

2.7 Configure Phase 2 General Information on the pfSense

[Screenshot: pfsense - fortigate_5.PNG]

Set the local network to the local subnet connected to the pfSense.

Set the remote network to the remote subnet of the Fortigate.

2.8 Configure Phase 2 Proposal (SA/Key Exchange) on the pfSense

[Screenshot: pfsense - fortigate_6.PNG]

Make sure the phase 2 encryption and authentication match on both sides of the tunnel.

Configure the Lifetime on the pfSense, again ensuring that this matches on both endpoint devices.

(optional) PFS – In this case I have not configured it. As with all the encryption and authentication settings this will need to match on both sides, so if it is set to Group 2 on the pfSense this will need to match on the Fortigate.
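As an added example (not part of this guide), the Python below reads the Fortigate phase 1/phase 2 CLI blocks from section 1 and reports any pfSense setting from sections 2.3, 2.6 and 2.8 that does not mirror them: proposals, DH group, PFS, and the swapped local/remote networks. The PFSENSE dict, the 203.0.113.10 gateway address and the function names are assumptions.

```python
"""Check that pfSense IPsec phase 1/2 settings mirror the FortiGate peer.
Added example, not part of the guide. FORTIGATE_CLI is constructed from the
guide's phase 1/phase 2 blocks (203.0.113.10 stands in for x.x.x.x) and
PFSENSE is a hand-typed dict of what section 2 enters in the pfSense GUI."""

FORTIGATE_CLI = """\
config vpn ipsec phase1-interface
edit "PfSense"
set proposal aes256-sha256
set dhgrp 5
set remote-gw 203.0.113.10
next
end
config vpn ipsec phase2-interface
edit "pfSense"
set proposal aes256-sha256
set pfs disable
set src-subnet 192.168.0.0 255.255.0.0
set dst-subnet 10.0.100.0 255.255.255.0
next
end
"""

# pfSense side, written with FortiOS names so the two can be compared directly.
PFSENSE = {"p1_proposal": "aes256-sha256", "p1_dhgrp": "5",
           "p2_proposal": "aes256-sha256", "p2_pfs": "off",
           "local_network": "10.0.100.0/24", "remote_network": "192.168.0.0/16"}

def parse_fortigate(cli):
    """Return {section: {entry: {key: value}}} from FortiOS 'config' blocks."""
    tree, section, entry = {}, None, None
    for line in (raw.strip() for raw in cli.splitlines()):
        if line.startswith("config "):
            section = tree.setdefault(line[7:], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return tree

def to_cidr(value):
    """'10.0.100.0 255.255.255.0' -> '10.0.100.0/24'."""
    addr, mask = value.split()
    return f"{addr}/{sum(bin(int(o)).count('1') for o in mask.split('.'))}"

def mismatches(cli, pfsense):
    """List each setting that does not mirror between the two peers."""
    tree = parse_fortigate(cli)
    p1 = tree["vpn ipsec phase1-interface"]["PfSense"]
    p2 = tree["vpn ipsec phase2-interface"]["pfSense"]
    expected = {
        "p1_proposal": p1["proposal"], "p1_dhgrp": p1["dhgrp"],
        "p2_proposal": p2["proposal"],
        "p2_pfs": "off" if p2.get("pfs", "disable") == "disable" else "on",
        # Selectors are mirrored: the FortiGate dst-subnet is the pfSense local.
        "local_network": to_cidr(p2["dst-subnet"]),
        "remote_network": to_cidr(p2["src-subnet"]),
    }
    return [f"{key}: pfSense={pfsense.get(key)!r}, FortiGate={value!r}"
            for key, value in expected.items() if pfsense.get(key) != value]
```

An empty list from mismatches() means every setting the guide says must match does; each returned line names the field to fix before the tunnel will negotiate.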

2.9 pfSense Advanced Configuration

Set the Automatically ping host value to the private IP address of the Fortigate's WAN interface.

[Screenshot: pfsense - fortigate_7.PNG]

2.10 Configure pfSense firewall rules to allow traffic

This can be found under the Firewall tab labelled Rules.

[Screenshot: pfsense - fortigate_8.PNG]

2.11 Check that the tunnel is up

This is under the Status tab labelled IPsec.

[Screenshot: pfsense - fortigate_9.PNG]

3. Test the Connection

C:\Users\Administrator>ping 192.168.101.254

Pinging 192.168.101.254 with 32 bytes of data:
Reply from 192.168.101.254: bytes=32 time=28ms TTL=254
Reply from 192.168.101.254: bytes=32 time=27ms TTL=254
Reply from 192.168.101.254: bytes=32 time=28ms TTL=254
Reply from 192.168.101.254: bytes=32 time=27ms TTL=254

Ping statistics for 192.168.101.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 28ms, Average = 27ms

If you are new to the world of Linux, an avid Linux enthusiast or a student why not try our 0.99p per month Linux VPS.

Simply click on the screen shot below to find out more or navigate to https://piggybank.cloud

How to get OpenVPN to work on Windows 10

1. Install OpenVPN on Windows 10

1.1 Download and Install an older version of OpenVPN

https://build.openvpn.net/downloads/releases/openvpn-2.1.3-install-win2k.exe

When you install this you will be prompted to install a TAP driver, which is version 9. Once installed we can update to the latest version of OpenVPN.

1.2 Install later Version

https://build.openvpn.net/downloads/releases/openvpn-install-2.4.7-I603.exe

Once the old version of OpenVPN is installed, install the version above.

1.3 Update the TAP drivers manually

1.3.1 Open Device Manager, right-click the TAP-Windows Adapter and select Update.

1.3.2 Select Browse my computer for driver software.

1.3.3 Point to the folder where you have saved the drivers: AMD64 for 64-bit and i386 for 32-bit.

2. Run OpenVPN GUI as administrator.



This will give you the OpenVPN icon in your Windows tray. Right-click the icon and click Import. Before you do this you will need to download the client config from the VPN server.

3. Download Client VPN Configuration from your VPN server.

4. Import file for client configuration.

4.1 Right-click on the OpenVPN icon in your system tray as per the screenshot above in point 2.

4.2 Click Import file and select the file from its download location.

5. Connect to your VPN.

5.1 Right-click the OpenVPN tray icon and click Connect.

5.2 Enter user credentials.

If you are new to the world of Linux, an avid Linux enthusiast or a student why not try our 0.99p per month Linux VPS.

Simply click on the screen shot below to find out more or navigate to https://piggybank.cloud

Thank you for reading and please feel free to leave any feedback.

How to connect using OpenVPN (Windows 10) to OPNsense firewall.

This is a detailed guide on how to connect to your OPNsense Firewall using OpenVPN for remote access. Piggybank Cloud lets you launch an OPNsense firewall with a click of a button. You can connect your virtual machines to your firewall with ease from your Piggybank customer portal.

There is a known issue with the latest OpenVPN version and Windows 10 with the TAP adapter not working. This guide incorporates the fix for this issue.

1. Create OpenVPN server on OPNsense firewall

1.1 Click on “Use a wizard to setup a new server”.

1.2 Select Authentication Type

Type of Server – Select Local User Access

1.3 Create a Certificate Authority (CA)

1.4 Add new Certificate

1.5 General OpenVPN Server Information

1.5.1 Set your interface to where VPN Clients will be connecting (usually WAN)

1.5.2 Set Protocol to UDP

1.5.3 Set the local port or leave blank

Local port upon which OpenVPN will listen for connections. The default port is 1194. Leave this blank to auto-select an unused port.

1.5.4 Description

Add your own description

1.6 Cryptographic Settings

For this example I have left the default settings, as per the screenshot.


1.7 Tunnel Settings

1.7.1 Configure IPv4 Tunnel Network

This will be the network assigned to OpenVPN clients.

1.7.2 Configure IPv4 Local Network

This will be the network that the OpenVPN clients will access, for example the local network or LAN.

1.8 Client Settings

1.8.1 Add DNS servers

1.9 Firewall Rule Configuration

The wizard will create the firewall rules automatically for you if you tick the boxes. This will allow traffic to the OpenVPN server and allow traffic to the local network behind the OPNsense Firewall.

1.9.1 WAN – Rules

1.9.2 OpenVPN – Rules

1.10 OpenVPN Server Example:

Please note: Certificate Depth is set to Do Not Check – this means that the same configuration can be used for multiple users to authenticate against the same OpenVPN server configuration.

2. Create local users

2.1 Navigate to System / Access / Users and click add.

2.2 Set user name and password

These are the credentials the client will use to authenticate when connecting to the VPN.

3. Install OpenVPN on Windows 10

3.1 Download and Install an older version of OpenVPN

https://build.openvpn.net/downloads/releases/openvpn-2.1.3-install-win2k.exe

When you install this you will be prompted to install a TAP driver, which is version 9. Once installed we can update to the latest version of OpenVPN.

3.2 Install later Version

https://build.openvpn.net/downloads/releases/openvpn-install-2.4.7-I603.exe

Once the old version of OpenVPN is installed, install the version above.

3.3 Update the TAP drivers manually

3.3.1 Open Device Manager, right-click the TAP-Windows Adapter and select Update.

3.3.2 Select Browse my computer for driver software.

3.3.3 Point to the folder where you have saved the drivers: AMD64 for 64-bit and i386 for 32-bit.

4. Run OpenVPN GUI as administrator.



This will give you the OpenVPN icon in your Windows tray. Right-click the icon and click Import. Before you do this you will need to download the client config from the OPNsense Firewall.

5. Download Client VPN Configuration

5.1 Navigate to VPN / OpenVPN / Client Export.

5.2 Set the export type to File Only.

5.3 Click on the small cloud icon to the left of the page.

5.4 Edit the Client configuration file.

5.4.1 Right-click the file you have downloaded from the firewall, open it for editing and remove UDP from line 8 as per the screenshots.

5.4.2 The config should look as follows, with x.x.x.x being the public IP of your firewall.

6. Import file for client configuration.

6.1 Right-click on the OpenVPN icon in your system tray as per the screenshot above in point 4.

6.2 Click Import file and select the file from its download location.

7. Connect to your VPN.

7.1 Right-click the OpenVPN tray icon and click Connect.

7.2 Enter user credentials.

Please feel free to leave any feedback. If you would like to explore Piggybank Cloud navigate to
https://piggybank.cloud/register.php

Thank you for reading.

How to create a pfSense Mobile (dialup) IPSEC VPN for a remote VPN client.

Hi all,

If you have an existing VPN client and would like to connect to a pfSense firewall this is how to do it.

I am currently connecting to my pfSense firewall which you can deploy with a click of a button on Piggybank Cloud.

[Screenshot: pfsense_1.PNG]

This will set up your public IP address and also give you your local LAN subnet. Alternatively you can add a virtual Ethernet adapter and configure your own private IP subnet.

Step 1. Enable and configure Mobile Clients

Click on IPsec under the VPN tab on the top menu.

Click on the Mobile Clients tab – VPN / IPsec / Mobile Clients.

Tick the box next to Enable IPsec Mobile Client Support.

Set User Authentication to Local Database.

Set Group Authentication to system.

[Screenshot: pfsense_2.PNG]

Configure your Virtual Address Pool – this is the subnet from which addresses are assigned to the VPN clients.

Configure DNS servers.

Click Save and Apply.

Step 2. Configure IPsec Mobile Clients Phase 1

Once you finish configuring the Mobile Clients settings you will be presented with a tab to edit the Phase 1 of Mobile Clients.

[Screenshot: pfsense_3.PNG]

[Screenshot: pfsense_4.PNG]

Enter the following settings (you can apply your own encryption, hash, DH group, lifetime etc.). You need to ensure that both ends of the tunnel configuration (client and pfSense) match in terms of IKE VPN settings.

  • Authentication method: Mutual PSK + Xauth
  • Negotiation mode: Aggressive
  • My identifier: My IP address
  • Peer identifier: User Distinguished Name, for example “support@piggybank.cloud”
  • Pre-Shared Key: “Your PSK”
  • Encryption Algorithm: AES 128
  • Hash Algorithm: SHA1
  • DH Key Group: 2
  • Lifetime: 86400
  • NAT Traversal: Force
  • Click Save

Step 3. Configure IPsec Mobile Clients Phase 2

The IPsec settings can be configured to your own specification in terms of encryption, hash, PFS etc., as long as the client and the pfSense firewall IPsec phase 2 settings match.

[Screenshot: pfsense_5.PNG]

  • Click inside the Mobile Phase 1 to expand its Phase 2 list.
  • Click Add P2 to add a new Phase 2.
  • Enter the following settings:
    • Mode: Tunnel
    • Local Network: the Phase 2 network address to be accessed by the VPN client (in this case the LAN subnet)
    • Protocol: ESP
    • Encryption Algorithms: AES 128 only
    • Hash Algorithms: SHA1 only
    • PFS key group: off
    • Lifetime: 28800
  • Add additional Phase 2 entries (created separately)
  • Click Save
  • Click Apply Changes

[Screenshot: pfsense_6.PNG]

Step 4. Configure a user on the local database

System > User Manager

Configure your users by entering a username and password and allocating them to groups.

Please make sure you authorise users for the VPN – IPsec xauth Dialin permission as per below, otherwise your users will fail authentication.

[Screenshot: pfsense_7.PNG]

Step 5. Create a rule to allow traffic

Under the Firewall tab click Rules and create a rule to allow IPsec traffic under the IPsec tab.

[Screenshot: pfsense_28.PNG]

Step 6. Configure your VPN Client

You can download a copy of the VPN client and a base config from Piggybank Cloud’s Demo account.

Navigate to the following url

https://piggybank.cloud/home/Demo.html

Check out the following guide for a tour of the platform and to get you familiar with the layout, if you need help finding the client.

Get the full tour of Piggybank Cloud’s Client Portal and Virtual Datacentre.

[Screenshot: pfsense_9.PNG]

Click View VPN Details.

Click Download VPN Config and Download VPN Client.

This will give you the Demo account's VPN details; once the config is imported, change the following:

[Screenshot: pfsense_10.PNG]

Install the VPN Client.

Import the downloaded config into the VPN client by clicking File and then Import.

[Screenshot: pfsense_14.PNG]

Change the remote host name or IP address (the pfSense in this case).

[Screenshot: pfsense_13.PNG]

Change the Identification type to User Fully Qualified Domain Name and add the UFQDN string that you have configured on the pfSense.

[Screenshot: pfsense_12.PNG]

Change the PSK (Pre-Shared Key) to match what you have configured on your pfSense.

[Screenshot: pfsense_11.PNG]

Change the phase 1 settings to match what you have configured on the pfSense.

[Screenshot: pfsense_15.PNG]

Change the phase 2 settings to match what you have configured on the pfSense.

[Screenshot: pfsense_16.PNG]

Save your configuration.

Step 7. Connect and test your VPN

Highlight your VPN and click Connect, enter your password and you should see the tunnel enabled.

[Screenshot: pfsense_21.PNG]

You can click on Network to make sure that it is established.

[Screenshot: pfsense_19.PNG]

You should now be able to connect to your firewall on the LAN gateway address, or test by pinging a device connected on the pfSense's LAN interface.

Thank you for reading and be sure to check out our growing number of guides.

Please feel free to leave your feedback below.

The Journey Begins

Hello to you all and welcome to our blog; keep an eye out for the new posts we will publish.

It's a place for us to write up our ideas, experiences and tutorials surrounding:

Networking,
Cloud Computing,
Linux,
Open source computing
& also to promote our own platform which is https://piggybank.cloud

First of all I’ll start with a bit of background about us and what we do; it's a good idea for us to explain what Piggybank Cloud is and how it came about.

Who Are We?

We are two technology enthusiasts who currently work for a managed services provider as network and security engineers. We love what we do but also have a strong passion for anything Linux, anything open source and anything cloud computing.

We have spent a lot of our spare time in the past labbing up networking gear and following other people's community guides.

What is Piggybank Cloud

We always wanted to give something back to the community, and also to set something up of our own and offer a cloud service, so we set up Piggybank Cloud. The idea was a cheap, affordable cloud platform for people; we wanted to automate everything from setting users' resources to deploying firewalls and setting up IPsec tunnels.

So we came up with a portal and started adding to it. It started pretty basic, but as we got more into it the ideas just kept flying.
We ended up with what we have now, which we intend to add more and more functionality to.

It gave us an opportunity to delve into software defined networking and use vendor REST APIs to provision network pieces, IPsec tunnels, NAT rules and more.
The good thing about REST APIs is that they are quick and simple: once you have the schema you are just passing data to a REST endpoint.

The good thing as well is that you can easily integrate these into your website, and that’s what we did.

What's next?

So that’s a bit of background on us and what we do. Keep your eyes peeled and we will get some more posts out; if you have any questions etc. leave us a comment. If you get a chance to have a look at our site please do, and any feedback would be much appreciated.

Until next time