We have been working for quite some time with the open-source firewall PFSense, especially in virtual environments: when a customer runs one or a few virtual servers we sometimes virtualize their firewall as well, and PFSense is the perfect choice. Lately we have also begun using physical PFSense boxes, as we found a company in Sweden that builds and sells them rather cheaply with nice specifications (TekLager.se – check them out here).
One of the big advantages of PFSense is that it can do pretty much everything out of the box, and setting up a new PFSense literally takes 20 minutes. It’s fast to navigate and the GUI makes sense for both beginners and more experienced users.
One scenario we have been struggling with was getting two PFSense boxes connected by a standard IPsec tunnel to also work together with OpenVPN as a remote access gateway: users connect to the first PFSense box with OpenVPN and from that connection reach the network behind the second PFSense box through the IPsec tunnel.
I have googled this a lot and never really found the answer, hence this blog post to share with everybody how I got it working. So…..
Howto set up IPSec VPN between two PFSense firewalls WITH OpenVPN Remote Access Clients
Consider this scenario:
The IPSec tunnel
First off, setting up the IPsec tunnel between the two PFSense firewalls is easily done and there are a ton of guides/howtos on the Internet; here is one that will do the trick: https://lifeoverlinux.com/how-to-setup-ipsec-vpn-on-pfsense-2-3/
Once the IPsec tunnel is up you should be able to communicate from “Server HQ” to “Server DC” and back. Don’t continue below until you have this working.
The OpenVPN Server setup
Next up is configuring the OpenVPN server on PFSense. In our environment we have set up the full shebang with Active Directory integration for user authentication, but less will do. Again, you can find a ton of guides on the Internet and here is one that works: https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server (the screenshots are from an older version of PFSense but otherwise it’s OK). My advice is to ALWAYS use tun: in my opinion tun gives you the right topology (a routed layer-3 tunnel rather than a bridged one, which is what the IPsec Phase 2 entries further down operate on) and it’s simply easier to get working (see my comments on choice of VPN client software below).
Some comments on the OpenVPN Server setup:
- The guide uses the OpenVPN Client Export utility – yay!
- I will always recommend the “Remote Access (SSL/TLS + User Auth)” mode, i.e. username/password in combination with a certificate. All users in our environment use the same certificate, and the Client Export utility makes it very easy to build the client config once the server is set up. Be aware of the trade-off with a shared client certificate: it cannot be revoked for one lost laptop without cutting off everyone, so authentication then rests on the password alone. Per-user certificates issued from the PFSense certificate manager keep revocation possible, and the export utility builds a profile per user just as easily.
- For choice of VPN client I strongly recommend the OpenVPN client called Viscosity from Sparklabs (https://www.sparklabs.com/viscosity) – yes, it costs money, but it’s pennies compared to the time you will otherwise spend complaining about the legacy client from OpenVPN, PLUS it just works on newer versions of Windows with a tun setup without UAC issues. I highly recommend checking Viscosity out.
Now that you have the OpenVPN server set up and the client profile created, downloaded and ready, set up the first PC, connect, and hopefully everything just works – again, do not continue before you have a working remote access setup.
IPsec works, OpenVPN remote access works – but not together – what now?
The first two parts of this blog post were the easy parts – again there are a ton of guides on the Internet and it should be reasonably easy to get this far – however, now you find out that:
- Server HQ and Server DC can communicate over the IPSec tunnel
- The Remote User and Server DC can communicate over the OpenVPN Remote Access setup
- BUT the Remote User cannot communicate with Server HQ, because neither PFSense box has an IPsec Phase 2 entry (and therefore no route or policy) covering the OpenVPN client subnet, so the IPsec tunnel and the OpenVPN remote access setup do not work together!
And THIS is exactly the situation I ended up with – and Googling gave me hints but not the solution. So here it is:
The PFSense implementation of OpenVPN is built in, and even though it works great and is easy to set up, it is not fully integrated with the rest of the PFSense interface. For example, you do not see the OpenVPN server’s network interface in the interfaces list and you don’t see the VPN subnet anywhere. Under firewall rules you see an “OpenVPN” tab, but this is the built-in group tab covering all OpenVPN instances, not the network interface as such.
The solution is to assign the OpenVPN network interface and add the client subnet to the Phase 2 part of the IPsec tunnel at both ends, so that both PFSense boxes know about the VPN subnet and traffic gets routed.
This is fairly simple on the PFSense box at HQ: just add another Phase 2 entry with the local LAN subnet as source and the client VPN subnet as remote destination; here is an example:
The problem is on the other box. On the PFSense box running the OpenVPN server you cannot add the matching Phase 2 entry, because the OpenVPN client subnet is not offered anywhere in the local network dropdown:
This is again because the OpenVPN implementation is not fully integrated into the rest of PFSense.
Therefore what you do is:
- Start by going to ‘Interfaces’ > ‘Assign’:
- Notice that after you set up OpenVPN you now have a new and unassigned Interface:
- Click the ‘Add’ button, then ‘Save’ and ‘Apply’. The interface is now assigned.
- Now click the ‘Interfaces’ dropdown again and find the new “OPT1” interface in the list, click it.
- Enable it and give it a description (for example OPENVPN). Leave the IPv4/IPv6 configuration type at None: the OpenVPN server process already holds the first address of the tunnel network you chose during the OpenVPN setup, so there is nothing to type here and a static address would only conflict with it. ‘Save’.
- You have now told the rest of the PFSense functionality that the virtual OpenVPN interface exists. At this point I found during testing that you sometimes have to reboot PFSense; you could probably just restart the IPsec and OpenVPN services, but a reboot is easier (and then you can go for coffee ;-)).
- Once rebooted, log in, go to ‘VPN’ > ‘IPsec’ and add the missing Phase 2 entry; notice that you now have the OPT1 subnet in the list:
- Click ‘Save’, then go to ‘Status’ > ‘IPsec’ and reconnect the IPsec tunnel.
- DONE 😉
You should now be able to connect from the remote VPN client to both the server (DC) on the LAN behind the PFSense box running the OpenVPN service AND to the server (HQ) behind the IPsec tunnel to the PFSense box at HQ:
Two things to check if it still does not work: the OpenVPN server’s “IPv4 Local Network(s)” must include the HQ LAN as well as the DC LAN, otherwise the clients never get a route to HQ pushed to them, and the firewall rules on the IPsec tab at HQ and on the OpenVPN tab at DC must permit traffic from the client subnet.
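Because the failure above is silent (the tunnel is up, the client connects, and only the HQ traffic goes nowhere), it is worth being able to check a PFSense configuration backup for the two conditions this post ends on before rebooting anything. The script below is an added example written for this post, not PFSense code: it parses a config.xml-style backup, resolves Phase 2 endpoints (including an assigned ovpnsN interface, whose network is the OpenVPN tunnel network) and reports whether the OpenVPN box has a Phase 2 from the client subnet to the HQ LAN and whether the server pushes a route to that LAN. The element names follow pfSense backups as I know them, but treat the exact layout, the two embedded sample configs and the addresses (192.168.10.0/24 at HQ, 192.168.20.0/24 at DC, 10.8.0.0/24 for clients) as constructed assumptions.

```python
"""Lint a pfSense-style config.xml for the IPsec + OpenVPN remote-access case.
Added example; element layout is assumed from pfSense backups, not guaranteed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the DC box BEFORE the fix (no assigned OpenVPN interface,
# only the LAN<->HQ Phase 2, HQ LAN not pushed to clients).
SAMPLE_DC_BEFORE = """<pfsense>
  <interfaces>
    <lan><if>em1</if><ipaddr>192.168.20.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <openvpn><openvpn-server>
    <vpnid>1</vpnid><mode>server_tls_user</mode>
    <tunnel_network>10.8.0.0/24</tunnel_network>
    <local_network>192.168.20.0/24</local_network>
  </openvpn-server></openvpn>
  <ipsec>
    <phase2><mode>tunnel</mode><localid><type>lan</type></localid>
      <remoteid><type>network</type><address>192.168.10.0</address><netbits>24</netbits></remoteid>
    </phase2>
  </ipsec>
</pfsense>"""

# Constructed sample: the same box AFTER the steps in the post (ovpns1 assigned
# as opt1, second Phase 2 from the OPT1 subnet, HQ LAN added to Local Networks).
SAMPLE_DC_AFTER = SAMPLE_DC_BEFORE.replace(
    "</lan>", "</lan>\n    <opt1><if>ovpns1</if><descr>OPENVPN</descr><enable></enable></opt1>"
).replace(
    "<local_network>192.168.20.0/24</local_network>",
    "<local_network>192.168.20.0/24,192.168.10.0/24</local_network>",
).replace(
    "</ipsec>",
    """  <phase2><mode>tunnel</mode><localid><type>opt1</type></localid>
      <remoteid><type>network</type><address>192.168.10.0</address><netbits>24</netbits></remoteid>
    </phase2>
  </ipsec>""",
)


def _text(el, tag):
    child = el.find(tag) if el is not None else None
    return (child.text or "").strip() if child is not None else ""


def interface_network(root, name):
    """Resolve a Phase 2 interface reference ('lan', 'opt1', ...) to a network.
    An assigned OpenVPN interface (if=ovpnsN) carries no static address; its
    network is the tunnel_network of OpenVPN server N."""
    iface = root.find(f"interfaces/{name}")
    if iface is None:
        return None
    dev = _text(iface, "if")
    if dev.startswith("ovpns"):
        for srv in root.findall("openvpn/openvpn-server"):
            if _text(srv, "vpnid") == dev[len("ovpns"):]:
                return ipaddress.ip_network(_text(srv, "tunnel_network"), strict=False)
        return None
    addr, bits = _text(iface, "ipaddr"), _text(iface, "subnet")
    if not addr or not bits:
        return None
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def _endpoint_network(root, endpoint):
    kind = _text(endpoint, "type")
    if kind == "network":  # an explicitly typed network
        return ipaddress.ip_network(
            f"{_text(endpoint, 'address')}/{_text(endpoint, 'netbits')}", strict=False)
    return interface_network(root, kind)  # 'lan', 'opt1', ... subnet


def phase2_networks(root):
    """(local, remote) network pairs for every tunnel-mode Phase 2 entry."""
    pairs = []
    for p2 in root.findall("ipsec/phase2"):
        if _text(p2, "mode") != "tunnel":
            continue
        local = _endpoint_network(root, p2.find("localid"))
        remote = _endpoint_network(root, p2.find("remoteid"))
        if local is not None and remote is not None:
            pairs.append((local, remote))
    return pairs


def lint_openvpn_box(xml_text, hq_lan):
    """Return a list of problems found on the box that runs the OpenVPN server;
    an empty list means both conditions from the post are satisfied."""
    root = ET.fromstring(xml_text)
    hq = ipaddress.ip_network(hq_lan)
    problems = []
    for srv in root.findall("openvpn/openvpn-server"):
        vpnid = _text(srv, "vpnid")
        clients = ipaddress.ip_network(_text(srv, "tunnel_network"), strict=False)
        pushed = [ipaddress.ip_network(n.strip())
                  for n in _text(srv, "local_network").split(",") if n.strip()]
        if not any(hq.subnet_of(n) for n in pushed):
            problems.append(f"server {vpnid}: {hq} not in Local Network(s), clients get no route to HQ")
        if not any(clients.subnet_of(l) and hq.subnet_of(r) for l, r in phase2_networks(root)):
            problems.append(f"server {vpnid}: no Phase 2 entry {clients} -> {hq}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_DC_BEFORE), ("after", SAMPLE_DC_AFTER)):
        print(label, lint_openvpn_box(cfg, "192.168.10.0/24") or ["OK"])
```

Run it against a real backup with `lint_openvpn_box(open("config.xml").read(), "<HQ LAN>")`; the HQ box needs the mirror-image check (a Phase 2 from its LAN to the client subnet), which `phase2_networks` already gives you the data for.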