How to configure OpenVPN shared key tunnels using pfsense and OpenWRT. Ver. 1.0 ( ) Author: Ville Leinonen

Transcription

1 How to configure OpenVPN shared key tunnels using pfsense and OpenWRT. Ver. 1.0 ( ) Author: Ville Leinonen Intro In this document I try to explain how to configure ssl-based site-to-site tunnels using pfsense /1/ and OpenWRT /2/. In this example I use shared key, because it s easiest way to set up site-to-site tunnel. Bad thing for this is that I can use only one tunnel/key, but it s enough for me. This document assume that reader have some experience how to use pfsense and OpenWRT. Enviroment Bellow is picture for this document example environment. WAN address for pfsense is picked up in my head. Picture 1. Example network environment. Home office: LAN: /24 WAN: dhcp Tun0: pfsense: LAN: /24 WAN: Tun0: Generating key You must generate shared static key. Step 1. Take ssh session to your pfsense firewall. Step 2. Select 8 and press enter. pfsense console setup *********************** 0) Logout (SSH only) 1) Assign Interfaces 2) Set LAN IP address 3) Reset webconfigurator password 4) Reset to factory defaults 5) Reboot system 6) Halt system 7) Ping host 8) Shell 9) PFtop 10) Filter Logs 11) Restart webconfigurator Enter an option: 8

2 Step 3. Generate key # openvpn --genkey --secret /tmp/myshared.key Example key: # more /tmp/myshared.key # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V ef9b9f0bff2268eb3966d6a408398db1 f7e6f c76560d1ce25b8d46be4 1c58e656d2e7633d2481e74b9e c9e6a7528a46b2474bc08838ae19a4c 7f19878bd381cf8cfb0c4dc14fa e50710d0af df0a25 54e1e86b2c9fcc4139dba763b97861bc 36cd477c6f293e8ca07e1bffaba697bf 948b65c213c5747cf0645fb7886bac4b f697640dff961b95cfd8d2c0f3 ef976540e9c004ed be 969a70e7d53910f3415f8d829bdb192e b4aad90e91baec25cac0b e9 e fdd9d33a56c44b90cbd5ce 0d e2cdd33192fdfb4d06399fd 9eb aadb c5249ce END OpenVPN Static key V Step 4. Copy key into your computer. Step 5. Delete generated key file. # rm /tmp/myshared.key Step 6. Logout # exit Step 7. Choose 0 and press enter. Setup pfsense This document assumes that you have existing and working pfsense environment. Step 1. Select OpenVPN link. Step 2. Select add new server button.

3 Step 3. Create OpenVPN server. - Protocol : TCP (this is communication protocol) - Local port 1194 (server listens this port) - Address pool: /24 (client takes tun0 address from this pool) - Cryptography: BF-CBC (128-bit) (we use this cryptography cipher algorithm) - Authentication method: Share key (paste here your generated key) - LZO compression (put mark for this) - Description: OPTIONAL Insert tunnel description - Click Save.

4 Step 4. Select Rules. Step 5. Select Add new rule.

5 Step 6. Add rule to allow OpenVPN tunnel traffic. - Action: Pass (allow traffic) - Interface: WAN (select WAN interface if your client connects this interface/address) - Protocol: TCP - Log: Put mark here (Yes we want to log this traffic) - Destination port range: 1194 (allow OpenVPN tunnel connections) - Description: OPTIONAL Insert rule description - Click Save

6 Setup OpenWRT This document assumes that you have working OpenWRT environment. This document assumes that you have update your OpenWRT packages list access to backports. Step 1. Take ssh session to your OpenWRT box. Step 2. Paste your key file /etc/openvpn directory. (OpenWRT use vi editor. vi help /3/) # vi /etc/openvpn/myshared.key - Inside vi press Esc and then i - Paste your key - Press Esc - Write :wq! and press enter Step 3. Generate configuration file to /etc/config/ directory dev tun0 # Generate/use tunnel 0 proto tcp-client # Use tcp keepalive # Some ping like messages persist-tun # Some persist options persist-key # Some persist options ifconfig # Tun0 ip-address route # Route for corporate network remote # OpenVPN server address resolv-retry infinite # Some Road warrior stuff nobind # We don t need to specific port number mute-replay-warnings # Some WLAN stuff secret /etc/openvpn/myshared.key # Where our secret file is located comp-lzo # Enable compression verb 3 # Log verbosity Example. myopenvpn.cfg file Step 4. Generate startup script for /etc/init.d directory. # Make sure that tun module is loaded insmod tun # Start OpenVPN daemon openvpn --daemon --config /etc/config/openvpn.oma --ifconfig-nowarn # Allow traffic to tunnel /4/ iptables -A INPUT -i tun+ -j ACCEPT # Allow forwarding traffic from tunnel iptables -A FORWARD -i tun+ -j ACCEPT # Allow forwarding traffic from br0 interface to tunnel iptables -A FORWARD -i br0 -o tun+ -j ACCEPT Example. S98openvpn file Step 5. Restart your OpenWRT box and watch your pfsense firewall and OpenVPN logs. There should be something like this Jan 11 12:52:47 openvpn[9494]: Initialization Sequence Completed Jan 11 12:52:46 openvpn[9494]: Peer Connection Initiated with xxx.xxx.xxx.xxx:4356 Jan 11 12:52:46 openvpn[9494]: TCPv4_SERVER link remote: xxx.xxx.xxx.xxx:4356 Jan 11 12:52:46 openvpn[9494]: TCPv4_SERVER link local (bound): [undef]:1194 Jan 11 12:52:46 openvpn[9494]: TCP connection established with xxx.xxx.xxx.xxx:4356 Links /1/ /2/ /3/ /4/