Multisite VPN Bridge Using Public Key Infrastructure (PKI)

Transcription

1 Configuring an OpenVPN Multisite VPN Bridge Using Public Key Infrastructure (PKI) Overview: This article covers a case-scenario in which two offices, each with a dedicated pfsense router, join together as one logical network using OpenVPN. Foreword: TUN and TAP are virtual network kernel devices, i.e. they are not backed by hardware network adapters (e.g. pci, pci-e card). TAP is short for network tap: Simulates an Ethernet device Operates with layer 2 packets such as Ethernet frames TUN is short for network tunnel: Simulates a network layer device Operates with layer 3 packets such as IP packets TAP is used to create a network bridge, while TUN is used with routing. Source:{ I ve worked with two modes of OpenVPN: Routing (TUN) and Bridging (TAP) Routing: From what I gather, this is better for a network tunnel between client(s) where primarily point-to-point connections are required. Bridging: From what I gather, this is better for a network

2 tunnel between network(s) wherein ALL traffic, including broadcasts, is a requirement. This document covers OpenVPN in Bridging (TAP) mode. Note: From what I researched, you cannot bridge different subnets. Bridging can only connect two segments which use the same IP subnet. To connect different subnets you need to use IP routing. Caveats: The network configuration in this document allows broadcasts to span the network bridge. As such, broadcasts like DHCP will traverse the bridge both ways. Possible problems this might present: When started, each DHCP client broadcasts a DHCP discover message (DHCPDISCOVER) to its local subnet in an attempt to find a DHCP server. Because DHCP clients use broadcasts during their initial startup, you cannot predict which server will respond to the DHCP discover request of a client if more than one DHCP server is active on the same subnet. This can lead to unexpected results. One searing example is a client picking up default gateways belonging to a network that lies across the bridge. Imagine a client from Florida using the default gateway from the site in New Jersey! No Bueno. Luckily, there is a workaround. Block DHCP traffic from traversing the network bridge. The instructions for this are included in the document. The Big Picture

3 The network we re working with is , with a network mask of , or /16. This is essentially one giant network. This allows for a wide range of Private IP Addresses: (1-254).(1-254) all under one broadcast domain. This is what I needed for my setup. Network configuration illustrated above: two different subnets that are part of the same broadcast domain. Create Certificate Authority

4 Login to the web admin Click System > Cert Manager From the CAs leaf, click the Plus button Give it descriptive name. Method: Create an internal Certificate Authority, leave Key length and Lifetime to default. 6. Fill in the rest of the fields as you see fit. 7. Click Save 8. Once this is done, we need to create our certificates for the OpenVPN server as well as any users/sites we want to connect. Create the Server Certificate

5 1. The process for creating a Cert for the server and users are almost identical. Let s create the Server Certificate. 2. The OpenVPN server (pfsense) must have its own cert as well as any users. 3. Click the Certificates leaf, click the plus button. 4. In the Method Drop down box make sure it says "Create an Internal Certificate" 5. Give a descriptive name. A good idea is to specify server/username 6. In the Certificate Authority drop down choose the CA you just created. 7. In Certificate Type drop down specify whether this Cert is for the server or a user. In this case, it is a Server Certificate 8. Fill out the rest of the info for location. 9. Click Save

6 Create the User Certificate(s) 1. Repeat the previous process, but selecting User Certificate for the Certificate Type. Create as many certs as you need ensuring that all are based off the original CA created earlier. 2. Click Save Create a Certificate Revocation List

7 Its a good idea to create a revocation list. Doing so allows for easily revoking client connections should the need arise. No need to disable the OpenVPN server entirely, or delete any client certificates, or manually kill connections, nothing ugly. To create a revocation list: Click the Cert Revocation leaf Press the plus button next to the CA you created. Method: Create an internal Cert Revo list. Give it a name and verify the CA is in the drop down box. Click Save. You ll notice a new line with an edit button. This is where you can revoke or restore certificates for users. Congrats, you should now have the PKI in place!

8 Install Package: OpenVPN Bridge Fix There is no tunnel network when using tap/bridging mode, yet the PfSense 2.0 gui required you to enter one. This essentially wouldn t allow you to do this through the gui. Thankfully after user jadams brought this to their attention, they released a package to fix this problem. To install this package: 1. Click System > Packages 2. Click the Available Packages Tab 3. Install the OpenVPN tap Bridging Fix package OpenVPN Server Setup Section:General Information

9 1. Click VPN > OpenVPN 2. In the Server leaf, click the plus button to add a server. 3. Disables the server: unchecked (obviously) 4. Server Mode: Remote Access (SSL/TLS) 5. Protocol: UDP 6. Device Mode: TAP 7. Interface: WAN 8. Local port: 1194 (default port but you can choose whatever port you like) 9. Description: ************* OpenVPN Server Setup Section:Cryptographic Settings

10 1. TLS Authentication: Check both check boxes 2. Peer Certificate Authority: Use the CA we created earlier Peer Revoke List: use the revoke list creates earlier Server Certificate: This is where you use the Server Certificate created earlier, NOT any of the User certs DH Parameters Length: I set mine to 1024 Encryption Algorithm: I used AES-128-CBC Hardware Crypto: I used the BSD Cryptodev engine, as the system is on an Intel Atom with 2GB of RAM Cert Depth: One OpenVPN Server Setup Section:Tunnel Settings

11 Note:Here s a classic Catch-22: If you want to bridge the OpenVPN tunnel with your LAN, you must first create the bridge, BUT, you can t create the Bridge without first creating the OpenVPN tunnel! Solution: Proceed with OpenVPN Server setup without enabling any bridge functionality. Then, once that is complete, you create the bridge, revisit the OpenVPN server settings, and enable the option. Ok, now back to Tunnel Settings: 1. Tunnel Network: leave Blank. No tunnel network with Bridging (see info at top if you re curious as to why) 2. B r i d g e D H C P : T h i s b o x m a y n o t y e t b e a v a i l a b l e (Catch-22, we revisit after we setup this OpenVPN tunnel and create the bridge) 3. Bridge Interface: Again, we revisit after we setup this OpenVPN tunnel and create the bridge. This will be set to your LAN interface. 4. Server DHCP Start/Stop: You can specify an IP range here. However since its bridging you can leave it blank. Your internal DHCP server will take care of it. I left these blank. One thing to keep in mind is that a

12 client s IP will not be displayed on the Dashboard Widget if you leave the range blank. I ll be bringing this up on the PfSense forums. Redirect Gateway: SEE NOTE AT THE END Concurrent Connections: self explanatory, I left this blank. Compression: I checked this TOS: I left unchecked Inter-client communication: If you want different remote clients to be able to talk to each other check this box Duplicate connections: This will allow different people with the same certs you give them to connect. Not recommended, but I m sure theres instances where it might be required. OpenVPN Server Setup Section:ClientSettings Dynamic IP: checked Address Pool: unchecked DNS Default domain: if you have one enter it here DNS Servers: specify up to 4 NTP Server: you can specify up to 2 Wins Server: if you have one OpenVPN Server Setup Section:Advanced Settings

13 Here you can setup additional routes. I left this blank. This is the last section in the OpenVPN Server setup. Click the Save button. Create the LAN/OpenVPN Bridge Click Interfaces > Assign Press the + button to add an interface It will probably show up as OPT1, in the drop down box choose your OpenVPN instance goto Interfaces > OPT1 Enable the Interface Give it a better description Leave the rest default. Save While still in the Interfaces > Assign click the Bridges tab Press the plus button to create a bridge. Choose TWO or more interfaces you want to bridge (e.g. your LAN, and the interface we just made for your OpenVPN server) by clicking on them using the CTRL button Give it a description SAVE

14 Create OpenVPN LAN Bridge Click Interfaces > Assign Click the plus button to add an interface. It will probably show up as OPT1 in the drop down box. Choose the interface matching the OpenVPN instance you want to bridge. Click Interfaces > OPT1 Enable the Interface, give it a more appropriate description (e.g. OpenVPN) Leave the rest default. Click Save Click Interfaces > Assign Click the Bridges leaf. Press the plus button to create a bridge.

15 12. Choose TWO interfaces the interface we just clicking on them using 13. Give it an appropriate you want to bridge (your LAN, and made for your OpenVPN server) by the CTRL button. description and click SAVE. OpenVPN Server Setup (Revisit) Section:Tunnel Settings DHCP Start/DHCP End Bridge DHCP: If and Only If (IFF) you correctly configured the bridge, OpenVPN bridge options should now be available. Place a check mark on Allow clients on the bridge to obtain DHCP Bridge Interface: Set this your LAN interface. Click Save at the bottom. Note: The image in this step illustrates using an ip address range as the DHCP Start and DHCP End, but you can leave these blank if you plan on having IP Addresses assigned by the default DHCP Server settings on the pfsense box (if applicable) or by a dedicated DHCP server on your network.

16 In my case, I set the address to a scope of 15 IP Addresses that lay OUTSIDE of my DHCP server s IP Address range. Server Firewall Rule: Allow OpenVPN Connection to WAN Port Click Firewall > Rules Click the WAN leaf, click the plus button to add a rule. Action: Pass Disabled: unchecked Interface: WAN Protocol: UDP Source: any Destination: WAN Address

17 9. Destination Port Range: This is the port of your OpenVPN server (Mine is set to the default 1194) 10. Give it a description (e.g. Allow OpenVPN to WAN ) 11. Click Save Server Firewall Rule: Open the Floodgates, Allow All Bridged OpenVPN Traffic 1. Click Firewall > Rules 2. Click the OpenVPN leaf, click the plus button to add a rule. 3. Action: Pass 4. Disabled: unchecked 5. Interface: OpenVPN 6. Protocol: any 7. Source: any 8. Destination: any 9. Destination Port Range: any 10. Give it a description (e.g. Allow OpenVPN Traffic from Clients) 11. Click Save Cont d

18 1. Click the leaf corresponding to your OpenVPN Tap Interface (e.g. OPENVPNTAP,OVPN) 2. Do the same as you did for the OpenVPN Leaf Export Certificate for Use On the Client Router(s): CA Certs 1. Click System > Cert Manager 2. To export CA Cert and Key: click on the first downward

19 pointing triangle. 3. As a guide, when you hover over it, the text label is Export CA, Save File Export Certificate for Use On the Client Router(s): User Certs 1. Click System > Cert Manager 2. To Export User Cert and Key: click on the first downward pointing triangle. 3. As a guide, when you hover over it, the text label is Export Cert/Key, Save File. 4. You ll also need the TLS Authentication token from the server, as this will be pasted into the Cryptographic Settings on the client side.

20 5. On the OpenVPN Server, click the Server configuration (VPN > OpenVPN > Server leaf), copy the TLS Authentication. 6. It s up to you how you will get this TLS Authentication and these exported files to the client end(s) (e.g. in an to yourself, or copying onto a USB stick for transfer) Export Certificate for Use On the OpenVPN Clients (e.g. Windows) You can connect to the PFSense OpenVPN Server via desktop clients like Windows, Mac OSX, and Ubuntu Linux It is easiest to go about this by installing the OpenVPN Client Export Utility Click System > Packages

21 Click the Available Packages leaf Click the plus sign to install the OpenVPN Client Export Utility Once installation is complete, Click VPN > OpenVPN If the package was installed successfully, you should see the Client Export leaf. Click it. Click Configuration archive for the corresponding user, in my case RemoteSite1 You will be prompted to save a.zip archive containing the necessary files for connection on the client end. Save the file. The Configuration Archive should contain at least three of these file types:.ovpn.key.p12 It s up to you how you will get this Configuration Archive to the client end(s) (e.g. in an to yourself, or copying onto a usb stick for transfer) Client Side(s): Import the Certificates (CA Certs)

22 Now on the client router, Click System > Cert Manager Click the CAs leaf, add new one. Method: Import an existing Certificate Authority Enter as Descriptive name the name of the certificate from the first server, in my case MainOffice Using a text editor, open the Server cert file, in my case MainOffice.crt Simply copy / paste the content of the file into the Certificate Data field. We are NOT pasting anything into the second field (Certificate Private Key ) Click Save

23 Client Side(s): Import the Certificates (User Certs) Click the Certificates leaf, add new one. Method: Import an existing Certificate Enter as Descriptive name the name of the client router, in my case RemoteSite1 Using a text editor, open the Client cert file, in my case RemoteSite1.crt Simply copy / paste the content of the file into the Certificate Data field. Using a text editor, open the Client private key file, in my case RemoteSite1.key Simply copy / paste the content of the file into the Private Key Data field. Click Save OpenVPN Client Setup Section: General Information

24 1. Click VPN > OpenVPN 2. In the Client leaf, click the plus button to add a client. 3. Disables this client unchecked (obviously) 4. Server Mode: Peer to Peer (SSL/TLS) 5. Protocol: UDP 6. Device Mode: TAP 7. Interface: WAN 8. Local port: blank 9. Server host or address: enter in the OpenVPN Server WAN IP Address or Registered DNS. Note: If you re using a dynamic hostname (e.g. *.dyndns), make sure to check the Server host name resolution box.

25 10. For All Proxy options, I didn t need these so I left them blank 11. Server host name resolution: From what I gather, you check this box if the server is using a dynamic addresses (e.g. *.dyndns.org) 12. Set an appropriate Description (e.g. Site to Site OpenVPN Bridge with MainOffice) OpenVPN Client Setup Section: Cryptographic Settings 1. Enable authentication of TLS packets: Checked 2. Automatically Generate a shared TLS authentication key: Unchecked 3. Paste into the TLS Authentication field the TLS Authentication value from the server. 4. Peer Certificate Authority: Set this to the Server CA 5. Client Certificate: Set this to the Client Cert 6. Encryption algorithm: Set this to match that of the Server 7. Hardware Crypto: Set this to match that of the Server

26 OpenVPN Client Setup Section: Tunnel Settings Compression: Checked All else is default Advanced: blank Click Save Add Routings To Other Networks (Optional)

27 If you intend to push routes to networks not part of the bridge, you ll need to do specify the options in the advanced section ==>> e.g. route ; route ; The above will push these static routes to any clients that successfully establish a VPN connection. (Optional) Client-Specific Overrides

28 Client-specific overrides allow settings to be pushed on a per-client basis. The above picture illustrates assigning a different gateway to client johndoe-crt push route-gateway Verify OpenVPN Client Connections

29 ( Optional) Block DHCP Packets From Traversing the Bridge If you plan on keeping DHCP Scopes contained to their own sites, you should enable a firewall rule to disallow DHCP Traffic across the OpenVPN bridge. Note:{pFsense uses Packet Filter as its firewall. Packet Filter is governed by rules that are Evaluated from Top to Bottom, on a first match wins basis. For this reason, any block rules you want in place should be positioned before the allow rules Click Firewall ==>> Rules Click the OpenVPN leaf Click the plus button to add a rule Action: Block Disabled: unchecked Interface: OpenVPN Protocol: UDP (Both IPV4 and IPV6) Source: any Source Port Range: Set range to Destination: any Destination Port Range: Set range to Give it a description (e.g. Block DHCP Traffic)

30 13. Click Save Troubleshooting Network Connectivity is Lost Across Bridge Scenario: Upgraded pfsense from 2.1 to Removed and regenerated all certs Enabled Active Directory Authentication Problem: Once I got the client connected, I could not ping the gateway or any machine on my network I noticed that ipconfig results showed no gateway definition. Turns out that s normal Head scratching wtf For a shitz and giggles I removed and readded members interfaces to the Bridge configuration. Once I saved, voila. Worked. WTF? TLS Error: TLS object -> incoming plaintext read error EDIT: This should have been fixed in the latest pfsense build.

31 Client-Side: VERIFY ERROR For the OpenVPN Client configuration, make sure you re using the correct Peer Certificate Authority (CA) This should be set to the CA you imported Sources Fumanchu. "The Hand of FuManChu." Site-to-site Ethernet Bridge over OpenVPN (2 of 2). Web. 26 Feb < _ethernet_bridge_over_openvp_2?blog=2>. Fumanchu. "The Hand of FuManChu." Site-to-site Bridged Ethernet Using OpenVPN (1 of 2). Web. 26 Feb < _bridged_ethernet_using_open_2?blog=2>. Lepalaan, Filipp. "NetBoot Over OpenVPN." OpenVPN Bridging: Netboot over VPN. Web. 26 Feb < Gibson, Steve. "GRC OpenVPN HOWTO Guide: Routing vs Bridging." OpenVPN: Step-by-Step HowTo Guide. Web. 26 Feb < "OpenVPN Tunnels and Bridges." Shoreline Firewall. 30 July Web. 26 Feb

32 < "OpenVPN Client Export Files in PfSense 2.0RC." PfSense Forum. Web. 26 Feb < "How to Configure OpenVPN (lockup Version)." Lockup. Web. 26 Feb < "Pfsense OpenVPN Bridging Guide [H]ard Forum." [H]ard Forum. Web. 26 Feb < Stefcho. "Stefcho s Blog." Routing Road Warrior s Clients through a Site-To-Site VPN with PfSense 2.0 RC1 and OpenVPN. Web. 26 Feb < Stefcho. "Stefcho s Blog." PfSense 2.0 RC1 Configuration of OpenVPN Server for Road Warrior with TLS and User Authentication. Web. 26 Feb < Vana, Yaron, and Idit Michael. "How to Simulate WAN in VMware?" Vvirtual s Blog. Web. 26 Feb < Google Search Keywords openvpn pfsense openvpn pfsense windows subnet route gateway 2 dev tap bridge tap conf client export utility PKCS12 openvpn error opening.p12