Configuring OpenVPN on pfSense

This howto describes the setup of pfSense for the IPredator VPN. The following steps assume a fresh installation of pfSense 2.2.

Once the configuration files have been locked as described below, the settings of the IPredator VPN connection can no longer be changed from the GUI: pfSense cannot rewrite the immutable client1.conf, so later changes have to be made on the command line after clearing the flag.

Requirements

GUI configuration

Create an initial OpenVPN client configuration through the pfSense GUI (VPN > OpenVPN, Client tab). This creates the directory structure under /var/etc/openvpn and the configuration files that are altered on the command line below. The screenshot shows which options you need to customize; leave everything else unchanged.

[Screenshot: pfsense_initial_config.png]

Command line configuration

This howto does not rely on sftp or scp access to the router, so the OpenVPN configuration file is transferred as base64 text through the console and created manually.

First download the configuration file to a system that has openssl installed, encode it, and copy the output:

your host$  openssl enc -base64 -in IPredator-pfSense-Password.conf
[... copy the output ...]

On the pfSense machine, run openssl again to decode the data and write the configuration file. Use > rather than >>: the GUI has already created a client1.conf, and appending to it would leave OpenVPN with two merged configurations:

[2.2-RELEASE][root@pfSense]/: cd /var/etc/openvpn
[2.2-RELEASE][root@pfSense]/var/etc/openvpn: openssl enc -base64 -d > client1.conf << EOF
[... paste the output followed by EOF ...]
EOF

Your username and password need to be stored on the router in the next step. The shell creates the file with the default umask, so it is readable by other local users until the chmod below; run the commands back to back, or set a umask of 077 in the session first:

[2.2-RELEASE][root@pfSense]/var/etc/openvpn: cat > IPredator.auth << EOF
<USERID>
<PASSWORD>
EOF
[2.2-RELEASE][root@pfSense]/var/etc/openvpn:

pfSense regenerates the files under /var/etc/openvpn from its own configuration, for example when the OpenVPN service is restarted, which would overwrite the file just created. To prevent this, set the system immutable flag (schg) on both files. Fix the permissions first, because once schg is set, chmod is refused as well:

[2.2-RELEASE][root@pfSense]/var/etc/openvpn: chmod 600 IPredator.auth client1.conf
[2.2-RELEASE][root@pfSense]/var/etc/openvpn: chflags schg IPredator.auth client1.conf
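The command-line steps above, collected into one script as an added example (this is not part of the IPredator howto or of pfSense): it decodes the pasted base64 config, writes the credentials file, fixes the permissions and sets schg, without ever leaving either file world-readable, and it replaces the GUI-generated client1.conf instead of appending to it. File names follow the howto; the function names, the base64 fallback for systems without openssl, and the constructed sample input used to exercise it are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the IPredator howto: perform the command-line
# steps (decode config, write auth file, chmod, chflags schg) safely.
set -eu

# Decode a base64 blob read from stdin into the file $1.
# Runs under umask 077 in a subshell so the file is 0600 from creation on,
# and uses > so an existing GUI-generated file is replaced, not appended to.
decode_to_file() {
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl enc -base64 -d > "$1"   # same decoder the howto uses
        else
            base64 -d > "$1"               # assumed fallback without openssl
        fi
    )
}

# Write the auth-user-pass file $1: username on line 1, password on line 2.
write_auth_file() {
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1" )
}

# Octal permission bits of a file; BSD and GNU stat take different flags.
file_mode() {
    if [ "$(uname -s)" = FreeBSD ]; then
        stat -f '%OLp' "$1"
    else
        stat -c '%a' "$1"
    fi
}

# chmod before chflags: once schg is set, chmod is refused too.
# chflags only exists on BSD systems; elsewhere the files stay mutable.
lock_files() {
    chmod 600 "$@"
    if command -v chflags >/dev/null 2>&1; then
        chflags schg "$@" || echo "warning: chflags schg failed" >&2
    else
        echo "warning: no chflags on this system; files not made immutable" >&2
    fi
}

# install_ipredator DIR USERID PASSWORD  < base64-encoded-config
install_ipredator() {
    dir=$1 user=$2 pass=$3
    cd "$dir"
    decode_to_file client1.conf
    write_auth_file IPredator.auth "$user" "$pass"
    lock_files client1.conf IPredator.auth
    echo "client1.conf mode $(file_mode client1.conf), IPredator.auth mode $(file_mode IPredator.auth)"
}

# Usage on the router:  sh install.sh /var/etc/openvpn USERID PASSWORD < config.b64
if [ "$#" -eq 3 ]; then
    install_ipredator "$@"
fi
```

Run it as root on the router with the base64 blob on stdin. Because the umask is applied inside a subshell, the caller's umask is left untouched, and the chmod/chflags order matters: schg blocks further mode changes, so the permissions are set first.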

To clear the immutable flag again, the kernel must be running at kern.securelevel 0 or lower (the -1 shown below is the FreeBSD default); then use chflags noschg:

[2.2-RELEASE][root@pfSense]/var/etc/openvpn: sysctl kern.securelevel
kern.securelevel: -1
[2.2-RELEASE][root@pfSense]/var/etc/openvpn: chflags noschg client1.conf
[2.2-RELEASE][root@pfSense]/var/etc/openvpn: chflags noschg IPredator.auth

Check the result with ls -lo; the -o option adds the column with the file flags:

[2.2-RELEASE][root@pfSense]/var/etc/openvpn: ls -lo
total 14
-rw-------  1 root  wheel  schg 1337 Jan 23 23:42 IPredator.auth
-rw-------  1 root  wheel  -    1876 Jan 23 23:42 client1.ca
-rw-------  1 root  wheel  -    1501 Jan 23 23:42 client1.cert
-rw-------  1 root  wheel  schg 3524 Jan 23 23:42 client1.conf
-rw-------  1 root  wheel  -       3 Jan 23 23:42 client1.interface
-rw-------  1 root  wheel  -     987 Jan 23 23:42 client1.key
srwxrwxrwx  1 root  wheel  -       0 Jan 23 23:42 client1.sock

Start the VPN connection

Back in the GUI, simply restart the OpenVPN service (Status > OpenVPN). Then check the OpenVPN log, either in the GUI or on the command line with tail -F /var/log/openvpn.log.

Verification

To verify that the VPN connection came up correctly, first run ifconfig -a on the command line and check that the OpenVPN client interface (pfSense names them ovpncN, here ovpnc1) is listed as UP and RUNNING with an inet address:

[2.2-RELEASE][root@pfSense]/: ifconfig -a
[..]
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 46.246.41.236 --> 46.246.41.236 netmask 0xffffff00 
        Opened by PID 25694

Issue netstat -rn -f inet to see whether the routing table was altered correctly. The following entries are essential:

  • A host route to the VPN server (in this example 46.246.41.130) via the physical uplink, so that the tunnel traffic itself is not routed into the tunnel.
  • A new split default route (destinations 0.0.0.0/1 and 128.0.0.0/1) via the tunnel interface, which wins over the existing default route because it is more specific.

[2.2-RELEASE][root@pfSense]/: netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
0.0.0.0/1          46.246.41.1        UGS      ovpnc1
default            192.168.23.254     UGS         re0
46.246.41.0/24     46.246.41.236      UGS      ovpnc1
46.246.41.130/32   192.168.23.254     UGS         re0
46.246.41.236      link#8             UH       ovpnc1
127.0.0.1          link#6             UH          lo0
128.0.0.0/1        46.246.41.1        UGS      ovpnc1
192.168.23.0/24    link#1             U           re0
192.168.23.70      link#1             UHS         lo0
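The two verification checks above (interface state in ifconfig -a, essential routes in netstat -rn -f inet) as an added example script, not part of the IPredator howto or of pfSense: it parses the command output with awk and fails loudly if the tunnel interface is down or a route is missing, so the check can be scripted instead of eyeballed. The function names are this example's own; the sample outputs are constructed in the shape pfSense 2.2 prints, with the ovpnc1 and route lines taken from the howto's example values.

```sh
#!/bin/sh
# Added example, not part of the IPredator howto: verify the tunnel interface
# and the routing table entries the howto lists as essential.
set -u

# check_vpn_interface IFNAME  < ifconfig-output
# Succeeds if IFNAME is UP and RUNNING and has an inet address.
check_vpn_interface() {
    awk -v vpnif="$1" '
        /^[a-z0-9]+: / { cur = substr($1, 1, length($1) - 1) }
        cur == vpnif && $2 ~ /^flags=/ {
            if ($2 ~ /[<,]UP[,>]/ && $2 ~ /[<,]RUNNING[,>]/) up = 1
        }
        cur == vpnif && $1 == "inet" { addr = $2 }
        END {
            if (!up)        { print "FAIL: " vpnif " is not UP and RUNNING"; exit 1 }
            if (addr == "") { print "FAIL: " vpnif " has no inet address";  exit 1 }
            print "OK: " vpnif " is up with address " addr
        }'
}

# check_vpn_routes SERVER_IP IFNAME  < netstat-output
# Succeeds if both halves of the split default route point at IFNAME and the
# /32 host route to the VPN server leaves through some other interface; if it
# pointed into the tunnel, the tunnel packets themselves would be routed into
# the tunnel and the connection could not work.
check_vpn_routes() {
    awk -v server="$1" -v vpnif="$2" '
        BEGIN { hostdst = server "/32"; ok = 1 }
        $1 == "0.0.0.0/1"   && $4 == vpnif { low  = 1 }
        $1 == "128.0.0.0/1" && $4 == vpnif { high = 1 }
        $1 == hostdst       && $4 != vpnif { host = 1 }
        END {
            if (!low)  { print "FAIL: no 0.0.0.0/1 route via " vpnif;   ok = 0 }
            if (!high) { print "FAIL: no 128.0.0.0/1 route via " vpnif; ok = 0 }
            if (!host) { print "FAIL: no host route to " server " outside " vpnif; ok = 0 }
            if (ok) print "OK: split default via " vpnif ", host route to " server " kept"
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample output (not captured from a real router).
sample_ifconfig() {
    cat <<'EOF'
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.23.70 netmask 0xffffff00 broadcast 192.168.23.255
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 46.246.41.236 --> 46.246.41.236 netmask 0xffffff00
        Opened by PID 25694
EOF
}

sample_netstat() {
    cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
0.0.0.0/1          46.246.41.1        UGS      ovpnc1
default            192.168.23.254     UGS         re0
46.246.41.0/24     46.246.41.236      UGS      ovpnc1
46.246.41.130/32   192.168.23.254     UGS         re0
46.246.41.236      link#8             UH       ovpnc1
127.0.0.1          link#6             UH          lo0
128.0.0.0/1        46.246.41.1        UGS      ovpnc1
192.168.23.0/24    link#1             U           re0
192.168.23.70      link#1             UHS         lo0
EOF
}

# Live use on the router:  sh verify.sh 46.246.41.130 ovpnc1
if [ "$#" -eq 2 ]; then
    ifconfig -a | check_vpn_interface "$2" || exit 1
    netstat -rn -f inet | check_vpn_routes "$1" "$2" || exit 1
fi
```

The route check deliberately insists that the host route to the VPN server leaves through an interface other than the tunnel; a routing table in which that /32 points at ovpnc1 is the classic symptom of a broken or looping configuration, even though every "essential" destination appears to be present.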