OpenVPN server configuration with maximum security in pfSense

The pfSense operating system, which is oriented to firewall and router, has several VPN protocols to interconnect sites through Site-to-Site VPN, and we can also configure remote access VPN to interconnect different mobile clients with each other, and so that all Internet traffic goes through the operating system itself. OpenVPN is one of the most used softwares to create virtual private networks, thanks to its security, flexibility and good operation. Today in RedesZone we are going to explain step by step how to configure the OpenVPN server that is inside pfSense.

What is the OpenVPN built into pfSense and what is it for?

OpenVPN is a software that allows us to build virtual private networks, we will have a control channel where the lifting of the tunnel and the negotiation of the encryption protocols will be managed, and we will have a data channel where all the tunnel traffic will be encrypted point to point . One of the strengths of OpenVPN in pfSense is that the vast majority of available options are available through a very intuitive graphical user interface, this will allow us to configure it without the need to manually incorporate any directive in the “options” field. advanced ». The OpenVPN software that we have integrated into pfSense will allow us to create and configure two types of architectures:

  • Remote Access VPN – Remote clients will connect to the pfSense VPN server, and go out to the Internet through us. They will also be able to access the subnets that we indicate. This type of VPN is aimed at telecommuters, network and systems technicians, etc.
  • Site-to-Site VPN : this architecture allows us to intercommunicate one site with another, to intercommunicate different sites through the Internet and that all traffic is protected point-to-point. For example, with this type of VPN we can communicate offices, company headquarters, etc.

OpenVPN supports dozens of different configurations, both to improve performance and security. pfSense allows different types of authentication, but the most recommended is based on SSL / TLS certificates to ensure authenticity, confidentiality and integrity, and it is not recommended to use pre-shared keys. In addition to incorporating authentication based on SSL / TLS certificates, we could also incorporate additional authentication with username / password, to have a more robust system. pfSense allows you to export the private key of the certificates with a password, in this way, to be able to use these certificates we would also have to incorporate an additional password, otherwise, it would not work.

The OpenVPN server integrated in pfSense will allow us to connect to our home or work remotely, quickly and safely, regardless of whether the network is wired or WiFi. All traffic will be end-to-end encrypted from our OpenVPN client (which is installed on a computer, smartphone or tablet) to the pfSense OpenVPN server. A very important detail is that the OpenVPN server must be installed in an Internet connection outside of CG-NAT, and with the rules in the firewall open to allow the connection, otherwise, we will not be able to connect through the Internet.

Of course, on the server we can add different subnets to route traffic through the different subnets that we have in pfSense, and we can even configure in the firewall whether or not we want to allow those accesses from a specific OpenVPN server IP address. With OpenVPN we have two ways of managing packages and how they work at the transport layer level:

  • TUN : this operating mode allows encapsulation of all the packets that are transported through it as TCP segments or UDP datagrams. All clients will be provided with a specific new subnet, by default the OpenVPN subnet is but we can configure the one we want.
  • TAP : this operating mode simulates an Ethernet network interface, it is also known as a bridge, and what this virtual tunnel does is directly encapsulate Ethernet packets. The bridge operation mode is useful to intercommunicate remote users easily, but if the source private network matches the destination one, we will have a routing problem and the communication will not work.

In this tutorial to configure OpenVPN in pfSense we will use a virtual subnet where we will have all the VPN clients when they connect, it will be very easy to identify the different VPN clients that we have connected to the network, in addition, we can “force” so that each client with a specific certificate always has the same private IP address of the VPN tunnel.

In this manual we are going to teach you how to make a very secure OpenVPN configuration in pfSense, customizing the symmetric, asymmetric and hash encryption algorithms. In this way, we can have the best possible encryption of communications.

Summary of the cryptography to use

  • Digital certificates : OpenVPN allows the use of digital certificates based on RSA or also EC (Elliptical Curves), we will use the EC algorithm secp521r1, although we have many others available through the pfSense certificate management. The hash algorithm that we will use will be SHA512, one of the safest that we can currently use. All VPN clients from version 2.4 should be compatible with this configuration, in our case, both the server and the clients use OpenVPN 2.5 or higher, so there should be no problems.
  • OpenVPN control channel : we will use TLS 1.3 for maximum security, and always using PFS (Perfect Forward Secrecy). We will use the three cryptographic suites of TLS 1.3 to establish communication: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_GCM_SHA256. If you want to check if your server or client supports this type of encryption, you must put in the console “openvpn –show-tls”.
  • OpenVPN data channel : we will use the AES-256-GCM symmetric encryption algorithm, one of the most secure currently and which has been incorporated into OpenVPN 2.4 and later. However, we will also use CHACHA20-POLY1305 and AES-128-GCM for the VPN client to choose the one they want, giving priority to the first one. If you want to check if your server or client supports these types of encryption, you must put in the console “openvpn –show-ciphers”.

To define in the data channel that we want to make use of TLS 1.3, we will have to use the directive “tls-ciphersuites” instead of the typical “tls-cipher” as we have always used. It would be as follows:

tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

In addition to these security measures, we will include an HMAC signature for the first TLS negotiation, this will allow us to protect the OpenVPN server against possible DoS attacks. If the client does not have the correct HMAC signature, it is automatically blocked and will not go on to check the digital certificates. We will use tls-crypt that is available from OpenVPN 2.4 and later, to have the best security because it allows us to authenticate and encrypt the channel so that no one is able to capture this pre-shared key.

Finally, we will use the UDP protocol instead of TCP, because it is stronger against denial of service attacks, we must remember that UDP is non-connective, unreliable and not connection-oriented. However, we can use TCP without any problem to provide the VPN with all the benefits of this protocol.

Install the OpenVPN Client plugin to generate the configuration

Although OpenVPN is installed by default in pfSense, either in its server or client mode, we do not have a pre-installed package that allows us to automatically generate the configuration for the clients. If we go to the package manager in «System / Package Manager» and we go to the «Available Packages» tab we can install the «OpenVPN-client-export» package that will allow us to carry out precisely this action, to greatly facilitate the configuration of clients, importing the server configuration with their corresponding digital certificates.

Once installed, we will be ready to move on to the next step, creating the digital certificates.

Create digital certificates in pfSense itself

To configure an OpenVPN server with “Remote access SSL / TLS” authentication, we must make use of digital certificates. We will have to create a certification authority (CA) with which to sign the different certificates, we have to create a specific certificate for the OpenVPN server and server type, as well as all the digital certificates of the VPN clients that we want to register.

We can also create a certificate revocation list, if a certificate is compromised because we have lost it, we can cancel it directly so that it is not valid. In case an illegitimate user uses it, you will not be able to connect to our VPN server in any way.

Create the CA (Certification Authority)

In the “CAs” section is where we must click on “Add” to create a new certification authority, doing this is essential to make all digital certificates work correctly, both the server and those of the VPN clients that are going to be used. connect. In this menu we must choose the following options:

  • Create / Edit CA
    • Descriptive Name: we put a descriptive name to this CA, whatever we want.
    • Method: Create an internal Certificate Authority.
  • Internal Certificate Authority
    • Key type: ECDSA with secp521r1 which is compatible with OpenVPN.
    • Digest Algorithm: sha512
    • Lifetime Days: 3650 (10 years)
    • Common-name: the CN must be a descriptive name, which uniquely describes this CA. In our case we only have a CA for OpenVPN, so we have simply put “openvpn-ca”
    • Country Code: none. This is no longer necessary to fill in the new OpenVPN certificates.

The CA configuration would be as follows:

In the different menus we can choose other configuration options, such as importing a CA that we have already created, or creating an intermediate CA, we will create a CA and then the certificates, without using any intermediate CA.

We will also be able to choose between RSA or ECDSA, and even use different RSA key lengths and different EC algorithms for creating the CA. In “Digest algorithm” we can choose different hashing algorithms, the most recommended are sha256, sha384 and sha512, you should never use sha1 for safety.

Once the CA is created, it will appear in the CA list as you can see here:

In this menu we can see the number of certificates associated with it, the CN, the validity of the certificate and if we currently have this CA in use. When we have a CA or certificate in use, we will not be able to remove it. In the «Actions» section we can edit the description of the certificate, export the public key of the CA, the private key, renew the CA and even delete the CA we just created.

Create the OpenVPN server certificate

Now we have to create the certificate that the OpenVPN server integrated in pfSense will use. We go to the “Certificates” section and click on “Add / Sign”, we will always have a preconfigured certificate in pfSense because the HTTPS protocol uses it to connect, otherwise it might not work. This certificate is created automatically when you install the operating system.

The certificate creation menu is very similar to the previous one, we will have to choose between three options:

  • Method:
    • Create an internal certificate.
    • Import an existing certificate.
    • Create a certificate signing request.
    • Sign a certificate signing request.

We are going to select the first option, create an internal certificate.

Next, we will have to give it a descriptive name, whatever we want, and the configuration must be as follows:

  • Add / Sign a New Certificate
    • Method: Create an internal Certificate Authority.
    • Descriptive Name: we put a descriptive name to this certificate, whatever we want.
  • Internal Certificate
    • Certificate Authority: we must choose the previous CA that we just created in the previous step.
    • Key type: ECDSA with secp521r1 which is compatible with OpenVPN. The same as the CA.
    • Digest Algorithm: sha512
    • Lifetime Days: 3650 (10 years)
    • Common-name: the CN must be a descriptive name, which unequivocally describes this server certificate. In our case we only have a server certificate, so we have simply indicated openvpn-server.
    • Country Code: none. This is no longer necessary to fill in the new OpenVPN certificates.

If we have a certificate with a duration of more than 398 days it is possible that it will give us errors on some platforms, this is in a general way, but not for OpenVPN. Therefore, we can set the duration that we want without problems, it will not give us failure.

At the bottom, we must choose the following options:

  • Certificate Attributes:
    • Certificate Type: server certificate
    • Alternative Name: we can leave it with nothing, completely empty.

We must bear in mind that right now we are configuring the digital certificate for the OpenVPN server, therefore, we must choose “Server Certificate”.

The “Alternative Name” section is often used for IPsec certificates, but we won’t use it in OpenVPN.

Once created, we will see it in the list of certificates, in addition, we can also see the CA with which we have signed the certificate and if it is of the server type.

This digital certificate for the server is the one that we will have to put when configuring the OpenVPN server in pfSense, we must remember very well the name that we have given it, because later it will take us a list with all the certificates.

Create certificates for all clients

To create one or more digital certificates for clients, we must do exactly the same process as for the server certificate.

  • Add / Sign a New Certificate
    • Method: Create an internal Certificate Authority.
    • Descriptive Name: we put a descriptive name to this client certificate.
  • Internal Certificate
    • Certificate Authority: we must choose the previous CA that we created in the first step.
    • Key type: ECDSA with secp521r1 which is compatible with OpenVPN. The same as the CA.
    • Digest Algorithm: sha512
    • Lifetime Days: 3650 (10 years)
    • Common-name: the CN must be a descriptive name, which uniquely describes this client certificate. In our case we only have a client certificate, so we have simply indicated openvpn-client1.
    • Country Code: none. This is no longer necessary to fill in the new OpenVPN certificates.

In the “Certificate Attributes” section we will have to configure it as follows:

  • Certificate Attributes:
    • Certificate Type: user certificate
    • Alternative Name: we can leave it with nothing, completely empty.

Once created, we can see the new list of certificates created in pfSense.

If we click on edit, the only thing we can do is modify the descriptive name, but we can also export the private key with a passphrase, if we put a password, the private key itself will be encrypted with AES-256-CBC to protect its content, and, therefore, avoid that if it falls into the wrong hands they can read and use it. This is what we have used to export the clients’ certificate, as we will show you later.

If we want to create more customer certificates we can do it in the same way, all we have to do is put a different description and also a different CN.

Once we have finished creating all the certificates of the clients that are going to connect to the OpenVPN server, we proceed to configure the server step by step.

Configure OpenVPN server with all options explained

To configure the OpenVPN server, all we have to do is go to the main menu of pfSense, click on the “VPN” section and select ” OpenVPN “.

In the “OpenVPN” section we must click on “Servers” and click on “Add” to add a new OpenVPN server.

Within the OpenVPN server configuration, we must choose the following options:

  • General Information:
    • Server Mode: Remote Access (SSL / TLS)
    • Protocol: UDP
    • Device Mode: tun
    • WAN interface
    • Local Port: 1194, by default it is this port, it is recommended to change it.
    • Description: we put a description of this OpenVPN server, because we can create several.

In the “Protocol” section we have different configuration options, by default it is “UDP on IPv4 only”, since we can also use TCP, and even TCP and UDP, and also for IPv6 networks, if we use this protocol. net. In the “Device Mode” section we can choose tun or tap, as we have explained previously, tun is at the level of layer 3, and tap is at the level of layer 2, with its strengths and weaknesses. In the “Interface” section, the most normal thing is to use the WAN, but we can be listening with this OpenVPN server on all interfaces. Finally, in “Local port” we can modify the TCP and / or UDP port that we want, it is advisable not to use the default port which is 1194.

In the ” Cryptographic Settings ” section we can configure everything regarding SSL / TLS digital certificates, then we explain all the options:

  • Cryptographic Settings
    • TLS Configuration: we enable the use of a TLS key, to make use of the tls-crypt, we click on automatically generate the TLS key. When saving the changes, it will appear if we want to use “Authentication” or also “Encryption”, the latter is recommended to use the new tls-crypt instead of tls-auth that we had previously.
    • Peer Certificate Authority: we select the CA that we have created in pfSense itself for this OpenVPN server.
    • Peer certificate Revocation list: if we create a certificate revocation list, we create it in the “System> Cert.Manager” section and select here the list that we created previously.
    • Server Certificate: we choose the OpenVPN server, in our case, it is “OpenVPN_ServidorOVPN (Server: Yes)”
    • DH Parameter Length: ECDH Only
    • ECDH Curve: we choose secp521r1

In the “Data Encryption Negotiation” section we enable it, and we choose the symmetric ciphers that we want to use for the data channel. In our case, we have chosen a total of 3: AES-256-GCM, AES-128-GCM and also the new CHACHA20-POLY1305 that they have recently incorporated. We must also choose a «Fallback» algorithm in case the OpenVPN client is not compatible, in this case we choose AES-256-CBC, but if you want maximum security, we recommend choosing AES-256-GCM to force it not to connect If we do not use strong encryption, nothing to use AES-256-CBC, if there are old clients we must update them.

In “Auth Digest Algorithm” we will choose SHA256 or SHA512, always safe hash functions.

In the “Hardware Crypto” section: if we have hardware encryption acceleration, we will choose it here so that the connection to the VPN works faster, if we do not have or do not want to enable it, we leave the default value.

In «Certificate Depth» we select «One (Client + Server)».

Leave a Reply

Your email address will not be published.

Back to top button