====== OPNsense Road Warrior ======

  - Create a Certificate Authority (hint: use an existing one if you want)
    - System | Trust | Authorities
    - Add and select Create Internal
      - Name - System CA (or something)
      - Lifetime - 3650 (10 years)
      - Fill in the rest of the fields
      - Click Save
  - Set up local authentication
    - System | Settings | Administration | Server = Local Database
  - Create a Server Certificate (I recommend you create a new one)
    - System | Trust | Certificates
    - Add and select Create Internal
      - Descriptive Name - VPN Road Warrior Server Certificate
      - Certificate authority - Select System CA
      - Type - Server Certificate
      - Lifetime - 3650 (10 years)
      - Common Name - roadwarriorservercert
  - Server Settings
    - VPN | OpenVPN | Servers
    - Use the wizard to create
      - Type of Server - Local User Access
      - Certificate Authority - System CA
      - Server Certificate - VPN Road Warrior Server Certificate
    - General Settings
      - Interface - WAN
      - Protocol - UDP
      - Local Port - Choose one around 1190 which is not used by something else
      - Description - Road Warrior
    - Cryptographic Settings - I just leave them at default
    - Tunnel Settings
      - IPv4 Tunnel Network - any subnet defined for private use (i.e., 10., 172., 192.)
      - IPv6 Tunnel Network - I don't use it
      - Redirect Gateway - check if you want all traffic to be forced through the tunnel. More secure, but uses more bandwidth
      - IPv4 Local Network - the subnet on your LAN
      - Concurrent Connections - maximum number of simultaneous VPN connections allowed at one time (all users)
      - Inter-Client Communication - check if you want VPN users to "see" each other
      - Duplicate Connections - check if you want one user to be able to use the same settings simultaneously on different computers
      - I generally leave the rest alone; you can change it later if you want
    - Firewall Rule Configuration
      - Check the first box to have it automagically create the firewall rules that allow VPN connections
        - After creation, you can go to Firewall | Rules | WAN and see the rule that allows entry
        - You can also go to Firewall | Rules | OpenVPN to see the rule that allows traffic after the connection is established
      - Check the second box if you want users to be forced to pass all traffic through the VPN connection
  - System | Access | Groups (optional, allows RoadWarriors to change their passwords)
    - Add
      - Group Name - Road Warrior
      - Description - Road Warrior Users
      - Save
    - Edit
      - Assign Privileges (hint: use the filter)
        - Lobby: Login / Logout / Dashboard
        - GUI: System: User Password Manager
  - System | Access | Users
    - Add
      - Username - I use all lower case, no special chars (including spaces)
      - Password - Put in a good password (the user can change it if you set up the group)
      - If the user should be able to log in from the CLI or SSH, change the login shell
      - Expiration Date - Leave blank to not expire
      - Group Memberships - RoadWarrior
      - Certificate - Click to create a user certificate
      - Save; it will go to the Create a Certificate page
        - Method - Create an internal certificate
        - Lifetime - 3650 = 10 years, or whatever you want
          - When the cert expires, the user will no longer be able to use the VPN and you must generate a new cert
        - Change the fields below if you want; the default is usually sufficient
        - Click Save; you will return to the User screen for that user
      - Add an SSH authorized_keys file (with the public SSH key) if you want
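An added example, not part of this wiki page and not OPNsense's own tooling: a POSIX shell script that rebuilds the same three-level hierarchy the GUI steps above create (System CA, a server certificate of the Server Certificate type, a user certificate) with plain openssl, then runs the checks worth making before handing out a client export: that each cert chains to the CA, that only the server cert carries the serverAuth extended key usage (the property the Server Certificate type provides, and what an OpenVPN client configured with "remote-cert-tls server" uses to tell the server from another user's cert), and whether a cert is still valid for a given number of days (the page's point that an expired user cert silently ends that user's VPN access). The CA name, the server Common Name and the 3650-day lifetime follow the page; the work directory, file names and the user name "alice" are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page or from OPNsense: rebuild the
# System CA -> server certificate -> user certificate hierarchy with plain
# openssl and run the checks an admin wants before handing out a client
# export. CA name, server Common Name and the 3650-day lifetime come from
# the page; $WORK, the file names and the user "alice" are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LIFETIME_DAYS=3650      # the page's 10-year lifetime

# Build ca.crt, server.crt and alice.crt under $WORK. The server cert gets
# the serverAuth EKU that the GUI's "Type: Server Certificate" adds; the
# user cert gets clientAuth only, so it can never pass as a server.
build_hierarchy() {
    (
        cd "$WORK"
        # 1. System CA: self-signed, CA:TRUE, cert-signing key usage
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=System CA" \
            -keyout ca.key -out ca.csr >/dev/null 2>&1
        openssl x509 -req -in ca.csr -signkey ca.key -days "$LIFETIME_DAYS" \
            -extfile ca.ext -out ca.crt >/dev/null 2>&1
        # 2. Server certificate, Common Name as on the page, signed by the CA
        printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=roadwarriorservercert" \
            -keyout server.key -out server.csr >/dev/null 2>&1
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days "$LIFETIME_DAYS" -extfile server.ext -out server.crt >/dev/null 2>&1
        # 3. User certificate (what "Certificate - Click to create" produces)
        printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > alice.ext
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
            -keyout alice.key -out alice.csr >/dev/null 2>&1
        openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days "$LIFETIME_DAYS" -extfile alice.ext -out alice.crt >/dev/null 2>&1
    )
}

# Return 0 when the certificate ($1, relative to $WORK) chains to ca.crt.
chain_ok() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1" >/dev/null 2>&1
}

# Return 0 when $1 carries the serverAuth EKU. An OpenVPN client configured
# with "remote-cert-tls server" rejects a peer whose certificate lacks it,
# which is why the page picks Type: Server Certificate for the server cert.
has_server_eku() {
    openssl x509 -in "$WORK/$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# Return 0 when $1 is still valid for at least $2 more days. Once a user
# cert expires the VPN stops working for that user, so run this over the
# issued certs periodically and reissue before the deadline.
valid_for_days() {
    openssl x509 -in "$WORK/$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# One-line summary per certificate, printed when the script is run directly.
report() {
    for cert in server.crt alice.crt; do
        chain_ok "$cert"          && chain=yes || chain=no
        has_server_eku "$cert"    && eku=serverAuth || eku=no-serverAuth
        valid_for_days "$cert" 30 && exp=ok || exp=EXPIRING
        printf '%-12s chain=%-3s eku=%-13s expiry(30d)=%s\n' "$cert" "$chain" "$eku" "$exp"
    done
}

build_hierarchy
report
```

Run it as-is to see the report for the constructed hierarchy; to audit real exports, point the three check functions at the certificate files extracted from a client bundle (the server cert and CA are also visible under System | Trust in the GUI). The serverAuth check is the one that catches the common mistake of issuing the server its certificate as a plain user cert, which works until a client enforces remote-cert-tls.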
  - VPN | OpenVPN | Client Export
    - Remote Access Server - change it if you have more than one and want to select a particular one
    - Host Name Resolution - choose how the client knows what to connect to
      - Since I try to set up my firewalls using a DNS name as its name, I usually select "Installation hostname"
      - If you have a static IP, you can use the Interface IP Address
      - If you need to manually put something in, choose "Other"
    - You can protect the certificate with a password by checking "Use a password to protect pkcs12 file". Users will have to enter that password, then use their username/password to make the connection
    - For each user, select the Export type. "Others" fits about anyplace and is a single file, but if you are using Viscosity, or are using it on a tablet/phone, use one of the specific options

===== Links =====
  * [[https://www.kirkg.us/posts/building-an-openvpn-server-with-opnsense/]]
  * [[https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server]]