other:networking:opnsense:roadwarrior (revision 2019/07/30 23:18, current; created by external edit from 127.0.0.1)
====== opnSense Road Warrior ======

  - Create a Certificate Authority (hint: use an existing one if you want)
    - System | Trust | Authorities
    - Add and select Create Internal
      - Name - System CA (or something)
      - Lifetime - 3650 (10 years)
      - Fill in the rest of the fields
      - Click Save
  - Set up local authentication
    - System | Settings | Administration | Server = Local Database
  - Create a Server Certificate (I recommend you create a new one)
    - System | Trust | Certificates
      - Descriptive Name - VPN Road Warrior Server Certificate
      - Certificate authority - select System CA
      - Type - Server Certificate
      - Lifetime - 3650 (10 years)
      - Common Name - roadwarriorservercert
  - Server Settings
    - VPN | OpenVPN | Servers
    - Use the wizard to create the server
      - Type of Server - Local User Access
      - Certificate Authority - System CA
      - Server Certificate - VPN Road Warrior Server Certificate
      - General Settings
        - Interface - WAN
        - Protocol - UDP
        - Local Port - choose one around 1190 which is not used by something else
        - Description - Road Warrior
      - Cryptographic Settings - I just leave them at default
      - Tunnel Settings
        - IPv4 Tunnel Network - any subnet defined for private use (i.e. a 10., 172. or 192. range)
        - IPv6 Tunnel Network - I don't use it
        - Redirect Gateway - check if you want all traffic to be forced through the tunnel. More secure, but uses more bandwidth
        - IPv4 Local Network - the subnet on your LAN
        - Concurrent Connections - maximum number of simultaneous VPN connections allowed at one time (all users)
        - Inter-Client Communication - check if you want VPN users to "
        - Duplicate Connections - check if you want one user to be able to use the same settings simultaneously on different computers
      - I generally leave the rest of it alone; you can change it later if you want.
    - Firewall Rule Configuration
      - Check the first box to get it to automagically create the firewall rules to allow VPN connections
        - After creation, you can go to Firewall | Rules | WAN and see the rule that allows entry
        - You can also go to Firewall | Rules | OpenVPN to see the rule that allows traffic after the connection is established
      - Check the second box if you want users to be forced to pass all traffic through the VPN connection
  - System | Access | Groups (optional; allows Road Warriors to change their own passwords)
    - Add
      - Group Name - Road Warrior
      - Description - Road Warrior Users
      - Save
    - Edit
      - Assign Privileges (hint: use the filter)
        - Lobby: Login / Logout / Dashboard
        - GUI: System:User Password Manager
  - System | Access | Users
    - Add
      - Username - I use all lower case, no special characters (including spaces)
      - Password - put in a good password (the user can change it if you set up the group)
      - If the user should be able to log in from the CLI or SSH, change the login shell
      - Expiration Date - leave blank so the account does not expire
      - Group Memberships - RoadWarrior
      - Certificate - click to create a user certificate
      - Save; it will go to the Create a Certificate page
        - Method - Create an internal certificate
        - Lifetime
          - 3650 = 10 years, or whatever you want
          - When the cert expires, the user will no longer be able to use the VPN and you must generate a new cert
        - Change the settings below if you want; the default is usually sufficient
        - Click Save; you will return to the User screen for that user
      - Add an SSH authorized_keys file (with the public SSH key) if you want.
  - VPN | OpenVPN | Client Export
    - Change Remote Access Server if you have more than one and want to select one
    - Host Name Resolution - choose how the client knows what to connect to
      - Since I try to set up my firewalls using a DNS name as its name, I usually select "
      - If you have a static IP, you can use the Interface IP Address
      - If you need to manually put something in, choose "
    - You can protect the certificate with a password by checking Use a password to protect pkcs12 file. Users will have to use that password, then use their username/
    - For each user, select Export type. "
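The GUI steps above build a three-level trust chain: the System CA, the server certificate signed by it, and one certificate per user signed by it. The script below is an added example (not from the wiki page and not OPNsense's own code) that builds the same chain with plain openssl, checks that each leaf verifies against the CA, and checks how long a certificate remains valid, which matters because the page notes that an expired user cert locks that user out until a new one is generated. "System CA", "roadwarriorservercert" and the 3650-day lifetime are the page's own values; the scratch directory, the user name "alice" and the extendedKeyUsage choice (serverAuth for the server, clientAuth for users, which is what distinguishes a "Server Certificate" from a user certificate) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the wiki page): reproduce the certificate hierarchy the
# GUI steps create (System CA -> server cert -> per-user cert) with openssl, verify
# the chain, and check how long each certificate stays valid.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for keys and certs
LIFETIME=3650                  # 10 years, as on the page

# Step 1: the Certificate Authority ("System CA"). The default openssl.cnf marks
# a "req -x509" certificate as CA:TRUE, so it can sign the certificates below.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$LIFETIME" \
        -subj "/CN=System CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 3 and 6: a leaf certificate signed by the CA. The role selects the
# extendedKeyUsage; a client cert issued this way cannot be presented as the
# VPN server, and the server cert cannot be used as a user credential.
make_cert() {
    name="$1"; role="$2"
    case "$role" in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$WORK/$name.ext"
    openssl x509 -req -sha256 -days "$LIFETIME" -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Verify that a certificate chains to the CA, then print its extended key usage.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/$1.crt" -noout -text \
        | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Exit 0 if the certificate is still valid $2 days from now. "-checkend" is the
# portable way to warn before a user is locked out (FreeBSD's date, which
# OPNsense uses, has no -d option for parsing the notAfter string).
valid_for_days() {
    openssl x509 -in "$WORK/$1.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

make_ca
make_cert roadwarriorservercert server
make_cert alice client            # assumption: example VPN user name
echo "server: $(verify_cert roadwarriorservercert)"
echo "alice:  $(verify_cert alice)"
valid_for_days alice 30 && echo "alice's certificate is good for at least 30 more days"
```

Running `valid_for_days <user> 30` for every user certificate from cron gives you the advance warning the GUI does not: a non-zero exit means that certificate expires within the month and should be reissued before the user loses access.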
+ | |||
+ | |||
+ | |||
+ | ===== Links ===== | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
other/networking/opnsense/roadwarrior.txt · Last modified: 2019/07/30 23:18 by 127.0.0.1