other:networking:opnsense:roadwarrior (current version 2019/07/30 23:18; previous version 2019/03/18 00:10)

====== OPNsense Road Warrior ======

  - Create a Certificate Authority (hint: use an existing one if you want)
    - System | Trust | Authorities
    - Add and select Create Internal
      - Name - System CA (or something similar)
      - Lifetime - 3650 (10 years)
      - Fill in the rest of the fields
      - Click Save
  - Set up local authentication
    - System | Settings | Administration | Server = Local Database
  - Create a Server Certificate (I recommend you create a new one)
    - System | Trust | Certificates
    - Add and select Create Internal
      - Descriptive Name - VPN Road Warrior Server Certificate
      - Certificate authority - Select System CA
      - Type - Server Certificate
      - Lifetime - 3650 (10 years)
      - Common Name - roadwarriorservercert
  - Server Settings
    - VPN | OpenVPN | Servers
    - Use the wizard to create the server
    - Type of Server - Local User Access
    - Certificate Authority - System CA
    - Server Certificate - VPN Road Warrior Server Certificate
    - General Settings
      - Interface - WAN
      - Protocol - UDP
      - Local Port - Choose one around 1190 which is not used by something else
      - Description - Road Warrior
    - Cryptographic Settings - I just leave them at default
    - Tunnel Settings
      - IPv4 Tunnel Network - any subnet from the ranges reserved for private use (i.e., a 10.x, 172.16-31.x or 192.168.x range)
      - IPv6 Tunnel Network - I don't use it
      - Redirect Gateway - check if you want all traffic to be forced through the tunnel. More secure, but uses more bandwidth
      - IPv4 Local Network - the subnet on your LAN
      - Concurrent Connections - maximum number of simultaneous VPN connections allowed at one time (all users)
      - Inter-Client Communication - check if you want VPN users to "see" each other
      - Duplicate Connections - check if you want one user to be able to use the same settings simultaneously on different computers
      - I generally leave the rest of it alone; you can change it later if you want.
    - Firewall Rule Configuration
      - Check the first box to have it automagically create the firewall rules that allow VPN connections
        - After creation, you can go to Firewall | Rules | WAN and see the rule that allows entry
        - You can also go to Firewall | Rules | OpenVPN to see the rule that allows traffic once the connection is established
      - Check the second box if you want users to be forced to pass all traffic through the VPN connection
  - System | Access | Groups (optional; allows Road Warriors to change their own passwords)
    - Add
      - Group Name - Road Warrior
      - Description - Road Warrior Users
      - Save
      - Edit
      - Assign Privileges (hint: use the filter)
        - Lobby: Login / Logout / Dashboard
        - GUI: System:User Password Manager
  - System | Access | Users
    - Add
      - Username - I use all lower case, no special characters (including spaces)
      - Password - Put in a good password (the user can change it if you set up the group)
      - If the user should be able to log in from the CLI or SSH, change the login shell
      - Expiration Date - Leave blank so the account does not expire
      - Group Memberships - Road Warrior
      - Certificate - Click to create a user certificate
      - Save; it will go to the Create a Certificate page
      - Method - Create an internal certificate
      - Lifetime
        - 3650 = 10 years, or whatever you want
        - When the cert expires, the user will no longer be able to use the VPN and you must generate a new cert
      - Change the fields below if you want; the default is usually sufficient
      - Click Save; you will return to the User screen for that user
      - Add an SSH authorized_keys entry (the user's public SSH key) if you want.
  - VPN | OpenVPN | Client Export
    - Change Remote Access Server if you have more than one and want to select a specific one
    - Host Name Resolution - choose how the client knows what to connect to
      - Since I try to set up my firewalls using a DNS name as their name, I usually select "Installation hostname"
      - If you have a static IP, you can use the Interface IP Address
      - If you need to manually put something in, choose "Other"
    - You can protect the certificate with a password by checking "Use a password to protect pkcs12 file". Users will have to enter that password, then use their username/password to make a connection
    - For each user, select the Export type. "Others" fits about anyplace and is a single file, but if you are using Viscosity, or are using it on a tablet/phone, use one of the specific options.

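The Tunnel Settings and General Settings chosen in the wizard above correspond to a handful of OpenVPN server directives, and two of the choices (the tunnel network and the local port) are easy to get subtly wrong: a tunnel network that overlaps the LAN leaves clients unable to reach it, and a port already taken on the WAN interface keeps the server from listening. The following Python script is an added example, not OPNsense's own code (OPNsense generates its configuration itself); it takes the wizard choices as a dictionary of constructed sample values, checks that the tunnel network is a private range that does not overlap the LAN and that the port is free, and renders the equivalent directives so you can compare them with what the firewall generated. The names WIZARD_SETTINGS and PORTS_IN_USE and the sample values are assumptions of the example.

```python
import ipaddress

# Constructed sample values standing in for the wizard choices (hypothetical).
WIZARD_SETTINGS = {
    "protocol": "UDP",                  # General Settings - Protocol
    "local_port": 1190,                 # General Settings - Local Port
    "tunnel_network": "10.8.0.0/24",    # Tunnel Settings - IPv4 Tunnel Network
    "local_network": "192.168.1.0/24",  # Tunnel Settings - IPv4 Local Network
    "redirect_gateway": False,          # Tunnel Settings - Redirect Gateway
    "concurrent_connections": 10,       # Tunnel Settings - Concurrent Connections
    "inter_client": False,              # Tunnel Settings - Inter-Client Communication
    "duplicate_connections": False,     # Tunnel Settings - Duplicate Connections
}

# Constructed: ports something else on the WAN interface already listens on.
PORTS_IN_USE = {1194}


def validate(settings, ports_in_use=PORTS_IN_USE):
    """Return a list of problems with the chosen settings (empty list = OK)."""
    problems = []
    tun = ipaddress.ip_network(settings["tunnel_network"], strict=True)
    lan = ipaddress.ip_network(settings["local_network"], strict=True)

    # The tunnel network must come from the private (RFC 1918) ranges ...
    if not tun.is_private:
        problems.append(f"tunnel network {tun} is not a private range")
    # ... and must not collide with the LAN, or clients cannot route to it.
    if tun.overlaps(lan):
        problems.append(f"tunnel network {tun} overlaps the local network {lan}")

    proto = settings["protocol"].upper()
    if proto not in ("UDP", "TCP"):
        problems.append(f"unknown protocol {settings['protocol']!r}")

    port = settings["local_port"]
    if not 1 <= port <= 65535:
        problems.append(f"port {port} is out of range")
    elif port in ports_in_use:
        problems.append(f"port {port} is already in use on the interface")

    if settings["concurrent_connections"] < 1:
        problems.append("concurrent connections must be at least 1")
    return problems


def render_server_directives(settings):
    """Map the wizard fields onto the equivalent OpenVPN server directives."""
    tun = ipaddress.ip_network(settings["tunnel_network"], strict=True)
    lan = ipaddress.ip_network(settings["local_network"], strict=True)
    lines = [
        "dev tun",
        f"proto {settings['protocol'].lower()}",
        f"port {settings['local_port']}",
        # 'server' hands out addresses from the tunnel network to clients
        f"server {tun.network_address} {tun.netmask}",
        # the LAN route is pushed so clients send LAN traffic through the tunnel
        f'push "route {lan.network_address} {lan.netmask}"',
        f"max-clients {settings['concurrent_connections']}",
    ]
    if settings["redirect_gateway"]:
        lines.append('push "redirect-gateway def1"')  # force all client traffic via the VPN
    if settings["inter_client"]:
        lines.append("client-to-client")              # let VPN clients see each other
    if settings["duplicate_connections"]:
        lines.append("duplicate-cn")                  # same user connected more than once
    return lines


if __name__ == "__main__":
    for problem in validate(WIZARD_SETTINGS):
        print("WARNING:", problem)
    print("\n".join(render_server_directives(WIZARD_SETTINGS)))
```

Running the script as-is reports no problems and prints the directives for the sample choices; changing the tunnel network to the LAN's own subnet, or the port to one in PORTS_IN_USE, produces the corresponding warnings before anything is saved on the firewall.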
===== Links =====
  * [[https://www.kirkg.us/posts/building-an-openvpn-server-with-opnsense/]]
  * [[https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server]]