In the last article, configuring a VPN tunnel using IPSec was covered. Here, two more protocols supported by pfSense VPN will be covered: L2TP and OpenVPN.
Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol typically used as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy. It is based on Cisco’s Layer 2 Forwarding Protocol (L2F) and USRobotics Point-to-Point Tunneling Protocol (PPTP).
To start, browse to VPN -> L2TP. On the “Configuration” tab, check the “Enable L2TP Server” radio button. At “Interface”, leave the default setting of “WAN” unchanged, and at “Server address”, specify an unused IP. At “Remote address range”, specify an unused starting IP; the range will extend for as many addresses as the number of users specified at “Number of L2TP users”. At “Subnet mask”, specify a subnet mask. Specify “Number of L2TP users”. Then press “Save” to save the changes. Click on the “Users” tab, and click on the “plus” button to create a new user. Specify a “Username” and “Password” for the new user, and click on “Save” to save the changes. If necessary, click on “Apply changes” to apply the changes.
If you want a VPN tunnel with encryption, you might consider using OpenVPN, which uses a custom security protocol that utilizes Secure Socket Layer/Transport Layer Security (SSL/TLS) for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It also allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multi-client server configuration, it allows the server to issue an authentication certificate to every client, signed by the certificate authority.
To set up an OpenVPN tunnel, first browse to VPN -> OpenVPN. There are four tabs: “Server”, “Client”, “Client Specific Overrides”, and “Wizards”. Click on the “Wizards” tab. At “Type of Server”, the three options are “Local User Access”, “LDAP” (Lightweight Directory Access Protocol, for accessing and maintaining distributed directory information), and “RADIUS” (Remote Authentication Dial In User Service, for providing centralized Authentication, Authorization and Accounting management for computers that connect to and use a network service). For this example, select “Local User Access”, and click “Next”. On the next screen, you can change “Key Length” if you want more or less security (the default length is 2048 bits; the options are 512, 1024, 2048 and 4096 bits). At “Lifetime”, you can change the lifetime of the server certificate; the default is 3650 days (10 years). At “Descriptive name”, enter a name. For “Country Code”, enter US. At “State or Province”, enter any state or province. Enter a “City” and an “Organization”, and at “E-mail” enter an e-mail address. Then click on the “Add new CA” button.
The next screen is for creating a new certificate; the options are almost identical to those for adding a new CA on the previous step. You probably want to input a different “Descriptive name“, but the other options can remain the same. Click on the “Create New Certificate” button and move on to the next screen.
The next screen of the setup wizard has four sections: General OpenVPN Server Information, Cryptographic Settings, Tunnel Settings, and Client Settings. In this example, you can keep “Interface“, “Protocols“, and “Local Ports” unchanged. Enter a “Description” for your reference.
In this example, we will leave everything in “Cryptographic Settings” unchanged. Under “Tunnel Settings”, specify a “Tunnel Network” in CIDR notation. [CIDR notation is a syntax for specifying IP addresses and their associated routing prefix. It appends to the address a slash character and the decimal number of leading bits of the routing prefix, e.g., 192.168.2.0/24 for IPv4, and 2001:db8::/32 for IPv6.] This should be an address range not in use on any interface. At “Local Network”, specify the local network in CIDR notation. At “Concurrent Connections”, specify a maximum number of concurrent connections. Leave “Client Settings” unchanged and click on the “Next” button.
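The L2TP steps above and the OpenVPN tunnel settings both ask for addresses that are “unused”. As an added example (not code from the article or from pfSense), the following Python check takes a constructed addressing plan and verifies that the L2TP server address, the L2TP remote range derived from the starting IP, user count and subnet mask, and the OpenVPN tunnel network all lie outside the LAN and do not collide with each other. The rule that none of these may overlap the LAN or one another is an assumption drawn from that “unused” wording; the sample addresses are constructed.

```python
import ipaddress

# Constructed sample plan (assumption: a /24 LAN); not values from the article.
SAMPLE_PLAN = dict(lan_cidr="192.168.1.0/24", l2tp_server="192.168.2.1",
                   l2tp_start="192.168.2.10", l2tp_users=5,
                   l2tp_mask="255.255.255.0", ovpn_tunnel_cidr="10.8.0.0/24")


def l2tp_client_addresses(start, count):
    """The L2TP remote range: `count` consecutive addresses beginning at `start`."""
    first = ipaddress.ip_address(start)
    return [first + i for i in range(count)]


def check_vpn_addressing(lan_cidr, l2tp_server, l2tp_start, l2tp_users,
                         l2tp_mask, ovpn_tunnel_cidr):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    try:
        # strict=True rejects a CIDR with host bits set, e.g. "192.168.2.1/24"
        lan = ipaddress.ip_network(lan_cidr, strict=True)
        tunnel = ipaddress.ip_network(ovpn_tunnel_cidr, strict=True)
    except ValueError as err:
        return [f"bad CIDR: {err}"]
    server = ipaddress.ip_address(l2tp_server)
    clients = l2tp_client_addresses(l2tp_start, l2tp_users)
    # The subnet the L2TP server address and mask describe; clients must fit in it.
    l2tp_net = ipaddress.ip_network(f"{l2tp_server}/{l2tp_mask}", strict=False)

    if server in lan:
        problems.append("L2TP server address lies inside the LAN")
    if server in clients:
        problems.append("L2TP server address is inside the client range")
    if any(c in lan for c in clients):
        problems.append("L2TP client range overlaps the LAN")
    if not all(c in l2tp_net for c in clients):
        problems.append("L2TP client range is outside the subnet mask")
    if tunnel.overlaps(lan):
        problems.append("OpenVPN tunnel network overlaps the LAN")
    if server in tunnel or any(c in tunnel for c in clients):
        problems.append("OpenVPN tunnel network overlaps L2TP addresses")
    return problems


if __name__ == "__main__":
    for line in check_vpn_addressing(**SAMPLE_PLAN) or ["addressing plan is consistent"]:
        print(line)
```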
There are two rules on the next page: “Traffic from clients to server” and “Traffic from clients through VPN”. Check “Add a rule to permit traffic from clients on the Internet to the OpenVPN server process” and “Add a rule to allow all traffic from connected clients to pass across the VPN tunnel”. Then press the “Next” button. The next screen is the “Configuration Complete!” screen; click on the “Finish” button.
Now, the OpenVPN service will allow external users to establish a secure, encrypted connection to the network. Users will connect to the network using an OpenVPN client and, once authenticated, the user will have access to the network as if they were physically connected.
Part three of this series will cover using VPN with the PPTP protocol.