pfSense VPN: Part Two

In the last article, configuring a VPN tunnel using IPSec was covered. Here, two more protocols supported by pfSense VPN will be covered: L2TP and OpenVPN.

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol typically used as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy. It is based on Cisco’s Layer 2 Forwarding Protocol (L2F) and USRobotics Point-to-Point Tunneling Protocol (PPTP).


To start, browse to VPN -> L2TP. On the “Configuration” tab, check the “Enable L2TP Server” radio button. At “Interface”, leave the default setting of “WAN” unchanged, and at “Server address“, specify an unused IP. At “Remote address range“, specify an unused starting IP; the range will extend from that address for as many addresses as the number of users specified at “Number of L2TP users“. At “Subnet mask“, specify a subnet mask, and then specify the “Number of L2TP users“. Press “Save” to save the changes. Click on the “Users” tab, and click on the “plus” button to create a new user. Specify a “Username” and “Password” for the new user, and click on “Save” to save the changes. If necessary, click on “Apply changes” to apply the changes.

[Figure: The “Add new CA” page in the OpenVPN setup wizard.]

If you want a VPN tunnel with encryption, you might consider using OpenVPN, which uses a custom security protocol that utilizes Secure Socket Layer/Transport Layer Security (SSL/TLS) for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It also allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multi-client server configuration, it allows the server to issue an authentication certificate for every client, signed by a certificate authority (CA).

[Figure: The “Create new Certificate” page in the OpenVPN setup wizard.]

To set up an OpenVPN tunnel, first browse to VPN -> OpenVPN. There are four tabs: “Server“, “Client“, “Client Specific Overrides“, and “Wizards“. Click on the “Wizards” tab. At “Type of Server“, the three options are “Local User Access“, “LDAP” (Lightweight Directory Access Protocol, for accessing and maintaining distributed directory information), and “RADIUS” (Remote Authentication Dial In User Service, for providing centralized Authentication, Authorization and Accounting management for computers that connect and use a network service). For this example, select “Local User Access“, and click “Next“. On the next screen, you can change “Key Length” if you want more or less security (the default length is 2048 bits; the options are 512, 1024, 2048 and 4096 bits). Note that 512- and 1024-bit RSA keys are no longer considered adequate; keep the key length at 2048 bits or more. At “Lifetime”, you can change the lifetime of the CA certificate. The default is 3650 days (10 years). At “Descriptive name” enter a name. For “Country Code“, enter US. At “State or Province“, enter any state or province. Enter a “City” and an “Organization” and at “E-mail” enter an e-mail address. Then click on the “Add new CA” button.


The next screen is for creating a new certificate; the options are almost identical to those for adding a new CA on the previous step. You probably want to input a different “Descriptive name“, but the other options can remain the same. Click on the “Create New Certificate” button and move on to the next screen.

The next screen of the setup wizard has four sections: General OpenVPN Server Information, Cryptographic Settings, Tunnel Settings, and Client Settings. In this example, you can keep “Interface“, “Protocols“, and “Local Ports” unchanged. Enter a “Description” for your reference.

In this example, we will leave everything in “Cryptographic Settings” unchanged. Under “Tunnel Settings“, specify a “Tunnel Network” in CIDR notation. [CIDR notation is a syntax of specifying IP addresses and their associated routing prefix. It appends to the address a slash character and the decimal number of leading bits of the routing prefix, e.g., 192.168.2.0/24 for IPv4, and 2001:db8::/32 for IPv6.] This should be an unused interface range. At “Local Network“, specify the local network in CIDR notation. At “Concurrent Connections“, specify a maximum number of concurrent connections. Leave “Client Settings” unchanged and click on the “Next” button.
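Both the L2TP section above (“Server address“, “Remote address range“, “Number of L2TP users“, “Subnet mask“) and the OpenVPN “Tunnel Network“ / “Local Network“ / “Concurrent Connections“ fields ask the administrator to pick address ranges that are unused and large enough. The following Python script is an added example, not code from the article or from pfSense: it expands those wizard fields into concrete addresses and reports overlaps with the LAN or between the two VPNs, plus a tunnel that is too small for the configured number of clients. All IP values in it are constructed sample inputs. The `addresses_per_client` parameter is an assumption about the OpenVPN topology: 1 address per client for “subnet” topology, 4 for the older “net30” topology where each client gets its own /30.

```python
import ipaddress


def l2tp_remote_addresses(start_ip, user_count, subnet_mask):
    """Expand the L2TP fields 'Remote address range' (start IP) and
    'Number of L2TP users' into the addresses clients will receive, and
    verify every one of them lies inside the subnet given by 'Subnet mask'."""
    start = ipaddress.ip_address(start_ip)
    # strict=False lets a host address stand in for its network
    subnet = ipaddress.ip_network(f"{start}/{subnet_mask}", strict=False)
    addresses = [start + offset for offset in range(user_count)]
    outside = [str(a) for a in addresses if a not in subnet]
    if outside:
        raise ValueError(f"remote range leaves {subnet}: {outside}")
    return addresses


def check_vpn_addressing(lan_cidr, l2tp_server_ip, l2tp_start_ip, l2tp_users,
                         l2tp_mask, openvpn_tunnel_cidr, openvpn_max_clients,
                         addresses_per_client=1):
    """Return a list of addressing problems; an empty list means the plan is clean.

    The checks follow the wizard advice in the article: the L2TP server
    address and the OpenVPN 'Tunnel Network' must be unused ranges, so they
    may not overlap the LAN or each other, and the tunnel must hold at least
    'Concurrent Connections' clients."""
    problems = []
    lan = ipaddress.ip_network(lan_cidr)

    # --- L2TP: server address versus the client pool, and pool versus LAN ---
    server = ipaddress.ip_address(l2tp_server_ip)
    clients = l2tp_remote_addresses(l2tp_start_ip, l2tp_users, l2tp_mask)
    l2tp_subnet = ipaddress.ip_network(f"{l2tp_start_ip}/{l2tp_mask}", strict=False)
    if server in clients:
        problems.append(f"L2TP server address {server} collides with a client address")
    if server not in l2tp_subnet:
        problems.append(f"L2TP server address {server} is outside {l2tp_subnet}")
    if l2tp_subnet.overlaps(lan):
        problems.append(f"L2TP subnet {l2tp_subnet} overlaps the LAN {lan}")

    # --- OpenVPN: tunnel network versus LAN, versus L2TP, and its capacity ---
    tunnel = ipaddress.ip_network(openvpn_tunnel_cidr)
    if tunnel.overlaps(lan):
        problems.append(f"OpenVPN tunnel {tunnel} overlaps the LAN {lan}")
    if tunnel.overlaps(l2tp_subnet):
        problems.append(f"OpenVPN tunnel {tunnel} overlaps the L2TP subnet {l2tp_subnet}")
    blocks = tunnel.num_addresses // addresses_per_client
    if addresses_per_client > 1:
        # net30-style topology (assumed): one /30 block per peer, server takes one
        capacity = blocks - 1
    else:
        # subnet topology (assumed): network, broadcast and the server are unusable
        capacity = blocks - 3
    if openvpn_max_clients > capacity:
        problems.append(f"OpenVPN tunnel {tunnel} fits {capacity} clients, "
                        f"but {openvpn_max_clients} concurrent connections were requested")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment
    for issue in check_vpn_addressing("192.168.1.0/24", "192.168.50.1", "192.168.50.10", 10,
                                      "255.255.255.0", "10.0.8.0/24", 20):
        print(issue)
```

Run it before filling in the wizard: an empty result means the ranges are disjoint and sized correctly, and each reported line names the field to revisit.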

There are two rules on the next page: “Traffic from clients to server” and “Traffic from clients through VPN“. Check “Add a rule to permit traffic from clients on the Internet to the OpenVPN server process” and “Add a rule to allow all traffic from connected clients to pass across the VPN tunnel“. Then press the “Next” button. The next screen is the “Configuration Complete!” screen; click on the “Finish” button.

Now, the OpenVPN service will allow external users to establish a secure, encrypted connection to the network. Users will connect to the network using an OpenVPN client and, once authenticated, the user will have access to the network as if they were physically connected.

Part three of this series will cover using VPN with the PPTP protocol.


Trackbacks

  1. [...] previous two articles on pfSense VPN, I covered how to configure a VPN tunnel using IPsec and also the L2TP and OpenVPN protocols. In this article, I will cover how to set up a VPN tunnel using [...]

  2. [...] In the next article, I will cover using VPN with the L2TP, OpenVPN and PPTP protocols. [...]


© 2013 David Zientara. All rights reserved. Privacy Policy