Contents

1. Intro
   1. Intended audience
   2. Versions
   3. On security and a disclaimer
   4. Thanks
2. On your Active Directory domain controller
   1. Create a group VPNusers
   2. Install and configure RADIUS
3. On your pfSense router
   1. Set up the Authentication Server
   2. Install a Certificate Authority
   3. Create an internal certificate
   4. Set up the OpenVPN server
   5. Configure the firewall
   6. Create a user account
   7. Install the OpenVPN Client Export Utility
   8. Prepare the Windows packages
4. On the Windows clients
   1. Install the OpenVPN package
   2. Change the cryptoapicert SUBJ
   3. Using the Windows client
5. Tweaking the client
6. Troubleshooting

1. Intro

Intended audience

This howto is intended for small businesses that want to roll out secure vpn connectivity for their users using free software. Due to the nature of its set up, which is mostly manual, this process may be too inefficient for larger businesses.

Versions

• PfSense 2.0.1
• Active Directory on Windows Server 2008 R2 – I’m using a Forest Functional Level of 2008 R2 but I don’t think that’s really a prerequisite. If it doesn’t work you may have to store your user account passwords using reversible encryption but since that seems like a serious security issue to me I guess you’d be better off upgrading to at east 2008 R2.

On security and a disclaimer

I am not a security expert. However the method described in this article is they way it should be:

• you have two-factor authentication: something you have (the installed certificate) and something you know (your AD user account name and password);
• your connection is encrypted and nothing crosses the internet in plain text.

If your laptop gets stolen, noone can dial into your corporate network if they don’t know your username and password. If someone guesses your password, they will also need your laptop to dial in. I can not guarantee that no bad things happen to you because of following this howto. Please consult other sources, use your common sense and try breaking into your own system to check if it’s safe.

Thanks

Thanks to the pfSense forum, in particular to user unguzov, who wrote a shorter version of this howto. I adapted his version and added screenshots.  Also thanks to Dan, who alerted me on the question of the policy order.

2. On your Active Directory domain controller

Create a group VPNusers

Create a security group in Active Directory Users and Computers called VPNusers. You could give everyone access but it’s a good idea to keep some granular control over it.

Add all accounts that need to use your vpn system to this group.

Install and configure RADIUS

If RADIUS isn’t alreay set up, you’ll need to add the roll to your Domain Controller. If it is set up, you can skip this step. Open Server Manager and click the Roles node in the tree on the left.

On the right side, click Add Roles.

This will open the Add Roles Wizard.

Check Network Policy and Access Services.

Select Network Policy Server.

If all went well you now have a Network Policy and Access Services node in the tree.

Expand the Network Policy and Access Services node, go to NPS (Local) > RADIUS Clients and Servers, right-click RADIUS Clients and choose New.

In the Friendly name field, enter pfSense VPN or anything you deem appropriate.

In the Address (IP or DNS) field, enter your pfSense router’s IP address. Mine is 192.168.77.1. Shared Secret: check Generate and save the shared secret; you’ll need it later on.

Under NPS (Local) > Policies right-click Network Policies and select New.

In the Policy name field, enter Allow pfSense. Type of network access server: Unspecified.

In the Specify Conditions window, click Add…

Select Windows Groups and click Add…

Click Add Groups… and add the group VPNusers (or whatever group you need).

Back in the Specify Conditions window, click Next and select Access granted.

Put the new policy before policies preventing the connection. Mind the Processing Order field. Thanks to Dan for alerting me on this.

In the Configure Authentication Methods window, check Unencrypted authentication (PAP, SPAP).

Skip the next wizard window (Constraints) or configure it as you like. I suggest leaving it as it is until you’re sure it works.

You’re done. Next, Next, Finish your way out.

3. On your PfSense router

3.1. Set up your Authentication Server

In pfSense, go to System > User Manager > Servers. Click the [+] button on the right.

Enter these values:

Descriptive name	RADIUS
Type	Radius
Hostname or IP address	192.168.77.15
Shared Secret	Paste the shared secret you had the RADIUS server generate. Then delete the file you saved the shared secret to. You won’t need it again and if you do you can just generate a new one.
Services offered	Authentication and Accounting
Authentication port value	1812
Accounting port value	1813

3.2 Install a Certificate Authority

Go to System > Cert Manager > CAs and click the [+] button.

Enter these values:

Descriptive name	TestDomain VPN CA
Method	Create an internal Certificate Authority
Key length	2048
Lifetime	3650 days Ten years should be enough for now.
Distinguished name	Fill out your preferences here.
Common name	testdomainvpn-ca

Note that you now have an extra CA in your CA list.

3.3 Create an internal certificate

Go to System > Cert Manager > Certificates and press the [+] button.

Enter these values:

Method	Create an internal Certificate
Desciptive name	vpn-testdomain-network
Certificate Authority	TestDomain VPN CA
Key length	2048
Certificate Type	User Certificate
Lifetime	3560 days
Distinguished name	Fill out your prefs here.
Common Name	vpn.example.com

3.4 Set up the OpenVPN server

Go to VPN > OpenVPN > Server and click the [+] button.

Enter these values:

Server Mode:	Remote Access ( SSL/TLS + User Auth)
Backend for authentication	RADIUS
Protocol	UDP
Device Mode	tun
Interface	WAN
Local port	1194
Description	Something appropriate
TLS Authentication	Check both Enable authentication of TLS packets and Automatically generate a shared TLS authentication key.
Peer Certificate Authority	TestDomain VPN CA
Server Certificate	vpn-testdomain-network (CA: TestDomain VPN CA)
DH Parameters Length	1024
Encryption algorithm	AES-128-CBC (128-bit) Others probably work as well.
Hardware Crypto	No Hardware Crypto Acceleration (Unless your hardware supports it. Check dmesg. No Acceleration is always safe.)
Certificate Depth	One (Client+Server)
Strict User/CN Matching	If you check this, a user can only connect with his own credentials, not that of other users. I think this is is good idea, so check this option.
Tunnel Network	192.168.82.0/24 Or any other network, as long as it is not in use in your lan/wan and probably not at your users’ locations. I.e. don’t use 192.168.0.0/24, 192.168.1.0/24 and 10.0.0.0/24.
Redirect Gateway	If you check this, not traffic to your lan will be routed through the tunnel but also to the rest of the internet. If the user starts downloading a BluRay dvd it will go through your company network. On the other hand, they will be behind your corporate firewall. Check this if you use the vpn for secure internet access. Do not check if your corporate line has a slow upload speed.
Local Network	192.168.77.0/24 This is my range. Yours is probably different. Enter your lan subnet here.
Concurrent connections	Crypto can be tough on resources. If your pfSense installation runs on an appliance keep this number low. If it runs on an old computer it can do more. Keep en eye on the machine’s CPU. If more concurrent vpn connections ask too much of resources, upgrade your hardware.I tend to set this number to the number of client installations.
Compression	Check, unless your clients and your server are on stone-age hardware.
Type-of-Service	Unchecked
Inter-client communication	Unchecked unless you need this for some reason.
Duplicate Connections	Unchecked unless you need it.
Dynamic IP	Checked unless you are seriously worried about laptops getting stolen in the middle of a vpn session.
Address Pool	Checked
DNS Default Domain	Checked, enter your Active Directory domain name here
DNS Servers	Checked, enter some Active Directory DNS server addresses here.
NTP Servers	If you set up one of your DC’s as an NTP server, check and enter it here. Decent time keeping is important for AD communication but if you have no weird time problems you can keep it unchecked.
NetBIOS Options	Unchecked. It’s a security risk. Only check it if you need it for legacy applications but check if they work without NetBIOS first; they probably do.
WINS Servers	Unchecked unless you need it.

3.5 Configure the firewall

Go to Firewall > Rules > WAN and press the [+] button to create a new rule.

3.5.2 Enter these values:

Action	Pass
Disabled	not checked
Interface	WAN
Protocol	UDP
Source	unchecked, any
Destination	unchecked, WAN address
Destination port range	from OpenVPN to OpenVPN
Log	only check when troubleshooting
Description	OpenVPN RADIUS

After you clicked Save, the rules page reloads. Do not forget to click Apply.

3.6 Create a user account

You must create a user account for each user that is going to use your vpn system. In Descriptive and Common name, enter the username the user uses to log on to Active Directory. Strictly speaking Descriptive name can be anything but usernames should be unique anyway. Go to System > Cert Manager (not User Manager!) > Certificates and click the [+] button. (Note that the alt text of this button may be wrong.)

Enter these values:

Create an internal Certificate
Decriptive name	[Username of the user that will be using the vpn connection] In some cases this is case sensitive. I tend to stick to all lowercase for that reason. It doesn’t really matter but keep it in mind if the connection can’t be established.
Certificate authority	TestDomain VPN CA
Key length	2048
Certificate Type	User Certificate
Lifetime	3650 days Unless the user has a temporary account.
Distinguished name	Fill out your preferences here.
Common Name:	[see Descriptive name]

Note the entry in the Certificate list.

3.7 Install the OpenVPN Client Export Utility

Note – these screenshots are out of date. Today many more export formats are available.

Go to System > Packages > Available Packages.

Scroll down to OpenVPN Client Export Utility and click the [+] button on the right.

Confirm that you want to install that package and the package will be installed.

When it says Installation completed the installation is finished.

3.8 Prepare the Windows packages

Go to VPN > OpenVPN and note that there is an extra tab called Client Export. Open it.

Enter these values:

Remote Access Server	VPN with RADIUS UDP:1194
Host Name Resolution	– If you have a static IP (not a semi-static like cable providers give you), enterInterface IP Address here. – If you have a dns address pointing in your direction, enter Installation hostnamehere.Personally, I like to create a dedicated dns entry for vpn connections called vpn.example.com. If you ever decide to move things around it is nice to have things set up modularly.

If you’re not sure, stick with Interface IP Address for now.Use Microsoft Certificate Storage instead of local filescheckedUse a password to protect the pkcs12 file contents or key in Viscosity bundle.checked; choose a random password here and safe it for when you need to install it on the client.Use HTTP ProxyUnchecked unless you need it.

Find the right username under Certificate Name and click Windows Installer.

Get a package for each user

4. On the Windows clients

4.1 Install the OpenVPN package

Copy the Windows Install you downloaded to the client. It is called after the tunnel configuration, for example router-udp-1194-install.exe.

Run the installer with all defaults. When selecting components, make sure they are all checked (they are by default).

Once the installation is complete, press Next. Read or don’t read the Readme and press Finish.

The OpenVPN Configuration Setup will continue to install the certificates.

Stick to the defaults. When prompted for a password, enter the password you used when you exported the Windows Installer from the Client Export tab.

Have the wizard automatically select the archive.

Change the cryptoapicert SUBJ

Open C:\Program Files\OpenVPN\config\yourconfig.ovpn or C:\Program Files(x86)\OpenVPN\config\yourconfig.ovpn and change the line that says

cryptoapicert “SUBJ:”

to

cryptoapicert “SUBJ:vorkbaard“

…replace vorkbaard by the user’s username. I may be mistaken but I think this helps specifying which certificate OpenVPN should use in case certificates have a naming conflict.

Using the Windows client

To use the client, doubleclick the OpenVPN GUI icon on your Desktop. Windows will ask you to comfirm the execution. Confirm. OpenVPN will start but that’s not enough. Right-click the OpenVPN icon in the taskbar and choose Connect. The user must now enter his username and password. This is only the username part, without the domain. The password is the user’s Active Directory password.

  If all is well, OpenVPN will connect to your pfSense router and minimize to the system tray.

5. Tweaking the client

Here are some tweaks I like to do on my client installations.

Change the name of the .ovpn file

When you connect to your router OpenVPN shows a balloon telling you that the vpn is up. It contains your rather cryptic Windows Installer name, but you can change that to something more appropriate by renaming the .ovpn file in C:\Windows\Program Files\OpenVPN\config (or C:\Windows\Program Files(x86)\OpenVPN\config to whatever name you want the balloon to show.   (is nu verbonden is dutch for is now connected.)

Edit the shortcut to connect directly

You can edit the shortcut to OpenVPN GUI to directly connect to your router in stead of first starting OpenVPN and then starting the connection by right-clicking the shortcut and adding to the Target field:

–connect “Headquarters.ovpn”

…if Headquarters.ovpn is the name of your ovpn file. The user will still need to enter his password but it does save a step in the process.

Edit more settings

More information on automation, customization and registry tweaks are available in this text document:http://openvpn.se/install.txt.

6. Troubleshooting

If something doesn’t work, here are some pointers for troubleshooting:

• The username may be case sensitive.
• Use pfSense’s fine logging system under Status > System logs > OpenVPN.
• Ask your question in the pfSense forum.
• Windows 7 sometimes adds a Microsoft Virtual WiFi Miniport Adapter. Disabling this sometimes solves vague connection problems where there should be none.
• Is the subnet unique? Perhaps the user is in a subnet that is the same as your virtual or corporate subnet.
• Certificate problems? Check certmgr.msc. Perhaps an old certificate is blocking the installation of a new certificate.
• Client getting disconnected? Check the user’s wifi connection. No wifi=no internet=no vpn.
• Check if your domain controller allows UDP ports 1812 and 1813 throught the firewall. Adding the Network Policy and Access Services role and configuring a RADIUS client should automatically have entered these rules in the server’s firewall. They are called Network Policy Server (RADIUS Accounting – UDP-In) and Network Policy Server (RADIUS Authentication – UDP-In). Note that this is about the firewall on your domain controller, not pfSense’s firewall!

This article is also published on doc.pfsense.org.