PfSense on Hyper-V

Versions used: PfSense 2.0-RC3 and Hyper-V on Windows Server 2008 R2

Prerequisites:

  • experience in working with Hyper-V on Windows Server 2008 R2
  • working Hyper-V installation with working network connection
  • dedicated secondary physical network card in the Hyper-V host machine for the WAN connection
  • some experience setting up PfSense

 

1. Set up the networking part
Fire up the Hyper-V Manager console, select your Hyper-V host and under Actions select Virtual Network Manager. Add a new virtual network of the External type, bound to the dedicated second network interface. Clear the “Allow host OS to share this adapter” checkbox. I’ll refer to this network as Lan2; the existing one is Lan1.

2. Create the VM
Create a new VM with a 9GB virtual disk. If you keep the default size of 127GB, PfSense 2.0-RC3 will be unable to format it. I haven’t tested any other sizes; 9GB worked for me. Set it to boot from the PfSense ISO.

Right-click the PfSense VM, choose Settings and remove the network adapter: PfSense 2.0-RC3 won’t recognize the default (synthetic) network adapter. Add two Legacy Network Adapters instead. Set their MAC addresses to AA-AA-AA-AA-AA-AA for Lan1 and AA-AA-AA-AA-AA-BB for Lan2 so they are easy to tell apart. Do not check VLAN identification.

3. Start the VM
Start the VM. Install PfSense. After installing, disconnect the ISO and reboot.

4. Work around a networking bug
You’ll notice that your WAN interface doesn’t get a dhcp address and you can’t ping the LAN address. Taking the interfaces down and up again and re-requesting a dhcp lease fixes this. Drop into the shell (choose option 8 from the menu) and use vi to create /usr/local/etc/rc.d/startup.sh (note that my WAN interface is de0; check which one yours is):

	#!/bin/sh
	# Work around the Hyper-V legacy adapter problem: bounce both interfaces,
	# then request a fresh dhcp lease on the WAN interface (de0 here).
	ifconfig de0 down
	ifconfig de1 down
	ifconfig de0 up
	ifconfig de1 up
	dhclient de0

(Courtesy of http://forum.pfsense.org/index.php/topic,30760.msg163707.html#msg163707).

Add execute rights to the script:

	#chmod +rx /usr/local/etc/rc.d/startup.sh

Reboot. It takes a while for PfSense to boot because the WAN interface is not connected during boot.

Note that Hyper-V’s Legacy network adapters are only 100 Mbit/s. If your internet connection is faster than that, I recommend you try VirtualBox.

Apparently FreeBSD 8 has a problem with AMD 64 processors that prevents it from booting in virtual environments. A workaround is to choose option 7 “Escape to loader prompt” at the boot menu and type:

	set hw.clflush_disable=1
	boot

Install PfSense.

After the installation, use the same trick to boot into PfSense, choose option 8 to get to the command prompt and run:

	vi /boot/loader.conf

Add this line:

	hw.clflush_disable="1"

Thanks to wmlaros for his forum post on this.

Set up OpenVPN on pfSense for Windows clients with certificates and user authentication via Active Directory RADIUS

Contents

  1. Intro
    1. Intended audience
    2. Versions
    3. On security and a disclaimer
    4. Thanks
  2. On your Active Directory domain controller
    1. Create a group VPNusers
    2. Install and configure RADIUS
  3. On your pfSense router
    1. Set up the Authentication Server
    2. Install a Certificate Authority
    3. Create an internal certificate
    4. Set up the OpenVPN server
    5. Configure the firewall
    6. Create a user account
    7. Install the OpenVPN Client Export Utility
    8. Prepare the Windows packages
  4. On the Windows clients
    1. Install the OpenVPN package
    2. Change the cryptoapicert SUBJ
    3. Using the Windows client
  5. Tweaking the client
  6. Troubleshooting

1. Intro

Intended audience

This howto is intended for small businesses that want to roll out secure vpn connectivity for their users using free software. Because the setup is mostly manual, the process may be too inefficient for larger businesses.

Versions

  • PfSense 2.0.1
  • Active Directory on Windows Server 2008 R2 – I’m using a Forest Functional Level of 2008 R2 but I don’t think that’s really a prerequisite. If it doesn’t work you may have to store your user account passwords using reversible encryption, but since that seems like a serious security issue to me I guess you’d be better off upgrading to at least 2008 R2.

On security and a disclaimer

I am not a security expert. However, the method described in this article is the way it should be:

  • you have two-factor authentication: something you have (the installed certificate) and something you know (your AD user account name and password);
  • your connection is encrypted and nothing crosses the internet in plain text.

If your laptop gets stolen, no one can dial into your corporate network without knowing your username and password. If someone guesses your password, they will also need your laptop to dial in. I cannot guarantee that nothing bad happens to you as a result of following this howto. Please consult other sources, use your common sense and try breaking into your own system to check whether it’s safe.

Thanks

Thanks to the pfSense forum, in particular to user unguzov, who wrote a shorter version of this howto. I adapted his version and added screenshots. Also thanks to Dan, who alerted me to the question of the policy order.

2. On your Active Directory domain controller

Create a group VPNusers

Create a security group in Active Directory Users and Computers called VPNusers. You could give everyone access but it’s a good idea to keep some granular control over it.


Add all accounts that need to use your vpn system to this group.


Install and configure RADIUS

If RADIUS isn’t already set up, you’ll need to add the role to your Domain Controller; if it is, you can skip this step. Open Server Manager and click the Roles node in the tree on the left.

On the right side, click Add Roles.


This will open the Add Roles Wizard.


Check Network Policy and Access Services.


Select Network Policy Server.


If all went well you now have a Network Policy and Access Services node in the tree.


Expand the Network Policy and Access Services node, go to NPS (Local) > RADIUS Clients and Servers, right-click RADIUS Clients and choose New.


In the Friendly name field, enter pfSense VPN or anything you deem appropriate.

In the Address (IP or DNS) field, enter your pfSense router’s IP address. Mine is 192.168.77.1. Shared Secret: check Generate and save the shared secret; you’ll need it later on.


Under NPS (Local) > Policies right-click Network Policies and select New.


In the Policy name field, enter Allow pfSense. Type of network access server: Unspecified.


In the Specify Conditions window, click Add…


Select Windows Groups and click Add…

Click Add Groups… and add the group VPNusers (or whatever group you need).


Back in the Specify Conditions window, click Next and select Access granted.


Move the new policy above any policy that would deny the connection; NPS evaluates network policies in the order shown and uses the first one whose conditions match, so mind the Processing Order field. Thanks to Dan for alerting me to this.


In the Configure Authentication Methods window, check Unencrypted authentication (PAP, SPAP). This is what pfSense’s RADIUS backend uses: the user’s password travels from pfSense to the NPS server in a RADIUS request protected only by the shared secret, so keep that hop on your internal network, as it is here (both hosts are on 192.168.77.0/24).


Skip the next wizard window (Constraints) or configure it as you like. I suggest leaving it as it is until you’re sure it works.

You’re done. Next, Next, Finish your way out.

3. On your PfSense router

3.1 Set up the Authentication Server

In pfSense, go to System > User Manager > Servers. Click the [+] button on the right.


Enter these values:

Descriptive name: RADIUS
Type: Radius
Hostname or IP address: 192.168.77.15
Shared Secret: paste the shared secret you had the RADIUS server generate. Then delete the file you saved the shared secret to; you won’t need it again, and if you do you can simply generate a new one.
Services offered: Authentication and Accounting
Authentication port value: 1812
Accounting port value: 1813

3.2 Install a Certificate Authority

Go to System > Cert Manager > CAs and click the [+] button.


Enter these values:

Descriptive name: TestDomain VPN CA
Method: Create an internal Certificate Authority
Key length: 2048
Lifetime: 3650 days (ten years should be enough for now)
Distinguished name: fill out your preferences here.
Common name: testdomainvpn-ca


Note that you now have an extra CA in your CA list.


3.3 Create an internal certificate

Go to System > Cert Manager > Certificates and press the [+] button.


Enter these values:

Method: Create an internal Certificate
Descriptive name: vpn-testdomain-network
Certificate Authority: TestDomain VPN CA
Key length: 2048
Certificate Type: User Certificate
Lifetime: 3560 days
Distinguished name: fill out your preferences here.
Common Name: vpn.example.com

3.4 Set up the OpenVPN server

Go to VPN > OpenVPN > Server and click the [+] button.


Enter these values:

Server Mode: Remote Access (SSL/TLS + User Auth)
Backend for authentication: RADIUS
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
Description: something appropriate
TLS Authentication: check both Enable authentication of TLS packets and Automatically generate a shared TLS authentication key.
Peer Certificate Authority: TestDomain VPN CA
Server Certificate: vpn-testdomain-network (CA: TestDomain VPN CA)
DH Parameters Length: 1024 (a longer value gives a stronger key exchange at the cost of a slower handshake)
Encryption algorithm: AES-128-CBC (128-bit). Others probably work as well.
Hardware Crypto: No Hardware Crypto Acceleration, unless your hardware supports it (check dmesg). No acceleration is always safe.
Certificate Depth: One (Client+Server)
Strict User/CN Matching: if you check this, a user can only connect with the certificate whose Common Name matches his own username, not with another user’s credentials. I think this is a good idea, so check it.
Tunnel Network: 192.168.82.0/24, or any other network that is not in use on your lan or wan and preferably not at your users’ locations either, i.e. don’t use 192.168.0.0/24, 192.168.1.0/24 or 10.0.0.0/24.
Redirect Gateway: if you check this, not only traffic to your lan but all of the user’s internet traffic is routed through the tunnel. If the user starts downloading a Blu-ray it goes through your company network; on the other hand, they are behind your corporate firewall. Check this if you use the vpn for secure internet access; leave it unchecked if your corporate line has a slow upload speed.
Local Network: 192.168.77.0/24. This is my lan range; yours is probably different, so enter your own lan subnet here.
Concurrent connections: crypto can be tough on resources. If your pfSense installation runs on an appliance, keep this number low; an old PC can handle more. Keep an eye on the machine’s CPU and upgrade the hardware if more concurrent vpn connections ask too much of it. I tend to set this to the number of client installations.
Compression: checked, unless your clients and your server are on stone-age hardware. (Compressing traffic before it is encrypted can leak information about the plaintext to an observer, so if bandwidth is not an issue it is safer to leave it off.)
Type-of-Service: unchecked
Inter-client communication: unchecked, unless you need it for some reason.
Duplicate Connections: unchecked, unless you need it.
Dynamic IP: checked, unless you are seriously worried about laptops being stolen in the middle of a vpn session.
Address Pool: checked
DNS Default Domain: checked; enter your Active Directory domain name here.
DNS Servers: checked; enter the addresses of some Active Directory DNS servers here.
NTP Servers: if you set up one of your DCs as an NTP server, check this and enter it here. Decent timekeeping is important for AD communication, but if you have no odd time problems you can leave it unchecked.
NetBIOS Options: unchecked; it’s a security risk. Only check it if legacy applications need it, and first check whether they work without NetBIOS (they probably do).
WINS Servers: unchecked, unless you need it.
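Choosing the Tunnel Network above (and, later on, the troubleshooting question of whether a user sits in a subnet that collides with yours) comes down to checking that address ranges do not overlap. The shell script below is an added example, not part of this howto or of pfSense: it takes a candidate tunnel network plus a list of networks to stay clear of and reports every collision. The addresses are the ones used in this howto plus constructed ones.

```shell
#!/bin/sh
# Added example (not part of the original howto): check that a candidate
# OpenVPN tunnel network does not overlap the lan, the wan or the common
# home-router subnets named above. All addresses are the howto's or constructed.

# ip2int A.B.C.D: print the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask LEN: print the integer netmask for a /LEN prefix
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# cidr_overlap A/N B/M: succeed (exit 0) if the two ranges share any address.
# Two ranges overlap exactly when they agree under the shorter of the two masks.
cidr_overlap() {
    net_a=$(ip2int "${1%/*}"); len_a=${1#*/}
    net_b=$(ip2int "${2%/*}"); len_b=${2#*/}
    shorter=$len_a
    [ "$len_b" -lt "$shorter" ] && shorter=$len_b
    m=$(prefix_mask "$shorter")
    [ $(( net_a & m )) -eq $(( net_b & m )) ]
}

# check_tunnel_network TUNNEL NET...: report every NET the tunnel collides with;
# exit 0 only if the tunnel network is free of collisions
check_tunnel_network() {
    tunnel=$1; shift
    clashes=0
    for net in "$@"; do
        if cidr_overlap "$tunnel" "$net"; then
            echo "tunnel $tunnel overlaps $net"
            clashes=$((clashes + 1))
        fi
    done
    [ "$clashes" -eq 0 ]
}

# The howto's own choice, checked against its lan and the ranges it says to avoid
check_tunnel_network 192.168.82.0/24 192.168.77.0/24 192.168.0.0/24 192.168.1.0/24 10.0.0.0/24 \
    && echo "192.168.82.0/24 is free to use"
# A bad choice: a user's home router handing out addresses from 192.168.0.0/16 would collide
check_tunnel_network 192.168.0.0/24 192.168.77.0/24 192.168.0.0/16 || echo "pick another tunnel network"
```

Run it with the tunnel network you intend to use as the first argument and your lan, wan and any customer or home networks you know of after it; a non-zero exit status means at least one collision was printed.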


3.5 Configure the firewall

Go to Firewall > Rules > WAN and press the [+] button to create a new rule.


Enter these values:

Action: Pass
Disabled: not checked
Interface: WAN
Protocol: UDP
Source: unchecked, any
Destination: unchecked, WAN address
Destination port range: from OpenVPN to OpenVPN
Log: only check when troubleshooting
Description: OpenVPN RADIUS


After you click Save, the rules page reloads. Do not forget to click Apply.


3.6 Create a user account

You must create an account for each user that is going to use your vpn system; in pfSense this is a user certificate. Go to System > Cert Manager (not User Manager!) > Certificates and click the [+] button. (Note that the alt text of this button may be wrong.) In Descriptive name and Common Name, enter the username the user uses to log on to Active Directory. Strictly speaking Descriptive name can be anything, but usernames should be unique anyway.


Enter these values:

Method: Create an internal Certificate
Descriptive name: [username of the user that will be using the vpn connection]. In some cases this is case sensitive; I tend to stick to all lowercase for that reason. It doesn’t really matter, but keep it in mind if the connection can’t be established.
Certificate authority: TestDomain VPN CA
Key length: 2048
Certificate Type: User Certificate
Lifetime: 3650 days, unless the user has a temporary account.
Distinguished name: fill out your preferences here.
Common Name: [see Descriptive name]

Note the entry in the Certificate list.
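What the CA, the server certificate and the per-user certificates above amount to can be reproduced with openssl on any machine with a shell, which is also a handy way to see what Strict User/CN Matching actually checks. The script below is an added example, not the howto’s or pfSense’s own procedure: it creates a throwaway CA named after the one above (2048-bit key, 3650 days, as in the howto), issues a certificate for a constructed user jdoe, and then checks chain, validity and exact Common Name match, rejecting a wrong-case username and a certificate issued by a different CA.

```shell
#!/bin/sh
# Added example, not part of the original howto: build a throwaway CA and a
# user certificate with openssl the way sections 3.2 and 3.6 do in the GUI,
# then run the checks that "Strict User/CN Matching" amounts to. The CA name
# testdomainvpn-ca and the 2048/3650 values come from the howto; user jdoe
# and the second CA are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR NAME: self-signed CA with a 2048-bit key and a ten-year lifetime
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# make_user_cert DIR CANAME USERNAME: user certificate whose CN is the AD username
make_user_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 3650 -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -out "$1/$3.crt" >/dev/null 2>&1
}

# cert_cn FILE: print the certificate's Common Name
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_user_cert CERT CAFILE USERNAME: succeed only if the certificate chains
# to CAFILE, has not expired, and its CN equals USERNAME byte for byte (which
# is why the howto warns that the username may be case sensitive).
check_user_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
        { echo "$1: not issued by $2"; return 1; }
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1 ||
        { echo "$1: expired"; return 1; }
    cn=$(cert_cn "$1")
    [ "$cn" = "$3" ] ||
        { echo "$1: CN '$cn' does not match username '$3'"; return 1; }
    echo "$1: OK for $3"
}

make_ca "$WORK" testdomainvpn-ca
make_user_cert "$WORK" testdomainvpn-ca jdoe
# A second, unrelated CA that also issued a "jdoe" certificate
make_ca "$WORK/other" other-ca
make_user_cert "$WORK/other" other-ca jdoe

check_user_cert "$WORK/jdoe.crt" "$WORK/testdomainvpn-ca.crt" jdoe               # accepted
check_user_cert "$WORK/jdoe.crt" "$WORK/testdomainvpn-ca.crt" JDoe || true       # CN mismatch
check_user_cert "$WORK/other/jdoe.crt" "$WORK/testdomainvpn-ca.crt" jdoe || true # wrong CA
```

The same three checks are useful against a certificate exported from the Cert Manager when a user cannot connect: a wrong CA means the client package was built against another CA, an expired certificate shows up as a VERIFY ERROR in the OpenVPN log, and a Common Name that differs from the login name only in case is exactly the case-sensitivity problem the troubleshooting section mentions.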


3.7 Install the OpenVPN Client Export Utility

Note – these screenshots are out of date. Today many more export formats are available.

Go to System > Packages > Available Packages.


Scroll down to OpenVPN Client Export Utility and click the [+] button on the right.

Confirm that you want to install that package, and the package will be installed.

When it says Installation completed, the installation is finished.

3.8 Prepare the Windows packages

Go to VPN > OpenVPN and note that there is an extra tab called Client Export. Open it.

Enter these values:

Remote Access Server: VPN with RADIUS UDP:1194
Host Name Resolution: if you have a static IP (not a semi-static one like cable providers give you), choose Interface IP Address. If you have a dns name pointing at your router, choose Installation hostname. Personally, I like to create a dedicated dns entry for vpn connections called vpn.example.com; if you ever decide to move things around it is nice to have things set up modularly. If you’re not sure, stick with Interface IP Address for now.
Use Microsoft Certificate Storage instead of local files: checked
Use a password to protect the pkcs12 file contents or key in Viscosity bundle: checked; choose a random password here and save it for when you need to install the package on the client.
Use HTTP Proxy: unchecked, unless you need it.

Find the right username under Certificate Name and click Windows Installer.


Get a package for each user.

4. On the Windows clients

4.1 Install the OpenVPN package

Copy the Windows Installer you downloaded to the client. It is named after the tunnel configuration, for example router-udp-1194-install.exe.

Run the installer with all defaults. When selecting components, make sure they are all checked (they are by default).

Once the installation is complete, press Next. Read or don’t read the Readme and press Finish.


The OpenVPN Configuration Setup will continue to install the certificates.


Stick to the defaults. When prompted for a password, enter the password you used when you exported the Windows Installer from the Client Export tab.


Have the wizard automatically select the archive.


4.2 Change the cryptoapicert SUBJ

Open C:\Program Files\OpenVPN\config\yourconfig.ovpn (or C:\Program Files (x86)\OpenVPN\config\yourconfig.ovpn on 64-bit Windows) and change the line that says

cryptoapicert "SUBJ:"

to

cryptoapicert "SUBJ:vorkbaard"

…replacing vorkbaard with the user’s username. I may be mistaken, but I think this helps OpenVPN pick the right certificate from the store when certificate names conflict.

4.3 Using the Windows client

To use the client, double-click the OpenVPN GUI icon on your Desktop. Windows will ask you to confirm the execution; confirm. OpenVPN GUI starts, but that’s not enough: right-click the OpenVPN icon in the taskbar and choose Connect. The user must now enter his username and password. This is only the username part, without the domain; the password is the user’s Active Directory password.


If all is well, OpenVPN will connect to your pfSense router and minimize to the system tray.

5. Tweaking the client

Here are some tweaks I like to do on my client installations.

Change the name of the .ovpn file

When you connect to your router, OpenVPN shows a balloon telling you that the vpn is up. It contains the rather cryptic name of your Windows Installer, but you can change that to something more appropriate by renaming the .ovpn file in C:\Program Files\OpenVPN\config (or C:\Program Files (x86)\OpenVPN\config) to whatever name you want the balloon to show. (In my screenshots the balloon reads “is nu verbonden”, which is Dutch for “is now connected”.)

Edit the shortcut to connect directly

You can edit the shortcut to OpenVPN GUI so that it connects to your router directly, instead of first starting OpenVPN GUI and then starting the connection: right-click the shortcut, open its properties and append to the Target field:

--connect "Headquarters.ovpn"

…if Headquarters.ovpn is the name of your ovpn file. The user will still need to enter his password, but it does save a step in the process.

Edit more settings

More information on automation, customization and registry tweaks is available in this text document: http://openvpn.se/install.txt.

6. Troubleshooting

If something doesn’t work, here are some pointers for troubleshooting:

  • The username may be case sensitive.
  • Use pfSense’s fine logging system under Status > System logs > OpenVPN.
  • Ask your question in the pfSense forum.
  • Windows 7 sometimes adds a Microsoft Virtual WiFi Miniport Adapter. Disabling this sometimes solves vague connection problems where there should be none.
  • Is the subnet unique? Perhaps the user is in a subnet that is the same as your virtual or corporate subnet.
  • Certificate problems? Check certmgr.msc. Perhaps an old certificate is blocking the installation of a new certificate.
  • Client getting disconnected? Check the user’s wifi connection. No wifi=no internet=no vpn.
  • Check whether your domain controller allows UDP ports 1812 and 1813 through its firewall. Adding the Network Policy and Access Services role and configuring a RADIUS client should have entered these rules in the server’s firewall automatically. They are called Network Policy Server (RADIUS Accounting – UDP-In) and Network Policy Server (RADIUS Authentication – UDP-In). Note that this is about the firewall on your domain controller, not pfSense’s firewall!
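To put these pointers to use on the OpenVPN log under Status > System logs (or on the client’s own log), the shell script below is an added example, not part of this howto: it maps the messages OpenVPN 2.x logs for the common failures to the pointer that applies and tallies them. The sample lines are constructed in the shape of OpenVPN’s messages, not a real capture, and the addresses in them are made up.

```shell
#!/bin/sh
# Added example, not part of the original howto: sort OpenVPN log lines into
# the troubleshooting pointers above. The sample lines are constructed in the
# shape OpenVPN 2.x uses for these messages; they are not a real capture.

# triage_line LINE: print the category one OpenVPN log line points at
triage_line() {
    case $1 in
        *"Auth Username/Password verification failed"*)
            # pfSense asked NPS and got a reject: wrong password, username case,
            # user not in VPNusers, or a deny policy ordered above "Allow pfSense"
            echo credentials-or-radius ;;
        *"VERIFY ERROR"*)
            # certificate rejected: expired, issued by another CA, or a stale
            # copy in the client's certificate store (certmgr.msc)
            echo certificate ;;
        *"cannot locate HMAC"*)
            # the client's TLS auth key does not match the server's: re-export the package
            echo tls-auth-key ;;
        *"TLS key negotiation failed"*)
            # client never completed a handshake: UDP 1194 not reaching the WAN rule, or no wifi
            echo network ;;
        *)
            echo other ;;
    esac
}

# triage_log FILE: print "category count" for every category seen in FILE
triage_log() {
    while IFS= read -r line; do
        triage_line "$line"
    done < "$1" | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample log, modelled on pfSense's OpenVPN log lines
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Jan 12 09:01:10 openvpn[1234]: 203.0.113.7:51000 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 12 09:02:31 openvpn[1234]: 203.0.113.7:51004 VERIFY ERROR: depth=0, error=certificate has expired: CN=jdoe
Jan 12 09:03:05 openvpn[1234]: 203.0.113.9:40210 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:40210
Jan 12 09:04:44 openvpn[1234]: 203.0.113.7:51010 Initialization Sequence Completed
Jan 12 09:05:12 openvpn[1234]: 203.0.113.7:51012 TLS Auth Error: Auth Username/Password verification failed for peer
EOF
triage_log "$SAMPLE"
rm -f "$SAMPLE"
```

Feed it the OpenVPN log copied from Status > System logs > OpenVPN; a pile of credentials-or-radius entries for one user usually means the username case or the VPNusers membership, while certificate entries point at the Cert Manager and the client’s certificate store rather than at RADIUS.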

This article is also published on doc.pfsense.org.