Wednesday, April 23, 2014

running an openvpn server from home

After beating down my sysadmin ego by pouring days into alternate setups, I finally got an OpenVPN server running exactly as I wanted it on my home network.  If you need complete(-ish) local network access from remote devices, want to run it in a virtual environment, and only want to expose the single VPN port, here's how to do it.  Note that some of these steps assume you're using a VM server on the LAN running qemu-kvm, and your local machine connects to it with virt-manager.

    1. Download the i386 LiveCD w/ Installer pfsense image to your server.

root@server $ wget 'https://www.pfsense.org/download/download.php?url=http%3A%2F%2Ffiles.bgn.pfsense.org%2Fmirror%2Fdownloads%2FpfSense-LiveCD-2.1.2-RELEASE-i386.iso.gz'
root@server $ mv 'download.php?url=http%3A%2F%2Ffiles.bgn.pfsense.org%2Fmirror%2Fdownloads%2FpfSense-LiveCD-2.1.2-RELEASE-i386.iso.gz' /var/lib/libvirt/images/pfSense-LiveCD-2.1.2-RELEASE-i386.iso.gz
root@server $ gunzip /var/lib/libvirt/images/pfSense-LiveCD-2.1.2-RELEASE-i386.iso.gz

(The download is gzipped and virt-manager needs the plain .iso to boot from, hence the gunzip.)

    2. Spin up the VM with pfsense.

lol@workstation $ virt-manager &

Connect to the server and make a new VM.  Choose local install media -> iso image -> choose the pfsense image.  OS type=UNIX, Version should autodetect to FreeBSD 8.x.  512MB RAM and a single core has been plenty for me, if my host gets strapped I'll probably drop the pfsense guest down to 256 and see how it does.  5GB hard disk is more than enough also.

Once the VM comes up, choosing all defaults is fine for installation.  Once the ncurses install is complete, the configurator will ask for the primary network interface, or try to do some kind of autodetection.  We created the VM with the default single interface because there is upstream DHCP coming from the home router and we're only using pfsense for the OpenVPN features, so the answer to the interface question is probably "em0".  Choose sensible options for everything else.

Note that after you choose what hostname pfsense will tell the upstream DHCP server, you will likely get a new IP after reboot, so check your DHCP logs for what the new IP is.

    3. Use this youtube video to configure the OpenVPN server.

I think I did everything exactly the same as the guy in the video, except I chose max key lengths, a longer AES cipher, and 9999 days for everything.  Stop when he gets to the client export/configuration part.

Make sure the "Local network" option is set to your local subnet, and the "IPv4 tunnel network" option is NOT set to your local subnet (if the two overlap, the client ends up with conflicting routes and can't reach the LAN through the tunnel).  Not sure why the guy in the video used 192.168.2.0/24; I chose 10.0.0.0/24 since it's also designated for private networks and it's way more visible at a glance.
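A quick way to check a candidate tunnel network against every subnet it must not collide with (the LAN behind pfsense, and any LAN a remote client is likely to sit on), added here as an example; it is not from the post or from pfsense, it is plain POSIX sh, and all the subnets in it are constructed sample values:

```shell
#!/bin/sh
# Added example, not from the original post or pfSense: check that the
# OpenVPN "IPv4 tunnel network" does not overlap the "Local network" behind
# pfSense, or a LAN a remote client might be sitting on. An overlap gives the
# client two routes for the same addresses, and LAN traffic then never enters
# the tunnel. All subnets below are constructed sample values.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as a 32-bit integer.
plen_to_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Exit 0 when the two CIDR blocks share at least one address. Two blocks
# overlap exactly when, under the shorter of the two prefixes, both network
# addresses come out the same.
cidr_overlap() {
    a_addr=${1%/*}; a_plen=${1#*/}
    b_addr=${2%/*}; b_plen=${2#*/}
    if [ "$a_plen" -lt "$b_plen" ]; then p=$a_plen; else p=$b_plen; fi
    mask=$(plen_to_mask "$p")
    [ $(( $(ip_to_int "$a_addr") & mask )) -eq $(( $(ip_to_int "$b_addr") & mask )) ]
}

# Report every subnet in the list that collides with the proposed tunnel
# network. Exit 0 when the tunnel is clear, 1 when any conflict was found.
check_tunnel_network() {
    tunnel=$1
    shift
    rc=0
    for net in "$@"; do
        if cidr_overlap "$tunnel" "$net"; then
            echo "CONFLICT: tunnel $tunnel overlaps $net"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a 10.0.0.0/24 tunnel is fine against a 192.168.1.0/24
# home LAN, but collides with a guest or hotel LAN that also hands out
# 10.0.0.0/24, so a client on such a network could not reach home.
check_tunnel_network 10.0.0.0/24 192.168.1.0/24 10.0.0.0/24 \
    || echo "pick a tunnel network that none of your client sites use"
```

Run it with your own "Local network" and the subnets of the places you usually connect from; the only thing it needs is a shell with 64-bit arithmetic (bash, dash and busybox all qualify).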

    4. Open the port on your router.

My router (a D-Link DIR-655) has a "virtual servers" option, which is like port forwarding on steroids.  Either way, this part is simple - make sure UDP port 1194 is open and points to your pfsense server.  It's probably a good idea to make sure the pfsense VM has a static IP at this point too.

    5. Set up dynamic DNS pointing at your house.

pfsense comes with clients for many free dynamic DNS services - I'm using no-ip.com.  Make an account and grab some trashy xxx.no-ip.biz domain.  In pfsense, go to services -> dynamic DNS and add your account.  Super simple, now your no-ip subdomain will always point at your house no matter how often your ISP changes your WAN IP.

    6. Make the Android client work.

The OpenVPN Connect app worked on the first try for me, and it's free, small, has few permissions and has a clean interface.  Plug your phone into the computer you're checking out pfsense on, then in the pfsense web UI go to VPN -> OpenVPN -> Client Export.  This will only be there if you installed the "export" package from the youtube video.

Make sure to choose the DynDNS option for your domain under Host name resolution.  If it isn't there for some reason, or if you don't want to run the dynamic DNS client on pfsense or whatever, just choose "other" and enter the domain manually there.

At the bottom, under the "Client Install Packages" section, click the "OpenVPN Connect (iOS/Android)" link.  The downloaded .ovpn file has "iOS" in the name, but don't worry about that.  Copy that file to your phone's storage (SD or onboard).  Pull up the OpenVPN app, choose Menu (the vertical ellipsis (...) button) -> Import Profile from SD card -> enter your username and password, and boom!  It should just work.

EDIT FOR T-MOBILE USERS: It just worked when I was on Verizon, because they're a lumbering behemoth and are still using IPv4 everyplace - if you're on T-Mobile, you'll need to follow a substep that I wrote up here.

    7. Make the Linux (NetworkManager) client work.

From the same client export page that we used in the last step, under the "Client Install Packages" section, click the "Standard Configurations: Archive" link.  Unzip the downloaded file somewhere in your home directory - default permissions were not cool, so take away everything but rx on the dir for owner, and just r for the owner on the files inside:

lol@vpnclient $ mv downloads/vpn-files.zip vpn-stuff/
lol@vpnclient $ cd vpn-stuff/
lol@vpnclient $ unzip vpn-files.zip
lol@vpnclient $ sudo chmod -Rc a-rwx vpn-files
lol@vpnclient $ sudo chmod -Rc u+rx vpn-files
lol@vpnclient $ sudo chmod -c u-x vpn-files/*

(The chmod steps in the above are optional.  I know it could have been done more succinctly, but I don't typically use masks for chmod - of course I'm familiar with 0777, 0655 etc, but for non-standard permissions sets they seem obfuscating.  In ten years they probably won't, but I'm just not there yet.)
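The same lockdown in the octal form, plus a check that nothing in the bundle is still readable by anyone but the owner, as an added example (not the post's own commands); the .ovpn and .p12 files carry the client's private key, which is why group and other should have no bits at all. The sample files it creates are constructed placeholders:

```shell
#!/bin/sh
# Added example, not the post's own commands: lock down an exported OpenVPN
# client bundle and verify the result. The .ovpn and .p12 files carry the
# client's private key, so they should be readable by the owner only; this
# is the octal form (0500 on directories, 0400 on files) of the chmod
# sequence above. Sample files below are constructed placeholders.

# Owner-only permissions: directories rx (0500), files r (0400).
lock_vpn_dir() {
    find "$1" -type d -exec chmod 0500 {} +
    find "$1" -type f -exec chmod 0400 {} +
}

# Exit 0 when nothing under $1 is readable, writable or executable by group
# or others and no regular file is executable; otherwise print the offenders
# (as ls -ld lines) and exit 1. Parsing ls -ld keeps this portable to BSD and
# busybox find, which lack GNU find's -perm /mode.
check_vpn_perms() {
    bad=$(find "$1" -exec ls -ld {} \; | awk '
        substr($1, 5, 6) != "------" ||
        (substr($1, 1, 1) == "-" && substr($1, 4, 1) != "-") {
            print "exposed:", $0
        }')
    if [ -n "$bad" ]; then
        echo "$bad"
        return 1
    fi
    return 0
}

# Constructed demo: a freshly unzipped bundle with the loose permissions the
# post complains about, then the same bundle after locking it down.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed placeholder, not a real profile\n' > "$tmp/client.ovpn"
    printf 'constructed placeholder, not a real keystore\n' > "$tmp/client.p12"
    chmod 0755 "$tmp" "$tmp/client.ovpn" "$tmp/client.p12"
    if check_vpn_perms "$tmp"; then echo "before: clean"; else echo "before: exposed"; fi
    lock_vpn_dir "$tmp"
    if check_vpn_perms "$tmp"; then echo "after: clean"; else echo "after: still exposed"; fi
    # A 0500 directory cannot have entries removed, so restore w before cleanup.
    chmod -R u+w "$tmp" && rm -rf "$tmp"
}
demo
```

To use it on a real bundle, call `lock_vpn_dir ~/vpn-stuff/vpn-files` and then `check_vpn_perms ~/vpn-stuff/vpn-files`; NetworkManager only needs read access to the .ovpn and .p12 files, so 0400 is enough.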

Click Network Manager icon -> VPN connections -> Configure VPN -> Import -> Choose the unzipped .ovpn file.  Everything except username and the two password boxes should be filled in, enter the user credentials you chose on pfsense and enter the same password again for the "private key password".  The three file pickers were all pointed at the same .p12 file - this is ok.

Remember that weird stuff might happen if you try to connect to the VPN while the client is already on the LAN that the VPN leads into.  To test, I just shut down the Android VPN client, created a wifi hotspot with my phone, attached to that with my laptop, and then connected just the laptop to the home VPN.

Hope it works for you!

1 comment:

  1. Does this work with the latest pfSense, and can you send me the link to download the latest pfSense ISO image?
