How to configure OpenVPN shared key tunnels using pfSense and OpenWRT.


9 Dec 2013 (3 years and 8 months ago)



Ver. 1.0 (11.1.2006)
Author: Ville Leinonen

Intro
In this document I try to explain how to configure SSL-based site-to-site tunnels using pfSense /1/ and
OpenWRT /2/. In this example I use a shared key, because it is the easiest way to set up a site-to-site
tunnel. The drawback is that I can use only one tunnel per key, but that is enough for me. This document
assumes that the reader has some experience with pfSense and OpenWRT.

Environment

Below is a picture of the example environment for this document. The WAN address for pfSense is one I
made up.


Picture 1. Example network environment.

Home office: LAN: 10.0.0.0/24
WAN: dhcp
Tun0: 10.0.8.2

pfSense: LAN: 192.168.0.0/24
WAN: 212.212.212.1
Tun0: 10.0.8.1

Generating key

You must generate a shared static key.

Step 1. Open an SSH session to your pfSense firewall.
Step 2. Select 8 and press Enter.

pfSense console setup
***********************
0) Logout (SSH only)
1) Assign Interfaces
2) Set LAN IP address
3) Reset webConfigurator password
4) Reset to factory defaults
5) Reboot system
6) Halt system
7) Ping host
8) Shell
9) PFtop
10) Filter Logs
11) Restart webConfigurator

Enter an option: 8

Step 3. Generate the key
# openvpn --genkey --secret /tmp/myshared.key

Example key:
# more /tmp/myshared.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

Step 4. Copy the key to your computer.
Step 5. Delete the generated key file.
# rm /tmp/myshared.key
Step 6. Log out of the shell
# exit
Step 7. Choose 0 and press Enter.

Setup pfSense

This document assumes that you have an existing and working pfSense environment.


Step 1. Select the OpenVPN link.

Step 2. Click the “Add new server” button.

Step 3. Create the OpenVPN server.

- Protocol: TCP (the transport protocol for the tunnel)
- Local port: 1194 (the port the server listens on)
- Address pool: 10.0.8.0/24 (the client gets its tun0 address from this pool)
- Cryptography: BF-CBC (128-bit) (the cipher used for the tunnel)
- Authentication method: Shared key (paste your generated key here)
- LZO compression: tick this box
- Description: OPTIONAL, insert a tunnel description
- Click Save.

Step 4. Select Rules.

Step 5. Select “Add new rule”.

Step 6. Add a rule to allow OpenVPN tunnel traffic.

- Action: Pass (allow the traffic)
- Interface: WAN (select the interface/address your client connects to)
- Protocol: TCP
- Log: tick this box (yes, we want to log this traffic)
- Destination port range: 1194 (allow OpenVPN tunnel connections)
- Description: OPTIONAL, insert a rule description
- Click Save

Setup OpenWRT

This document assumes that you have a working OpenWRT environment.
This document assumes that you have updated your OpenWRT package list and have access to backports.

Step 1. Open an SSH session to your OpenWRT box.
Step 2. Paste your key into a file in the /etc/openvpn directory. (OpenWRT uses the vi editor; see the vi help /3/.)
# vi /etc/openvpn/myshared.key
- Inside vi press Esc and then i
- Paste your key
- Press Esc
- Type :wq! and press Enter
Step 3. Create the configuration file in the /etc/config/ directory

dev tun0                          # Use tunnel interface tun0
proto tcp-client                  # Connect to the server over TCP
keepalive 10 60                   # Ping every 10 s; restart the tunnel after 60 s without a reply
persist-tun                       # Keep the tun device open across restarts
persist-key                       # Keep the key in memory across restarts
ifconfig 10.0.8.2 10.0.8.1        # Local and remote tun0 addresses
route 192.168.0.0 255.255.255.0   # Route to the corporate network behind pfSense
remote 212.212.212.1 1194         # OpenVPN server address and port
resolv-retry infinite             # Keep retrying name resolution (road-warrior option)
nobind                            # Do not bind to a specific local port
mute-replay-warnings              # Silence duplicate-packet warnings, common on WLAN
secret /etc/openvpn/myshared.key  # Location of the shared static key
comp-lzo                          # Enable LZO compression (must match the server)
verb 3                            # Log verbosity

Example. myopenvpn.cfg file

Step 4. Create a startup script in the /etc/init.d directory.

#!/bin/sh
# This file must be executable so that it is run at boot
# Make sure that the tun module is loaded
insmod tun
# Start the OpenVPN daemon with the configuration file from Step 3
openvpn --daemon --config /etc/config/myopenvpn.cfg --ifconfig-nowarn
# Allow traffic arriving from the tunnel /4/
iptables -A INPUT -i tun+ -j ACCEPT
# Allow forwarding of traffic coming from the tunnel
iptables -A FORWARD -i tun+ -j ACCEPT
# Allow forwarding of traffic from the br0 (LAN) interface to the tunnel
iptables -A FORWARD -i br0 -o tun+ -j ACCEPT

Example. S98openvpn file

Step 5. Restart your OpenWRT box and watch your pfSense firewall and OpenVPN logs.

There should be something like this (newest entry first):
Jan 11 12:52:47 openvpn[9494]: Initialization Sequence Completed
Jan 11 12:52:46 openvpn[9494]: Peer Connection Initiated with xxx.xxx.xxx.xxx:4356
Jan 11 12:52:46 openvpn[9494]: TCPv4_SERVER link remote: xxx.xxx.xxx.xxx:4356
Jan 11 12:52:46 openvpn[9494]: TCPv4_SERVER link local (bound): [undef]:1194
Jan 11 12:52:46 openvpn[9494]: TCP connection established with xxx.xxx.xxx.xxx:4356
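The two ends only come up if the settings chosen on pfSense and the lines written on OpenWRT agree (protocol, port, compression, cipher, tun addresses inside the pool) and if the pasted key survived the copy intact. The Python script below is an added example, not part of the original document, that checks the client config from Step 3 against the pfSense settings from "Setup pfSense" and validates the shape of a V1 static key file. The PFSENSE_SERVER dictionary and the message strings are my own construction, and the script assumes that a client with no cipher line uses OpenVPN's historical default, BF-CBC.

```python
import ipaddress
import re
# Server settings chosen in the pfSense GUI ("Setup pfSense", Step 3); constructed from this page.
PFSENSE_SERVER = {"proto": "tcp", "port": 1194, "pool": "10.0.8.0/24",
                  "cipher": "BF-CBC", "comp_lzo": True}
# The relevant lines of the OpenWRT client config from Step 3, embedded as sample input.
CLIENT_CONFIG = """\
proto tcp-client
ifconfig 10.0.8.2 10.0.8.1
remote 212.212.212.1 1194
secret /etc/openvpn/myshared.key
comp-lzo
"""
BEGIN, END = "-----BEGIN OpenVPN Static key V1-----", "-----END OpenVPN Static key V1-----"
def parse_config(text):
    """Map each OpenVPN option to its argument list; '#' comments and blank lines are dropped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def check_static_key(text):
    """Return a problem string for a V1 static key file, or None if it looks intact after pasting."""
    body = [l for l in text.splitlines() if l and not l.startswith("#")]
    if len(body) != 18 or body[0] != BEGIN or body[-1] != END:
        return "expected BEGIN/END markers around exactly 16 key lines"
    if not all(re.fullmatch(r"[0-9a-f]{32}", l) for l in body[1:-1]):
        return "each key line must be 32 lowercase hex characters (16 x 128 = 2048 bits)"
    return None

def check_client(text, server=PFSENSE_SERVER):
    """List mismatches between a client config and the server settings; [] means consistent."""
    c = parse_config(text)
    remote, pool = c.get("remote", []), ipaddress.ip_network(server["pool"])
    port = int(remote[1]) if len(remote) > 1 else 1194  # OpenVPN's default port when omitted
    checks = [
        ((c.get("proto") or ["udp"])[0] == ("tcp-client" if server["proto"] == "tcp" else "udp"),
         "proto must match the server protocol"),
        (bool(remote) and port == server["port"], "remote must name the server and port %d" % server["port"]),
        # Assumption: no 'cipher' line means OpenVPN's historical default, BF-CBC.
        ((c.get("cipher") or ["BF-CBC"])[0] == server["cipher"], "cipher differs from the server"),
        (("comp-lzo" in c) == server["comp_lzo"], "comp-lzo must be set on both ends or on neither"),
        ("secret" in c, "shared-key mode needs a 'secret' line"),
        (all(ipaddress.ip_address(a) in pool for a in c.get("ifconfig") or ["0.0.0.0"]),
         "ifconfig addresses must lie in the server pool %s" % pool),
    ]
    return [msg for ok, msg in checks if not ok]
```

Current OpenVPN releases default to AES-256-GCM and warn when a 64-bit block cipher such as BF-CBC is configured, so the cipher value on both ends is worth revisiting on anything newer than the versions this document was written for.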

Links
/1/ http://www.pfsense.com
/2/ http://www.openwrt.org
/3/ http://unixhelp.ed.ac.uk/vi/index.html
/4/ http://www.netfilter.org