
Budman - Thanks for doing that for me. I have disabled your account for now; always handy to have it there just in case I need any help in the future.

I am just trying to find a client to use for the Mac and then I will give it a go.

Next job, once I verify that the connection works, is to set up the shares I require. When I am connected via VPN, am I right in thinking that I should be able to remote into computers on my network?

Yes, once you're in, you should be able to access anything on your network just like you were there, just a bit slower. You might have to use IP or FQDN to access - you didn't have netbios enabled.

Check out the http://www.thesparklabs.com/viscosity/ client - it's for Mac. I don't think it's free though.

You might have to change your LAN rules to be able to access stuff? I didn't look at them. I pinged your .250 box (see my post with the output of that); it answered. So sure, you should be able to remote desktop to anything.

You might have to set any host firewalls to allow access from your VPN network, that 10.0.200 one.

The CA can be exported via the export package. If you grab the archive it will have all the keys you need, and the CA; if you grab the inline, it will be embedded into the .ovpn file. Or you can download it from your Certificate Manager on pfSense - but I would suggest you just grab it with the archive off the export package.

I would have to double check, but I believe the .p12 file in the archive is what you're talking about.

edit: I am going to have to refresh my memory on the need for the CA key. Are you using it for the Viscosity client? If you grab the Viscosity bundle off the export - I just checked downloading that from mine - it includes ca.crt.

edit2: OK, I just grabbed the inline off of mine, and yeah, the CA is there:

<ca>
-----BEGIN CERTIFICATE-----
<snipped>
-----END CERTIFICATE-----
</ca>

edit: Yeah, just double checked: that .p12 file has all the crts in it, the CA is in there. Which is why you don't see a ca.crt; it defaults to using that. I think you can change that setting though.. let me look.

edit: OK, from a quick look at the GUI it doesn't look like you can change that setting for OpenVPN - but that .p12 file has the private key, the local cert and the CA cert in it.

YES!

I finally have it working. I have managed to remote into the network from my laptop, and I have just attempted to remote into my weather station, .250, which also worked.

Need to set up my shares and see if I can get them to work next; might need some help with firewall rules though, if you would be so kind.

Are you running host firewalls on your other devices? If so you would have to allow traffic on the ports you want from the 10.0.200 network. Also, I have changed my pfSense LAN rule to be any vs lan net. I was having issues doing something with VPN clients, which I don't recall exactly now, and changing it to any for the LAN interface rules fixed it.

[attached screenshot: pfSense LAN firewall rules]

See my note and how the lan source is * vs lan net, I don't recall exactly why now though. Something was not working, I would have to set it back to see what doesn't work to refresh my memory. But I do recall changing source for something I was trying to do - which now works, just don't recall what it was ;)

edit: as to shares working over the VPN, yeah, they work just fine - you might want to allow netbios in your OpenVPN config. And you most likely have to auth, but see, I am here at work, and I can access shares off my home workstation:

D:\>net view \\i5-w7
System error 5 has occurred.

Access is denied.

D:\>net use \\i5-w7\ipc$ /u:i5-w7\budman
The password or user name is invalid for \\i5-w7\ipc$.

Enter the password for 'i5-w7\budman' to connect to 'i5-w7':
The command completed successfully.

D:\>net view \\i5-w7
Shared resources at \\i5-w7

Share name   Type   Used as  Comment
-------------------------------------------------------------------------------
Deskjet6500  Print           HP Deskjet 6500 Series
test         Disk
The command completed successfully.

Just had to auth - since my workstation is not using a budman account ;) with same password.

edit: Also what are the details of your weatherstation - I have been thinking of setting one up, curious what yours is and what you do with it, etc. etc..

I'm running IPv6, that's what breaks it up.. See your rule above your block from source 192.168.33.252, that is your LAN allow.

I don't see how that block is working though, because 192.168.33.252 falls into your lan net, and would be allowed access before it hits the block. If you want to block that IP from using the internet on TCP, then you need to put that above your lan net rule.

And you really have duplicate rules there, one with lan net as source (which is your 192.168.33.0/24) and then that last rule which is any any. And your rules for 45631 and 21 are also not needed since they would fall under that lan net rule. Unless they were coming from different network than your lan net?

Rules go down in order from the top; the first rule that hits is the one that is applied, be it allow or block. Notice in my LAN rules the ones for the .41 address - I allow it access only to the websense stuff, then I block its access for anything else! So if say .23 comes in, he goes past all those rules until he hits my allow rule.

Again, not sure why you have 2 rules there

Unless you have something with UDP going on, you let anything out TCP. Then next rule is anything *, so that would include tcp and udp coming from your lan net can go anywhere.

You really only need one rule. I'm now not sure on the details, but like I said, for something I was trying to do with VPN I changed the default rule from lan net to *, which is kind of like the rule you have above the lan net rule, only you changed proto to TCP only - not sure why?
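A small first-match rule evaluator, added here as an illustration (not code from the thread or from pfSense), models the ordering point made above: the rules and addresses are constructed from the discussion (192.168.33.0/24 as lan net, .252 as the host being blocked, the 21 and 45631 port rules), and the shadow check flags rules that an earlier, broader rule prevents from ever matching.

```python
from ipaddress import ip_address, ip_network
ANY = "*"
LAN_NET = "192.168.33.0/24"  # the OP's lan net, per the thread

# Rule = (action, proto, source, destination, dest_port, description).
# pfSense evaluates first-match from the top; no match means default deny.

def _in_net(net, addr):
    return net == ANY or ip_address(addr) in ip_network(net, strict=False)

def _net_covers(broad, narrow):
    """True if every address in 'narrow' is also in 'broad'."""
    if broad == ANY or narrow == ANY:
        return broad == ANY
    return ip_network(narrow, strict=False).subnet_of(ip_network(broad, strict=False))

def evaluate(rules, proto, src, dst, dport):
    """(action, description) of the first matching rule, else the default deny."""
    for action, r_proto, r_src, r_dst, r_port, desc in rules:
        if (r_proto in (ANY, proto) and r_port in (ANY, dport)
                and _in_net(r_src, src) and _in_net(r_dst, dst)):
            return action, desc
    return "block", "default deny"

def shadowed_rules(rules):
    """Rules that can never fire: an earlier rule matches everything they would."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier[1] in (ANY, later[1]) and earlier[4] in (ANY, later[4])
                    and _net_covers(earlier[2], later[2])
                    and _net_covers(earlier[3], later[3])):
                dead.append(later[5])
                break
    return dead

# Constructed approximation of the LAN tab the OP posted: the .252 block sits
# below the broad lan-net allows, and the port-specific allows duplicate them.
ORIGINAL = [
    ("pass", "tcp", LAN_NET, ANY, ANY, "allow lan net tcp"),
    ("pass", ANY, LAN_NET, ANY, ANY, "allow lan net any"),
    ("pass", "tcp", LAN_NET, ANY, "21", "allow ftp"),
    ("pass", "tcp", LAN_NET, ANY, "45631", "allow 45631"),
    ("block", "tcp", "192.168.33.252", ANY, ANY, "block .252 internet"),
]
# Corrected order: the specific block first, then a single lan-net allow.
CORRECTED = [
    ("block", "tcp", "192.168.33.252", ANY, ANY, "block .252 internet"),
    ("pass", ANY, LAN_NET, ANY, ANY, "allow lan net any"),
]
```

Running `shadowed_rules(ORIGINAL)` lists the two port rules and the .252 block as dead, while `shadowed_rules(CORRECTED)` is empty and `.252` is only blocked in the corrected order.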

Again, not sure why you have 2 rules there

Unless you have something with UDP going on, you let anything out TCP. Then next rule is anything *, so that would include tcp and udp coming from your lan net can go anywhere.

I have removed this, see my updated post below.

You really only need one rule. I'm now not sure on the details, but like I said, for something I was trying to do with VPN I changed the default rule from lan net to *, which is kind of like the rule you have above the lan net rule, only you changed proto to TCP only - not sure why?

I know what had happened here: when I was reading your rules table I saw that it said IPv4*, I got confused and thought that this was something that it wasn't. It wasn't until later that I found out you were running IPv6, which is why you got those options. I now notice that the IPv4 on my setup is just *, as I am not running IPv6.

[attached screenshot: LAN firewall rules]
