OpenVPN Site 2 MultiSite PKI

Pfsense 2.0.1 – OpenVPN Site 2 MultiSite PKI

Here is a simple howto for a PKI Site 2 MultiSite setup.

Server: Private Subnet 192.168.1.0/24
Client1: Private Subnet 192.168.2.0/24

SERVER SIDE: 192.168.1.0/24 <========> 10.0.8.0/24 <========> CLIENT SIDE: 192.168.2.0/24

SERVER: ++First step Create Certificates (CA, Server Certificate, User Certificate)++

System/Cert Manager

Tab CAs
Create a Certificate Authority (+ sign)

Descriptive name: internal-ca
Method: Create an internal Certificate Authority
Key length: 2048
Lifetime: 3650 days
Country Code: {xx}
State or Province: {xx}
City: {xx}
Organisation: {xx}
Email Address: {xx@xx.xx}
Common Name: internal-ca

click save.

Tab Certificates
Create a Server Certificate (+ sign)

Method: Create an internal Certificate
Descriptive name: internal-server
Certificate authority: internal-ca
Key length: 2048 bits
Certificate Type: Server Certificate
Lifetime: 3650 days
Country Code: {xx}
State or Province: {xx}
City: {xx}
Organisation: {xx}
Email Address: {xx@xx.xx}
Common Name: internal-server

Tab Certificates
Create a User "client" Certificate (+ sign)

Method: Create an internal Certificate
Descriptive name: client1
Certificate authority: internal-ca
Key length: 2048 bits
Certificate Type: User Certificate
Lifetime: 3650 days
Country Code: {xx}
State or Province: {xx}
City: {xx}
Organisation: {xx}
Email Address: {xx@xx.xx}
Common Name: client1

You can repeat the "create user certificate" step for more than one client 😉

SERVER: ++Second step Export Certificates (CA, User Certificate)++

System/Cert Manager

Tab CAs
“export CA cert” of internal-ca
do not export the private key!

Tab Certificate
“export cert” and “export key” of client1

SERVER: ++Third step Setup OpenVPN Server.++

VPN/OpenVPN

Tab Server
create a Server (+ sign)

Disabled: empty
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
Description: Site 2 Site PKI
TLS Authentication: Enable authentication of TLS packets
Automatically generate a shared TLS authentication key.
Peer Certificate Authority: internal-ca
Peer Certificate Revocation List:
Server Certificate: internal-server
DH Parameters Length: 1024 bits
Encryption algorithm: AES-256-CBC (256-bit)
Hardware Crypto:
Certificate Depth: One (Client+Server)
Tunnel Network: 10.0.8.0/24
Redirect Gateway: empty
Local Network: empty
Remote Network: empty
Concurrent connections: empty
Compression: empty
Type-of-Service: empty
Duplicate Connections: empty
Advanced: push "route 192.168.1.0 255.255.255.0";route 192.168.2.0 255.255.255.0;

Click Save

Tab Client Specific Override
create a Client Specific Override (+ sign)
Disabled: empty
Common name: client1
Description: CSO client1
Connection blocking: empty
Tunnel Network: empty
Redirect Gateway: empty
Server Definitions: empty
DNS Default Domain: empty
DNS Servers: empty
NTP Servers: empty
NetBIOS Options: empty
Advanced: iroute 192.168.2.0 255.255.255.0

Click Save
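The server "Advanced" box and the per-client "iroute" override above are the two halves of one routing decision: the server needs a kernel route for each remote LAN, and OpenVPN needs an iroute to know which connected peer owns it. The following script is an added example, not part of the original howto or of pfSense, that generates those directives for several client sites (the second site, its subnet and the ccd file name are assumptions) and checks for the common mistake of a route with no matching iroute.

```python
from ipaddress import IPv4Network

SERVER_LAN = IPv4Network("192.168.1.0/24")
TUNNEL_NET = IPv4Network("10.0.8.0/24")

# Constructed sample: remote sites keyed by certificate Common Name, which is
# what the Client Specific Override is matched on. client2 is hypothetical.
SITES = {
    "client1": IPv4Network("192.168.2.0/24"),
    "client2": IPv4Network("192.168.3.0/24"),
}

def net_mask(net):
    """OpenVPN takes 'network netmask', not CIDR notation."""
    return f"{net.network_address} {net.netmask}"

def server_directives(server_lan=SERVER_LAN, tunnel=TUNNEL_NET, sites=SITES):
    """Global server lines: the 'Advanced' box plus what the Tunnel Network
    field and the CSO tab imply (server, client-config-dir)."""
    lines = [
        f"server {net_mask(tunnel)}",
        "client-config-dir ccd",  # assumed directory name for the CSO files
        f'push "route {net_mask(server_lan)}"',  # every site learns the server LAN
    ]
    # Kernel route into the tunnel for each site LAN; the matching iroute
    # in that site's CSO tells OpenVPN which connected peer owns it.
    lines += [f"route {net_mask(net)}" for net in sites.values()]
    return lines

def ccd_entry(cn, sites=SITES):
    """Per-CN override: claim this site's LAN and push the other sites' LANs
    to it, so the sites reach each other through the server."""
    own = sites[cn]
    lines = [f"iroute {net_mask(own)}"]
    lines += [f'push "route {net_mask(net)}"'
              for other, net in sites.items() if other != cn]
    return lines

def routes_missing_iroute(server_lines, ccd_map):
    """A 'route' on the server with no 'iroute' in any CSO means the server
    knows the LAN is behind the tunnel but not behind which client.
    Returns the offending 'network netmask' strings."""
    iroutes = {l.split(" ", 1)[1] for lines in ccd_map.values()
               for l in lines if l.startswith("iroute ")}
    return [l.split(" ", 1)[1] for l in server_lines
            if l.startswith("route ") and l.split(" ", 1)[1] not in iroutes]
```

Site-to-site traffic between two client LANs still passes the server's OpenVPN interface, so it depends on the firewall rule on that tab described at the end of the howto.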

CLIENT: ++Step Four Import Certificates (CA, User Certificate)++

System/Cert Manager

Tab CAs
Import a Certificate Authority (+ sign)
Descriptive name: internal-ca
Method: Importing an existing Certificate Authority
Certificate data: copy/paste this from the exported internal-ca.crt (open with notepad)

Click Save.

Tab Certificates
Import a User Certificate (+ sign)
Method: Importing an existing Certificate
Descriptive name: client1
Certificate data: copy/paste this from the exported client.crt (open with notepad)
Private key data: copy/paste this from the exported client.key (open with notepad)

Click Save.

CLIENT: ++Step Five Setup OpenVPN Client.++

VPN/OpenVPN

Tab Client
Create a Client connection (+ sign)

Disabled: empty
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: empty
Server host or address: WAN address of server.
Server port: 1194
Proxy host or address: empty
Proxy port: empty
Proxy authentication extra options: none
Server host name resolution: empty
Description: Site 2 Site PKI
TLS Authentication: Enable authentication of TLS packets.
Automatically generate a shared TLS authentication key: empty
Copy/paste shared key (from server connection) here.
Peer Certificate Authority: internal-ca
Client Certificate: client1
Encryption algorithm: AES-256-CBC (256-bit)
Hardware Crypto: empty
Tunnel Network: 10.0.8.0/24
Remote Network: empty
Limit outgoing bandwidth: empty
Compression: empty
Type-of-Service: empty
Advanced: empty

Click Save.

Remember to open the client/server firewall.
Firewall/Rules
Tab OpenVPN
Create rule: pass, any, any, any

Open UDP port 1194 on the server firewall on the WAN interface.

All done 😉
