
Installing and Configuring OpenVPN Server on CentOS using Webmin (part 4)

September 4th, 2011 Posted in Linux, network, Security



Configuring pfSense as OpenVPN client for site-to-site VPN

[Screenshot: pfsense]

In this section, we discuss the client side of the OpenVPN site-to-site configuration. On the client side, I use pfSense as the firewall, web proxy, and VPN gateway that connects to the HO through a site-to-site VPN with the OpenVPN server.

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. It is a powerful, flexible firewalling and routing platform that is easy to configure. You can download pfSense from pfsense.org.

In this configuration, two network interface cards are used in the pfSense box. One interface is connected to the internet, and the other is connected to the LAN and serves as the default gateway for the LAN.

[Screenshot: pfsense1]

Here are the steps to configure pfSense as an OpenVPN client acting as the VPN gateway:

Go to the VPN menu and click on OpenVPN.

[Screenshot: pfsense2]

In the OpenVPN page, click on the Client tab.

[Screenshot: pfsense3]

To add a new VPN client tunnel configuration, click the + button on the OpenVPN client page, then fill in the requested fields on the OpenVPN client edit page.

In the Server address field, fill in the public IP address of the OpenVPN server.

In the Server port field, fill in the same port that the OpenVPN server listens on.

In the Cryptography field, select the same cryptographic algorithm (cipher) that is configured on the OpenVPN server.

Before we can fill in the CA certificate, Client certificate and Client key fields, we need to export the files from the OpenVPN server. In Webmin on the OpenVPN server, go to Server -> OpenVPN +CA and click on VPN List. In the VPN Server list page, click on Client List for the VPN server. In the client list, click the export link of the selected client.

[Screenshot: export-client]

When we export the VPN client configuration files, we get one zip file with several files inside it. For example, for a client named site-1, we get site-1.zip. It contains the CA certificate, the client certificate and the client key (ca.crt, site-1.crt and site-1.key), as shown below.

[Screenshot: export-client2]

To fill in the CA certificate field, open ca.crt in a text editor, copy its contents and paste them into the CA certificate field. To fill in the Client certificate field, do the same with site-1.crt. To fill in the Client key field, do the same with site-1.key. When finished with the requested fields, click Save.

The VPN client tunnel configuration will look like the picture below.

[Screenshot: pfsense4]

In order for the VPN clients to resolve names from the internal DNS server in the HO, we need to configure the DNS forwarder service and specify an authoritative DNS server to be queried for the internal domain/zone. To configure the DNS forwarder service, go to the Services menu and click on DNS forwarder.

[Screenshot: pfsense5]

In the Services: DNS forwarder page, put a check mark on Enable DNS forwarder. Then click on the + button under Domain override.

[Screenshot: pfsense6a]

In the Services: DNS forwarder: Edit Domain Override page, fill in the domain name and the IP address of the DNS server in the HO, then click Save.

With all of the configuration in place, the OpenVPN client on the pfSense box will start connecting to the OpenVPN server and establish the VPN tunnel. Once the tunnel is established, all clients in site-1 behind the pfSense box can access the resources in the HO that are allowed for them.
