Scribd Logo
Hochladen

Willkommen bei Scribd!

  • PFSense and OpenWRT

    Hochgeladen von

    Yahya Nursalim
    931 Ansichten6 Seiten
    In this example I use shared key, because it's easiest way to set up site-to-site tunnels using pfSense / 1 / and OpenWRT / 2 /. Bad thing for this is that I can use only one tunnel / key, but it's enough for me.

    Originalbeschreibung:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Verfügbare Formate

    PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    In this example I use shared key, because it's easiest way to set up site-to-site tunnels using pfSense / 1 / and OpenWRT / 2 /. Bad thing for this is that I can use only one tunnel / key, but it's enough for me.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    931 Ansichten6 Seiten

    PFSense and OpenWRT

    Hochgeladen von

    Yahya Nursalim
    In this example I use shared key, because it's easiest way to set up site-to-site tunnels using pfSense / 1 / and OpenWRT / 2 /. Bad thing for this is that I can use only one tunnel / key, but it's enough for me.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 6

    How to configure OpenVPN shared key tunnels using pfSense and OpenWRT.

    Ver. 1.0 (11.1.2006)


    Author: Ville Leinonen

    Intro
    In this document I try to explain how to configure ssl-based site-to-site tunnels using pfSense /1/ and
    OpenWRT /2/. In this example I use shared key, because it’s easiest way to set up site-to-site
    tunnel. Bad thing for this is that I can use only one tunnel/key, but it’s enough for me. This document
    assume that reader have some experience how to use pfSense and OpenWRT.

    Enviroment

    Bellow is picture for this document example environment. WAN address for pfSense is picked up in
    my head.

    Picture 1. Example network environment.

    Home office: LAN: 10.0.0.0/24


    WAN: dhcp
    Tun0: 10.0.8.2

    pfSense: LAN: 192.168.0.0/24


    WAN: 212.212.212.1
    Tun0: 10.0.8.1

    Generating key

    You must generate shared static key.

    Step 1. Take ssh session to your pfSense firewall.


    Step 2. Select 8 and press enter.

    pfSense console setup


    ***********************
    0) Logout (SSH only)
    1) Assign Interfaces
    2) Set LAN IP address
    3) Reset webConfigurator password
    4) Reset to factory defaults
    5) Reboot system
    6) Halt system
    7) Ping host
    8) Shell
    9) PFtop
    10) Filter Logs
    11) Restart webConfigurator

    Enter an option: 8
    Step 3. Generate key
    # openvpn --genkey --secret /tmp/myshared.key

    Example key:
    # more /tmp/myshared.key
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    ef9b9f0bff2268eb3966d6a408398db1
    f7e6f9823402c76560d1ce25b8d46be4
    1c58e656d2e7633d2481e74b9e328618
    3c9e6a7528a46b2474bc08838ae19a4c
    7f19878bd381cf8cfb0c4dc14fa52622
    7360921e50710d0af689476388df0a25
    54e1e86b2c9fcc4139dba763b97861bc
    36cd477c6f293e8ca07e1bffaba697bf
    948b65c213c5747cf0645fb7886bac4b
    893953f697640dff961b95cfd8d2c0f3
    ef976540e9c004ed72494648462496be
    969a70e7d53910f3415f8d829bdb192e
    b4aad90e91baec25cac0b260205823e9
    e945938896fdd9d33a56c44b90cbd5ce
    0d0373923e2cdd33192fdfb4d06399fd
    9eb0321402aadb116004721c5249ce61
    -----END OpenVPN Static key V1-----

    Step 4. Copy key into your computer.


    Step 5. Delete generated key file.
    # rm /tmp/myshared.key
    Step 6. Logout
    # exit
    Step 7. Choose 0 and press enter.

    Setup pfSense

    This document assumes that you have existing and working pfSense environment.

    Step 1. Select OpenVPN link.

    Step 2. Select add “new server button”.


    Step 3. Create OpenVPN server.

    - Protocol : TCP (this is communication protocol)


    - Local port 1194 (server listens this port)
    - Address pool: 10.0.8.0/24 (client takes tun0 address from this pool)
    - Cryptography: BF-CBC (128-bit) (we use this cryptography cipher algorithm)
    - Authentication method: Share key (paste here your generated key)
    - LZO compression (put mark for this)
    - Description: OPTIONAL Insert tunnel description
    - Click Save.
    Step 4. Select Rules.

    Step 5. Select “Add new rule”.


    Step 6. Add rule to allow OpenVPN tunnel traffic.

    - Action: Pass (allow traffic)


    - Interface: WAN (select WAN interface if your client connects this interface/address)
    - Protocol: TCP
    - Log: Put mark here (Yes we want to log this traffic)
    - Destination port range: 1194 (allow OpenVPN tunnel connections)
    - Description: OPTIONAL Insert rule description
    - Click Save
    Setup OpenWRT

    This document assumes that you have working OpenWRT environment.


    This document assumes that you have update your OpenWRT packages list access to backports.

    Step 1. Take ssh session to your OpenWRT box.


    Step 2. Paste your key file /etc/openvpn directory. (OpenWRT use vi editor. vi help /3/)
    # vi /etc/openvpn/myshared.key
    - Inside vi press Esc and then i
    - Paste your key
    - Press Esc
    - Write :wq! and press enter
    Step 3. Generate configuration file to /etc/config/ directory

    dev tun0 # Generate/use tunnel 0


    proto tcp-client # Use tcp
    keepalive 10 60 # Some ping like messages
    persist-tun # Some persist options
    persist-key # Some persist options
    ifconfig 10.0.8.2 10.0.8.1 # Tun0 ip-address
    route 192.168.0.0 255.255.255.0 # Route for corporate network
    remote 212.212.212.1 1194 # OpenVPN server address
    resolv-retry infinite # Some Road warrior stuff
    nobind # We don’t need to specific port number
    mute-replay-warnings # Some WLAN stuff
    secret /etc/openvpn/myshared.key # Where our secret file is located
    comp-lzo # Enable compression
    verb 3 # Log verbosity

    Example. myopenvpn.cfg file

    Step 4. Generate startup script for /etc/init.d directory.

    # Make sure that tun module is loaded


    insmod tun
    # Start OpenVPN daemon
    openvpn --daemon --config /etc/config/openvpn.oma --ifconfig-nowarn
    # Allow traffic to tunnel /4/
    iptables -A INPUT -i tun+ -j ACCEPT
    # Allow forwarding traffic from tunnel
    iptables -A FORWARD -i tun+ -j ACCEPT
    # Allow forwarding traffic from br0 interface to tunnel
    iptables -A FORWARD -i br0 -o tun+ -j ACCEPT

    Example. S98openvpn file

    Step 5. Restart your OpenWRT box and watch your pfSense firewall and OpenVPN logs.

    There should be something like this


    Jan 11 12:52:47 openvpn[9494]: Initialization Sequence Completed
    Jan 11 12:52:46 openvpn[9494]: Peer Connection Initiated with xxx.xxx.xxx.xxx:4356
    Jan 11 12:52:46 openvpn[9494]: TCPv4_SERVER link remote: xxx.xxx.xxx.xxx:4356
    Jan 11 12:52:46 openvpn[9494]: TCPv4_SERVER link local (bound): [undef]:1194
    Jan 11 12:52:46 openvpn[9494]: TCP connection established with xxx.xxx.xxx.xxx:4356

    Links
    /1/ http://www.pfsense.com
    /2/ http://www.openwrt.org
    /3/ http://unixhelp.ed.ac.uk/vi/index.html
    /4/ http://www.netfilter.org

    Das könnte Ihnen auch gefallen