Solved: Simple VPN: need advice

aragats

Daemon

Reaction score: 766
Messages: 1,664

What would be the easiest way to provide access to the "End devices" in the picture? I need access to just a few TCP/IP ports.

I can use SSH port forwarding, maybe using security/autossh to make it persistent (in pfSense?). Would it be reliable? A fully functional VPN may be overkill for this case (are there good how-tos for FreeBSD anyway?).

Thanks for the advice!

vpn.png
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 13,892
Messages: 40,608

OpenVPN is fairly easy to set up. Howtos are plentiful and don't need to be specifically for FreeBSD; OpenVPN is configured exactly the same way on Linux, so you can use those howtos too. The only real differences are the locations of the configuration files and perhaps the names of the interfaces.
 

ShelLuser

Son of Beastie

Reaction score: 2,146
Messages: 3,802

I'd like to add another vote for security/openvpn. I've been using it for quite some time now and it can perform some amazing tasks; I even managed to get it working through IPv6 <=> IPv4 gateways (my DSL connection is IPv6 and I'm connected to an IPv4 VPN, using the full certificate protection setup).

But what I liked best about it is how you can manage to connect it to already existing VPNs, as well as get Windows clients to connect to it.

And if you have issues then security/openvpn-admin might be able to help too, though I'm personally not much of a fan regarding front-ends when it comes to security issues.
 

Deleted member 9563

Guest


I've used OpenVPN for a few years now. Like SirDice says, it's pretty simple to set up. Look on the OpenVPN site and there's a <a href="https://openvpn.net/index.php/open-source/documentation/howto.html">very nice how-to</a>. The main configuration file in FreeBSD is /etc/openvpn/client.conf. It just needs a few lines. Make sure you specify IP addresses in a non-routable range. In case you're interested, here is my client.conf file:
Code:
dev tun0
proto udp
secret static.key
comp-lzo
verb 3
ifconfig 172.xx.xx.1 172.xx.x.2
redirect-gateway def1
remote xxx.xxx.xxx. xxx

PS: sorry, I can't really figure out the esoteric codes for this site. HTML is an internet standard, and this is a professional forum, so I'll use that for my link. :)
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 13,892
Messages: 40,608

The main configuration file in FreeBSD is /etc/openvpn/client.conf.
Erm, /usr/local/etc/openvpn/openvpn.conf by default actually.
 
aragats (OP)

Daemon

Reaction score: 766
Messages: 1,664

Thanks, guys!
Yesterday I followed this howto; the OpenVPN server works fine on the VPS, and a client works on my notebook.
I've created a client on pfSense, but it cannot connect. I probably missed something; I will continue today.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 13,892
Messages: 40,608

I've created a client on pfSense, but it cannot connect. I probably missed something; I will continue today.
Make sure the firewall allows outgoing connections to UDP port 1194.
 
aragats (OP)

Daemon

Reaction score: 766
Messages: 1,664

From the pfSense log:
Code:
If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache
I guess there is no such thing in the webConfigurator; I'm afraid that if I add it manually to the config, it may get lost later.
But, generally speaking, is it necessary to have passphrase-protected keys? I used Easy-rsa, and it forces you to go that way.
 

Oko

Daemon

Reaction score: 799
Messages: 1,620

What would be the easiest way to provide access to the "End devices" in the picture? I need access to just a few TCP/IP ports.

I can use SSH port forwarding, maybe using security/autossh to make it persistent (in pfSense?). Would it be reliable? A fully functional VPN may be overkill for this case (are there good how-tos for FreeBSD anyway?).

Thanks for the advice!

The reason I didn't get into the discussion was that I am confused by your network topology. You also didn't tell us what your end device is. Is it a UNIX/UNIX-like workstation, Windows, or some kind of Android or other handheld device (even Roku)?

In general your choices are SSH, L2TP/IPsec, OpenVPN, PPTP, tinc, poptop, ocserv (open source server implementing the AnyConnect SSL VPN protocol), mlvpn. I have worked with most of those things. IIRC pfSense comes with pre-installed, semi-configured OpenVPN, L2TP/IPsec, and PPTP (PPTP should never be used in this day and age).

If your end device is a UNIX-like workstation, then for a connection which should last up to a week SSH is perfectly fine. If you need a VPN connection which will be stable for many months, possibly years, OpenVPN (which we use in my lab to isolate our desktop machines from the rest of our university infrastructure) is a good choice, and a connection, once established, is generally stable up to 6 months, when I typically upgrade our OpenVPN server which runs on OpenBSD.

L2TP/IPsec is the way to go with Windows clients, less so with Linux/FreeBSD (I am not a fan of OpenSWAN). Setting up an L2TP/IPSec server on OpenBSD is a 10-minute thing. I am not sure about FreeBSD.

I have never played with ocserv but I have long experience with Cisco VPN appliances. They are crappy but plug and play, which makes them a first choice where money is not an issue but knowledge is in short supply.

I have heard good things about tinc but never used it in production on a paid job. I have never played with mlvpn.

In general IPSec should be the number one choice if you are connecting routers and creating true private networks with multiple subnets over the Internet. I am not sure how easy it is to set up IPSec on FreeBSD, but on OpenBSD it is a breeze.
 
aragats (OP)

Daemon

Reaction score: 766
Messages: 1,664

Thank you for the advice, Oko!
You also didn't tell us what your end device is.
The reason I didn't tell about the end devices is that I cannot modify their OS/software; those are small ARM computers serving very narrow tasks.
 

Oko

Daemon

Reaction score: 799
Messages: 1,620

Thank you for the advice, Oko!

The reason I didn't tell about the end devices is that I cannot modify their OS/software; those are small ARM computers serving very narrow tasks.
If they are VPN capable they probably come with IPSec stack or possibly OpenSSH.
 

Deleted member 9563

Guest


Erm, /usr/local/etc/openvpn/openvpn.conf by default actually.

I would defer to your superior expertise. However, I don't have any /usr/local/etc/openvpn/ directory. Nor can I find any openvpn.conf file on my computer anywhere. I'm not sure how that happened since I don't recall doing anything special. In any case, the configuration which has worked for me on several installations has defaulted to /etc/openvpn and it works well.
 

Phishfry

Beastie's Twin

Reaction score: 3,219
Messages: 6,348

Generally any 'base software' configuration files go in the /etc/ directory, and any ports and packages configuration files should go in /usr/local/etc.
That said, many programs will work with a configuration file in either location.
 
aragats (OP)

Daemon

Reaction score: 766
Messages: 1,664

However, I don't have any /usr/local/etc/openvpn/ directory. Nor can I find any openvpn.conf file on my computer anywhere.
Yes, they are not there. You have to create them; there are several samples installed in /usr/local/share/examples/openvpn/sample-config-files/.
As I mentioned above, I've followed this howto. It's pretty good, although it targets 10.3. It's missing a couple of minor things, e.g. creating keys not protected with a password: the ca.crt must be created with the nopass option as well. That was my issue with pfSense: it doesn't keep a persistent config file; instead it generates one out of an XML config. Thus there is no way to store that password for the keys. I've regenerated them without a password, and my pfSense OpenVPN client works well now.
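The nopass issue above comes down to one check: before a key goes into pfSense, confirm it is not passphrase-protected, because a daemonised OpenVPN has nobody to answer the --askpass prompt. The script below is an added example, not code from the thread or from the OpenVPN/Easy-RSA projects: it builds an Easy-RSA 3 PKI with unencrypted keys and then scans the PKI for any key that is still encrypted. It assumes security/easy-rsa is installed with easyrsa on PATH; the PKI directory and the names vpn-server and pfsense-client are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build an Easy-RSA 3 PKI whose CA,
# server and client keys carry no passphrase, then verify that before
# the keys are imported into pfSense. Assumes the easyrsa binary is on
# PATH; "vpn-server" and "pfsense-client" are constructed names.

# Generate CA, server and client material with the "nopass" argument so
# no key is encrypted. --batch suppresses interactive confirmations.
build_nopass_pki() {
    pki_dir="$1"
    EASYRSA_PKI="$pki_dir"
    export EASYRSA_PKI
    easyrsa --batch init-pki
    easyrsa --batch build-ca nopass
    easyrsa --batch build-server-full vpn-server nopass
    easyrsa --batch build-client-full pfsense-client nopass
}

# Return 0 (true) if a PEM private key is passphrase-protected, 1 if not.
# Matches both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" form that newer OpenSSL builds emit.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Walk every key under <pki>/private and report the ones that would make
# a daemonised OpenVPN demand --askpass. Returns 0 only if all are clean.
find_encrypted_keys() {
    pki_dir="$1"
    status=0
    for key in "$pki_dir"/private/*.key; do
        [ -f "$key" ] || continue
        if key_is_encrypted "$key"; then
            echo "passphrase-protected: $key"
            status=1
        fi
    done
    return "$status"
}

# Usage: sh this_script.sh build /path/to/pki
if [ "${1:-}" = "build" ]; then
    build_nopass_pki "${2:-$HOME/easyrsa-pki}"
    find_encrypted_keys "${2:-$HOME/easyrsa-pki}" && echo "all keys unencrypted"
fi
```

find_encrypted_keys is the part worth keeping around: run it against any PKI you are about to hand to a box that cannot store a passphrase, and it tells you exactly which files need to be regenerated with nopass.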
 
aragats (OP)

Daemon

Reaction score: 766
Messages: 1,664

If they are VPN capable they probably come with IPSec stack or possibly OpenSSH.
They are commercial devices with weird network settings (for backward compatibility etc.). OpenSSH is installed and enabled. That's why I was thinking of just SSH tunneling (and actually used it for some). The only thing I'm not sure about is how reliably security/autossh would work. Also I need to tunnel the serial consoles of some of them for debugging purposes; comms/ser2net works pretty well. I thought that a pfSense box would be the best and easiest way to take control over all of them.
 
aragats (OP)

Daemon

Reaction score: 766
Messages: 1,664

Everything works! Thanks again!
The final touch was setting up comms/ser2net in pfSense. It "forwards" 2 RS-232 ports to 2 TCP ports.
To run ser2net at boot time I've installed the shellcmd pfSense package.
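For readers who take the SSH-tunnel route instead of (or alongside) OpenVPN, the reliability question raised earlier and the ser2net setup just described fit together in one small script. This is an added example, not code from the thread, from pfSense or from the autossh/ser2net projects. It assumes the pfSense box can reach a VPS by SSH with a dedicated key, that ser2net runs on the pfSense box, and that autossh reverse-forwards the device ports and the ser2net ports onto the VPS loopback, so nothing is listened on publicly. The host vps.example.net, the device address 10.0.0.5, the ports, the key path and the serial device nodes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): persistent SSH reverse forwards
# with security/autossh plus comms/ser2net lines for two RS-232 consoles.
# All hosts, ports, key paths and device nodes are constructed placeholders.

# ssh options that make an unattended, long-lived tunnel behave:
#  - ExitOnForwardFailure: ssh exits (so autossh restarts it) when a
#    forward cannot be bound, instead of running silently without it.
#  - ServerAliveInterval/CountMax: a dead peer is noticed within ~90 s.
#  - BatchMode: never block on a password prompt when started from boot.
#  - a dedicated key, so this tunnel's access can be revoked on its own.
tunnel_ssh_opts() {
    echo "-o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -i /root/.ssh/tunnel_ed25519"
}

# One reverse forward: VPS loopback port -> target host:port behind pfSense.
# Binding to 127.0.0.1 on the VPS keeps the device ports off the VPS's
# public interfaces; you reach them by first sshing to the VPS.
reverse_forward() {
    # $1 port on the VPS, $2 target host, $3 target port
    echo "-R 127.0.0.1:$1:$2:$3"
}

# Assemble the autossh command line for the shellcmd package to run at boot.
# AUTOSSH_GATETIME=0 lets autossh keep retrying even if the very first
# attempt fails (WAN not up yet); -M 0 relies on the ssh keepalives above
# rather than autossh's own echo port.
autossh_cmd() {
    jump="$1"; shift
    fwds=""
    for f in "$@"; do fwds="$fwds $f"; done
    echo "AUTOSSH_GATETIME=0 autossh -M 0 -f -N $(tunnel_ssh_opts)$fwds $jump"
}

# A classic ser2net.conf line: <tcp port>:<state>:<timeout>:<device>:<options>.
# raw = pass bytes through untouched; 600 s idle timeout drops stale sessions.
ser2net_line() {
    # $1 tcp port, $2 serial device node, $3 baud rate
    echo "$1:raw:600:$2:$3 8DATABITS NONE 1STOPBIT"
}

# Usage (printed, not executed, so the script is safe to read through):
if [ "${1:-}" = "show" ]; then
    echo "# ser2net.conf"
    ser2net_line 2001 /dev/cuau0 115200
    ser2net_line 2002 /dev/cuau1 115200
    echo "# shellcmd entry"
    autossh_cmd vps.example.net \
        "$(reverse_forward 8022 10.0.0.5 22)" \
        "$(reverse_forward 2001 127.0.0.1 2001)" \
        "$(reverse_forward 2002 127.0.0.1 2002)"
fi
```

With this in place, "ssh vps.example.net" followed by "telnet 127.0.0.1 2001" on the VPS reaches the first console, and the only inbound exposure on the VPS is its own SSH port; if the WAN flaps, ExitOnForwardFailure plus the keepalives make ssh exit and autossh re-establish every forward.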
 