All right, so we're going to talk about how to set up OpenVPN on pfSense so your Windows box can log back in to your home network or office network, however you want to set this up. Sometimes it's referred to as a road warrior VPN, because it doesn't really care where you're coming from as long as it's authorized by the firewall. Being out on the internet, getting in from a computer and into the LAN side of your network is the goal here. So we have our simulated internet lab, which is the 192.168.3.0/24. So that .3 network is our simulated network. We have a Windows machine here. The goal is to be able to reach this Debian box over here, which is on the 192.168.40 network, or the actual IP address is 40.50. So let me jump into our Windows box here and show you what it has and the routing information. I'm going to walk you through all the steps of how to set this up on a clean install of pfSense. So here's our Windows box, which has the IP address of 192.168.3.152. Here's the route. All I did was a route print to get this, and it shows the current routing table. So it doesn't have any other routing than to the .3 network and being able to get out on the internet. So I'm online, no problem there. But if we try to ping 192.168.40.50, no go, no route to that host. So let's get into OpenVPN and get this set up. So here we have a clean load of pfSense, latest version 2.4.1 as of November 17. We're going to go here to System, Package Manager. Now OpenVPN is built in, but this available add-on tool called the OpenVPN export tool makes your life really easy for deploying OpenVPN. So we'll run this real quick. It installs fairly quickly, at least on my machine it does; it kind of depends on how fast your machine and your internet connection are. So that's installed. Then we're going to go to VPN, OpenVPN. Now this is where it's really handy to use the wizard. So kick off the wizard. We want to choose local user access.
Now the first thing it's actually going to do is create a CA certificate. So this will be my Lawrence Systems. So LTS, country code, I'm in the U.S., I'm actually sitting in Southgate right now, LTS office, I'll throw my email in here. Now it's adding a new CA. This is why it's great to use the wizard; if not, you have to go set up all of these manually. Now that we've created the CA, we're going to create the certificate, LTS VPN, and everything else the same. And if you notice, and I can jump, whoop, can't jump backwards, sorry. When you created this, it actually has a default of a 10-year lifespan for the certificate. You can set this however you want; that way, if you want the certificate to expire, you can set a different time, but it defaults to 10 years. Hopefully within 10 years you've probably upgraded your machine. All right, now it wants to know what interface type: UDP, defaults to the WAN, that's fine. Now we can actually name our VPN; we'll call it test VPN. All this can stay at default. Same here, you can change encryption algorithms and everything else, and whatever you change here does have to match the client, but with the export tool you'll see that all the changes here go into the export tool to make this really easy to do. If you have hardware crypto, you can choose that for your hardware crypto. Tunnel network, you do have to define that; .70.0/24 works. What the tunnel network is on OpenVPN is the tunnel that the machines will connect to. So they have to create a tunnel. These IPs will be assigned to the individual computers connecting to join your network. So what it's going to do, for example, when I connect this Windows machine, it's going to get an IP address in this range. So you can set this to be however you want and scale it to what works for you. So if your network has more than 250 clients, you're going to want to expand this out to an even bigger network, but for the purposes of this, a /24 works just fine.
This is also another option where you can say force all the client traffic through a redirected gateway if you want. That means once they get to the VPN, force everything across; there's also another parameter I believe you need to add to Windows, and I'll get to that when we look at the client config. Local networks. You have to specify what local networks you want them to have access to. So if we want them to have access to this local network, which happens to be 40.0/24, you put that in here. If you have more than one, you would put that in there as well. And you only need to put the ones you want them to have access to in here. So maybe you have multiple networks, but you only want them to get to one; you can set it up that way. Or maybe you have a special network because you want an outside developer in your network coming in. You can specify the only network that that person can get to. And what this does is push the route back across their connection. So we're just going to leave this one so it has a route to this. Number of concurrent connections. This is optional, if you want to allow multiple connections to the server or limit how many connections can come to the server. DNS servers: if you're doing something like redirected gateway, you have to make sure that you specify your internal or some other external servers, because if you do redirect all the traffic, you also need to give them a gateway, not a gateway, but a DNS entry, so they're able to look up domain names when they're on there. So you either specify internal, and this is also handy if you need them because of Active Directory reasons, you can specify your AD servers internally for this. So when Windows connects through OpenVPN, then it can come through and talk to the proper DNS servers for DNS resolution, or throw the OpenDNS server in here.
If you want to use NetBIOS over this, it has the option if you check the box; we're not going to do that for the sake of this discussion. And once you get to the bottom, you have all the advanced features. So if you have some special parameters you wanted to throw in there, they get pushed across. So that's it for all the settings; we're going to hit next. I mistyped the tunnel network. If you mistype it, it won't work. It does have some sanity checks. So it's just a typo there. Check these two boxes here. These automatically create the firewall rules for you, so you don't have to. Next, finish. Now we're almost done. And I say almost because there's a setting here. So there's different ways you can do this. You can do remote user access, or remote user auth with SSL. With SSL means you can do a per-user certificate, which is a nice, real secure way to do it. So you have the certificate for the VPN and then an additional per-user certificate. So that's username, password and certificates. So they would need all three. For simplicity's sake, we're just going to do the user auth. Just make it simpler. So all we're doing is going back in here, because it defaults to SSL and user auth. We're going to go all the way down to just user auth and scroll down to the bottom and hit save. All right, that part's done. Now let's talk about users. So let's go to the user manager. You probably don't want to give out your admin password for your firewall. So we're going to create a user Tom and a password for Tom. Full name, Thomas. Now here's where you would create the certificates if you wanted to go through that trouble of creating a certificate for every user you create. You don't have to give any other membership or anything else to this user. So hit save. Matter of fact, because this user doesn't have any permissions, they can't log into the firewall and do anything or change any settings on it. They don't need to.
As long as this is using, when you say local database, like we did at the very beginning, we're just using the local users list to authenticate. Simple as that. There are options in there, so you could use LDAP and other options for authentication. You don't have to use local user access. That's something that pfSense does support. So if you have an external user list and you want to connect it to there, that is possible. When you're adding it, here's the other option that supports LDAP and RADIUS. If you want to rerun this and you have an LDAP server, it would have allowed you to specify it when you're running the wizard at the beginning, but for simplicity and the sake of this video, we'll just choose local user access. All right. The VPN is set up, and now we get to use the client export. And this is the cool part right here. Here's all the configs for different options. Old Windows installers, so they still have some legacy support here. Mac support. And here's our Windows installer. But we don't want to install it on this computer. We want this installed on our Windows machine. So let me jump over to Windows real quick. Client export. We're going to go ahead and use, I'm on Windows 10 here, so we'll run the latest installer. Go ahead and run anyway. I'll minimize, say yes. And then we just next and yes our way to OpenVPN being installed. The defaults are all fine. Now I have noticed when the Creators Update loaded, it did break OpenVPN. Literally the same install file, next and yes through it, works fine. Didn't have to uninstall or reinstall it. We've had this happen a couple of times with clients. You can just keep rerunning the same installer. Anyway, here it goes. Now what that installer did is really slick. So double click this. It's going to throw OpenVPN down here. And I'm going to change the settings on here. You just right click on it and you can say launch at Windows startup. I usually do that and then show the balloon windows.
This will have it automatically launch OpenVPN at startup. Go here. We're going to hit connect, username and password. You have an option to save it here. Not going to check it, and it's connecting. Now when I ping, just like it did before, I couldn't ping this. It failed. Now it pings this network. And when we go to route print, look at all the routes we have. So we have our standard default routes, but now we have the tunnel route, which is right here. And the tunnel route says things that are going to the 40 network, the network we pushed over, push across this gateway. So this network is being pushed across here. And now let's go over to the pfSense. And we see this computer connected. It was assigned 70.2. If we connected another one, it would keep going up and be assigned the next IP address. Then here is the external IP address. Pseudo external. It's part of our lab, the 192.168. The username Tom has connected. If I connected with a different user, you'd see a different username there. So you'd be able to see all of your connections and each of your users. And you can just click the kill client and it will drop that client right off of there. Now the question came up about redirecting all traffic back through the VPN. It's actually really easy to do for Linux clients. And maybe I'll do a separate video, because it's a little tricky to set up the Linux clients because, well, Ubuntu has the features for it, but there's a few steps you have to load. And I need to do a whole video on that. But in Windows, the way you do it is this way, according to the documentation I've read. So you're in OpenVPN. We're going to go ahead and go over here. Edit the config file. Now this is from the OpenVPN page. And you need the redirect gateway. I'll leave a link to this below, and what you need to add in there. So it's redirect-gateway. Then you have to add def1, for default one. So we open up this file here. And this is what we would add, just at the bottom.
And that basically means redirect everything to the default gateway for the tunnel traffic. So by adding this, that would mean when we connect this computer, it redirects all the traffic. Because I'm using all local IPs, there's not really any way for me to test that easily with my demo environment. Side note though, save won't let me save. To edit this file, open up Notepad, right click, run as administrator. Yes, Notepad has to have administrative access. So you can go to File, Open, go over here to your Program Files, OpenVPN, config, all files, config, then we would add this redirect-gateway, and we'll close this one. And then I'd be able to save the config. Now the other thing you may have noticed in here, this keeps things pretty simple. When the export tool ran, here are all the settings dropped right in here. So if you need to change something like the remote gateway to be your VPN server, fully qualified domain or IP address, you can just edit this config file once it's installed if things change, without having to rerun the cert. The other nice thing is here is the cert file, and it tells it to pull the TLS auth file, and when it ran the installer, it copied all these files over and put them in the proper directory. So if you make any changes on the server, you just rerun the export tool and it recreates all of this, and you can just install over the top, or you can go in here and edit it all by hand if that's what you want to do. But this makes deploying pretty straightforward and simple. Now I will note, to make sure this is working: let's save, close, open up a command prompt and we'll go over here, OpenVPN. We're going to do a disconnect and reconnect with that new parameter we added. So this is the route before we changed that. And now let's go route print. We should probably see a different, okay, so that does work. So all the traffic here, covering all the routes.
So not just the .40 network but all the other networks are set to use this as their default gateway. So 0.0.0.0 there, there. So it did change the routing, so that should work for rerouting all of your traffic back across the VPN. So this is handy if you're traveling and you have this VPN set up at home and you want your Windows box to redirect all the traffic through there. That's the way to do it. Just add that one feature, and I'll leave a link where that command is in the description below. So that's pretty straightforward for setting up OpenVPN on pfSense. It's not too difficult. Use the wizard. It automatically created the firewall rules and the routing. So the firewall rules are already in here and it says OpenVPN, test VPN wizard. It tells you in the description that the wizard created it. It also creates the rule here by the OpenVPN wizard. So you can go modify the rules if you have some restrictions you want to add for people remotely accessing your network. But pretty straightforward, not that hard to deploy. That export tool makes it very simple to do. Now let's go back real quick here. If you wanted to set this up on other devices, the client export tool is also handy for when you're doing it on Linux, for example. You can actually just download like this. So when you're setting up on Linux, you just look at the settings file to put it in Linux like so. I'm going to do a separate video sometime on that. But it also puts the two keys you need to get it in there too, the CA and the TLS key that are needed in order to get the connection going. So that'll be a separate video for how to do this from a Linux machine. But as far as setting it up from a Windows machine, it's really just beautifully easy, because you can just run the Windows installer here. And this is the latest version, 2.4, of OpenVPN. And easily deployed; this is something we've done for a lot of clients, to set these up.
A lot of times for clients, for extra security, we will add the per-user certificate; it's just a little bit more to manage and more to set up. But it will do that too, if you add certificates per user. And I guess I could show that real quick here. So if we go here, OpenVPN, and you wanted to build it like this, we'll go down here, save. So we go to the user, edit. Add a user certificate. If you have an existing one, or you can create an internal certificate. Department, LTS, common name, Tom's cert, save. Now this user has a cert. And we go over here to the VPN, OpenVPN, client export. We have a specific user Tom export. And the same thing can apply if I want to go here to System, User Manager; we'll create one for the admin. Here's the admin export and then the Tom export. So it works much the same way, but now I've added that extra level. So there's the system cert. There's the user cert. And all these certs get bundled into the installer. So it works, but it also gets trickier to install. It all depends on what level of security you want. Keep it in full, head on. More security isn't bad at all. Please note though, more security also means more complexity, and there sometimes is a little bit more configuration that gets involved in these. So it'll work fine, the basic, and so far OpenVPN has been proven really solid. It went through a code audit. It's still a really solid VPN to use. So you can trust that the traffic through it is well encrypted. All right. Hopefully this was helpful, showing you how to set up OpenVPN and your essentially road warrior style VPN for your Windows box, connecting into your home network or a remote network or office network. If you'd like to continue, like and subscribe. If there's something you'd like me to expand upon, let me know. Message me in the comments below, or if I completely screwed this video up, let me know that too. You're never as wrong as when you're wrong on the internet.
So hopefully I got all this right because I could ping and it seems to work. All right. Thanks again.
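As an added example (not code from the video, pfSense or OpenVPN), this Python script does two of the checks shown above on constructed input: it appends `redirect-gateway def1` to an exported client profile only when it is not already present, and it reads a pasted Windows `route print` table to confirm that the full-tunnel routes are in place. It goes one step beyond the video in that it checks for the two /1 routes (0.0.0.0/1 and 128.0.0.0/1) that `def1` installs on top of the original default route; the profile contents, the hostname vpn.example.invalid and the route rows are constructed sample values, and the tunnel network 192.168.70.0/24 is assumed from the 70.2 address shown in the video.

```python
import ipaddress
# Constructed sample, shaped like a profile the pfSense client export tool writes.
SAMPLE_OVPN = """\
dev tun
client
remote vpn.example.invalid 1194 udp
auth-user-pass
ca pfsense-udp-1194-ca.crt
tls-auth pfsense-udp-1194-tls.key 1
"""

def directives(profile):
    """Map directive name -> list of argument lists; skips blanks and # / ; comments."""
    found = {}
    for line in profile.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            found.setdefault(name, []).append(args)
    return found

def ensure_redirect_gateway(profile):
    """Append 'redirect-gateway def1' (the line added in Notepad in the video) once."""
    if "redirect-gateway" in directives(profile):
        return profile  # already a full-tunnel profile; running twice is harmless
    return profile.rstrip("\n") + "\nredirect-gateway def1\n"

# Constructed IPv4 rows in the column layout Windows "route print" shows; values
# match the lab: LAN 192.168.3.0/24, tunnel 192.168.70.0/24, pushed 192.168.40.0/24.
SAMPLE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.3.1  192.168.3.152     25
          0.0.0.0        128.0.0.0   192.168.70.1   192.168.70.2    281
        128.0.0.0        128.0.0.0   192.168.70.1   192.168.70.2    281
     192.168.40.0    255.255.255.0   192.168.70.1   192.168.70.2    281
      192.168.3.0    255.255.255.0        On-link   192.168.3.152    281
"""

def full_tunnel_active(route_print, tunnel_net="192.168.70.0/24"):
    """def1 leaves the real default route in place and overrides it with two
    more-specific /1 routes; True only when both point at a tunnel gateway."""
    tun = ipaddress.ip_network(tunnel_net)
    halves = set()
    for line in route_print.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gw = ipaddress.ip_address(parts[2])
        except ValueError:  # "On-link" gateways and other non-address columns
            continue
        if net.prefixlen == 1 and gw in tun:
            halves.add(str(net))
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}
```

Paste your own exported profile and `route print` output in place of the constructed samples; a profile that still lacks the two /1 routes after reconnecting has not picked up the new line.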