Tom here from Lawrence Systems, and we're going to talk about how to set up OpenVPN on pfSense here in May of 2023. I've done this video before, but I want to do it with a modern twist in terms of what are the new ciphers that are offered compared to when I did my previous videos, and how do those affect performance, or which one should you be using. For the most part this is going to be pretty simple in terms of setting up, because I'm going to limit it in scope to local users. But if you're interested in how to do things like a RADIUS server, I have videos on that topic linked down below; but when you get to the cipher part, hey, you can use this video for reference for that, because everything else is going to be the same.

First we're going to cover how to set up the pfSense server, and then we'll cover how to set up the clients for both Windows and Linux on this, to be able to get things imported and get other devices connected. It's pretty straightforward to do. Now, I have covered the topic of overlay networks and other types of network design, and those videos are also linked down below, because that's a popular topic. Those weren't available, or weren't as widely popular, when I did my previous video, so I think they're worth mentioning, because there's different ways to approach this. We're going to focus just on the OpenVPN approach, which does mean you need a public IP.

I'm going to be doing this in pfSense, which is a release candidate right now of 23.05, but there's not really anything different if you're using the 23.01, or even the 2.6 or even the 2.7 of CE. So whether you're using CE or pfSense Plus doesn't really matter. The only thing CE offers over Plus in terms of OpenVPN is the data channel offload, DCO, which is a really neat feature. It's currently marked as experimental here in May of 2023, so it's not something I'm going to talk about using, but hey, there's the link down below where you can read the blog post, or you can do a little googling and learn more about what data channel offload is and why it's pretty cool.

Now, before we get into the video here, I do want to thank a sponsor, and that sponsor is me. If you'd like to hire us for a project, whether it's network consulting, engineering, or anything related to many of the things you've seen on this channel, head over to our website lawrencesystems.com, click that Hire Us button at the top, and it's greatly appreciated.

Now let's jump into how to set this up in pfSense. The first step we're going to do is go over here to System, Package Manager, and we want to make sure we have the OpenVPN Client Export utility loaded. If for some reason you don't have it loaded, you just go over here to the available packages and add it. This makes it substantially easier to export all the settings into a client after you have OpenVPN set up. Then we're going to go over here to OpenVPN. From here we're going to go over to the Wizard, and we'll just be using local user access, so we click Next. Certificate authority: I have my LTS demo certificate authority in here. If you'd like to add your own self-signed CA, you absolutely can. We're going to hit Next. We're also going to use the same certificate that I already have; once again, if you want to add a new certificate that's signed by the certificate authority you created, go ahead and do that.

And now we're going to start filling this out. Description: YouTube demo VPN sounds good. UDP: UDP is faster than TCP, but it is an option if you want to be able to use TCP on this, but UDP is going to be the preferred; it's going to be a faster VPN. Interface: if you have multiple interfaces you could choose this, such as multiple WAN, but we're just going to leave it at WAN here. A local port of 1194, I'll leave it at default, but obviously this is easy enough to type in and change. TLS authentication: yes, you want to enable TLS authentication. Generate a new TLS key automatically generates a shared TLS authentication key; you don't have to fill anything in here.
It'll do that for you. DH parameter length: 2048, that is perfectly fine. Next, data encryption algorithms. Now, I don't want to get too far out of scope on this, but ChaCha20-Poly1305 is a stream cipher versus AES, which is a block cipher, and thus offers better performance for devices that do not have AES-NI hardware acceleration. It can be considered also a bit more secure than AES-based encryption, because the use of lookup tables makes it vulnerable to side-channel cache timing attacks on systems that don't have AES-NI hardware. Now, if you want more information, I'll link to a Computerphile video down below where they really dive deep into ChaCha20-Poly1305 and AES. AES-NI is not by any measure insecure, but if you have a client, and this is not just talking about server: when you negotiate an encryption algorithm with OpenVPN, one side is the client, one side's a server, and they both have to be using the same ciphers. So the AES-NI acceleration you may have on your hardware in terms of pfSense may not be available to the client, so you will have some performance limitations. But of course it's important that your pfSense have adequate hardware to support the number of users, so it still may make more sense, because you're not worried about the individual user speed; your individual users are only going to use so much bandwidth versus the aggregate of all the users. It may be better to choose either one. So either one is still secure.
You're not causing an insecure issue, but I will mention ChaCha20-Poly1305 was chosen for WireGuard and a lot of other modern systems because it's a really good cipher to use, and there's no risk at all of using it inside of pfSense, so it's the one I'm going to recommend. But you can still use the other ones if you want. Now, you can choose multiple as another option, and for example, if you chose both of these, the system would negotiate which one it wants to use, and then you would have a fallback of one of the other ones. I'm gonna leave it at ChaCha-Poly; matter of fact, I'll just take out AES because I'm just not going to use it. But you just hold the Control key and select all the ones that you find relevant. These three are the recommended, but as I noted, OpenVPN has been around for a long time, so they have some of these ciphers, and some of them probably really shouldn't be used because they're so old. Next is our auth digest algorithm, and we want that to be SHA-256; that's perfectly fine, it's secure. Hardware crypto, if you have it; and as I said, I'm using ChaCha-Poly so this won't really matter, but we can just leave it here; it doesn't hurt to do this, leave it at the crypto engine that we have in here. IPv4 tunnel network: it is very important you choose a tunnel network, because these are the IPs that are going to be assigned, the tunnel IPs, to the clients you have coming in. That means it should not ever overlap with your clients' networks. Common client networks are, for example, 192.168.0 or 1.1. You want to make sure you do something like 192.168.169, and anything that's uncommon.
So you really could put other ranges here, and I'm going to do a /24, which leaves us plenty of room to have many clients on this system. Next is redirect IPv4 gateway. Now, IPv4 gateway redirect means send all traffic through the tunnel. This may be something you want, but usually isn't, because if people have a lot of different apps open, such as YouTube, Spotify, etc., things that they may be watching, streaming services, that means all that traffic is coming over there too from the client. Maybe that's what you want; maybe you don't have the bandwidth to be able to support that. That is kind of a design consideration need, but this is essentially the difference between split tunnel or, checking this means, full tunnel. Split tunnel means only access the resources that we've pushed. Speaking of resources that we've pushed: IPv4 local networks. These are the local networks attached to your pfSense. So we have this network here; if we had another network, and we'll just put it at a different range, 10.10, maybe 10.10.10.0, you'd put each one of these in with a comma and a space. And these are any of the local subnets that are attached to your pfSense that you want to have pushed as an option for the clients to route traffic back over to. Concurrent connections: we're going to leave that blank. Refuse any non-stub compression: that is the most secure, and this talks about compression tunnels and the problems you can have where you're trading bandwidth for the potential security risk, because compression creates prediction in terms of what the data might be. So I'm not going to dive too far off topic on that, but that's an interesting type of attack on there, but we'll leave this disabled, compression. I don't want any inter-client communication.
So, allow communication between clients connected to this server: if you have a use case for it, you can turn it on; generally you don't. Allow multiple concurrent connections from the clients using the same common name: this is generally not recommended but needed for some scenarios. It's actually an interesting problem you run into: if you do allow the duplicate connections, you may want that, because if a user drops and tries to reconnect, until it drops on the server side there's a delay in letting them connect. So you can say limit the number from the same user to two, for example. That way if they have a connection drop or switch networks and they haven't expired their session, they don't have to wait maybe a minute or two for that to expire. I would say definitely yes on Dynamic IP: allow connected clients to retain their connections through their IP address changes. That's fine. If you have special DNS that you would like to push to them, for example, if they're connecting in and you're expecting them to connect to your Active Directory, and you need them to use your Active Directory server's DNS, you would then put the IP addresses of those DNS servers here. And then you have WINS servers, if you're still using those; I'm not, so we're Next. Definitely we want to add the firewall rule, and definitely want to add the rule to allow traffic from connected clients to pass inside the tunnel, and add a rule to permit connections to this OpenVPN server instance from anywhere on the internet. So Next, and Finish. Now the VPN is set up.

Now, before we start using this, let's edit the server and talk about the server mode. We have the option of Remote Access (User Auth); we have Remote Access (SSL/TLS + User Auth). Let me explain the difference. OpenVPN server mode SSL/TLS + User Auth or Remote Access User Auth makes it sound, if you don't read all the details, that you're just not verifying certificates if you use User Auth, and that's not how that works.
It's a little bit more complicated, so let's explain it. If you want to use a per-user certificate, that is where you have SSL/TLS + User Auth. If you just want User Auth but still verify those certificates that we created to attach to our VPN server, that still works: if you're just using the user authorization, it still has to verify those certificates that are embedded in the config file from when we created the OpenVPN server. So you're probably wondering, well, what's the advantage of a per-user certificate? Well, the way this would work, and let's walk through an attack scenario that this protects against. So we have user one, user two, user three, and we first are just using User Auth. We create an OpenVPN config file; we put it on each one of these users' systems; it allows them to remotely access. So the system's going to verify that they have the certificates that we created, that TLS key and the actual CA cert, the self-signed one, and it says yes, you have both of those, what's your username and password? If they do not have one or the other, or either one of those, it says nope, I will not get you username and password.

What if you use the TLS auth plus User Auth? That means we're going to ask for a third certificate. So we're going to take user one's certificate, give them an install file that contains all three of these certificates in there, and if user one gets compromised, and their system, maybe someone got that OpenVPN config file off there, we can create a certificate revocation list in pfSense. Then we can revoke that user's certificate, not delete it, revoke it, is specifically how you do this, and you attach it to OpenVPN with revocation, and then the OpenVPN server goes, nope, that certificate is now on the revocation list, therefore that user can't log in.

Let's play the scenario out if you're just using User Auth. You've given all three of your users exactly the same file. One user gets compromised; you now have to regenerate a certificate for everybody, because now anyone who has a copy of that file, there's no way to get rid of it. You can delete it off of OpenVPN, but you're doing it for all three users simultaneously because they're all using exactly the same config file. So this allows you to create a per-user config file that will be revocable through the revocation system in pfSense. So it's not necessarily more secure in terms of, like, the encryption layer itself; it's just a further safety net. So if you had a hundred users rolled out and a user gets their system compromised, and someone's able to lift that OpenVPN config file off their system, you don't have to redeploy a hundred users a new VPN config, because you just revoke the one certificate that was compromised and assigned to that user. The downside, of course, is managing certificates for every individual user becomes a different challenge, but it's worth noting; that's how that system works.

Now, since I left the system requiring that certificate, we're going to go ahead and edit the user tom here, and we can say let's add a certificate for tom. So we'll just hit Add, and all this is fine, and we'll just call it, as the common name, tom's cert. Scroll down here at the bottom, hit Save, and now this user has a cert. Now if you go back over here, we see we have tom2, who belongs to no groups. You don't need, because we're using local user authentication, any privileges for this user to log into pfSense; it's just here as a way to authenticate against so we can set them up in OpenVPN. You know, currently there's no certificate, and I want to show what the difference is here.
We go over here to OpenVPN. We've got a Client Export; with Client Export, there's our client tom, because tom has a certificate, but I can't export tom2, because no certificate. So if we go back over here to System and then Users, we'll edit tom2, and we'll add a certificate for tom2. Give it a common name of tom2, Save. Now tom2 has a certificate, and we can see each one of these users. Now, these users go away if we go back into OpenVPN, go here to server, and if we change it just to this, back over to Client Export, and this eliminates the different users because it says no cert. But technically there's still certs in there; there's just not a per-user cert. That's why it has no certificate name in here. I just want to make sure that is not confusing.

Download for most clients: let's take a look at the client download. I won't spend too much time covering this in Linux, but essentially you can do sudo openvpn, the name of the file, enter the username, enter the password, and you'll see if it connects: Sequence Completed, and now it's connected. We're able to actually ping things behind the device, and we can test that real quick by splitting the screen. We'll type in ping, this IP address which is behind that firewall, and if we hit Ctrl-C to exit this you can see it dropped.

Now let's show how to get this going in Windows, and we'll ping the same IP address for a demo. For simplicity, I'm just going to log into my Windows machine here, go to the OpenVPN Client Export, and now we're going to choose the installer. So right here is our Windows installer, so we'll click this as a download. Now let's go ahead and run the installer. Then we go down here to the bottom and we can click Connect. We can see this is the local IP of this device right here, but if we now type ipconfig, now that we're connected, we can see the tunnel network. This works the same in Linux.
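As an added example that is not part of the video or of pfSense's own tooling: a small Python checker that reads an exported client profile and flags departures from the settings chosen above (ChaCha20-Poly1305, SHA-256 auth digest, a TLS auth key, compression off, and a per-user certificate so one user can be revoked without redeploying everyone). The profile text, hostname and key material are constructed placeholders, not a real export.

```python
import re

# Constructed sample of an exported client profile; not a real pfSense export.
# Hostname, certificates and the TLS key are placeholders (assumptions).
SAMPLE_PROFILE = """\
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
auth SHA256
data-ciphers CHACHA20-POLY1305
<ca>
(placeholder CA certificate)
</ca>
<cert>
(placeholder per-user certificate for tom)
</cert>
<tls-auth>
(placeholder shared TLS auth key)
</tls-auth>
"""
# Old data-channel ciphers the wizard still lists but that should not be selected.
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}

def parse_profile(text):
    """Split an .ovpn into directives {name: args} and inline <tag> blocks {tag: body}."""
    directives, blocks, tag, body = {}, {}, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if tag:                                   # inside an inline block until </tag>
            if line == f"</{tag}>":
                blocks[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(line)
        elif re.fullmatch(r"<[a-z-]+>", line):
            tag = line[1:-1]
        elif line and line[0] not in "#;":        # skip blanks and comments
            name, *args = line.split()
            directives[name] = args
    return directives, blocks

def audit_profile(text):
    """Return deviations from the settings chosen in the video; [] means the profile matches."""
    d, b = parse_profile(text)
    findings = []
    # data-ciphers (a negotiable colon-separated list) supersedes the single legacy 'cipher'
    ciphers = set(d["data-ciphers"][0].split(":")) if "data-ciphers" in d else set(d.get("cipher", []))
    if ciphers & LEGACY_CIPHERS:
        findings.append("legacy cipher: " + ",".join(sorted(ciphers & LEGACY_CIPHERS)))
    if d.get("auth", ["SHA1"])[0] not in {"SHA256", "SHA384", "SHA512"}:
        findings.append("auth digest weaker than SHA256")   # OpenVPN defaults to SHA1
    if not {"tls-auth", "tls-crypt"} & (set(d) | set(b)):
        findings.append("no tls-auth/tls-crypt key on the control channel")
    if "compress" in d or "comp-lzo" in d:
        findings.append("compression enabled")
    if "cert" not in b and "cert" not in d:
        findings.append("no per-user certificate: shared profile cannot be revoked individually")
    return findings
```

Run `audit_profile()` over a real exported profile to confirm a client got the per-user build rather than the shared one.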
I just didn't demonstrate that. And now we can ping that same IP address, and if we turn the VPN off over here, if we disconnect it, you'll see that that ping stops; we're no longer going to be able to ping it.

Now, in terms of troubleshooting: we are obviously connecting fine, so there's no troubleshooting to do here, but make sure you take the time to look at the logs, both here, whether it's your Linux client or your Windows client. Start with the client logs to see if any of these errors are pertaining to why you can't connect, and if you go to Status, System Logs, OpenVPN, you can see if there's any log errors that you may have that are related to your problem here. Of note, for anyone wondering why there's so many errors: these are unrelated to this demo. This is because when I set up a new pfSense server, another demo that I'm working on is still trying to connect to this, and it doesn't exist anymore. So these are the type of handshake errors you get because it's trying to present the wrong certificate. And I can't quite express just how important it is that you take the time to look at the client and the server logs when you have a connection failing. Before you post on any forum, it'll be one of the first things people, and especially myself, ask: where's the logs? So you can't just say it didn't connect or it doesn't work without some little bit of research into the logs of why, because the why is pretty detailed out in the logs in pfSense, or even on the client side.

Nonetheless, I love hearing from you. Let me know your thoughts and comments on this and other videos, and if you want to have a more in-depth discussion about this, heading over to my forums is a place to reach me, engage with me, and dive into some of the particulars, and maybe argue about ciphers, because I have a feeling there's going to be some opinions on that little piece there. Nonetheless, check out the rabbit holes you can go down. Computerphile's awesome for explaining ChaCha-Poly; it's why I left a link to them down below, so you can get a better understanding of how that cipher works. Like and subscribe is always appreciated; it really helps out the channel and lets you know that there's more content coming and lets you get notified of it. Hopefully; YouTube's not the best at that, but it at least gives a suggestion that they should do it. Thank you for watching, and I'll see you over in the forums. Take care.