Tom here from Lawrence Systems and we're going to talk about OpenVPN and pfSense. I've done videos on this before, but I want to do a 2020 edition of this particular video and talk about all the details, because a few options have changed in the last couple of years since I did a video. If you want to learn more about me or my company, head over to LawrenceSystems.com. If you'd like to hire us for a short project, there's a Hire Us button up at the top. If you want to support the channel in other ways, there are some affiliate links down below to get you deals and discounts on products and services that we talk about on this channel. Now I want to start out with our lab setup. So this is the first part of this, where we have to kind of describe where everything is to give you an idea. I have Windows 10 running in VirtualBox locally on my computer here. VirtualBox has its own NAT firewall, and I did this on purpose so I could show you OpenVPN working through NAT, because generally when you use OpenVPN, wherever you'll be using it, whether you want to connect from home to your office or from one office to another office or whenever you're out and about, you want to use OpenVPN to connect to get to resources on the other side of the network or just tunnel all your traffic. So this is NATed. This is the VirtualBox NAT. This is our pseudo internet, if you will. So that's the 192.168.3.0/24 network, and that attaches to the WAN side of a pfSense in my lab here. So it's got a WAN address of 192.168.3.195, and then we're going to focus on the fact that it has a 192.168.40 address. Yes, it has a 10 address. We're going to briefly mention it. I just pointed out it exists, but the goal once we have this configured is to get to this 40 network that is behind this particular firewall. So 192.168.40.1 is the gateway, so it's 40/24, and we have this server running Debian on it at 192.168.40.119. So the goal is to get from this network to this network using OpenVPN.
So we're going to walk you through how the wizard works, and that's the easiest way to get started with OpenVPN. I've already got some other advanced videos where you can do some really tricky things with it, but we'll start with the basics here to get you started and walk through what these steps mean. So go over here to VPN > OpenVPN, and this is where you're going to run the wizard. Now I guess I should probably back up real quick here and go over to the package manager, because this will make your life a lot easier: the OpenVPN Client Export utility. It's a free plugin. I've already got it loaded. You just go into Available Packages and look for OpenVPN Client Export. It'll save you a lot of trouble, as you'll see after we run the wizard. So the wizard will configure everything for you in terms of OpenVPN. The client export is really helpful in making it simple when you want to export all the settings and import them in Windows. So right now the client export is loaded, but there's nothing in here because there are no VPNs configured. And the way it works is you'll have a list of servers here. You can configure more than one OpenVPN server inside a pfSense, and there are special use cases where you want to do that. I've already got another video on how to use RADIUS. LDAP is another option. If you have other authentication methods, they are available, but for the basics we're just going to cover local user access. Now, if it didn't have a certificate authority, the wizard lets you create one. Pretty simple: you just fill out the information of your made-up self-signed certificate authority and click Next. As I have one, I already have a certificate called LTS VPN. Pretty straightforward there. So we'll go ahead and choose that. WAN; protocol: UDP, multihome, or just TCP, IPv4. I'm going to say the best way to do this is going to be TCP, IPv4, but it's up to you. You can leave it at default and it'll work perfectly fine and have both enabled.
But some people have asked me, and I don't have a lot of knowledge on IPv6 myself. It does have support for it, but I know there are limitations to it, so don't ask me anything about IPv6 support. Now, if you have hardware acceleration, turn that on. I don't in this particular lab environment, but all these other defaults are pretty much fine here. So we're going to go down here. Tunnel network: this is important. Make sure this tunnel network does not conflict with any other network. It's defaulting to 192.168.70.0/24, and the tunnel network is basically the bridging methodology in between. So even though you see on this here going from this network through right here and getting to here, the tunnel network is essentially an intermediary that is going to be created in here. So we can technically add it to this, and we call it tun, 192.168.70.1/24. And what these are is kind of a virtual network that is the broker to get the data across. And as long as it doesn't conflict with any other networks, you're fine. If it does, change it; it's kind of arbitrary that it's set to 70. Now this part here, redirect gateway. This one can be a bit of a challenge, because this is a big design decision. So we have the local networks down here that we want to push through, as we want to say, hey, you have access to these networks, and it pushes the routing information for 192.168.40.0/24 and 1.10.1.10.0/24. But forcing all generated traffic through the tunnel, let me give you a better idea of that. So this is going to come through here, come across here, go into here, and have access to this resource. But how does it get back out to the internet? Well, right now it's going to go from here through the VBox NAT and away we go this way out to the internet. And when you redirect the gateway, that works differently. So if you redirect the gateway, that means we're going to take and that computer actually goes out of here.
So it's going to come in here and come back out and go out to the internet this way. This is redirect gateway, to give you an idea. So if you want to use this, that's great, except for the problem you run into. Now this is an excellent scenario for when you're out of the office and you want to tunnel all your network traffic back through your office network, because you want to make sure that everything you do is encrypted within that tunnel. That works great. But if you have a business and you have a lot of remote users and you want all of their traffic tunneled through the network, now that means all of their traffic. That means if they have YouTube open, Netflix open, anything that that particular computer has, once it's VPNed in, it's now redirecting all the traffic there. And this can apply as well if you're doing a site-to-site VPN with OpenVPN: do you want all that site's traffic to completely tunnel through and over this? This sometimes creates bandwidth problems and restrictions, because you only have so many resources to dedicate to OpenVPN. Now, if you have a really fast server and a lot of bandwidth, it's not a big deal, but this is a big design consideration. Like I said, you want to make sure you have the ability to handle the bandwidth. One user, not a big deal; 10 users, 20 users, 30 users later, and all of them have different things open and are not just trying to access this one lonely server down here. They're tunneling all their traffic through and then back out here. So through and back out, and it can take a lot of resources to run that. So decide whether or not you want to redirect the gateway. Push whatever networks you want to have access to. And this is, you know, an advantage when you set up multiple VPNs. You can say, maybe I only want to push certain networks over this. You can set up multiple servers inside a pfSense on different ports.
This, because I actually set this up a few times, has defaulted to port 1195, but you can actually choose any really high-level port you want for OpenVPN. It doesn't have to be on 1194 or 1195; whichever port you choose, just make sure you have the matching firewall rules for it. Concurrent connections: specify the maximum number of clients connected to the server, something if you want to put some restrictions on there. Omit the preference for compression. Set the TOS IP header of tunnel packets value: you never really need to set that. Maybe there are some special circumstances where you do; I'm not going to dive into that. Inter-client communication: allow communication between clients on the server. As I said, this 192.168.70.0 network will be where each one of these IP addresses gets assigned. That being said, do you want them to be able to inter-communicate with each other? Probably not. Duplicate connections: allow multiple concurrent connections from clients with the same common name. No, this is not generally recommended, but may be needed for some scenarios. You run into a problem occasionally if someone drops and tries to connect right away. You may see that be a problem, because maybe they dropped and there wasn't enough time for it to drop them from the firewall, so they'll not be able to connect. So there are scenarios sometimes where you want to have this on there, where you allow duplicate connections. It's only temporary, because the other one will drop off over time. But maybe you want it, or maybe they have more than one computer. The downside of doing it that way, if they have more than one computer logging in, is you don't know which one's which, so you can have some confusion. So I recommend creating different users if they have multiple computers they want logged in, but do that as you will. You can leave all this at default. Dynamic IP: allow connected clients to retain their connections if the IP changes. Subnet: one IP address per client per subnet.
That's fine at default. This is where you can push, if you had specific DNS servers that you wanted to force across the network. So it allows you to specify them. Maybe you have internal DNS servers that you want to specify, but it gives you some options here if you want to force certain ones over the network, because you want them to have resolution of local resources that they're going to be accessing. You can leave all these other things at default all the way through on the bottom right here. They're kind of special use cases. Add the firewall rule: yes. And add the OpenVPN rule: yes. Go ahead and do those things on there. Let it do that. You can always change them later, but the defaults are just basically wide-open rules to allow OpenVPN to connect and work. So we're going to go ahead and hit Finish. Now let's go back in and do some fine-tuning if you want. This is optional. So the default out of the box, this will work. And we have a TLS key for TLS authentication. I dive deeper into hardening OpenVPN; I've got a lot of OpenVPN videos on some of these other special use cases or special hardening. You may or may not want to have multiple cipher options. You can disable this if you want. This expands more ciphers. This shouldn't be a problem at all, because someone will see SHA1 (160-bit) and go, hey, isn't SHA-1 broken? This is part of the HMAC authentication and encapsulation, so don't really worry about that. Client certificate depth: so do you want each client to have their own client certificate? Certificate depth, and what this means is, and all the way over here, this is checking the certificate on a per-client basis, as well as all the other settings in here. And this is an extra layer of security. But if you are looking for simplicity and you don't want to deal with any certificates per user, you can set it just on this. We're going to leave it at default, but I'll show you at the client export what that means. So all these can be left at default as well.
I did another video on fine-tuning the VPNs as well, like I said, for performance. And you can tweak some of these and try them. But the best thing to do right here is just try it when you have the default setup. So I didn't change any settings. Now here's where the client export will help you a lot. We only have one VPN. So test VPN, TCP port 95. This is that multiple client certificate. So we have an admin and a Tom. We've got two users on this. The reason you have to get a specific export is because there's a different bundled certificate with each one of these. That's that extra feature. And I'll just show you if we turn it off. Go here, and let's say we're only going to do user auth. We'll go ahead and save and export. Now it doesn't matter. We're only going to do no per-client certificates. That means the configuration stays the same, but there's not a certificate for every user. Like I said, this comes down to different methodologies. Maybe you want just a standard installer that we can just change the usernames on and add them as needed and not have to deal with certificates, especially if you're using another device to authenticate those certificates. So that's an optional one on there. It still requires, and we're going to dive into this now by first testing this in Linux. So we'll download this file and we'll show you what's inside of it. So we'll go over here. And it still has a certificate. It just doesn't have the per-user one. So here's that TLS key down at the bottom. Here's the certificate needed. So all these parameters are needed in order to get in there. There's our remote client. Here's the resolv-retry infinite and the ncp-ciphers options plus the cipher option right here. So here are all the little details regarding all the settings that are in this particular file. Now we're going to get into Windows, but first let's show you how it works on Linux.
And the reason I'm doing this is because it's kind of easier to do, because Linux has OpenVPN built in, but we'll get to the Windows installer next. So obviously I can't ping 192.168.40, whoops, .119. And if you remember from our map here, 40.119 is this server, because it's behind there. And right now I'm on my computer, which happens to be 192.168.3.9. Don't worry, we're going to get to the Windows one next. So what we're going to do is from the command line here. I have other videos on how to set this up through the actual UI, but we're just going to do it from the command line, because this is an easy way to test it. OpenVPN, pfSense lab. Now you have to run sudo, because you need to run OpenVPN as a privileged user. This is true both in Windows and Linux. So login is my privileged user, then username, password, and away we go. And see if it connects? Absolutely it connects. And we can go down here and ping. Actually, first let's disconnect it. So we'll ping that right now and just show you it doesn't work. 40.119, can't ping it. If we do route, the only routes I have are this 192.168.3 network. Go just up arrow and sudo openvpn, that same one again, log in. All right, now we've done it. And the first thing I'm gonna do before I even ping this, because we already saw two transmitted, none working, we're gonna do route again. And here was the route. I only had this one network. Now I have all these networks. Here's that intermediary network, 192.168.70. Then we have 192.168.40. Then it says the 40 network has a gateway of 70.1. So if we want something on the 40 network, go out 70.1. You notice those didn't exist in the route before. This is a very important piece, to make sure that this route is here. So now we can ping and I can get to that Debian server, no problem. Actually, I don't think I have SSH turned on in that particular box at the moment, but we can ping it. But the point is we can get to this network, and that's what the goal was here.
So we're able to get to the network. I'm able to ping it. It's working. Next. Now let's do this inside Windows. So we're gonna go ahead and cancel this and get rid of it. So I don't really need to do anything else. We're just gonna do rm. So I deleted the file, it's gone, and we're gonna do the same thing, but we're gonna do it with Windows. So we go down here, current Windows installer, no problem. Now this is great. This installer here has everything we need inside of it. So show folder, OpenVPN, lab, TCP, Windows 7 installer. Now it says Windows 7, but if you notice here, it supports Windows 7, 8, 8.1, 2012 R2, and also Windows 10. So all of them are supported actually. I need this installer; I grabbed the wrong one. This is the one. That's the 7, 8, 8.1 one, and this is the Windows 10 installer right next to it. I actually did download the wrong one. There we go. Nothing like doing it all live, right? Here's our Windows 10 installer I was looking for. So go ahead and delete this one. Here's our Windows 10 installer. And if I move it over to this folder, I can copy it onto right there, and then we're gonna go back over to our Windows machine and run that wizard. Here's this Windows machine, 10.20.2.15. We're gonna do a route print. So you can see here are the local routes that it has, the 10 network, and that's really it. It can't go anywhere else. Now it can get on the internet, it is online, but we are certainly not going to be able to ping, because there's no route to this. Being 192.168.40, oops, 40.119, nine, there we go. Can't ping anything. All right, go over here. Get this OpenVPN installer copied over and we'll go ahead and run the installer. Windows does a security scan, there we go. Yes, minimize this. You can just hit Next and Yes; all the default options work perfectly fine for this. All right, so OpenVPN is loaded and let's go ahead and open it up. So from here, now we have a little icon down here and we're gonna go ahead and connect.
Before we do that, pull this route back up again, route print. So you can see all the routes. You can see there's no 192.168.40 network to route to. So if we tried to ping anything, it's just not gonna work. So ping 192.168.40.119, can't get to it, because the route doesn't exist. We're gonna go ahead and connect, username, put in the password, and it looks like it's connecting. There we go. pfSense connected, all right. We'll do a route print now and there are those extra networks. There's that 40 network, there's the 10 network. It's saying that the gateway is gonna be that tunnel network, 192.168.70. So if you wanna get any resources on there, that's the gateway to use on this tunnel network. Matter of fact, if you were to do ipconfig with Windows, it now has two different network connections. Here's the 70 network and here's this particular network here. So let's go back over, route print, that works, and now we should be able to ping. So ping, and away we go, we're able to get to that server and get to the resources on that side of the network. So that's pretty much it for getting it set up in Windows or in Linux, and being able to get to the resources on a network over OpenVPN is pretty straightforward to do. Now, troubleshooting is another topic. One, read the error messages. This is the biggest thing I see that people don't do, and so many people could go through and solve the problem by a quick Google search. If you go here, we're gonna go to the, as you've seen, we went to System, System Logs, you go over here to OpenVPN. It details out all the steps, everything that's happening for the users connecting. This is really easy, and a lot of times you can go through and literally Google it by right-clicking, Google search, and you wouldn't believe how many times you just find the answer.
You'll see error because this happened, error because that happened, failed this, failed that, and those are really quick ways you can start doing it, especially if you're trying to fine-tune and tweak things and you've changed a bunch of settings and you're not really familiar with OpenVPN; you'll lead to breaking it. Also feel free to delete everything and run the wizard. Sometimes starting it back over is a good way to start, and start from a known working base. Also, once you get it working, before you do the tuning, do a backup/restore. If you grab the backup file before, once you know it's working, before you start tuning it, you can then easily roll back to the known working state, and a lot of times I'll download a backup called "known working good". That way, worst-case scenario, I can always just restore back to the known working good state of the system. Now, another note here: when you go here to OpenVPN, you can go here. So I went OpenVPN and I go to this, and this will show you the users connected. So I've got user Tom. Now, because I'm running VirtualBox on my computer, 192.168.3.9 is my computer, and this Windows computer has this 10 address behind here; it shows my computer's IP address, just FYI. It shows the public IP of whatever that user is connecting from. So even if they're three NATs deep behind something else, you'll actually see their public IP right here, from where they're coming in. And the virtual address that they're assigned: this 70.1 is the gateway for the tunnel network inside of pfSense. 70.2 has been assigned to user Tom when they connected, and what kind of data they're sending is right here. Now you can also add, over here in pfSense, go to the dashboard and you can click Add, this OpenVPN one right here. It won't let me add it twice, I don't think. Nope, doesn't look like it. Oh yeah, it will, neat. I've never tried adding it twice.
So if you wanted to put this in more than one spot on the dashboard you can; I'm kind of fine with one spot. But this will list out all the users, especially if you're dealing with a lot of VPN traffic; you can kind of narrow it down and make some determinations of how many users are logged in and go from there. Once again, it kind of goes to fine-tuning. So hopefully this helps get you started with OpenVPN. There are lots of advanced videos I have on how to use different authentication like FreeRADIUS for this, even loading a FreeRADIUS server within pfSense is a video demo I have, on that fine-tuning and what the different settings mean as far as the cryptographic settings and some of the performance tuning goes with it. There are a lot of settings you can tweak, because the wizard only exposes so many, but obviously once it's all configured and set up, everything's exposed, including, if there's anything that they didn't have inside of here, custom options are in there as well. So if you have some custom configuration things you wanna do with OpenVPN, you can actually push different settings right here as well, in addition to, for example, it's gonna be pushing routes, and I'll do another video on that at a later time. All right, thanks. And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to LawrenceSystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you wanna carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free.
Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching and see you next time.
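As an added example (not code from the video or from pfSense), here is a small Python checker for an exported client profile like the one opened in the Linux test above. It parses the `.ovpn` directives and inline `<ca>`/`<tls-auth>` blocks and reports the settings the video walks through: remote endpoint and protocol, the TLS key, the bundled CA, whether a per-user certificate is included, the cipher and NCP cipher list, and the HMAC digest. The profile text is constructed for this example; the certificate and key bodies are placeholders.

```python
"""Inspect an exported OpenVPN client profile (.ovpn) for the settings the
video points out: remote endpoint/protocol, TLS key, CA, per-user cert,
cipher list and HMAC digest.  The profile below is constructed for this
example; the certificate and key bodies are placeholders."""
import re

SAMPLE_PROFILE = """\
client
dev tun
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
resolv-retry infinite
remote 192.168.3.195 1195 tcp
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-KEY-BODY
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""


def parse_profile(text):
    """Return ({directive: [arg lists]}, {inline block name: body}).
    Inline <tag>...</tag> bodies are kept apart from directives."""
    directives, blocks, current, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if current is not None:  # inside an inline block
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks


def review_profile(text):
    """Summarise the security-relevant settings of a client profile."""
    d, blocks = parse_profile(text)
    remote = d.get("remote", [[]])[0]

    def first(key, default):  # first argument of a directive, or default
        args = d.get(key, [[]])[0]
        return args[0] if args else default

    return {
        "remote": " ".join(remote),
        "tcp": len(remote) > 2 and remote[2].startswith("tcp"),
        "tls_key": "tls-auth" in blocks or "tls-crypt" in blocks,
        "ca_bundled": "ca" in blocks,
        "per_user_cert": "cert" in blocks and "key" in blocks,
        "user_pass_auth": "auth-user-pass" in d,
        "cipher": first("cipher", "none"),
        "ncp_ciphers": first("ncp-ciphers", "").split(":"),
        "hmac": first("auth", "SHA1"),  # OpenVPN's default digest
        "server_cert_check": "remote-cert-tls" in d,
    }
```

Run `review_profile()` over a real export to confirm the TLS key and CA are present and to see at a glance whether the profile carries a per-user certificate or relies on username/password only.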