PFSense VPN Easy Peasy way

    Note this is a post from over here on Cocoontech. The pfSense navigation / GUI has been updated a bit over the years, and this post relates to using the current beta version.

    Base: 2.3.2-DEVELOPMENT (amd64) - Note PFSense interface has been rewritten. Much easier navigation.

    Using an IPsec VPN you do not have to create rules for individual applications; with one tunnel, all applications will work. Here you basically use your own home firewall for internet / myhomeseer dot com / direct connectivity for HSTouch clients / CCTV / et al stuff.

    1 - Log in to your pfSense box and select VPN -> IPsec. Go to the Tunnels tab and make sure Enable IPsec is checked.
    Then add a phase 1 entry and make sure the following values are set:
    General Information:
    • Disabled: Unchecked
    • Internet Protocol: IPv4
    • Interface: WAN
    • Description: (empty)
    Phase 1 proposal (authentication):
    • Authentication method: Mutual PSK + Xauth
    • Negotiation mode: aggressive
    • My identifier: My IP address
    • Peer identifier: Type: Distinguished name, Value: <identifier>
    • Pre-Shared Key: <pre-shared secret>
    • Policy Generation: Unique
    • Proposal Checking: Default
    • Encryption algorithm: AES 256 bits
    • Hash algorithm: SHA1
    • DH key group: 2 (1024 bit)
    • Lifetime: 86400 seconds
    Advanced Options:
    • NAT Traversal: Enable
    • Dead Peer Detection: Unchecked

    2 - In my case, I have chosen vpnusers as the value for <identifier>, but you can choose whatever you like. Just choose some simple-to-remember name here. Once it works, do not forget to choose something stronger. Save your settings and go back to the VPN -> IPsec menu. Now add a phase 2 entry to the already existing phase 1 entry, with the following values set:
    General Information:
    • Disabled: Unchecked
    • Mode: Tunnel IPv4
    • Local Network: Type: LAN subnet
    • Description: (empty)
    Phase 2 proposal (SA/Key Exchange):
    • Protocol: ESP
    • Encryption algorithms: AES 256 bits
    • Hash algorithms: SHA1
    • PFS key group: off
    • Lifetime: 28800 seconds
    Advanced Options:
    • Automatically ping host: (empty)

    3 - Again, save your changes and go back to the VPN -> IPsec menu. Now select the Mobile clients tab and make sure the following values are set as follows:
    IKE Extensions:
    • Enable IPsec Mobile Client Support: Checked
    Extended Authentication (Xauth):
    • User Authentication: Source: Local Database
    • Group Authentication: Source: system
    Client Configuration (mode-cfg):
    • Virtual Address Pool: Provide a virtual IP address to clients: Checked
      Network:
    • Network List: Provide a list of accessible networks to clients: Unchecked
    • Save Xauth Password: Allow clients to save Xauth passwords: Checked
    • DNS Default Domain: Provide a default domain name to clients: Checked
      Value: localdomain
    • Split DNS: Provide a list of split DNS domain names to clients: Unchecked
      Value: (empty)
    • DNS Servers: Provide a DNS server list to clients: Checked
      Server #1:
      Server #2: (empty)
      Server #3: (empty)
      Server #4: (empty)
    • WINS Servers: Provide a WINS server list to clients: Unchecked
      Server #1: (empty)
      Server #2: (empty)
    • Phase 2 PFS Group: Provide the Phase 2 PFS group to clients: Unchecked
      Group: off
    • Login Banner: Provide a login banner to clients: Checked
      Value: (whatever text you like)

    4 - Save your changes. Now go to System -> User Manager and select the Group tab.
    • Add a new group called vpnusers. Make sure the group has the privilege User – VPN – IPsec xauth Dialin set. Save it.
    • Now go to the Users tab and create a user which will later be used to connect to your VPN box. Make sure the user has the group vpnusers set.

    5 - Now we need to open the firewall to allow VPN connections to pass through. Go to Firewall -> Rules and select the WAN tab. Configure the following rules:

    Proto     Source  Port  Destination  Port                Gateway  Queue  Schedule  Description
    IPv4 UDP  *       *     *            500 (ISAKMP)        *        None   (empty)   IPsec
    IPv4 UDP  *       *     *            4500 (IPsec NAT-T)  *        None   (empty)   IPsec

    Select the IPsec tab and add a rule which allows all traffic to go through the VPN connection:

    Proto     Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
    IPv4 *    *       *     *            *     *        None   (empty)   Allow all

    6 - Configuring Your iPhone:
    In order to get your iPhone, iPad or MacBook running, just enter the following parameters:
    • VPN Type: IPsec
    • Description: <Description>
    • Server: <IP/hostname of your VPN endpoint>
    • Account: <user>
    • Password: <password>
    • Group: <identifier>
    • Shared Secret: <pre-shared secret>
    • Proxy: Off

    7 - Configuring Your Android Device
    • Name: <Description>
    • Type: IPSec Xauth PSK
    • Server address: <IP/hostname of your VPN endpoint>
    • IPSec identifier: <identifier>
    • IPSec pre-shared key: <pre-shared key>

    8 - Configuring Your Windows PC. Use the Shrew Soft VPN client. The current version is 2.2.2. Personally tested on Windows XP embedded and connected VPN to a wireless T-Mobile tether (LTE).

    The configuration options I use are as follows:
    General tab:
    • Remote Host: Host Name or IP Address: <IP/hostname of your VPN endpoint>
    • Remote Host: Port: 500
    • Remote Host: Auto Configuration: ike config pull
    • Local Host: Adapter Mode: Use a virtual adapter and assigned address
    • Local Host: Obtain automatically: Checked
    • Local Host: MTU: 1380
    Client tab:
    • Firewall Options: NAT Traversal: enable
    • Firewall Options: NAT Traversal Port: 4500
    • Firewall Options: Keep-alive packet rate: 15
    • Firewall Options: IKE Fragmentation: enable
    • Firewall Options: Maximum packet size: 540
    • Other Options: Enable Dead Peer Detection: Checked
    • Other Options: Enable ISAKMP Failure Notifications: Checked
    • Other Options: Enable Client Login Banner: Checked
    Name Resolution tab:
    • DNS: Enable DNS: Checked
    • DNS: Obtain Automatically: Checked
    • DNS: Obtain Automatically (DNS Suffix): Checked
    • WINS: Enable WINS: Unchecked
    Authentication tab:
    • Authentication Method: Mutual PSK + XAuth
    • Local Identity: Identification Type: User Fully Qualified Domain Name
    • Local Identity: UFQDN String: <identifier>
    • Remote Identity: Identification Type: IP Address
    • Remote Identity: Address String: (empty)
    • Remote Identity: Use a discovered remote host address: Checked
    • Credentials: Server Certificate Authority File: (empty)
    • Credentials: Client Certificate File: (empty)
    • Credentials: Client Private Key File: (empty)
    • Credentials: Pre Shared Key: <pre-shared key>
    Phase 1 tab:
    • Proposal Parameters: Exchange Type: aggressive
    • Proposal Parameters: DH exchange: group 2
    • Proposal Parameters: Cipher Algorithm: auto
    • Proposal Parameters: Cipher Key Length: (empty)
    • Proposal Parameters: Hash Algorithm: auto
    • Proposal Parameters: Key Life Time limit: 86400 seconds
    • Proposal Parameters: Key Life Data limit: 0 Kbytes
    • Enable Check Point Compatible Vendor ID: Unchecked
    Phase 2 tab:
    • Proposal Parameters: Transform Algorithm: auto
    • Proposal Parameters: Transform Key Length: (empty)
    • Proposal Parameters: HMAC algorithm: auto
    • Proposal Parameters: PFS Exchange: disabled
    • Proposal Parameters: Compress Algorithm: disabled
    • Proposal Parameters: Key Life Time limit: 3600 seconds
    • Proposal Parameters: Key Life Data limit: 0 Kbytes
    Policy tab:
    • IPSEC Policy Configuration: Policy Generation Level: auto
    • IPSEC Policy Configuration: Maintain Persistent Security Associations: Unchecked
    • IPSEC Policy Configuration: Obtain Topology Automatically or Tunnel All: Checked
    • IPSEC Policy Configuration: Remote Network Resource: (empty)

    9 - Configuring Your Linux PC

    Use vpnc as a VPN client on Linux. vpnc should also be available on Ubuntu and Debian systems.
    It is command-line based and works pretty well. Install it using the command:

    sudo apt-get install vpnc

    After that, navigate to /etc/vpnc/ and create a copy of the default.conf configuration file, for example:

    cp default.conf my-vpn.conf

    Edit the newly created file and fill in the parameters like this:

    IPSec gateway <IP/hostname of your VPN endpoint>
    IPSec ID <identifier>
    IPSec secret <pre-shared secret>
    IKE Authmode psk
    Xauth username <user>
    Xauth password <password>

    <identifier> and <pre-shared secret> are the values chosen earlier during pfSense configuration and are the values entered for the user in the pfSense User Manager.

    To connect using vpnc, just enter the following command:

    sudo vpnc /etc/vpnc/my-vpn.conf

    If you would like to disconnect later, just enter the following command to restore the previous routing configuration:

    sudo vpnc-disconnect
    Last edited by Pete; June 13, 2016, 04:34 AM.
    - Pete

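Added example, not part of Pete's post: a small Python check to run over the vpnc config from the Linux step before calling `sudo vpnc`. It verifies that the required keys are present, that the angle-bracket placeholders from the template were actually replaced with the values chosen in the pfSense steps, that the pre-shared secret is reasonably long (with aggressive mode and Mutual PSK + Xauth the tunnel's security rests on that secret, which is why the post says to choose something stronger once it works), and that a file holding the Xauth password is mode 0600. Function names, the 20-character threshold and the sample values are my own assumptions.

```python
# Added example (not from the post): sanity-check a vpnc config before running vpnc.
import re

KNOWN_KEYS = ("IPSec gateway", "IPSec ID", "IPSec secret", "IKE Authmode",
              "Xauth username", "Xauth password")
REQUIRED = ("IPSec gateway", "IPSec ID", "IPSec secret", "Xauth username")
MIN_SECRET_LEN = 20                    # assumed threshold, not from the post
PLACEHOLDER = re.compile(r"^<.*>$")    # e.g. <pre-shared secret> never replaced

def parse_vpnc_conf(text):
    """Parse vpnc 'Key words value' lines into a dict; values may contain spaces."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for key in KNOWN_KEYS:
            if line.startswith(key + " "):
                conf[key] = line[len(key):].strip()
                break
        else:
            raise ValueError(f"unrecognised vpnc line: {line!r}")
    return conf

def check_vpnc_conf(conf, mode=0o600):
    """Return a list of problems; mode is the file's permission bits
    (stat.S_IMODE(os.stat(path).st_mode)). An empty list means usable."""
    problems = [f"missing '{k}'" for k in REQUIRED if k not in conf]
    for key, val in conf.items():
        if PLACEHOLDER.match(val):
            problems.append(f"'{key}' still holds the placeholder {val}")
    secret = conf.get("IPSec secret", "")
    if secret and not PLACEHOLDER.match(secret) and len(secret) < MIN_SECRET_LEN:
        problems.append(f"'IPSec secret' is shorter than {MIN_SECRET_LEN} characters")
    if "Xauth password" in conf and mode & 0o077:
        problems.append("file holds a cleartext password but is not mode 0600")
    return problems

# Constructed samples: the first is the post's template with its <placeholders>
# left in; the second is filled in (vpnusers is the post's identifier, rest made up).
SAMPLE_UNFILLED = """IPSec gateway <IP/hostname of your VPN endpoint>
IPSec ID <identifier>
IPSec secret <pre-shared secret>
Xauth username <user>
Xauth password <password>"""
SAMPLE_FILLED = """IPSec gateway vpn.example.invalid
IPSec ID vpnusers
IPSec secret correct-horse-battery-staple-2016
Xauth username pete"""
```

Leaving `Xauth password` out of the file, as in the filled sample, makes vpnc prompt for it instead of storing it in cleartext.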