Netgate® virtual appliances with pfSense® software extend your applications and connectivity to authorized users everywhere, through Amazon AWS and Microsoft Azure cloud services. Network your employees, partners, customers, and other parties to share resources in site-to-cloud, cloud-to-cloud, and virtual private cloud (VPC) connectivity. OpenVPN Client Export provides a very easy method to export VPN connection configurations for Windows, Mac, Android and iOS. It recognises the hostnames and dynamic DNS addresses set in pfSense and lets you choose which remote access server to use. Overall a pick of the bunch when it comes to pfSense packages; it just works!
Other pfSense Packages
pfSense is a free, mature open source project that runs on top of FreeBSD, for firewall/router installations. It has been around since 2004, when it was spun off from m0n0wall. Where m0n0wall is designed for embedded systems, pfSense is geared toward x86 commodity hardware. Suricata is an open source IDS project that helps detect and stop network attacks based on predefined rules or rules you write yourself. Luckily, there is a pfSense package available for you to download and easily configure to stop malicious traffic from reaching your network.
In this article, we’ll configure the certificates necessary to set up an IKEv2 VPN in pfSense.
Articles in This Series:
Part 1 (Current Article)
Part 2 – VPN Configuration
Part 3 – Mobile Profile Configuration
Part 4 – On Demand VPN
This was set up and configured with the following: macOS 10.13 High Sierra Beta (should work with 10.12+, possibly older), and Apple Configurator 2.5 Beta (available from the Apple Developer site; the release version is available on the App Store and should work with prior versions).
This tutorial has its foundation in a thread [1] on the pfSense Forums, but I have made some changes that are outlined here. Let’s get started!
Part 1 – Certificates
1. Create the CA Certificate (System > Cert. Manager > CAs)
- Click the + Add button to add a new CA and use the following settings:
Figure 1: pfSense Create CA page
- Descriptive Name: An easily identifiable description. I use “Internal VPN CA”.
- Method: Create an Internal Certificate Authority
- Key Length: 2048
- Digest Algorithm: SHA256
- Lifetime: 3650 days
- Country Code: Your Country Code (e.g. “US” for the United States)
- State: Full State Name (e.g. “California”, not “CA”)
- City: City Name
- Organization: As Desired
- Organizational Unit: Optional (I usually put something like “VPN Users”)
- Email address: As Desired
- Common Name: An easily identifiable name, with no spaces, for the certificate to use. I use “internalVPNCA”
Save the certificate.
2. Create the Server Certificate (System > Cert. Manager > Certificates)
- Click the + Add/Sign button to add a new certificate and use the following settings:
Figure 2: pfSense Create Server Certificate page
- Method: Create an internal certificate
- Descriptive Name: An easily identifiable description. I use “Internal VPN Server Certificate”.
- Certificate Authority: Internal VPN CA (or the name you used in the previous section)
- Key Length: 2048
- Digest Algorithm: SHA256
- Lifetime: 3650 days
- Country Code: Your Country Code (e.g. “US” for the United States)
- State: Full State Name (e.g. “California”, not “CA”)
- City: City Name
- Organization: As Desired
- Email address: As Desired
- Common Name: The external DNS name of your pfSense machine.
- Certificate Type: Server Certificate
- Add an alternative name
- Type: DNS (case sensitive)
- Value: Same as Common Name (external DNS name)
- Add an alternative name (for static IP only)
- Type: IP (case sensitive)
- Value: External IP of your pfSense machine
Save the certificate.
3. Create the User Certificate(s) (System > Cert. Manager > Certificates)
We are only creating one in this example, but you can create as many user certificates as you need for multiple users/devices.
- Click the + Add/Sign button to add a new certificate and use the following settings:
Figure 3: pfSense Create User Certificate page
- Method: Create an internal certificate
- Descriptive Name: An easily identifiable description. I use “User Certificate – name“.
- Certificate Authority: internalVPNCA (or the name you used in the CA section)
- Key Length: 2048
- Digest Algorithm: SHA256
- Certificate Type: User Certificate
- Lifetime: 3650 days
- Country Code: Your Country Code (e.g. “US” for the United States)
- State: Full State Name (e.g. “California”, not “CA”)
- City: City Name
- Organization: As Desired
- Email address: As Desired
- Common Name: An identifier for this user/device (e.g., “bob”, “iPhone”, etc.)
- Add an alternative name
- Type: DNS (case sensitive)
- Value: Same as Common Name (user/device name)
Save the certificate.
4. Download the Certificates (System > Cert. Manager)
- On the CAs tab, click the Export CA icon to the right of the CA you created and save your CA certificate.
- On the Certificates tab, click the Export Certificate icon to the right of the Server Certificate you created and save your server certificate.
- Still on the Certificates tab, click the Export Certificate icon to the right of the User Certificate you created and save your user certificate. Then click the Export Key icon to the right of the User Certificate you created and save your user certificate’s private key.
5. Create PKCS#12 File from User Certificate/Key
- For this step, you’ll need openssl installed. Hopefully you’re doing this on a Mac (as the tutorial is geared toward that), because it’s built in!
- Open the Terminal app, change to the directory where you saved your certificate files, and run the following command (replace file names with what you saved):
When asked to enter an export password, choose something you’ll remember, as you will need it later when we get to the Apple Configuration portion.
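The following script is an added example, not code from the original post: it checks the server certificate exported in step 4 against the settings from step 2 (chains to the internal CA, has the serverAuth extended key usage that pfSense’s Server Certificate type adds and that iOS/macOS require for IKEv2, and carries a DNS alternative name equal to its Common Name), then builds the PKCS#12 bundle for step 5. The file names (ca.crt, server.crt, user.crt, user.key) and the optional P12_PASS variable are assumptions; substitute the names you saved.

```shell
#!/bin/sh
# Added example (not from the original post). File names and the P12_PASS
# variable are assumptions; replace them with the files you exported.
set -eu

# The server certificate must chain to the internal CA, carry the serverAuth
# extended key usage, and have a DNS SAN equal to its Common Name (the
# external DNS name of the pfSense machine).
check_server_cert() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline \
         | sed -n 's/^ *CN=//p')
    text=$(openssl x509 -in "$cert" -noout -text)
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
    printf '%s\n' "$text" | grep -q "DNS:$cn" || return 1
}

# Bundle the user certificate and key (plus the CA, so the device trusts the
# chain) into a .p12. The export password comes from $P12_PASS when set;
# otherwise openssl prompts for it, as the tutorial describes.
make_p12() {
    cert="$1"; key="$2"; ca="$3"; out="$4"
    name=$(basename "$cert" .crt)
    if [ -n "${P12_PASS:-}" ]; then
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
            -name "$name" -out "$out" -passout "pass:$P12_PASS"
    else
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
            -name "$name" -out "$out"
    fi
}

# Exit 0 only if the bundle's MAC verifies with the given password, i.e. the
# file will open on the device with the password you chose.
verify_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Typical run from the directory holding the exported files: sh script.sh run
if [ "${1:-}" = "run" ]; then
    check_server_cert ca.crt server.crt && echo "server certificate OK"
    make_p12 user.crt user.key ca.crt user.p12 && echo "wrote user.p12"
fi
```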
Now, let’s configure a VPN! Take me to Part 2!
References
- …IKEv2 VPN for iOS and OSX Thread on pfSense Forums
In this article, we’ll configure On Demand VPN for iOS and macOS devices to connect to the VPN we created.
Articles in This Series:
Part 1 – Certificate Configuration
Part 2 – VPN Configuration
Part 3 – Mobile Profile Configuration
Part 4 (Current Article)
Part 4 – On Demand VPN
So you want to get your hands dirty and force your VPN to connect based on network states? You’ve come to the right place! First and foremost, you’ll need an editor that handles XML. I recommend Atom.
Inspired by a Reddit post [1], I began to look into Apple’s options for forcing VPN connections through the use of Mobile Configuration Profiles [2]. One resource I found that was helpful was this post from derman.com. So open up your Mobile Configuration file and let’s get to work!
Here’s the gist of it:
- You force connections through the use of conditions defined in the XML of the Mobile Configuration Profile.
- The matching criteria can include any of the following:
- DNS Domain or DNS Server Settings (with Wildcard Matching)
- SSID
- Interface Type
- Reachable Server Detection
The type of matching you want to do is really up to personal preference. Below is an example of the very simple rules I use and where you want to place your own rules:
The most important part is the section that enables On Demand VPN:
The section that follows defines the rules you want to use. In my example, I only use two rules. Each <dict></dict> section defines one rule. Within each rule is an Action and at least one criterion. In my first rule, the action is to Disconnect when a URLStringProbe can contact a server of mine that is only accessible within my network. The final rule is the default action. This is very important. Per the Apple Developer Library, “Dictionaries are checked sequentially, beginning with the first dictionary in the array.” Therefore, if none of your rules match, you need a default to fall back on. In my case, if it can’t reach my internal server (i.e. it is not on the local network), then it should connect the VPN.
Below are some more examples of rules to give you a better idea of how they’re used:
Disconnect when I have a specific DNS server and am connected to one of two specific wireless networks, otherwise connect (default):
Disconnect when I have a specific DNS server and am connected to any Ethernet connection, otherwise connect (default):
Disconnect when I am connected to any cellular connection, otherwise connect (default):
Connect when I am connected to any cellular connection and I can reach Google.com, otherwise disconnect (default):
Disconnect when I am connected to Ethernet and I can reach an internal URL, connect if I am on cellular, otherwise disconnect (default):
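As an added example (not from the original post, whose XML is not reproduced on this page), here is the OnDemandRules fragment for the last rule set above; it goes inside the VPN payload dictionary of the .mobileconfig, and the probe URL is a placeholder. The same shape, with one URLStringProbe Disconnect rule followed by a default Connect, is what the author’s own two-rule profile described earlier needs.

```xml
<!-- Inside the com.apple.vpn.managed payload <dict>, next to VPNType -->
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
    <!-- Rule 1: on Ethernet and the internal probe answers -> Disconnect.
         SSIDMatch and DNSServerAddressMatch (arrays of strings) cover the
         Wi-Fi and DNS-server examples above in the same way. -->
    <dict>
        <key>Action</key>
        <string>Disconnect</string>
        <key>InterfaceTypeMatch</key>
        <string>Ethernet</string>
        <key>URLStringProbe</key>
        <string>https://probe.internal.example/</string> <!-- placeholder -->
    </dict>
    <!-- Rule 2: on cellular -> Connect -->
    <dict>
        <key>Action</key>
        <string>Connect</string>
        <key>InterfaceTypeMatch</key>
        <string>Cellular</string>
    </dict>
    <!-- Rule 3: default, reached only if nothing above matched -> Disconnect -->
    <dict>
        <key>Action</key>
        <string>Disconnect</string>
    </dict>
</array>
```

Rules are evaluated top to bottom and the first match wins, so the catch-all dictionary must stay last.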
This should give you a decent idea of what is possible with manual editing of the Mobile Configuration Profile. Once you’ve set the parameters you want, save the file and follow Step 4 or 5 in Part 3 – Mobile Profile Configuration to add the profile to your mobile device.