Wednesday, January 24, 2018

pfSense router and EasyNews VPN

With a little help from the internet, a little trial and error, and previous knowledge, I was able to get pfSense set up to use the VPN service provided by EasyNews. This was done for the following reasons:
  • The price is good: about $12 for the VPN servers, and it also gets you access to the NNTP servers
  • Logging is not kept, and there are many VPN endpoints
  • I already have it, so why not use what I am already paying for
  • No one has a tutorial on how to set up pfSense with the EasyNews VPN, so it is good to be the first
Please note that these directions were originally built for pfSense 2.2.5-6, but then finished on pfSense 2.3.1. While the directions are almost the same, I did not see the need, or have the time, to redo the pictures that were in the 2.2.x format.


(Screenshot: Creating an Internal CA)

(Screenshot: Creating a local certificate from the Internal CA)

Create the CA Certificate

  1. Select menu item: System->Cert Manager
  2. Select the CAs tab
  3. Click the plus symbol to add a CA certificate
  4. Configure as follows:
    1. Descriptive Name = EasynewsVPN
    2. Method = Import an existing Certificate Authority (the certificate can be found here)
      --BEGIN CERTIFICATE--

      --END CERTIFICATE--
    3. Certificate Private Key = Leave Blank
    4. Serial for Next Certificate  = Leave Blank
    5. Click Save

[ref1],[ref2]

Create OpenVPN Client

  1. Select menu: VPN->OpenVPN
  2. Select the Client tab
  3. Click the plus symbol to add a client
  4. Configure as follows:
    • Disabled = unchecked
    • Server Mode = Peer To Peer (SSL/TLS) 
    • Protocol = UDP
    • Device Mode = TUN
    • Interface = WAN 
    • Server Host Address = nyc-a01.wlvpn.com (or another server address from EasyNews; the full list is here)
    • Server Port = 1194 or 443
    • Proxy Host or address = (Leave Blank)
    • Proxy Port = (Leave Blank)
    • Proxy Authentication Extra Options = none
    • Server host name resolution = Checked
    • Description = easynewsVPN (or whatever you want)
    • Username = username@easynews
    • Password =  (Your password for easynews)
    • TLS Authentication = Unchecked
    • Peer Certificate Authority = easynewsVPN
    • Client Certificate = None
    • Encryption Algorithm = AES-256-CBC (256-bit)
    • Auth Digest Algorithm = SHA1 (160 bit)
    • Hardware Crypto = No Hardware Crypto Acceleration
    • IPv4 Tunnel Network = (leave blank)
    • IPv6 Tunnel Network = (leave blank)
    • IPv4 Remote Network/s = (leave blank)
    • IPv6 Remote Network/s = (leave blank)
    • Limit outgoing bandwidth = (leave blank)
    • Compression = No Preference
    • Type of Service = Unchecked
    • Disable IPv6 = Checked
    • Don't Pull routes = Unchecked
    • Don't add/remove routes = Unchecked
    • Advanced =
      remote-cert-tls server
      resolv-retry infinite
      persist-key
      persist-tun
      persist-remote-ip
      comp-lzo
      verb 3
      auth SHA256
      keysize 256
      tls-cipher DHE-RSA-AES256-SHA
      auth-nocache
  5. Click Save



[ref1],[ref2]

Updates of custom settings from other implementations

Other documents detail the advanced settings as follows:

remote-cert-tls server
resolv-retry infinite
persist-key
persist-tun
persist-remote-ip
comp-lzo
verb 3
auth SHA256
keysize 256
tls-cipher DHE-RSA-AES256-SHA

but my configuration is this:

remote-cert-tls server
resolv-retry infinite
persist-key
persist-tun
persist-remote-ip
comp-lzo
verb 3
auth SHA256
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
auth-nocache

I changed the tls-cipher because, when opening the connection, the logs said that DHE-RSA-AES256-SHA was deprecated and that TLS-DHE-RSA-WITH-AES-256-CBC-SHA should be used.
There was also a warning that credentials were cached and that adding auth-nocache would be more secure. Since the connection still worked with these extra settings, I left them in place.
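As an added check (my own script, not from the original post or from pfSense), the following Python lints a pasted custom-options block for the points raised above: the deprecated tls-cipher name, a missing auth-nocache, a missing remote-cert-tls server, and an auth directive that disagrees with the GUI's Auth Digest Algorithm. The `gui_auth_digest` parameter is an assumption standing in for the digest selected in the GUI (SHA1 in the steps above).

```python
"""Lint a pfSense OpenVPN client "Advanced" custom-options block for the
issues this post ran into (deprecated tls-cipher name, cached credentials,
missing remote-cert-tls, auth digest disagreeing with the GUI setting)."""

# Only the replacement named in the log message quoted in the post is mapped.
DEPRECATED_TLS_CIPHERS = {"DHE-RSA-AES256-SHA": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"}

def parse_custom_options(text):
    """Return {directive: [args]}; one directive per line, '#' comments ignored."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def lint_custom_options(text, gui_auth_digest="SHA1"):
    """Return a list of findings; an empty list means nothing to fix.
    gui_auth_digest is an assumed stand-in for the GUI's Auth Digest Algorithm."""
    opts = parse_custom_options(text)
    findings = []
    cipher = (opts.get("tls-cipher") or [None])[0]
    if cipher in DEPRECATED_TLS_CIPHERS:
        findings.append(f"tls-cipher {cipher} deprecated; use {DEPRECATED_TLS_CIPHERS[cipher]}")
    if "auth-nocache" not in opts:
        findings.append("auth-nocache missing: credentials stay cached in memory")
    if opts.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server missing: server role not enforced")
    auth = opts.get("auth")
    if auth and auth[0].upper() != gui_auth_digest.upper():
        findings.append(f"auth {auth[0]} disagrees with GUI digest {gui_auth_digest}")
    return findings

# Constructed sample: the "other documents" block quoted in this post.
OTHER_DOCS = """remote-cert-tls server
resolv-retry infinite
persist-key
persist-tun
persist-remote-ip
comp-lzo
verb 3
auth SHA256
keysize 256
tls-cipher DHE-RSA-AES256-SHA
"""

if __name__ == "__main__":
    for finding in lint_custom_options(OTHER_DOCS):
        print("WARN:", finding)
```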

Create new Interface for OpenVPN

  1. Go to [Interfaces -> Assign]
  2. Under {Interface Assignments} there will be "Available Network Ports"; choose ovpnc1() from the drop-down and click ADD. The network interface OPT1 will be created.
  3. Click on the OPT1 interface to edit it.
  4. Configure as follows:
    1. Description: ENVPN
    2. IPv4 Configuration Type: None
    3. IPv6 Configuration Type: None
    4. MAC Controls: Leave blank
    5. MTU: Leave Blank
    6. MSS: Leave Blank
    7. Block Private Network: Unchecked
    8. Block Bogon Network: Unchecked
  5. Save this configuration

Configure NAT Rules

  1. Go to [Firewall -> NAT]
  2. Go to {Outbound}
  3. Change from "Automatic outbound NAT rule generation. (IPsec passthrough included)" to "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)"

References:
https://www.privateinternetaccess.com/pages/client-support/pfsense
http://www.giganews.com/support/vyprvpn/vpn-setup/dd-wrt/openvpn.html
https://forum.pfsense.org/index.php?topic=35292.0
https://www.easynews.com/vpn/setup.html#ubuntu
https://www.easynews.com/vpn/setup.html#routers
https://support.code42.com/CrashPlan/4/Configuring/Excluding_Networks_Used_For_Backup_And_Restore
https://www.reddit.com/r/OpenVPN/comments/3tmfjz/showing_connected_to_vpn_but_still_getting_actual/