Using VMs for Routing VPNs and Tor: Creating pfSense OpenVPN Client

Discussion in 'privacy technology' started by mirimir, Jan 9, 2012.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Create pfSense VM

    Go to -http://www.pfsense.org/mirror.php?section=downloads, select a nearby mirror, and download "pfSense-2.0.1-RELEASE-amd64.iso.gz" (or "pfSense-2.0.1-RELEASE-i386.iso.gz" if you're running 32-bit). Extract "pfSense.iso". There's more about pfSense versions at -http://www.pfsense.org/index.php?option=com_content&task=view&id=43&Itemid=44

    Create a pfSense VM, basically as I described for the test Ubuntu VM. Name it "pfSense201x64Test". Select "BSD" as the OS, and "FreeBSD (64 bit)" as the version. Specify 128MB memory. Create a new hard disk using defaults (VDI, dynamically allocated, 2GB) and finish. Then edit the VM details. Disable shared clipboard, change the boot order to "Hard Disk, CD/DVD" and enable PAE/NX. Add "pfSense.iso" to the virtual CD/DVD drive. Disable audio and USB support.

    You can either leave the default network adaptor ("Adapter_1)" attached to NAT, or you can attach it to an existing internal network that routes another VPN service (which is what I did). Add a second network adaptor ("Adapter_2") and attach it to the internal network "pfsense".

    Now start the pfSense VM, and hit "I" to start the installer when asked. On the "Configure Console" screen, select "Accept these Settings". On the "Select Task" screen, select "Quick/Easy Install". Under "Are you SURE?", select "OK". Wait a while. On the "Install Kernel(s)" screen, select "Symmetric multiprocessing kernel ...". On the "Reboot" screen, select "Reboot". While it's rebooting, using the "Devices | CD/DVD Devices" menu at the top, select "Remove disk from virtual drive".

    Hit "F1" and then "1" as it boots (or do nothing and it will just do that, but more slowly). Enter "n" to decline setting up VLANs. Type "em0" as the WAN interface, and hit enter. Type "em1" as the LAN interface, and hit enter. Hit enter to pass on OPT interface setup. Enter "y" to accept choices, and wait for pfSense to finish booting. [By the way, it's just as easy to install pfSense on a real computer.]

    Now start an Ubuntu VM that's connected to the internal network "pfsense". Open Firefox, and check your IP address. It should correspond to whatever network you connected "Adapter_1" to. Browse to -https://192.168.1.1 (and create a server certificate exception). Login as "admin", with password "pfsense". You're looking at the pfSense Dashboard. Using "System | User Manager" in the top pfSense menu, change the default password.

    Create an OpenVPN Client for the VPN Service

    Using "Devices | Shared Folders" in the top VirtualBox menu of the Ubuntu VM, create a transient shared folder (so you can get the OpenVPN configuration information from the host machine). For the folder path, type your home path (which is "/home/username", replacing "username" with yours). The wizard will use "username" as the share name. Now open a terminal ("Applications | Accessories | Terminal"). Type "mkdir host" and hit "Enter". Then type "sudo mount -t vboxsf sharename ~/host" (replacing "sharename" with the name of the share that you just created) and hit "Enter". Supply your password to authenticate, and hit "Enter".

    Drawing from the configuration files supplied by your provider, create a file ("Config.txt") containing essential information for configuring the pfSense OpenVPN client. Please see the example file at the end of these instructions. Most services supply the security credentials ("ca.crt", "client.crt", "client.key" and "ta.key") as individual files. But OpenVPN's PrivateTunnel service provides them inline as part of the OVPN file, marked by <foo> and </foo> tags. Have "Config.txt" in "/home/username/Downloads" on your host machine. Copy it to the Ubuntu VM. In terminal on the Ubuntu VM, type "sudo cp ~/host/Downloads/Config.txt ~/Downloads/" and hit "Enter". Open "Config.txt" in gedit (text editor) on the Ubuntu VM to verify. Then type "sudo umount ~/host" in terminal to unmount the shared folder (and get into the habit of unmounting host-VM shares when done with them).

    In the pfSense Dashboard, select "System | Cert Manager" from the top pfSense menu. In the "CAs" tab, click the plus sign at right to create one, and name it "ca.crt". In the "Certificate data" window, paste the certificate block under "ca.crt" in "Config.txt", and click "Save". In the "Certificates" tab, click the plus sign at right to create one, and name it "client.crt". In the "Certificate data" window, paste the certificate block under "client.crt" in "Config.txt". In the "Private key data" window, paste the key block under "client.key" in "Config.txt", and click "Save". You should see "ca.crt" as the issuer of this client certificate.

    In the pfSense Dashboard, select "VPN | OpenVPN" from the top pfSense menu, and then select the "Client" tab. Click the plus sign at right to create a new client, and click "Disable this client" for now (so we don't flap at the OpenVPN server). Leave the defaults, except where specified below. Use the provider's access URL or IP address for "Server host or address". Change "UDP" to "TCP" if necessary for your provider. Enable "Infinitely resolve server". Deselect "Automatically generate a shared TLS authentication key". By the way, I haven't yet encountered VPN services that do so. For services that provide a “ta.key”, paste the key block in the window that appears. For services that don't provide a “ta.key”, deselect “Enable authentication of TLS packets”. Don't worry about doing this. TLS authentication protects the OpenVPN server from DOS attacks by evil clients. Disabling it doesn't mean that your tunnel won't be encrypted, or will be less secure.

    For "Client Certificate", select "client.crt". For "Encryption algorithm", select "BF-CBC (128-bit)" unless your provider has specified a different one. Enable LZO compression. In the "Advanced" window at the bottom, paste the long line of ";-separated" paramenters under "Advanced" in "Config.txt". Save the configuration (still disabled).

    Now we add the client-cred file containing your username (which is your account email address for PrivateTunnel) and password to pfSense. That allows unattended boot. In the pfSense Dashboard, select "Diagnostics | Edit File". In the big window, paste your username and password (under "client-cred" in "Config.txt"). Browse to "/var/etc/openvpn", add "/client-cred" to the address, and hit "Save".

    Go back to "VPN | OpenVPN", and select the "Client" tab. Click the "e" button to edit, deselect "Disable this client", and hit "Save". Go to "Status | OpenVPN" and see if it worked. If OpenVPN status is "up", that's a good sign. We're almost done! Otherwise, go back and figure out what went wrong.

    Now we must tweak the pfSense setup a little. Go to "Status | System Logs", and select the "OpenVPN" tab. Find the "PUSH" line in the connection log, and see what DNS servers were specified by the provider ("dhcp-option DNS ..."). Go to "Services | DHCP Server”, enter their IP addresses under "DNS servers", and hit "Enter". This ensures that the pfSense DHCP server gives the VPN provider's DNS servers to clients (and doesn't just forward the DNS servers that pfSense uses on WAN).

    Now we must route LAN through the VPN tunnel. Go to "Firewall | NAT | Outbound", select "Manual Outbound NAT rule generation", hit "Save" and then "Apply Changes". Click the "e" button to the right of "Auto created rule for LAN to WAN" to edit it. Change the "Interface" from "WAN" to "OpenVPN", edit the "Description" to reflect the change, hit "Save" and then hit "Apply Changes".

    Now go to Firefox, and check your IP address. It should have changed. If so, good. If Firefox hangs, there's probably something wrong with the DNS server setup. If you have no luck with the provider's DNS servers, use OpenDNS or other public servers in "Services | DHCP Server”, and see if that works. If it does, maybe you don't have the right DNS servers for your provider.

    Now we check what DNS servers the VPN tunnel is using. Go to -http://grc.com/dns, and initiate the standard DNS test. If all is well, you should see just one or two DNS servers, and none of them should be your ISP's (or whatever pfSense sees on its WAN adaptor).

    Create OpenVPN Clients for Other VPN Services

    Now you can create OpenVPN clients for other VPN services that you use. I typically create one for each route of each service, and incorporate the service and route information in the VM's name, and also in the name of the VirtualBox internal network that's attached to that VM's LAN adaptor. Track which VPN providers know your true identity, and connect directly to them. Conversely, also track which VPN providers do not know your true identity, because you paid anonymously (cash in the mail, Liberty Reserve or equivalent) and have never connected directly to their websites or OpenVPN servers. Make sure that you never connect directly to them. Only connect through another VPN service, or through Tor.

    Install Ra's Tor Gateway

    Install Ra's "Tor gateway 0.3.5" or "Tor fast gateway 0.0.2" from -http://ra.fnord.at/ They are OVA packages, Import into VirtualBox using "File | Import Appliance". There's no configuration required. You can edit them somewhat to run hidden services and so on, but I won't get into that now.

    Now you're ready to play with networking in VirtualBox. I'll say more about that later today in another topic.

    ============================================================

    Edit: I wrote this for OpenVPN's PrivateTunnel service. Upon reflection, I'm not going to post my credentials. And, in any case, PrivateTunnel 100MB accounts are free.

    So, "Config.txt" as used above should contain:

    Advanced

    ns-cert-type server;auth-user-pass /var/etc/openvpn/client-cred;key-direction 1;redirect-gateway def1;verb 5

    client-cred

    username
    password

    ca.crt

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

    client.crt

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

    client.key

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

    tls-auth

    #
    # 2048 bit OpenVPN static key (Server Agent)
    ...
    -----END OpenVPN Static key V1-----
     
    Last edited: Jan 9, 2012
  2. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
  3. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I have a WiFi router I need, as long as I go straight into the modem I get this after setup and I reboot;

    WAN (wan) --> em0 -->10.0.2.15 (DHCP)
    LAN (lan) --> em1 --> 192.168.1.1

    So how would I now get back to going into the router?


    THANKS
     
    Last edited: Jan 11, 2012
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    If the pfSense VM's WAN (em0) is NATed to the host, it will connect through whichever of the host's network interfaces is active. The WAN IP address (10.0.2.15) of the pfSense VM is provided by the VirtualBox DHCP server (10.0.2.1). If you start the pfSense VM, and then change the active host interface from wired to WiFi, the pfSense VM probably won't even notice (although it will transiently lose connectivity). At worst, you may need to refresh the VM's WAN lease.
     
  5. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Sorry I'm talking about the LAN, if I'm behind the router I don't get any address when I first installed pfSense...

    Ok I'm also dead in the water here, I can't get OpenVPN up, it's always down...

    In my client config these are the options, so I have them all in Advanced, I take it I am suppose to place all them in correct?

    client;dev tun;proto udp;route-method exe;route-delay 3;comp-lzo no;remote-random;resolv-retry 10;nobind;persist-key;keepalive 3 10;ns-cert-type server;verb 1;mute 20

    VPN - OpenVPN - Client Certificate says --> webConfigurator default *In Use

    At this point in time, why I can't get this up, I just need to know the correct Encryption Algorithm, I hope... :blink:

    Do we also want to paste in the;

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

    Part of the certs/keys, or just the cert/key info is all?


    THANKS
     
    Last edited: Jan 11, 2012
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    OK, I get it now. I'm not sure why that would happen. I don't use WiFi at home, so I can't readily test. It's probably related to the way DHCP leases get negotiated over WiFi. I suspect that the pfSense VM isn't getting any DNS servers from the host. Adding OpenDNS (or whatever you like) servers in the pfSense VM's "System | General Setup" screen will probably make it work. I'll google it tomorrow.

    From what you say here, it should be down ;)

    Yes, you do. Unless I've made mistakes, it should work for PrivateTunnel if you configure the client exactly as I've explained. For a different provider, what I do is configure all of the GUI options appropriately, and then put the rest in Advanced (except for the ones that, from experience, are best ignored).

    That's the pfSense default for its webConfigurator GUI. What you want to use for the OpenVPN client is the ca.crt from the provider. You add it to pfSense using the "System | Cert Manager" screen, as I described (and then the client.crt with its key).

    If there's no Encryption Algorithm specified in the configuration file from the provider, you can assume that it's "BF-CBC (128 bit)", which is the OpenVPN default.

    You need to include those lines as well as the stuff between them. Also, keep in mind that the software is very picky: "----BEGIN CERTIFICATE-----" is not the same as "-----BEGIN CERTIFICATE-----"!
     
  7. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Sorry I'm not talking LAN,WAN or Wifi, I'm talking sitting behind a router is all, hehe... :)

    From what you say here, it should be down, what do you mean, you said;

    Go back to "VPN | OpenVPN", and select the "Client" tab. Click the "e" button to edit, deselect "Disable this client", and hit "Save". Go to "Status | OpenVPN" and see if it worked. If OpenVPN status is , "up"that's a good sign.

    UP? I'm at that point to check the status, anyhow no worries on it, I just found out the VPN is down for the moment so when I get it back up I'll check again...

    My mistake I didn't add the client.crt under the Certificate tab, all good now... :)

    I found out I use; "BF-CBC (128 bit)"...

    Ok I did include the lines and the STUFF between them, LOL...

    Stuff between them what a laugh... :)
     
    Last edited: Jan 12, 2012
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    If you haven't added the VPN provider's ca.crt, the client shouldn't connect. If the parameters aren't set right, the client shouldn't connect. That's all that I meant.

    :)

    Good.

    OK, how about "text" or "body" o_O
     
  9. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Ok just call me the surfing fool, LOL, 5-6 hours later and I'm UP and surfing with OpenVPN through pfSense! WoOt :D

    But it was tricky for me, having iptables running on the host and guest and behind a router, LMAO...

    Also if I plug the DNS into the network adapter settings on the host, the dns show up in the pfSense panel, so it makes me wonder if the DHCP Server setting really needs the DNS in there? Hmm...

    Ok time to plug back into the router and see how that goes... :argh:

    Wheeew for a while there I was ready to shoot myself... :p
     
    Last edited: Jan 12, 2012
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Congratulations! I typically keep my VPNs connected 24/7. pfSense is very good at that.

    I don't think that you really need iptables on the VM. pfSense is a firewall! It can't hurt, I suppose.

    By default, pfSense uses DNS servers that it gets from WAN for its own purposes. Any DNS servers that you put in "System | General Setup" override them. Also, by default, pfSense has "Services | DNS Forwarder" enabled. It forwards the DNS servers that it gets from WAN to LAN clients. Here's the explanation from that pfSense webAdmin screen:

    By default, pfSense also has "Allow DNS server list to be overridden by DHCP/PPP on WAN" enabled. If you're getting DNS servers properly from the VPN provider, connections through the VPN will use the VPN's DNS servers, and not any DNS servers provided by pfSense. That's the case for the Private Tunnel example that I used.

    However, some VPN providers use OpenVPN server options that provide DNS servers in ways that pfSense (FreeBSD) doesn't understand. That's especially likely for VPN providers that use client-side scripting for Windows clients. In that case, you need to disable both "Services | DNS Forwarder" and "Allow DNS server list to be overridden by DHCP/PPP on WAN" in "System | General Setup". Then you enter the DNS servers provided by your VPN provider in "Services: DHCP Server".

    Even that may not work, maybe because there are routing restrictions for using the provider's DNS servers, In that case, I just use OpenDNS etc servers. DNS queries get routed through the VPN, in any case. As long as you're not using your ISP's DNS servers, you're cool.

    Good luck :)

    The first time is always hard, in my experience ;)
     
  11. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Well in time, I'd like to either build or buy a really small form factor box, like the size of a mac mini, but then I'm not sure how you'd go about dealing with WiFi needed for other systems, for now this is why I stick to a small router, inexpensive and not a waste on electricity...

    Hey I know how to use Shorewall, it's easy for me, I've been using it, so I figure why not...

    I never use the VPNs DNS, I always use either OpenDNS or Comodo's Secure DNS and I put them into the network adapter on my host, then as you say it's getting seen from the Host to pfSense, so I guess no need to put it anywhere else, correct?

    Here's a screen shot on my host, I use Wicd on both, but I just put in the DNS in the Global Preferences of Wicd on the host is all;

    http://imageshack.us/f/828/wicddns.jpg/

    I found this link, which is pretty much what you stated about DNS Forwarding;

    http://doc.pfsense.org/index.php/DNS_Forwarder

    So having it configured on the Host Adapter, I want to keep dns forwarding enabled?

    I got it working behind the router, boy did I get lucky being able to run iptables on the host and guest, behind a NAT/SPI router and pfSense, LOL and everything routes and works... :cool:

    DNS Forwarder Cache, hmm interesting;

    http://doc.pfsense.org/index.php/How_do_I_clear_the_DNS_Forwarder_cache%

    Think that cache is something we should clear out often?

    What are you using for the Firewall Optimization Options?

    By the way, any hand cleaning security tips that helps for maintaining this?

    THANKS
     
    Last edited: Jan 12, 2012
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    That would work. However, it might be good for obscurity to use different DNS servers on the host and pfSense.

    Even with DNS Forwarding enabled, DNS servers pushed by the VPN won't get overrided unless you enter DNS servers in "Services: DHCP Server".

    I gather from what you've written that you have no DNS servers entered in "System | General Setup". Therefore, pfSense itself should be using the DNS servers that it gets from the host (which the host gets from the router). I also gather that you have DNS Forwarding enabled, but have not entered any DNS servers in "Services: DHCP Server". Therefore, using the configuration that I described for Private Tunnel, pfSense should be pushing the Private Tunnel DNS servers to clients.

    Is that what you find?

    Indeed :)

    You could. My VM host has encrypted LVM, so I don't worry. My VMs are also quite "contaminated", so I don't worry about DNS cache.

    All I do is backup the xml whenever I change something. pfSense is designed to just run forever without complaint. You could update periodically if you want.
     
  13. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Ahhh different DNS on the hosts and guest adapters, sounds interesting...

    In Linux DNS aren't going to get pushed to you unless the client config has been written to do so, but it's my understanding you typically use the client.up and client.down for OpenVPN to accomplish this, but I don't use them.

    I don't have any DNS entries in pfSense...

    By the way is the default pfsense_ng skin off centered for you? The window sits more to the left, seems goofy this thing isn't centered...

    Hey did you check out in the shell var/log/dmesg.boot?

    LOL, what's with all the license agreements hehe... o_O

    First time I've ever seen an opensource project where you needed to do something like this...
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Yes, I see that too. It doesn't bother me.

    I watch all that stuff go by as it boots, sometimes. But no, I've never looked at the log. Why do you mention it?

    BSD has a long and colorful history. Basically, CSRG geeks at UC-Berkeley "liberated" Unix after AT&T became more possessive.
     
  15. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Drives me nutts being off centered, always looking to the left instead of the center of the screen, makes me dizzy, LOL... o_O

    dmesg.boot, for the license agreements, is what I meant and of course telling to you read them in usr/share/doc/legal which is not there. :ouch:

    BSD is certainly colorful, I also filed a bug report about the theme, it's not correct and there was a license agreement bug was filed by someone I just followed up on...

    pfSense Appliances;

    http://www.pfsense.org/index.php?option=com_content&task=view&id=44&Itemid=50

    These might be really nice in certain situations, rather then running it on a box, I'm going to have to keep an eye out for a CHEAP pfSense router...
     
    Last edited: Jan 12, 2012
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    pfSense is a pretty amazing product. It can be installed on an appliance for home use. It needs more resources than OpenWRT, but not that much. It can also handle major enterprise loads, running on adequate hardware. I run pfSense on my perimeter router/firewall: dual WAN with failover, vLANs. Check out "System | Packages. When I have some time, I'm going to install Snort.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Try installing the pfSense widescreen package.
     
  18. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Ahh, I overlooked that one... :)

    To bad it isn't Final yet, but hey we're in a VM, so I'll back it up before installing...


    THANKS

    P.S. This isn't just the mirimir & DasFox show people! 496 views and no thanks? Hey this man has taught you something great, that you can do on Windows too with VirtualBox! :argh:
     
    Last edited: Jan 15, 2012
  19. Asus125

    Asus125 Registered Member

    Joined:
    Sep 8, 2009
    Posts:
    33

    Thanks, mirimir. It's the best tutorial here in Wilders.:thumb:
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    If OpenVPN isn't connecting properly, it's helpful to check the OpenVPN connect log (what you see when you run it in terminal) at "Status | System Logs | OpenVPN". I thank addi6584 for mentioning that in the "Playing with Virtual Networks" thread.
     
Loading...
Thread Status:
Not open for further replies.