
Remote Access VPNs - pfSense Hangout September 2015


Slides for the September 2015 pfSense Hangout video



  1. Remote Access VPNs – September 2015 Hangout – Jim Pingle
  2. Project Notes
     ● 2.2.5 coming in the next few weeks
     ● 2.3 progressing fast, huge amount of work happening
       – Updates via pkg are working well
       – Bootstrap GUI update is nearly complete, but needs testing and refinement
       – New package system is shaping up well
     ● vBSDCon presentation “Made to Measure: Network Performance Analysis in FreeBSD” is up on YouTube: https://www.youtube.com/watch?v=9BcdRHNTdf4
  3. Remote Access VPN Hangout
     ● Overview
     ● Concepts
     ● Do's and Don'ts
     ● Authentication Choices
     ● OpenVPN vs IPsec
     ● Client Availability
     ● OpenVPN Walkthroughs
       – Choosing a setup style
       – SSL/TLS + User Auth
       – OpenVPN Client Export Package
       – Client Setup
     ● IPsec VPN Walkthroughs
       – Choosing a setup style
       – IKEv2 EAP-MSCHAPv2
       – Client Setup
       – Xauth+PSK
       – Client Setup
     ● Extra Features
  4. Overview
     ● Why use a VPN?
       – Secure means of accessing LAN/DMZ/etc. resources, or even the Internet, across untrusted networks
     ● Types of Remote Access (“Road Warrior”) VPNs on pfSense
       – OpenVPN
         ● SSL/TLS, User Auth, SSL/TLS + User Auth
       – IPsec
         ● IKEv2 EAP-MSCHAPv2, IKEv2 EAP-TLS, Xauth+PSK, Xauth+RSA
     ● VPN types to avoid
       – PPTP – Zero security, worthless, will be removed from pfSense 2.3
       – L2TP/IPsec – Client support/behavior is inconsistent, especially from Windows behind NAT
       – Plain IPsec with only PSK – Limited client support, weak security
     ● What isn't available
       – Browser-based “clientless” type VPN
       – SSTP
  5. Concepts
     ● Third-Party Clients
       – Needed by many VPNs, depending on type/style
     ● Split Tunneling vs Tunnel All
       – Tunnel only specific subnets over the VPN; support varies by client and VPN type
         ● All OpenVPN clients can split tunnel
         ● IPsec depends on client/OS (typically: Windows native = no, iOS/OS X = yes, Android maybe)
       – Tunnel all traffic over the VPN (incl. Internet)
         ● Be sure to check outbound NAT and client DNS
     ● Getting a client config to a device
       – Avoid using e-mail unless you have no other choice
       – Do not transfer over an insecure connection (e-mail, HTTP, FTP, etc.)
       – iOS – iTunes or e-mail
       – Android – USB connection, USB OTG media, file manager via network share, scp, etc.
       – Windows/OS X – thumb drive or physical transfer if possible, network share, scp, many other choices
  6. Concepts
     ● Certificate Structure
       – Some knowledge is required, too much to cover here; refer to the book
       – Used for OpenVPN and also for IPsec with IKEv2 or RSA
       – Manage on the firewall, System > Cert Manager
       – OR manage elsewhere and import the CA cert, server cert/key (and user certs/keys if using the export package)
       – Use a different CA/cert set for each VPN with different security requirements
         ● For example, don't use the same CA set for vendors and network admins
       – Do NOT use a “real” cert structure from a trusted root provider. It has no benefit for VPNs and actually makes them less secure
     ● Subnets for VPNs
       – Use a unique, unused subnet for each remote access VPN
     ● Bridging to LAN
       – Only OpenVPN in tap mode can do it. Support varies by platform. Generally a bad idea
     ● Multi-Factor Auth
       – Something you have (SSL cert, TLS key, etc.) and something you know (user/pass/PSK)
       – Auth with external tokens/keys/etc. may be possible via RADIUS; check with the RADIUS vendor
  7. Do's and Don'ts
     ● Do use a VPN instead of passing sensitive data unencrypted
     ● Do use as many security layers as possible for the VPN
     ● Do use separate VPNs for different groups or purposes
     ● Don't limit yourself to only one VPN!
     ● Don't share or re-use certificates or credentials
     ● Don't store passwords insecurely (e.g. in plain text files)
     ● Don't be afraid of third-party clients; requiring a native client today is irrational
     ● Don't give in to the temptation to bridge a VPN to LAN if it can be avoided
  8. Authentication Choices
     ● OpenVPN
       – Local users on the firewall (User Manager)
       – Remote authentication via RADIUS or LDAP
     ● IPsec varies by mode
       – Xauth modes can use User Manager users, RADIUS, or LDAP
       – EAP-MSCHAPv2 users are entered on the PSK tab
       – Plain PSK entries can be on the PSK tab or on user accounts
       – L2TP has users in the L2TP settings, or it can use RADIUS
  9. OpenVPN vs IPsec
     ● Both can be run at once, no need to pick only one!
     ● OpenVPN is a more consistent experience across all platforms
     ● OpenVPN is more flexible in what it can do and how it operates
     ● OpenVPN requires an external client/app
     ● OpenVPN can obtain some settings via RADIUS (client IP, routes, firewall rules, DNS)
     ● IPsec is a widely accepted standard
     ● IPsec clients are typically built into the OS, though these are often quite limited and vary greatly between operating systems
     ● OpenVPN and IPsec in Xauth mode can authenticate via RADIUS or LDAP
     ● IPsec in EAP-MSCHAPv2 mode can only have local users currently
     ● No limit to the number of OpenVPN instances and configurations
     ● Only one mobile IPsec type at a time currently (will be more in the future)
     ● OpenVPN has no issue with being behind NAT
     ● IPsec can have issues with NAT in some cases, but mobile types generally use NAT-T, which helps
     ● IPsec cannot assign a specific IP address to a user; OpenVPN can
     ● OpenVPN can assign specific settings to any user (IP address, routes, etc.)
     ● OpenVPN can run on TCP, but don't use it unless it can't be avoided
  10. Client Availability
      Operating System    OpenVPN  IPsec PSK  Xauth+PSK  Xauth+RSA  IKEv2-EM   IKEv2-ET
      Windows XP          3PA      3PA        3PA        3PA        ?          ?
      Windows Vista/7/8   3PA      3PA        3PA        3PA        Yes (8.1)  Yes (8.1)
      Windows 10          3PA      ?          ?          ?          Yes        Yes
      Android <4          3PA      ?          Bug        Yes        ?          ?
      Android             3PA      ?          Bug        Yes        3PA        3PA
      iOS <9              3PA      ?          Yes        Yes        ?          ?
      iOS 9               3PA      ?          Yes        Yes        Yes        Yes
      OS X <El Cap        3PA      ?          Yes        Yes        ?          ?
      OS X El Cap         3PA      ?          Yes        Yes        Yes        Yes
      SNOM/Yealink        Yes      No         No         No         No         No
      3PA = third-party app, ? = not native (maybe 3PA), Bug = known bug in the client OS. IKEv2-EM = IKEv2 EAP-MSCHAPv2, IKEv2-ET = IKEv2 EAP-TLS.
      Windows XP/Vista/7/8 can use the Shrew Soft VPN Client for most IPsec modes, but NOT Windows 10.
  11. Client Availability
      ● Windows
        – Native IPsec for IKEv2 EAP-MSCHAPv2 or IKEv2 EAP-TLS (Win 8.1+)
        – On Windows <10, Shrew Soft for more flexible IPsec (PSK, Xauth+PSK, Xauth+RSA, etc.)
        – OpenVPN via external client; the export package bundles the client and config/certs/etc.
        – Client must run as administrator; can optionally run as a service (Vista/7/8/10)
      ● Android
        – Must have a lock set up to use VPN (PIN, pattern, etc.)
        – OpenVPN app (not the Connect app!)
        – Native IPsec for Xauth+RSA, main mode (PSK won't work, racoon+Android bug)
        – strongSwan app for IKEv2
      ● OS X
        – Native IPsec for Xauth+PSK or Xauth+RSA; IKEv2 on El Capitan and later
        – OpenVPN via Tunnelblick or Viscosity
      ● iOS
        – Native IPsec for Xauth+PSK or Xauth+RSA; IKEv2 on iOS 9 and later
        – OpenVPN via the OpenVPN Connect app
      ● SNOM/Yealink Phones
        – OpenVPN – CA/certs can only be SHA1, SSL/TLS only, no auth
  12. Choosing an OpenVPN setup style
      ● TLS Key
        – All remote access modes
        – Unless the client does not support TLS keys, use it!
        – Extra factor of auth; can also protect against some SSL attacks
      ● OpenVPN SSL/TLS + User Auth
        – Most secure, multi-factor
        – Use strict user/CN matching
        – For external auth, make certs manually
        – For local auth, add local users with certs on the user
      ● OpenVPN SSL/TLS
        – Useful for embedded devices like phones (Yealink/snom)
      ● OpenVPN Auth
        – More convenient for external auth. Less secure, no certs.
  13. OpenVPN Walkthrough – SSL/TLS + User Auth
      ● Can set up manually or via the Wizard
      ● If manual, set up the CA/server cert and auth server first
      ● Full details on the wiki: https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
      ● Set up CA/certs, server, add firewall rules to the WAN & OpenVPN tabs, users
  14. OpenVPN Client Export Package
      ● Install from System > Packages
      ● VPN > OpenVPN, Client Export tab
      ● Host Name Resolution: default is IP, can use host/dyndns
      ● OpenVPNManager can optionally be used to run it as a service on Windows without the need for admin privileges
      ● Config Options
        – Archive – .zip containing config, certs, etc.
        – Inline configurations – supported by most recent versions; has certs and keys inline in one plain text configuration file
        – Windows installers
          ● “XP” installers will work on any version of Windows XP or later; “win6” installers will work on Vista and later
          ● 32 and 64-bit versions; 32-bit will work on 64-bit platforms also
        – Viscosity bundle, easy to use on OS X
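As an added example (not from the slides or the pfSense project), the Python below parses an inline client config of the kind the Client Export package produces (slide 14) and reports which of the layers recommended on slide 12 (certs, user auth, TLS key) and the UDP/split-tunnel advice from slides 5 and 9 it actually carries. The sample config and its placeholder PEM bodies are constructed, and the `remote`/`proto`/`tls-crypt` directives are standard OpenVPN options rather than anything specific to the export package.

```python
import re

# Constructed sample in the inline style the Client Export package produces;
# the PEM bodies are placeholders, not real certificates or keys.
SAMPLE_OVPN = "\n".join(
    ["client", "remote vpn.example.com 1194 udp", "auth-user-pass", "remote-cert-tls server"]
    + [f"<{t}>\nPLACEHOLDER-{t.upper()}\n</{t}>" for t in ("ca", "cert", "key", "tls-auth")]
)

def parse_ovpn(text):
    """Split an OpenVPN config into plain directives and <tag>...</tag> inline blocks."""
    directives, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:  # an opening tag starts an inline block, a closing tag ends it
            current = None if tag.group(1) else tag.group(2)
            if current:
                blocks[current] = []
        elif current:
            blocks[current].append(line)
        else:  # plain directive; a repeated name keeps its last occurrence
            name, *args = line.split()
            directives[name] = args
    return directives, {k: "\n".join(v) for k, v in blocks.items()}

def audit_ovpn(text):
    """Check a client config against the layering advice from the slides."""
    opts, blocks = parse_ovpn(text)
    remote = opts.get("remote", [])
    # transport comes from "proto", else the third argument of "remote", else UDP
    proto = (opts.get("proto") or [remote[2] if len(remote) > 2 else "udp"])[0]
    return {
        "ssl_tls_certs": all(b in blocks for b in ("ca", "cert", "key")),
        "user_auth": "auth-user-pass" in opts,
        "tls_key": any(k in blocks or k in opts for k in ("tls-auth", "tls-crypt")),
        "verifies_server_cert": opts.get("remote-cert-tls") == ["server"],
        "udp_transport": proto.startswith("udp"),
        "tunnel_all": "redirect-gateway" in opts,
    }

def setup_style(checks):
    """Name the OpenVPN server mode from slide 12 that a client config matches."""
    if checks["ssl_tls_certs"] and checks["user_auth"]:
        return "SSL/TLS + User Auth"
    return "SSL/TLS" if checks["ssl_tls_certs"] else "User Auth" if checks["user_auth"] else "unknown"
```

Run `audit_ovpn` on an exported .ovpn before handing it to a user; a config that reports "User Auth" with no TLS key is the least-secure style the slides describe.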
  15. OpenVPN Client Setup
      ● Windows
        – XP
        – Vista/7/8/10 (10 shown)
          ● Set the properties of the shortcut to run as admin
      ● Android
        – OpenVPN for Android app
        – https://play.google.com/store/apps/details?id=de.blinkt.openvpn
  16. IPsec – Choosing a setup style
      ● IPsec Xauth+PSK
        – Works fine in many cases, but not on current Android devices
      ● IPsec Xauth+RSA
        – Works better than PSK and is more secure, though more difficult to deploy
        – No current way to tie a user to a specific cert
      ● IPsec IKEv2 EAP-MSCHAPv2
        – Ideal option for Windows, Linux, Android, iOS 9+, OS X El Capitan+
        – User auth, but no per-user certs
        – Can be picky about certificate properties
      ● IPsec IKEv2 EAP-TLS
        – Same as above, but with user certs instead of user authentication
      ● L2TP/IPsec (probably not)
        – Problems with Windows systems behind NAT; strongSwan says it's a Windows client problem, but both sides have moved on to focus on IKEv2
  17. IPsec – IKEv2 EAP-MSCHAPv2
      – Show setup demo
      – Full details on the wiki: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
  18. IPsec Client Setup – IKEv2 EAP-MSCHAPv2
      ● Windows 8.1/10 (maybe 7)
      ● Android with the strongSwan app
  19. IPsec – Xauth+PSK
      – Show settings
      – Full details on the wiki: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
  20. IPsec Client Setup – Xauth+PSK
      ● Windows XP with the Shrew Soft client
  21. Extra Features
      ● Multi-WAN for OpenVPN
        – Bind to localhost
        – Set up port forwards on each WAN
      ● Run OpenVPN on multiple ports
        – Add port forwards to the 'main' port
      ● OpenVPN port sharing
        – Check the wiki for details; can share 443 with an HTTPS server behind the firewall
  22. Conclusion
      ● All of the virtual machines for this hangout were running under ESX on a 4860 unit!
      ● Quick peek at 2.3 if there is time
      ● Questions?
      ● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.
