Remote Access VPNs
pfSense Hangout, September 2015
Jim Pingle
Project Notes
● 2.2.5 coming in the next few weeks
● 2.3 progressing fast, huge amount of work happening
– Updates via pkg are working well
– Bootstrap GUI update is nearly complete, but needs testing and refinement
– New package system is shaping up well
● vBSDCon Presentation “Made to Measure: Network Performance Analysis in FreeBSD” is up on YouTube: https://www.youtube.com/watch?v=9BcdRHNTdf4
Remote Access VPN Hangout
● Overview
● Concepts
● Do's and Don'ts
● Authentication Choices
● OpenVPN vs IPsec
● Client Availability
● OpenVPN Walkthroughs
– Choosing a setup style
– SSL/TLS + User Auth
– OpenVPN Client Export Package
– Client Setup
● IPsec VPN Walkthroughs
– Choosing a setup style
– IKEv2 EAP-MSCHAPv2
– Client Setup
– Xauth+PSK
– Client Setup
● Extra Features
Overview
● Why use a VPN?
– Secure means of accessing LAN/DMZ/etc resources or even the Internet across untrusted networks
● Types of Remote Access “Road Warrior” VPNs on pfSense
– OpenVPN
● SSL/TLS, User Auth, SSL/TLS + User Auth
– IPsec
● IKEv2 EAP-MSCHAPv2, IKEv2 EAP-TLS, Xauth+PSK, Xauth+RSA
● VPN types to avoid
– PPTP – Zero security, worthless, will be removed from pfSense 2.3
– L2TP/IPsec – Client support/behavior is inconsistent, especially from Windows behind NAT
– Plain IPsec with only PSK – Limited client support, weak security
● What isn't available
– Browser-based “clientless” type VPN
– SSTP
Concepts
● Third-Party Clients
– Needed by many VPNs, depending on type/style
● Split Tunneling vs Tunnel All
– Tunnel only specific subnets over VPN, support varies by client and VPN type
● All OpenVPN clients can split tunnel
● IPsec depends on client/OS (typically: Windows native = no, iOS/OS X = yes, Android maybe)
– Tunnel all traffic over VPN (incl. Internet)
● Be sure to check outbound NAT and client DNS
● Getting a client config to a device
– Avoid using e-mail unless you have no other choice
– Do not transfer over an insecure connection (e-mail, HTTP, FTP, etc)
– iOS – iTunes or e-mail
– Android – USB connection, USB OTG media, file manager via network share, scp, etc.
– Windows/OS X – thumb drive or physical transfer if possible, network share, scp, many other choices
Concepts
● Certificate Structure
– Some knowledge is required, too much to cover here, refer to the book
– Used for OpenVPN and also for IPsec with IKEv2 or RSA
– Manage on the firewall, System > Cert Manager
– OR manage elsewhere and import CA cert, server cert/key (and user certs/keys if using the export pkg)
– Use a different CA/Cert set for each VPN with different security requirements
● For example, don't use the same CA set for vendors and network admins
– Do NOT use a “real” cert structure from a trusted root provider. It has no benefit to VPNs and actually makes it less secure
● Subnets for VPNs
– Use a unique, unused subnet for each remote access VPN
● Bridging to LAN
– Only OpenVPN in tap mode can do it. Support varies by platform. Generally a bad idea
● Multi-Factor Auth
– Something you have (SSL Cert, TLS Key, etc) and something you know (User/Pass/PSK)
– Auth with external tokens/keys/etc may be possible via RADIUS, check with RADIUS vendor
Do's and Don'ts
● Do use a VPN instead of passing sensitive data unencrypted
● Do use as many security layers as possible for the VPN
● Do use separate VPNs for different groups or purposes
● Don't limit yourself to only one VPN!
● Don't share or re-use certificates or credentials
● Don't store passwords insecurely (e.g. in plain text files)
● Don't be afraid of third-party clients, requiring a native client today is irrational
● Don't give in to the temptation to bridge a VPN to LAN if it can be avoided
Authentication Choices
● OpenVPN...
– Local Users on the Firewall (User Manager)
– Remote authentication via RADIUS or LDAP
● IPsec varies by mode
– Xauth modes can use User Manager users, RADIUS, or LDAP
– EAP-MSCHAPv2 users entered on PSK tab
– Plain PSK entries can be on PSK tab or on user accounts
– L2TP has users in L2TP settings or it can use RADIUS
OpenVPN vs IPsec
● Both can be run at once, no need to pick only one!
● OpenVPN is a more consistent experience across all platforms
● OpenVPN is more flexible in what it can do and how it operates
● OpenVPN requires an external client/app
● OpenVPN can obtain some settings via RADIUS (client IP, routes, firewall rules, DNS)
● IPsec is a widely accepted standard
● IPsec clients are typically built into the OS, though these are often quite limited and vary greatly between operating systems
● OpenVPN and IPsec in xauth mode can authenticate via RADIUS or LDAP
● IPsec in EAP-MSCHAPv2 mode can only have local users currently
● No limit to number of OpenVPN instances and configurations
● Only one mobile IPsec type at a time currently (will be more in the future)
● OpenVPN has no issue with being behind NAT
● IPsec can have issues with NAT in some cases, but mobile types generally use NAT-T which helps
● IPsec cannot assign a specific IP address to a user, OpenVPN can
● OpenVPN can assign specific settings to any user (IP address, routes, etc)
● OpenVPN can run on TCP, but don't use it unless it can't be avoided
Client Availability

Operating System   OpenVPN | IPsec: PSK   Xauth+PSK  Xauth+RSA  IKEv2-EM   IKEv2-ET
Windows XP         3PA     | 3PA          3PA        3PA        ?          ?
Windows Vista/7/8  3PA     | 3PA          3PA        3PA        Yes (8.1)  Yes (8.1)
Windows 10         3PA     | ?            ?          ?          Yes        Yes
Android <4         3PA     | ?            Bug        Yes        ?          ?
Android            3PA     | ?            Bug        Yes        3PA        3PA
iOS <9             3PA     | ?            Yes        Yes        ?          ?
iOS 9              3PA     | ?            Yes        Yes        Yes        Yes
OS X <El Cap       3PA     | ?            Yes        Yes        ?          ?
OS X El Cap        3PA     | ?            Yes        Yes        Yes        Yes
SNOM/Yealink       Yes     | No           No         No         No         No

Legend: IKEv2-EM = IKEv2 EAP-MSCHAPv2, IKEv2-ET = IKEv2 EAP-TLS, 3PA = Third-party app, ? = not native, maybe 3PA, Bug = Known bug in client OS.
Windows XP/Vista/7/8 can use the Shrew Soft VPN Client for most IPsec modes, but NOT Windows 10.
Client Availability
● Windows
– Native IPsec for IKEv2 EAP-MSCHAPv2 or IKEv2 EAP-TLS (Win 8.1+)
– On Windows <10, Shrew Soft for more flexible IPsec (PSK, Xauth+PSK, Xauth+RSA, etc)
– OpenVPN via external client, export package bundles client and config/certs/etc
– Client must run as administrator, can optionally run as a service (Vista/7/8/10)
● Android
– Must have a lock setup to use VPN (PIN, pattern, etc)
– OpenVPN app (Not the connect app!)
– Native IPsec for xauth+RSA, main mode (PSK won't work, racoon+android bug)
– strongSwan app for IKEv2
● OS X
– Native IPsec for xauth+PSK or xauth+RSA, IKEv2 on El Capitan and later
– OpenVPN via Tunnelblick or Viscosity
● iOS
– Native IPsec for xauth+PSK or xauth+RSA, IKEv2 on iOS 9 and later
– OpenVPN via OpenVPN Connect app
● SNOM/Yealink Phones
– OpenVPN
– CA/Certs can only be SHA1, SSL/TLS only, No auth
Choosing an OpenVPN setup style
● TLS Key – All Remote Access modes
– Unless the client does not support TLS keys, use it!
– Extra factor of auth, can also protect against some SSL attacks
● OpenVPN SSL/TLS + User Auth
– Most secure, multi-factor
– Use strict user/cn matching
– For external auth, make certs manually
– For local auth, add local users with certs on user
● OpenVPN SSL/TLS
– Useful for embedded devices like Phones (Yealink/snom)
● OpenVPN Auth
– More convenient for external auth. Less secure, no certs.
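The “strict user/CN matching” bullet above is the check that binds the two factors (certificate and password) to one identity. Below is an added example of that check as an OpenVPN auth-user-pass-verify script in Python; it is not pfSense's own auth script, and it assumes the via-env method plus a constructed local credential store named USERS.

```python
"""OpenVPN auth-user-pass-verify hook enforcing strict user/CN matching.

Added example, not pfSense's own auth script. Assumes the server config has
  auth-user-pass-verify /usr/local/bin/verify_user.py via-env
so OpenVPN exports 'username', 'password' and 'common_name' (the CN of the
client cert that already passed TLS) to the script; exit 0 allows, 1 denies.
"""
import hashlib
import hmac
import os
import sys

def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256: passwords are stored hashed, never in plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store: username -> (salt, hash). A real deployment
# would read a file or query RADIUS/LDAP instead.
USERS = {"alice": (b"salt-alice", _kdf("correct horse", b"salt-alice"))}

def password_ok(username: str, password: str, store=USERS) -> bool:
    entry = store.get(username)
    if entry is None:
        _kdf(password, b"dummy-salt")  # same cost for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(_kdf(password, salt), expected)

def verify(username: str, password: str, common_name: str, store=USERS) -> bool:
    """Both factors must name the same identity: the cert CN (something you
    have) has to equal the username (something you know)."""
    if not username or not common_name:
        return False
    if not hmac.compare_digest(username.encode(), common_name.encode()):
        return False
    return password_ok(username, password, store)

def main() -> None:
    env = os.environ
    ok = verify(env.get("username", ""), env.get("password", ""),
                env.get("common_name", ""))
    # Log the decision (never the password); OpenVPN relays stderr to its log.
    print(f"user={env.get('username')!r} cn={env.get('common_name')!r} "
          f"allowed={ok}", file=sys.stderr)
    sys.exit(0 if ok else 1)

if __name__ == "__main__":
    main()
```

A valid password presented with someone else's certificate is rejected, which is the point of combining the two layers.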
OpenVPN Walkthrough
SSL/TLS + User Auth
● Can set up manually or via Wizard
● If manual, set up CA/Server Cert and auth server first
● Full details on the wiki: https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
● Set up CA/Certs, Server, add firewall rules to WAN & OpenVPN tab, Users
OpenVPN Client Export Package
● Install from System > Packages
● VPN > OpenVPN, Client Export tab
● Host Name Resolution, default is IP, can use host/dyndns
● OpenVPNManager can be optionally used to run it as a service on Windows without the need for admin privileges
● Config Options
– Archive – .zip containing config, certs, etc
– Inline configurations – supported by most recent versions, has certs and keys inline in one plain text configuration file
– Windows installers
● “XP” installers will work on any version of Windows XP or later, “win6” installers will work on Vista and later.
● 32 and 64-bit versions, 32-bit will work on 64-bit platforms also
– Viscosity bundle, easy to use on OS X
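An inline configuration is one plain-text file carrying the options plus the CA, client cert, client key and TLS key in <tag> blocks. The following added example (not part of the pfSense client export package) parses that format and reports which of the layers recommended in this deck a client config lacks; the SAMPLE config is constructed and its PEM bodies are placeholders.

```python
"""Parse an OpenVPN inline client config and report which of the layers this
deck recommends are missing. Added example, not part of the pfSense client
export package. SAMPLE is constructed; the PEM bodies are placeholders."""
import re

SAMPLE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
auth-user-pass
key-direction 1
<ca>
PLACEHOLDER-CA-PEM
</ca>
<cert>
PLACEHOLDER-USER-CERT-PEM
</cert>
<key>
PLACEHOLDER-USER-KEY-PEM
</key>
<tls-auth>
PLACEHOLDER-TA-KEY
</tls-auth>
"""

# Inline blocks look like <tag>...</tag> with the PEM body on its own lines.
_BLOCK = re.compile(r"<(?P<tag>[\w-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)

def parse_inline_config(text: str):
    """Return (options, blocks): options maps directive -> list of argument
    lists, blocks maps inline tag (ca, cert, key, tls-auth, ...) -> body."""
    blocks = {m.group("tag"): m.group("body") for m in _BLOCK.finditer(text)}
    options = {}
    for line in _BLOCK.sub("", text).splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            name, *args = line.split()
            options.setdefault(name, []).append(args)
    return options, blocks

def audit(text: str) -> list:
    """List the recommended layers a client config lacks (empty = all present)."""
    options, blocks = parse_inline_config(text)
    findings = []
    if "tls-auth" not in blocks and "tls-auth" not in options:
        findings.append("no TLS key (tls-auth): handshake is not HMAC-protected")
    if "cert" not in blocks or "key" not in blocks:
        findings.append("no client cert/key: user auth only, single factor")
    if "auth-user-pass" not in options:
        findings.append("no auth-user-pass: cert only, single factor")
    if "remote-cert-tls" not in options:
        findings.append("no remote-cert-tls server: server cert EKU not checked")
    return findings

def carries_private_key(text: str) -> bool:
    """True if the file embeds a key and must be moved over a secure channel."""
    return "key" in parse_inline_config(text)[1]
```

Because the file embeds the private key, carries_private_key() is the reason the earlier slide says not to ship these configs over e-mail, HTTP or FTP.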
OpenVPN Client Setup
● Windows
– XP
– Vista/7/8/10 (10 Shown)
● Set properties of the shortcut to run as admin
● Android
– OpenVPN for Android app
– https://play.google.com/store/apps/details?id=de.blinkt.openvpn
IPsec – Choosing a setup style
● IPsec xauth+PSK
– Works fine in many cases, but not on current Android devices
● IPsec xauth+RSA
– Works better than PSK, and more secure, though more difficult to deploy
– No current way to tie user to specific cert
● IPsec IKEv2 EAP-MSCHAPv2
– Ideal option for Windows, Linux, Android, iOS 9+, OS X El Capitan+
– User auth, but no per-user certs
– Can be picky about certificate properties
● IPsec IKEv2 EAP-TLS
– Same as above but with user certs instead of user authentication
● IPsec L2TP/IPsec (probably not)
– Problems with Windows systems behind NAT, strongSwan says it's a Windows client problem, but both sides have moved on to focus on IKEv2
IPsec – IKEv2 EAP-MSCHAPv2
– Show setup demo
– Full details on the wiki: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
IPsec Client Setup
– IKEv2 EAP-MSCHAPv2
● Windows 8.1/10 (Maybe 7)
● Android with strongSwan app
IPsec – Xauth+PSK
– Show settings
– Full details on the wiki: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
IPsec Client Setup
– Xauth+PSK
● Windows XP with Shrew Soft Client
Extra Features
● Multi-WAN for OpenVPN
– Bind to localhost
– Setup port forwards on each WAN
● Run OpenVPN on multiple ports
– Add port forwards to 'main' port
● OpenVPN port sharing
– Check the wiki for details, can share 443 with an HTTPS server behind the firewall.
Conclusion
● All of the Virtual Machines for this hangout were running under ESX from a 4860 unit!
● Quick peek at 2.3 if there is time
● Questions?
● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc
