AWS pfSense VPN Server
Well, this one may be a little late for some. But, I thik it can come in handy for others, as the informatiom I will share can be a way to fix or understand a existing problem.
Once again my IT friends ask me for help, as they know my previous expertise with datacenter services. Here is the scenario:
- VPN Server was deployed
- Remote access for all employes was delivered
- Employes that work on the same home (AKA Husband and Wife) can’t simultaneosly access the VPN
- Nobody really understands why this is happening…
I know that some people doesn’t like IPSec because of it’s complexity. In the past, I used to had hard times debuging and understandig why some IPSec VPNs was beahving badly or simply are doesn’t working at all.
I understand that most of people uses OpenVPN, as it is easier to deploy and manage. But, if you are deploying it on Public Clouds, things can became a little expensive over time, as OpenVPN requires per user licenses (unless you are a Linux Pro). OpenVPN also needs more computing power than IPSec, as it uses SSL.
In this article, I will teach you how to create a cheap, functional, and easy to manage VPN Server based on Netgate pfSense to address the current VPN needs that was caused by covid-19 pandemic.
The VPN server will serve the current market operating systems: Windows, MacOS, Android and IOS.
You are using AWS Cloud, and has at your disposal a t2.small instance with Netgate pfSense deployed, and you have added a second NIC to it (for WAN/LAN individual routing). You can check it out here. Of course this deploy will work with any public cloud, as the pfSense works on them all.
Make sure you setted up your SSH access by public keys!
Why Netgate pfSense? Because it is FreeBSD based, wich makes it extremely stable and computational resource friendly.
A t2.small instance has 1vCPU and 2Gb RAM. Seems low, right? But it will do just fine for 100 simultaneously connected IPSec VPN users. Trust me.
But, if you want to add more functionalities to your VPN Server (reports, custom graphics, external monitoring, centralized AD authentication, etc), you may need more computing power.
Enough talk. Hands-on!
Part 1: Create the Certificates
IKEv2 Certificate Structure
If a suitable Certificate Authority (CA) is not present in the Cert Manager, creating one is the first task:
- Navigate to System > Cert Manager on the pfSense® firewall
- Click “+” Add to create a new certificate authority
- Select Create an internal Certificate Authority for the Method
- Fill in the rest of the fields as desired with company or site-specific information
- Click Save
Create a Server Certificate
Follow these directions exactly, paying close attention to how the server certificate is created at each step. If any one part is incorrect, some or all clients may fail to connect.
- Navigate to System > Cert Manager, Certificates tab on the pfSense firewall
- Click “+” Add to create a new certificate
- Select Create an internal certificate for the Method
- Enter a Descriptive Name such as IKEv2 Server
- Select the appropriate Certificate Authority created in the previous step
- Choose the desired Key Type, Key length, Digest algorithm, and Lifetime
- Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here instead
- Fill in the regional and company values in the Distinguished name fields as desired, they are copied from the CA and may be left as-is
- Set the Certificate Type to Server Certificate
- Click “+” Add to add a new Alternative Name
FQDN or Hostnamein the Type field
- Enter the hostname of the firewall as it exists in DNS again in the Value field
- Click “+” Add to add another new Alternative Name
IP Addressin the Type field
- Enter the WAN IP address of the firewall in the Value field
- Add more Alternative Names as needed for additional hostnames or IP addresses on the firewall that clients may use to connect
- Click Save
As an alternative, the ACME package (ACME package) can generate a server certificate which will be trusted natively by many clients.
If you need more information, please check this link.
Part 2: Configuring IPSec VPN Mobile Access
IPSec VPNs have the characteristic of having an immense number of configurable options, where many of these need to fit in order for everything to work correctly. Be sure to pay attention to the details provided, as they are important. Think of IPSec as a machine, where some moving parts need to work together.
In order to have a high level of compatibility, where users’ VPN will be able to connect from any residential and corporate structure, we will need to use IKEv2 and MS-CHAP v2, as this combination does not have the limitations imposed by IKEv1 when it comes to access from a home where more than one user or computer needs to use the mobile VPN.
You will be able to connect to your company’s VPN from your computers and cell phones, simultaneously.
- A very long IPSec Client Pre-Shared key (as for example: f7f5f3A71cd83153e9d6b7473141cbd2edb54eccc7663f0302b93e7c)
- A Internet Domain and 2 FQDNs: vpnipsec.yourdomain.goes.here and netgate.yourdomain.goes.here
Client Minimum Requirements
- OSX 10.15
- Windows 10
- IOS 12
- Android 10
Make sure to allow in your SGs:
- UDP ports 500 and 4500
- TCP ports 22 and 443 (temporarily while the server is being configured)
When everything is ready, for security reasons, administrative access to the VPN server can only be performed if the administrator is connected to the VPN. Be sure to adjust your SGs to limit such accesses. In case of problems, the management console can be used.
Make sure to configure your environment exactly as shown below.
Part 3: Creating User Accounts for VPN Access
Access the web configurator:
Browse Menus: VPN > IPsec > Pre-shared Keys
Fill in the username. The password will be the Pre-shared Key.
A 16-character Pre-Shared Key is required. Use the website https://passwordsgenerator.net/ to generate a secure passkey.
Obtaining the User Access Profile
Browse Menus: VPN > IPsec Export (Apple Profile or Windows)
The contents of the “Server Address” field must be: vpnipsec.yourdomain.goes.here
Select the user in “VPN Client” menu, and download the configuration file.
In the windows menu we do not have the option “VPN Client” on the export screen:
Just download the VPN configuration file. It is called something like “VPN_ (netgate) _-_ Mobile_IPsec_clients.zip”. When unzipping it, we will get 2 files:
The PS1 file is a PowerShell that automatically installs the digital certificate, and sets up the VPN connection. Attention: Windows 10 restricted PowerShell, unless a somewhat complex procedures for regular users be executed. May be a good idea to convert this PS1 to EXE. This article talks about the conversion.
Part 4: Configuring the Clients
Click on the file provided to automatically configure the IPsec VPN. On the screen that will appear, enter the user name and the 16-character key.
The file name is something like:
An alert regarding Profiles/MDM may be displayed, regarding the attempt to change the system’s network settings. This is normal. Use the MacOS user password to confirm changes.
When the configuration is complete, a screen similar to the one shown below will be displayed:
To access the VPN, click on the characteristic icon that appears in the bar at the top of the screen. Select the options according to the image below, and click on “Connect VPN (netgate)”.
Successful login will display the following message:
This is a 3 part process. The VPN configuration file comes in ZIP format, and is named “VPN_ (netgate) _-_ Mobile_IPsec_clients.zip”. When unzipping it, we will get 2 files:
1) Import the Digital Certificate
Right click on the file “pfSense_ikev2_5f9c6e4977416.cer”, and select “Install Certificate”:
On the screen that will open, click on the “Install Certificate” button.
On the next screen, select “Local Machine”.
As you proceed, make sure that the certificate is stored in “Trusted Root Certification Authorities”.
Click “Next”, and check if the certificate is in “Trusted Root Certification Authorities”.
Click “Finish”, and wait for the message stating that the certificate has been imported.
2) Configure the VPN
Just right-click on the file “add_pfSense_vpn_client.exe”, and select “Run as Administrator”. A black screen will be displayed briefly, and the configuration will be carried out without the need for interactions.
3) Connect to the VPN
Click on the Windows network icon, then click on “VPN (netgate) - Mobile IPsec Clients” and then “Connect”. You will be prompted for your user and password information.
A successful connection will present a screen similar to the following:
The first step is to gain access from the cell phone to the PEM file “pfSense_ikev2_5f9c6e4977416.pem”. It is a digital certificate. Temporarily use Google Drive to gain access to the file.
Access the Play Store and install the “strongSwan VPN Client” application.
- Open the strongSwan app
- Import the digital certificate (PEM file):
- Touch the settings icon (three vertical dots in the upper right corner)
- Touch CA Certificates
- Touch the settings icon (three vertical dots in the upper right corner)
- Touch Import Certificate
- Locate the previously copied certificate and tap it.
- Go to Imported and check if there is a CA Netgate VPN
- Touch Add VPN Profile
- In Server, enter vpnipsec.yourdomain.goes.here
- In Type, select IKEv2 EAP (username / password)
- Enter username
- Enter the password to be remembered, or leave it blank to request the password on each connection.
- Check Select automatically in CA Certificate
- Enter the profile name Company Mobile VPN
The first step is to gain access from the cell phone to the PEM file “pfSense_ikev2_5f9c6e4977416.pem”. It is a digital certificate. Email the attached file to yourself. For the process to work, use the iPhone’s native email application. The Gmail application is not suitable for this process. Then, follow the process of importing the certificate as described in this link.
Now, configure an IPSec IKEv2 VPN as described in this link, but using this information to fill in the data:
- Server: vpnipsec.yourdomain.goes.here
- Remote ID: vpnipsec.yourdomain.goes.here
- Username: as provided by the IT staff.
- Password: as provided by the IT staff.
This is a 4 part process.
1) Copy the PEM file “pfSense_ikev2_5f9c6e4977416.pem” to your “home” directory. It is a digital certificate, and will need to be used. It is necessary to set the privilege of the digital certificate in the user’s home directory (Ex: /home/user).
$ chmod 644 pfSense_ikev2_5f9c6e4977416.pem
2) Install the necessary packages:
$ sudo apt-get install network-manager-strongswan
$ sudo apt-get install libcharon-extra-plugins
3) Now go to: Settings > Network Connections > VPN > + > IPsec/IKEv2 (strongswan)
Fill in the fields as follows:
- Name: Company
- Address: vpnipsec.yourdomain.goes.here
- Certificate: Select the PEM file stored in the “home” directory.
- Authentication: EAP
- Username: fill in the user name.
- Password: will be requested at the VPN connection time.
- Check: Request an inner IP address.
4) To connect to the VPN:
Click on the Network Manager icon, and go to VPN> Connect. A successful connection will show a lock icon next to the Network Manager icon.
If you need more information, follow the procedure as described in this link.
Troubleshooting OSX Connection Problems
Check the IPSEC debug using the Console tool. Filter the messages of the “NEIKEv2Provider” process. Look in the logs for markings with a yellow ball, to interpret the error. It should contain a string similar to this:
[IKE_AUTH R resp1 082720D3DD6C05D6-A63D769D39E1B07E]
I hope this post has been helpful to you. If you need help, leave a message.