AWS pfSense VPN Server

Well, this one may be a little late for some. But, I thik it can come in handy for others, as the informatiom I will share can be a way to fix or understand a existing problem.

Once again my IT friends ask me for help, as they know my previous expertise with datacenter services. Here is the scenario:

  • VPN Server was deployed
  • Remote access for all employes was delivered
  • Employes that work on the same home (AKA Husband and Wife) can’t simultaneosly access the VPN
  • Nobody really understands why this is happening…

I know that some people doesn’t like IPSec because of it’s complexity. In the past, I used to had hard times debuging and understandig why some IPSec VPNs was beahving badly or simply are doesn’t working at all.

In this article, I will teach you how to create a cheap, functional, and easy to manage VPN Server based on Netgate pfSense to address the current VPN needs that was caused by covid-19 pandemic.

The VPN server will serve the current market operating systems: Windows, MacOS, Android and IOS.

Assunptions

You are using AWS Cloud, and has at your disposal a t2.small instance with Netgate pfSense deployed, and you have added a second NIC to it (for WAN/LAN individual routing). You can check it out here. Of course this deploy will work with any public cloud, as the pfSense works on them all.

Make sure you setted up your SSH access by public keys!

Why Netgate pfSense? Because it is FreeBSD based, wich makes it extremely stable and computational resource friendly.

A t2.small instance has 1vCPU and 2Gb RAM. Seems low, right? But it will do just fine for 100 simultaneously connected IPSec VPN users. Trust me.

But, if you want to add more functionalities to your VPN Server (reports, custom graphics, external monitoring, centralized AD authentication, etc), you may need more computing power.

Enough talk. Hands-on!

Part 1: Create the Certificates

IKEv2 Certificate Structure

If a suitable Certificate Authority (CA) is not present in the Cert Manager, creating one is the first task:

  • Navigate to System > Cert Manager on the pfSense® firewall
  • Click “+” Add to create a new certificate authority
  • Select Create an internal Certificate Authority for the Method
  • Fill in the rest of the fields as desired with company or site-specific information
  • Click Save

Create a Server Certificate

Follow these directions exactly, paying close attention to how the server certificate is created at each step. If any one part is incorrect, some or all clients may fail to connect.

  • Navigate to System > Cert Manager, Certificates tab on the pfSense firewall
  • Click “+” Add to create a new certificate
  • Select Create an internal certificate for the Method
  • Enter a Descriptive Name such as IKEv2 Server
  • Select the appropriate Certificate Authority created in the previous step
  • Choose the desired Key Type, Key length, Digest algorithm, and Lifetime
  • Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here instead
  • Fill in the regional and company values in the Distinguished name fields as desired, they are copied from the CA and may be left as-is
  • Set the Certificate Type to Server Certificate
  • Click “+” Add to add a new Alternative Name
  • Enter FQDN or Hostname in the Type field
  • Enter the hostname of the firewall as it exists in DNS again in the Value field
  • Click “+” Add to add another new Alternative Name
  • Enter IP Address in the Type field
  • Enter the WAN IP address of the firewall in the Value field
  • Add more Alternative Names as needed for additional hostnames or IP addresses on the firewall that clients may use to connect
  • Click Save

As an alternative, the ACME package (ACME package) can generate a server certificate which will be trusted natively by many clients.

If you need more information, please check this link.

Part 2: Configuring IPSec VPN Mobile Access

IPSec VPNs have the characteristic of having an immense number of configurable options, where many of these need to fit in order for everything to work correctly. Be sure to pay attention to the details provided, as they are important. Think of IPSec as a machine, where some moving parts need to work together.

In order to have a high level of compatibility, where users’ VPN will be able to connect from any residential and corporate structure, we will need to use IKEv2 and MS-CHAP v2, as this combination does not have the limitations imposed by IKEv1 when it comes to access from a home where more than one user or computer needs to use the mobile VPN.

You will be able to connect to your company’s VPN from your computers and cell phones, simultaneously.

Server Requirements

  • A very long IPSec Client Pre-Shared key (as for example: f7f5f3A71cd83153e9d6b7473141cbd2edb54eccc7663f0302b93e7c)
  • A Internet Domain and 2 FQDNs: vpnipsec.yourdomain.goes.here and netgate.yourdomain.goes.here

Client Minimum Requirements

  • OSX 10.15
  • Windows 10
  • IOS 12
  • Android 10

Security Groups

Make sure to allow in your SGs:

  • UDP ports 500 and 4500
  • TCP ports 22 and 443 (temporarily while the server is being configured)

When everything is ready, for security reasons, administrative access to the VPN server can only be performed if the administrator is connected to the VPN. Be sure to adjust your SGs to limit such accesses. In case of problems, the management console can be used.

Phase 1

Make sure to configure your environment exactly as shown below.

Phase 1 Tunnels
Phase 1 Tunnels
Phase 1 Pre-Shared Key
Phase 1 Encryption Algorithm
Phase 1 Encryption Algorithm
Phase 1 Advanced Options
Phase 1 Advanced Options

Phase 2

Phase 2 Mobile Clients
Phase 2 Proposal (SA/Key Exchange)

Part 3: Creating User Accounts for VPN Access

Access the web configurator:

https://netgate.yourdomain.goes.here/

Browse Menus: VPN > IPsec > Pre-shared Keys

Fill in the username. The password will be the Pre-shared Key.

Defining VPN username and password

A 16-character Pre-Shared Key is required. Use the website https://passwordsgenerator.net/ to generate a secure passkey.

Secure Password Generator

Obtaining the User Access Profile

Browse Menus: VPN > IPsec Export (Apple Profile or Windows)

The contents of the “Server Address” field must be: vpnipsec.yourdomain.goes.here

Apple Profile

Select the user in “VPN Client” menu, and download the configuration file.

Apple Client Export Screen

Windows

In the windows menu we do not have the option “VPN Client” on the export screen:

Windows Client Export Screen

Just download the VPN configuration file. It is called something like “VPN_ (netgate) _-_ Mobile_IPsec_clients.zip”. When unzipping it, we will get 2 files:

  • add_pfSense_vpn_client.ps1
  • pfSense_ikev2_somehash.pem

The PS1 file is a PowerShell that automatically installs the digital certificate, and sets up the VPN connection. Attention: Windows 10 restricted PowerShell, unless a somewhat complex procedures for regular users be executed. May be a good idea to convert this PS1 to EXE. This article talks about the conversion.

Part 4: Configuring the Clients

MacOS Users

Click on the file provided to automatically configure the IPsec VPN. On the screen that will appear, enter the user name and the 16-character key.

Username and Password Fields

The file name is something like:

VPN_(netgate)_-_Mobile_IPsec_clients.user.name.mobileconfig”.

An alert regarding Profiles/MDM may be displayed, regarding the attempt to change the system’s network settings. This is normal. Use the MacOS user password to confirm changes.

Waring Screen

When the configuration is complete, a screen similar to the one shown below will be displayed:

MacOS VPN Configured

To access the VPN, click on the characteristic icon that appears in the bar at the top of the screen. Select the options according to the image below, and click on “Connect VPN (netgate)”.

Connectig to the VPN

Successful login will display the following message:

MacOS VPN Connected

Windows Users

This is a 3 part process. The VPN configuration file comes in ZIP format, and is named “VPN_ (netgate) _-_ Mobile_IPsec_clients.zip”. When unzipping it, we will get 2 files:

  • add_pfSense_vpn_client.exe
  • pfSense_ikev2_5f9c6e4977416.cer

1) Import the Digital Certificate

Right click on the file “pfSense_ikev2_5f9c6e4977416.cer”, and select “Install Certificate”:

On the screen that will open, click on the “Install Certificate” button.

Install certificate screen

On the next screen, select “Local Machine”.

Select Local Machine

As you proceed, make sure that the certificate is stored in “Trusted Root Certification Authorities”.

Trusted Root Certification Authorities

Click “Next”, and check if the certificate is in “Trusted Root Certification Authorities”.

Trusted Root Certification Authorities

Click “Finish”, and wait for the message stating that the certificate has been imported.

2) Configure the VPN

Just right-click on the file “add_pfSense_vpn_client.exe”, and select “Run as Administrator”. A black screen will be displayed briefly, and the configuration will be carried out without the need for interactions.

Run As Administrator

3) Connect to the VPN

Click on the Windows network icon, then click on “VPN (netgate) - Mobile IPsec Clients” and then “Connect”. You will be prompted for your user and password information.

Connecting to the VPN on Windows

A successful connection will present a screen similar to the following:

Windows VPN connected

Android Users

The first step is to gain access from the cell phone to the PEM file “pfSense_ikev2_5f9c6e4977416.pem”. It is a digital certificate. Temporarily use Google Drive to gain access to the file.

Access the Play Store and install the “strongSwan VPN Client” application.

  1. Open the strongSwan app
  2. Import the digital certificate (PEM file):
  3. Touch the settings icon (three vertical dots in the upper right corner)
  4. Touch CA Certificates
  5. Touch the settings icon (three vertical dots in the upper right corner)
  6. Touch Import Certificate
  7. Locate the previously copied certificate and tap it.
  8. Go to Imported and check if there is a CA Netgate VPN
  9. Touch Add VPN Profile
  10. In Server, enter vpnipsec.yourdomain.goes.here
  11. In Type, select IKEv2 EAP (username / password)
  12. Enter username
  13. Enter the password to be remembered, or leave it blank to request the password on each connection.
  14. Check Select automatically in CA Certificate
  15. Enter the profile name Company Mobile VPN
Android VPN Setup

iPhone Users

The first step is to gain access from the cell phone to the PEM file “pfSense_ikev2_5f9c6e4977416.pem”. It is a digital certificate. Email the attached file to yourself. For the process to work, use the iPhone’s native email application. The Gmail application is not suitable for this process. Then, follow the process of importing the certificate as described in this link.

Now, configure an IPSec IKEv2 VPN as described in this link, but using this information to fill in the data:

  • Server: vpnipsec.yourdomain.goes.here
  • Remote ID: vpnipsec.yourdomain.goes.here
  • Username: as provided by the IT staff.
  • Password: as provided by the IT staff.

Linux Users

This is a 4 part process.

1) Copy the PEM file “pfSense_ikev2_5f9c6e4977416.pem” to your “home” directory. It is a digital certificate, and will need to be used. It is necessary to set the privilege of the digital certificate in the user’s home directory (Ex: /home/user).

$ chmod 644 pfSense_ikev2_5f9c6e4977416.pem

2) Install the necessary packages:

$ sudo apt-get install network-manager-strongswan

$ sudo apt-get install libcharon-extra-plugins

3) Now go to: Settings > Network Connections > VPN > + > IPsec/IKEv2 (strongswan)

Fill in the fields as follows:

  • Name: Company
  • Address: vpnipsec.yourdomain.goes.here
  • Certificate: Select the PEM file stored in the “home” directory.
  • Authentication: EAP
  • Username: fill in the user name.
  • Password: will be requested at the VPN connection time.
  • Check: Request an inner IP address.

4) To connect to the VPN:

Click on the Network Manager icon, and go to VPN> Connect. A successful connection will show a lock icon next to the Network Manager icon.

If you need more information, follow the procedure as described in this link.

Troubleshooting

Troubleshooting OSX Connection Problems

Check the IPSEC debug using the Console tool. Filter the messages of the “NEIKEv2Provider” process. Look in the logs for markings with a yellow ball, to interpret the error. It should contain a string similar to this:

[IKE_AUTH R resp1 082720D3DD6C05D6-A63D769D39E1B07E]

That’s It!

I hope this post has been helpful to you. If you need help, leave a message.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Andre Rocha

I'm just a SysAdmin with some experience in OpenSource, DevOps and Datacenter Services, who likes to share knowledge.