pfSense Dynamic DNS with .tech Domain

Hey guys, I’m networking up our house with a pfSense router and Ubiquiti AP. I want to add an OpenVPN server and access it through my .tech domain at a subdomain.

Any ideas on how to configure my router?

Thanks in advance!

I am not an expert on this subject, but I do have some ideas that might help you. First, the best free video series I have found on pfSense is produced by Mark Furneaux.

Second, I have some questions that might help other forum members who are more experienced in this area. What type of equipment are you going to use to build your pfSense router? There are only three different types of equipment that can be used for a pfSense router: buy a preconfigured system from the developers of pfSense, repurpose an old computer you have lying around, or build your own system.

Third, it seems to me it would be better to install an OpenVPN server on your .tech domain than to set up NAT rules on your future pfSense router to connect your home network to your .tech domain pfSense server.

Hi Shadowbane, thanks for helping out here! I’m using this Protectli mini PC as my router: Firewall Micro Appliance with 4x Gigabit Intel LAN Ports, 4GB RAM / 8GB mSATA https://www.amazon.com/dp/B01AJEJG1A/ref=cm_sw_r_cp_apa_FXxgAbS8F678A

I actually do have an OpenVPN server running on my .tech domain in a DigitalOcean droplet. I don’t want all of my house traffic to go through that VPN since it has a transfer limit.

In the past I have set up dynamic DNS through ASUS router software and hosted an OpenVPN server on a raspberry pi.

Hi HarlemSquirrel, I meant to answer you earlier, but I spent all last night and early this morning doing research for my own VoIP phone system. The quad-core Celeron J1900 Bay Trail 2.0GHz, 2MB L2 cache seems to have all the functions needed to set up a pfSense server, with a few limitations.

First, only pfSense version 2.4 will be able to run on it, because 2.5 will have a requirement for the Intel® AES New Instructions set on the CPU and the Celeron J1900 Bay Trail 2.0GHz doesn’t have that instruction set. You will be able to use all the current settings, but any new settings or features requiring version 2.5 will not work on this device.

Second, I don’t like that it only has 8GB of mSATA storage; I would prefer 32GB to 120GB so I would have plenty of storage space for all the add-on pfSense plugins.

One of the nice features of pfSense is that you can use the firewall rules to send only certain traffic to your OpenVPN server hosted on your .tech domain, thus creating a secure tunnel for that traffic.

In terms of linking your pfSense router to the server and routing select traffic to it, the basic steps are as follows:

  • Add a new client under VPN->OpenVPN->Clients
  • Add a new interface using the OpenVPN tunnel.
  • Add a new gateway.
  • Define firewall rules to shuffle stuff to the correct gateway.

The first step, the client, is pretty simple. You will need to add the server’s certificate authority under System->Cert Manager->CAs before you add the OpenVPN client.
Other than that, it’s fill in the blanks.
Key details:

  • Server IP
  • Service Port (the port used by OpenVPN to establish the connection; 1194 by default unless changed on the server)
  • Description (this will become your interface name, so make sure there are no spaces in it; use underscores instead)
  • TLS Key
  • Peer Certificate Authority (the cert added in the Cert Manager)
  • Match the Encryption and Auth digest Algorithms

Other things to note under the Advanced settings and Custom Options: you may need to add remote-cert-tls server and key-direction 1.

To add a new interface for OpenVPN, go to Interfaces->Assignments and add a new interface. In the “Available Network Ports” drop-down there should be one that matches the description you gave the OpenVPN client in the previous step.
For the IPv4 and IPv6 configuration select “None”.

To be able to route certain traffic to it you will then need to add another gateway. This is done under System->Routing->Gateways.
Select “New”, choose the interface as the one created in the previous step, name it what you like, set the Address Family as IPv4 (unless you have IPv6 set up on the tunnel network) and set the Gateway as “dynamic”.
Do not select “Default Gateway”, or all your traffic will start routing down the tunnel.

For the firewall rules, if you are doing a site-to-site VPN you will need to play with the interface that corresponds to the one created earlier to allow traffic to pass out of it.
To make certain clients (and/or traffic types) go down the tunnel you will need to add a rule on your LAN interface that filters by host, traffic type or both, and select the gateway as the OpenVPN one.

If done correctly, the hosts that are filtered to go down the tunnel should show the tunnel network as the first hop when doing a “traceroute”.

That’s about it in terms of a rough outline of how this is set up.
There is a little more detail to it, but this should get you pointed in the right direction.

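As an added example (not pfSense code and not from the post above), here is a small lint that checks the client side of the setup just described against the server's config before the tunnel is brought up: the port, the "Encryption" and "Auth digest" algorithms, the tls-auth key direction (server 0 pairs with client 1, which is what the key-direction 1 custom option sets), the remote-cert-tls server line, and whether the server pushes a redirect-gateway that would swallow the default route, which is exactly what the poster wants to avoid. Both config texts are constructed for the example; the hostname vpn.main.tech and 10.8.0.0/24 tunnel route are assumptions.

```python
"""Lint an OpenVPN client config (what pfSense builds from the
VPN > OpenVPN > Clients form) against the server's config before
bringing the tunnel up.  Added example; both configs are constructed."""
import re

# Constructed sample server config (not from the thread).
SERVER_CONF = """\
port 1194
proto udp
dev tun
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
push "route 10.8.0.0 255.255.255.0"
"""

# Constructed client config following the checklist in the post above.
CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.main.tech 1194
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
"""


def parse_conf(text):
    """Map each directive to the args of its last occurrence; comments dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def key_direction(conf):
    """tls-auth direction: second arg of tls-auth, else a key-direction line, else None."""
    if len(conf.get("tls-auth", [])) >= 2:
        return conf["tls-auth"][1]
    if conf.get("key-direction"):
        return conf["key-direction"][0]
    return None


def lint_client(server_text, client_text):
    """Return a list of problems; an empty list means the pair looks consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []

    server_port = s.get("port", ["1194"])[0]
    remote = c.get("remote")
    if not remote:
        problems.append("client has no 'remote' (server address)")
    else:
        client_port = remote[1] if len(remote) > 1 else "1194"
        if client_port != server_port:
            problems.append(f"port mismatch: client {client_port}, server {server_port}")

    # Encryption, digest and transport must agree or the handshake fails
    # (pfSense labels these Encryption Algorithm / Auth digest algorithm).
    for d in ("cipher", "auth", "proto"):
        sv, cv = s.get(d, [None])[0], c.get(d, [None])[0]
        if sv != cv:
            problems.append(f"{d} mismatch: client {cv}, server {sv}")

    # tls-auth keys are directional: server 0 pairs with client 1 (and vice
    # versa); a server with no direction needs a client with none.
    if "tls-auth" in s:
        if "tls-auth" not in c:
            problems.append("server uses tls-auth but client has no TLS key")
        else:
            expect = {"0": "1", "1": "0", None: None}[key_direction(s)]
            got = key_direction(c)
            if got != expect:
                problems.append(f"tls-auth key-direction should be {expect}, client has {got}")

    # Without this, any certificate signed by the CA (e.g. a stolen client
    # cert) would be accepted as the server.
    if c.get("remote-cert-tls") != ["server"]:
        problems.append("client lacks 'remote-cert-tls server'")

    # The poster wants only policy-routed traffic in the tunnel; a pushed
    # redirect-gateway would take over the default route unless ignored.
    if re.search(r'^\s*push\s+"?redirect-gateway', server_text, re.M):
        opted_out = "route-nopull" in c or re.search(
            r'^\s*pull-filter\s+ignore\s+"?redirect-gateway', client_text, re.M)
        if not opted_out:
            problems.append("server pushes redirect-gateway; set route-nopull or "
                            "a pull-filter so only selected traffic uses the tunnel")
    return problems


if __name__ == "__main__":
    for p in lint_client(SERVER_CONF, CLIENT_CONF) or ["no problems found"]:
        print(p)
```

In pfSense the route-nopull equivalent is the "Don't pull routes" checkbox on the client; the policy-routing rule on LAN then decides what enters the tunnel.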

You’ll need a DDNS service. If you use a DNS provider that supports DDNS as the DNS server for your domain, that will be the easiest route. Try FreeDNS. Otherwise you’ll want to set up DDNS and then have your .tech DNS point to the DDNS domain name using a CNAME record.

So instead of something.tech having an A record which points to an IP, it will have a CNAME record which points to something.whatever.com, which points to your dynamic IP.

Then just configure DDNS on pfSense to use whatever DDNS service you use.


pfSense has a few options for auto-updating different DDNS services under pfSense > Services > Dynamic DNS.

That will keep your DDNS updated.

Go to the DNS area of your domain account settings and make a CNAME entry for your root site and the subdomains you want to use; point them all to the DDNS address as it is, without any subdomains.

It would look like this:

main.tech       mainddns.ddns.net
vpn.main.tech   mainddns.ddns.net
plex.main.tech  mainddns.ddns.net

It will take a day or so for the DNS to propagate.

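The two replies above describe the same indirection: each name under your domain is a CNAME to one DDNS hostname, and only that hostname's A record ever changes. As an added example (not from either post), the following walks a CNAME chain the way a resolver does over a constructed zone snapshot using the post's main.tech / mainddns.ddns.net names and documentation-range addresses, shows that one DDNS update moves every CNAME at once, and flags the one thing in the second reply that a DNS host will refuse: a CNAME on the root name main.tech itself. RFC 1034 section 3.6.2 forbids other records alongside a CNAME, and the apex always holds the zone's SOA and NS records, so the root needs an A record (or a provider-specific ALIAS/ANAME) rather than a CNAME; the subdomains are fine. The hop cap of 8 is an assumption for the example.

```python
"""Walk a CNAME chain over a constructed zone snapshot.  Added example,
not from the thread; names follow the post's layout, addresses are from
the documentation ranges."""

# Constructed records: owner name -> (rrtype, rdata).  The apex CNAME is
# deliberately present so the checker can flag it.
ZONE = {
    "main.tech":         ("CNAME", "mainddns.ddns.net"),  # not allowed at the apex
    "vpn.main.tech":     ("CNAME", "mainddns.ddns.net"),
    "plex.main.tech":    ("CNAME", "mainddns.ddns.net"),
    "mainddns.ddns.net": ("A", "203.0.113.7"),            # kept current by the DDNS client
    "loop1.main.tech":   ("CNAME", "loop2.main.tech"),
    "loop2.main.tech":   ("CNAME", "loop1.main.tech"),
}
APEX = "main.tech"
MAX_HOPS = 8  # resolvers stop chasing long chains; the exact cap varies (assumption)


def resolve(name, zone=ZONE, apex=APEX, max_hops=MAX_HOPS):
    """Return (status, address, chain).  status is 'ok', 'nxdomain',
    'apex-cname', 'loop' or 'too-long'; chain lists the names visited."""
    chain = [name]
    while True:
        rr = zone.get(name)
        if rr is None:
            return "nxdomain", None, chain
        rtype, rdata = rr
        if rtype == "A":
            return "ok", rdata, chain
        # rtype is CNAME.  RFC 1034 s3.6.2: no other records may share an owner
        # with a CNAME, and the apex always carries SOA/NS, so this is invalid.
        if name == apex:
            return "apex-cname", None, chain
        if rdata in chain:
            return "loop", None, chain + [rdata]
        if len(chain) >= max_hops:
            return "too-long", None, chain
        chain.append(rdata)
        name = rdata


def ddns_update(host, new_ip, zone=ZONE):
    """What the DDNS service does when pfSense reports a new WAN address:
    rewrite the single A record that every CNAME points at."""
    zone[host] = ("A", new_ip)
    return zone[host]


def check_zone(zone=ZONE, apex=APEX):
    """Lint every CNAME owner in the zone; returns {name: status}."""
    return {n: resolve(n, zone, apex)[0]
            for n, (rtype, _) in zone.items() if rtype == "CNAME"}


if __name__ == "__main__":
    demo = dict(ZONE)  # work on a copy so the module-level snapshot stays intact
    for name, status in check_zone(demo).items():
        print(f"{name:20} {status}")
    print(resolve("vpn.main.tech", demo))
    ddns_update("mainddns.ddns.net", "198.51.100.9", demo)
    print(resolve("vpn.main.tech", demo))
```

The resolver in the example returns a status rather than raising so the zone lint can report every CNAME at once; a real recursive resolver would also cache the intermediate CNAME with its own TTL, which is why a changed DDNS address can take up to that TTL to be seen even though the CNAMEs themselves never change.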

Hey guys, thank you so much for the detailed replies! I’ll be diving into this in a few days once I have some free time.

Heads up:

pfSense has a timeout of 900 seconds when making certs; if you’re running on a lower-powered box it will not be able to make a 4096-bit or above CA or cert before timing out. You may be able to make a 2048-bit one.

If you want to make one, you can cause the error and post it; it’s a value in pfSense somewhere you can edit.

There is a YouTuber called Darren Kitchen (Hak5) who set up an OpenVPN server on an Intel Nic, which would allow you to have more than two concurrent clients without the need for a paid license. I always wondered why he didn’t make his certs and CA with more than 2048 characters.

I have included a link to this episode of Hak5: Linux Server Build: OpenVPN From Scratch - Hak5 2019.

Is there a way to set up a DDNS server on my pfSense server, so instead of using Google’s DNS servers or your IP’s DNS server or someone else’s DNS server to resolve web pages or domain names?

I love his and Snubs’ content; I’m sure most of us have followed her and Patrick Norton from the days of TechTV.

I’m assuming what you’re doing is making a DDNS to call home so you can always access your home.

pfSense has most of the major DDNS providers built in; if your public IP changes it updates your DDNS address to point at it.

Type in your account info and what DDNS address you want pfSense to use and it will handle this.

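What the built-in client does on each check is simple but has two details worth seeing. As an added example (not pfSense's code), here is a minimal updater in the style of the dyndns2 update protocol that No-IP, Dyn and pfSense's client speak: it sends an update only when the WAN address actually changed, because providers answer repeated no-op updates with the "abuse" code and then block the hostname, and it stops retrying on the fatal answers (badauth, nohost, abuse, ...) instead of hammering the provider. The HTTP call sits behind an injectable send() so the block runs offline against the fake provider embedded below; the hostname, credentials and addresses are constructed, and a real client would use HTTPS and obtain the WAN address from the interface or a check-IP service.

```python
"""Minimal dynamic-DNS client in the style of the dyndns2 update protocol.
Added example, not pfSense's code; runs offline against FakeProvider."""
import base64

# Provider answers after which retrying only makes things worse: wrong
# credentials, unknown host, or the host blocked for update abuse.
FATAL = {"badauth", "nohost", "notfqdn", "badagent", "abuse", "!donator"}


def basic_auth(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


class DdnsUpdater:
    def __init__(self, hostname, username, password, send, user_agent="example-ddns/1.0"):
        self.hostname = hostname
        self.headers = {"Authorization": basic_auth(username, password),
                        "User-Agent": user_agent}  # providers reject requests without one
        self.send = send        # send(path, headers) -> response body (str)
        self.last_ip = None     # address the provider last confirmed
        self.disabled = None    # fatal code once the provider rejects us

    def update(self, current_ip):
        """Feed the current WAN address on every check; returns the outcome."""
        if self.disabled:
            return f"disabled:{self.disabled}"
        if current_ip == self.last_ip:
            return "unchanged"  # no request: repeated no-op updates earn 'abuse'
        path = f"/nic/update?hostname={self.hostname}&myip={current_ip}"
        body = self.send(path, self.headers).strip()
        code = body.split()[0] if body else "911"  # 911 = provider-side error
        if code in ("good", "nochg"):
            self.last_ip = current_ip
        elif code in FATAL:
            self.disabled = code
        return code


class FakeProvider:
    """Constructed stand-in for the DDNS service: checks auth, stores records."""
    def __init__(self, username, password):
        self.expected = basic_auth(username, password)
        self.records = {}
        self.calls = 0

    def send(self, path, headers):
        self.calls += 1
        if "User-Agent" not in headers:
            return "badagent"
        if headers.get("Authorization") != self.expected:
            return "badauth"
        query = dict(p.split("=", 1) for p in path.split("?", 1)[1].split("&"))
        host, ip = query["hostname"], query["myip"]
        if self.records.get(host) == ip:
            return f"nochg {ip}"
        self.records[host] = ip
        return f"good {ip}"


def run_demo():
    """WAN address seen on four successive checks; returns each outcome,
    how many requests reached the provider, and its final records."""
    provider = FakeProvider("user", "s3cret")
    client = DdnsUpdater("mainddns.ddns.net", "user", "s3cret", provider.send)
    wan_seen = ["203.0.113.7", "203.0.113.7", "203.0.113.7", "198.51.100.9"]
    outcomes = [client.update(ip) for ip in wan_seen]
    return outcomes, provider.calls, provider.records


if __name__ == "__main__":
    print(run_demo())
```

Note that the cached last_ip is what makes the client quiet; pfSense keeps the same thing on disk and also forces a periodic re-send so a record the provider expired still gets refreshed.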

I have decided to purchase this Protectli device to host my pfSense server. Add G.Skill Ripjaws Series DDR4-2133 260-pin SODIMM and a Samsung MZ-M5E250BW 850 EVO mSATA SSD 250GB and I will have a ready-to-go pfSense server for a total cost of 542.00.

You can use the DNS Resolver in pfSense to resolve domains without using an external DNS server like Google, although it’s also recommended to have some external servers configured as a backup.

But if you mean you want to use pfSense as the DNS server for your domain, then technically you could do that, but you shouldn’t. If you were going to do that you’d want to set up a separate DNS server to use, but even that is not a good idea on a home network, and you would need a static IP anyway; actually I think you need two, but I’m not sure about that.


Let’s pretend I could convince my IP to issue me two static IPs; why should I not use pfSense as my DNS server?

The reason I ask is I think my IP is redirecting domain names. What I mean by that is I run into issues sometimes where I type the web address for my bank into Firefox’s address bar and instead of the homepage of my bank a completely different webpage comes up. One time the homepage for Penthouse came up instead of my bank’s homepage. It was very embarrassing; my wife thought I was looking for porn. I need to get this issue fixed, so I thought if there was a way I could internally resolve www.householdbank.com without resorting to external means it might fix my sometimes issue.

You can do that; I mean you shouldn’t use it as the DNS server for your domain. Just set up the DNS Resolver in pfSense and disable the option to use your ISP DNS servers and you should be okay. However, I’d say that if your bank is being redirected to Penthouse that probably isn’t your ISP and may be some malware on your computer. Also, using your own DNS resolver will only prevent your DNS results being altered if they are only doing it on their server; if they are intercepting and manipulating DNS traffic then you need to use something like DNSCrypt to get around that, or get a less dodgy ISP.

You don’t need a static IP for that; you would need that to run a DNS server for your domain, which you don’t want to do.


Thanks, @Dexter_Kane. It looks like your idea of adding the DNSCrypt protocol to my network will fix a sometimes issue of pulling up Penthouse’s homepage when I am trying to pull up a different webpage.

How is your project going? Need any more help? As soon as I can fix my laptop’s hard drive issues, I am going to virtualize pfSense so I can learn how to use it, so when I save the money needed to purchase my pfSense box, I will have the knowledge to be able to set it up.

I haven’t yet had a chance to tackle the dynamic DNS settings. I ran into an issue yesterday with updating the router: PHP Fatal error: Call to undefined function update_repos() and haven’t found anything in a quick DuckDuckGo search. I SSH’ed in and ran an update check via the CLI options and it reported everything was up to date with no errors, so perhaps it’s just a UI error.

I am sorry to hear you are having some problems. I almost have my laptop ready to install Linux. I had to back up about 250 GB of video files I found on the disk that I am going to install Fedora 27 on. So hopefully I will be able to run pfSense in a virtual machine, so I can at least learn how to set it up properly.