
Connecting a GL.iNet GL-MT300N-V2 to pfSense® OpenVPN®

Connecting a GL.iNet router to a pfSense firewall via OpenVPN is described step by step in this article. Authentication will be configured to use certificates.

Use it to connect your laptop securely when travelling, to connect a VoIP phone in a shared office to your main office's PBX, or perhaps a webcam.

The GL.iNet GL-MT300N-V2 Mango Mini Smart Router is an inexpensive device that runs OpenWRT/LEDE with a custom Web UI. It can be purchased from the manufacturer's website, Amazon, eBay, and perhaps many other places.

Other devices in the GL.iNet range may have the same configuration steps, but have not been examined for this document.

Configure your pfSense® Firewall

Note: pfSense 2.4.4 was used to create the steps.

Prerequisites

It is assumed that you have a functioning pfSense® Firewall already connected to the internet and with a static public IPv4 address.

Configurations using Dynamic DNS to compensate for a dynamic IP address, or having pfSense behind a perimeter firewall with port forwarding, may be possible but are not attempted in this guide.

You will create a private Certificate Authority which will sign all certificates; this is how your pfSense server knows that a client is allowed to connect. You will then create a certificate for your pfSense Firewall (Server Certificate), then a Client Certificate. Finally, a client configuration file will be exported, making configuration of the GL.iNet device a trivial single step.

Begin by logging in to your pfSense firewall as root or an equivalent admin user.

Install "OpenVPN Client Export" Package

From the top menu click System, then Package Manager.

In the Available Packages tab, find the openvpn-client-export package and install it.

Create a private Certificate Authority

From the top menu click System, then Cert. Manager.

In the CAs tab, click the +Add button.

Create your VPN CA

Enter details as follows:

Descriptive Name: Whatever you like

Method: Select "Create an internal Certificate Authority"

Key length (bits): 2048 (or higher if you like)

Digest Algorithm: Select "sha256"

Lifetime (days): 3650 (or more if you like)

Common Name: internal-ca

Country Code: Select yours

State or Province: Enter yours

City: Enter yours

Organization: Enter yours

Organizational Unit: Optional


Now click Save


Create your Server's Certificate

From the top menu click System, then Cert. Manager.

In the Certificates tab, click the +Add/Sign button.

Create your Server's Certificate

Enter details as follows:

Method: Select "Create an internal Certificate"

Descriptive name: Whatever you like

Certificate authority: Select the CA you created in the previous step

Key length (bits): 2048 (or higher if you like)

Digest Algorithm: Select "sha256"

Lifetime (days): 3650 (or more if you like)

Common Name: Your pfSense Server's host name

Country Code: Select yours

State or Province: Enter yours

City: Enter yours

Organization: Enter yours

Organizational Unit: Optional

Certificate Type: Select "Server Certificate"

Alternative Names: Select "FQDN or Hostname" and enter your pfSense Firewall's host name


Now click Save


Create your Client's Certificate

From the top menu click System, then Cert. Manager.

In the Certificates tab, click the +Add/Sign button.

Create client Certificate

Enter details as follows:

Method: Select "Create an internal Certificate"

Descriptive name: Whatever you like

Certificate authority: Select the CA you created earlier

Key length (bits): 2048 (or higher if you like)

Digest Algorithm: Select "sha256"

Lifetime (days): 3650 (or more if you like)

Common Name: Enter the default dynamic DNS of your GL.iNet device

Country Code: Select yours

State or Province: Enter yours

City: Enter yours

Organization: Enter yours

Organizational Unit: Optional

Certificate Type: Select "User Certificate"

Alternative Names: Select "FQDN or Hostname" and enter the default dynamic DNS of your GL.iNet device


Now click Save


Configure the OpenVPN Server

From the top menu click VPN, then OpenVPN.

In the Servers tab, click the +Add button.

General Information for your VPN Server

For the General Information section, enter values as follows:

Disabled: untick

Server mode: Select "Remote Access ( SSL/TLS )"

Protocol: Selecting "TCP on IPv4 only" is recommended. TCP will be more robust for clients behind poorly configured firewalls. Selecting "UDP on IPv4 only" may provide better throughput.

Device mode: Select "tun - Layer 3 Tunnel Mode"

Interface: Select your WAN interface

Local port: Enter 1194

Description: Anything you like

Cryptographic Settings

For the Cryptographic Settings section, enter values as follows:

TLS Configuration: tick both "Use a TLS Key" and "Automatically generate a TLS Key"

Peer Certificate Authority: Select the private CA you created earlier

Server certificate: Select the VPN server certificate you created earlier

DH Parameter Length: Select "2048 bit"

ECDH Curve: Select "Use Default"

Encryption Algorithm: Select "AES-256-GCM (256 bit key, 128 bit block)" - we want this to match what's supported by Hardware Crypto if possible

Enable NCP: tick

NCP Algorithms: Select all the "AES-256..." entries

Auth digest algorithm: Select "SHA256 (256-bit)"

Hardware Crypto: If possible, select "BSD cryptodev engine..."

Certificate Depth: Select "One (Client+Server)"

Tunnel Settings

IPv4 Tunnel Network: Enter a subnet and mask to be used between the pfSense Firewall and its VPN clients

IPv6 Tunnel Network: Leave blank

Redirect IPv4 Gateway: tick

Redirect IPv6 Gateway: untick

IPv6 Local network(s): Leave blank

Concurrent connections: Leave blank

Compression: Select "Disable Compression..."

Push Compression: untick

Type-of-Service: untick

Inter-client communication: untick (maybe tick, if you like)

Duplicate Connection: untick (maybe tick, if you want to)

Client Settings etc

For the Client Settings, Advanced Client Settings, and Advanced Configuration sections, enter values as follows:

Dynamic IP: untick (maybe tick if you like)

Topology: Select "Subnet"

DNS Default Domain: untick

DNS Server enable: untick

Block Outside DNS: untick

Force DNS cache update: untick

NTP Server enable: untick

NetBIOS enable: untick

Custom options: Leave blank

Send/Receive Buffer: Select "Default"

Gateway creation: Select "Both"

Verbosity level: Select "default"


Now click the Save button


Check the OpenVPN Server Status

From the top menu click Status, then OpenVPN. The status should be a green tick.

OpenVPN Server Status


Create a Firewall rule for the OpenVPN Server

From the top menu click Firewall, then Rules.

On your WAN interface, click either Add button.

OpenVPN firewall rule

Enter values as follows:

Action: select "Pass"

Disabled: untick

Interface: Select your WAN interface

Address Family: Select "IPv4"

Protocol: Select either "TCP" or "UDP", depending on what you selected when configuring the OpenVPN Server

Source: Select "any"

Destination: Select "WAN address" or the equivalent based upon your WAN interface name

Destination Port Range: Select "OpenVPN (1194)"

Log: untick

Description: Whatever you like


Now click the Save button.

On the rules list screen, drag this new rule to a position that you like. Click the Save button, then apply the rules.

Your OpenVPN server is now configured and live on the Internet.

TODO: add rule on OpenVPN interface

TODO: ensure NAT is correct


Export Client Configuration

From the top menu click VPN, then OpenVPN.

Click the Client Export tab.

Client Export

Enter values as follows:

Remote Access Server: Select the server you just configured

Host Name Resolution: Select "Interface IP Address"

Verify Server CN: Select "Automatic..."

Block Outside DNS: untick (or tick if you like)

Legacy Client: untick

Use Random Local Port: tick

PKCS#11 Certificate Storage: untick

Microsoft Certificate Storage: untick

Password Protect Certificate: untick

Use A Proxy: untick

Additional configuration options: Leave blank


Click the Save as default button.

Scroll down to the OpenVPN Clients section.

Client Export

Find the Client you created earlier, then under Inline Configurations click the Most Clients button and save the file when prompted.
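The exported inline profile carries the cryptographic choices made in the server steps above (an AES-256 cipher, the SHA256 auth digest, the TLS key and port 1194) together with the CA, client certificate and private key, so it is worth checking the file before it is uploaded to the router. The following Python script is an added example for this article, not code from pfSense, the OpenVPN Client Export package or GL.iNet. It parses the .ovpn inline-block format and reports anything that departs from the settings selected in this guide. The embedded SAMPLE_PROFILE is constructed for the example (placeholder PEM bodies, a documentation-range address and an assumed host name fw.example.net); the remote-cert-tls and verify-x509-name checks are my additions, not settings the steps above mention.

```python
"""Check an exported OpenVPN inline client profile before uploading it.

Added example for this article, not pfSense or GL.iNet code. SAMPLE_PROFILE is
constructed: the PEM bodies are placeholders, fw.example.net is an assumed
host name and 203.0.113.10 is a documentation-range address.
"""
import re

# Constructed stand-in for an inline ("Most Clients") export.
SAMPLE_PROFILE = """\
dev tun
client
tls-client
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-256-CBC
auth SHA256
remote 203.0.113.10 1194 tcp-client
verify-x509-name "fw.example.net" name
remote-cert-tls server
<ca>
PLACEHOLDER-CA-PEM (constructed, not a real certificate)
</ca>
<cert>
PLACEHOLDER-CLIENT-CERT-PEM (constructed)
</cert>
<key>
PLACEHOLDER-CLIENT-KEY-PEM (constructed)
</key>
key-direction 1
<tls-auth>
PLACEHOLDER-TLS-AUTH-KEY (constructed)
</tls-auth>
"""

# Values chosen in the pfSense steps above; anything else is reported.
ACCEPTED_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}
EXPECTED_AUTH = "SHA256"
EXPECTED_PORT = "1194"
REQUIRED_BLOCKS = ("ca", "cert", "key", "tls-auth")


def parse_profile(text):
    """Return (directives, blocks): directives is a list of (name, args) in
    file order, blocks maps each <tag> to the text between <tag> and </tag>."""
    directives, blocks, current, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                 # inside an inline block
            if line == "</%s>" % current:
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
        elif not line or line[0] in "#;":       # blank line or comment
            pass
        elif re.fullmatch(r"<[a-z0-9-]+>", line):
            current = line[1:-1]                # opening <tag>
        else:
            name, *args = line.split()
            directives.append((name, args))
    if current is not None:
        raise ValueError("unterminated <%s> block" % current)
    return directives, blocks


def audit_profile(text):
    """Return a list of findings; an empty list means the profile matches
    the server settings configured in this article."""
    directives, blocks = parse_profile(text)
    names = [name for name, _ in directives]
    findings = []
    for tag in REQUIRED_BLOCKS:
        if not blocks.get(tag):
            findings.append("missing inline <%s> block" % tag)
    if "tls-auth" in blocks and "key-direction" not in names:
        findings.append("tls-auth present but key-direction missing")
    # Both certificates come from the same private CA; the client must
    # insist the peer's certificate is a *server* certificate and pin its name.
    if ("remote-cert-tls", ["server"]) not in directives:
        findings.append("remote-cert-tls server missing")
    if "verify-x509-name" not in names:
        findings.append("verify-x509-name missing (server name not pinned)")
    for name, args in directives:
        if name == "cipher" and args[0] not in ACCEPTED_CIPHERS:
            findings.append("unexpected cipher %s" % args[0])
        elif name == "auth" and args[0] != EXPECTED_AUTH:
            findings.append("unexpected auth digest %s" % args[0])
        elif name in ("comp-lzo", "compress"):
            findings.append("compression enabled (%s); server disables it" % name)
        elif name == "remote" and len(args) > 1 and args[1] != EXPECTED_PORT:
            findings.append("remote port %s is not %s" % (args[1], EXPECTED_PORT))
    return findings


if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE) or ["profile OK"]:
        print(line)
```

To check the real download, read the file's contents in place of SAMPLE_PROFILE; an empty findings list means the profile matches the server settings. A compression or cipher mismatch is worth catching here rather than from a failing tunnel on the router, where the GL.iNet UI gives little diagnostic output.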


You can now log out of your pfSense Firewall.


Configure your GL.iNet GL-MT300N-V2 Device

Prerequisites

It is assumed that you have a functioning GL-MT300N-V2 device. You should ensure that the latest firmware is installed. By default the WAN interface is configured as a DHCP client, and the label on the device has other default values including the IP address and WiFi password.

If you do not use the WiFi function, you should turn it off.

In this section you will upload the client configuration file that was exported. The device will then connect to your pfSense Firewall, making devices attached to the LAN interface or WiFi able to access the remote network.

Begin by logging in to your GL.iNet device.

Configure OpenVPN Client

OpenVPN Client Tab

Click the OpenVPN tab, then click in the Upload ovpn box.

Select the client configuration file you downloaded from your pfSense Firewall in the previous steps.

You will get a message as follows:

Confirmation Message

Click the OpenVPN tab again; you will see new options available.

Enable OpenVPN Client

Next to Enable, tick the box; optionally tick Force VPN, then click the Apply button.

The device will then connect to the VPN.

Devices on the LAN or WiFi will be able to access the network behind your pfSense Firewall, and all internet access will be routed through the VPN and out your pfSense firewall.





  • Michael Sage on

    Hi,
    This guide still works really well! Thank you for the write-up. One question: what would you need to do to allow the LAN traffic to traverse the other way, i.e. for devices on the pfSense LAN to connect to the GL device LAN? Thanks :)

