Connecting a GL.iNet router to a pfSense firewall via OpenVPN is described step by step in this article. Authentication is configured to use certificates.
Use it to connect your Laptop securely when traveling, or connect a VoIP phone from a shared office to your main office's PBX, or perhaps a webcam?
The GL.iNet GL-MT300N-V2 Mango Mini Smart Router is an inexpensive device that runs OpenWRT/LEDE with a custom Web UI. It can be purchased from the manufacturer's website, Amazon, eBay, and perhaps many other places.
Other devices in the GL.iNet range may have the same configuration steps, but have not been examined for this document.
Configure your pfSense® Firewall
Note: pfSense 2.4.4 was used to create the steps.
Prerequisites
It is assumed that you have a functioning pfSense® Firewall already connected to the internet and with a static public IPv4 address.
Configurations using Dynamic DNS to compensate for a Dynamic IP address or having pfSense behind a perimeter firewall with port forwarding, may be possible but are not attempted in this guide.
You will create a private Certificate Authority which will sign all certificates; this is how your pfSense server knows that a client is allowed to connect. You will then create a certificate for your pfSense Firewall (Server Certificate), then a Client Certificate. Finally, a client configuration file will be exported, making configuration of the GL.iNet device a trivial single step.
Begin by logging in to your pfSense firewall as root or an equivalent admin user.
Install "OpenVPN Client Export" Package
From the top menu click System, then Package Manager.
In the Available Packages tab, find the openvpn-client-export package and install it.
Create a private Certificate Authority
From the top menu click System, then Cert. Manager.
In the CAs tab, click the +Add button.
Enter details as follows:
Descriptive Name: Whatever you like
Method: Select "Create an internal Certificate Authority"
Key length (bits): 2048 (or higher if you like)
Digest Algorithm: Select "sha256"
Lifetime (days): 3650 (or more if you like)
Common Name: internal-ca
Country Code: Select yours
State or Province: Enter yours
City: Enter yours
Organization: Enter yours
Organizational Unit: Optional
Now click Save
Create your Server's Certificate
From the top menu click System, then Cert. Manager.
In the Certificates tab, click the +Add/Sign button.
Enter details as follows:
Method: Select "Create an internal Certificate"
Descriptive name: Whatever you like
Certificate authority: Select the CA you created in the previous step
Key length (bits): 2048 (or higher if you like)
Digest Algorithm: Select "sha256"
Lifetime (days): 3650 (or more if you like)
Common Name: Your pfSense Server's host name
Country Code: Select yours
State or Province: Enter yours
City: Enter yours
Organization: Enter yours
Organizational Unit: Optional
Certificate Type: Select "Server Certificate"
Alternative Names: Select "FQDN or Hostname" and enter your pfSense Firewall's host name
Now click Save
Create your Client's Certificate
From the top menu click System, then Cert. Manager.
In the Certificates tab, click the +Add/Sign button.
Enter details as follows:
Method: Select "Create an internal Certificate"
Descriptive name: Whatever you like
Certificate authority: Select the CA you created in the previous step
Key length (bits): 2048 (or higher if you like)
Digest Algorithm: Select "sha256"
Lifetime (days): 3650 (or more if you like)
Common Name: Enter the default dynamic DNS of your GL.iNet device
Country Code: Select yours
State or Province: Enter yours
City: Enter yours
Organization: Enter yours
Organizational Unit: Optional
Certificate Type: Select "User Certificate"
Alternative Names: Select "FQDN or Hostname" and enter the default dynamic DNS of your GL.iNet device
Now click Save
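The three certificates created in the Cert. Manager above differ mainly in their X.509 extensions: the "Server Certificate" type adds an extendedKeyUsage of serverAuth, the "User Certificate" type adds clientAuth. The script below is an added example, not part of the article or of pfSense, that builds the same CA, server and client certificates with plain openssl (RSA 2048, SHA-256, 3650 days, as chosen above) and then checks what those extensions enforce: the client certificate chains to the CA but cannot pass as a server. The host names and working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the article: the CA, Server Certificate and User
# Certificate from the pfSense Cert. Manager steps, built with plain openssl so
# the attributes behind the "Certificate Type" choice are visible.
# All names are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_CN="internal-ca"                     # Common Name used for the CA in the article
SERVER_CN="fw.example.invalid"          # placeholder: your pfSense host name
CLIENT_CN="mango-abcd.example.invalid"  # placeholder: the GL.iNet device's DNS name

# Minimal req config so the script does not depend on the system openssl.cnf.
# The DN given here is always overridden by -subj below.
write_req_conf() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
}

# Key + CSR with the article's parameters: RSA 2048, SHA-256.
new_key_and_csr() {  # $1 = file stem, $2 = Common Name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

make_pki() {
  write_req_conf

  # 1. Private CA, 3650 days, self-signed.
  new_key_and_csr ca "$CA_CN"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -sha256 -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

  # 2. Server Certificate: extendedKeyUsage serverAuth plus a SAN for the host name.
  #    This is what the "Server Certificate" type adds, and what the exported
  #    client profile's "remote-cert-tls server" directive checks.
  new_key_and_csr server "$SERVER_CN"
  printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:%s\n' \
    "$SERVER_CN" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 3650 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

  # 3. User Certificate: extendedKeyUsage clientAuth only.
  new_key_and_csr client "$CLIENT_CN"
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\nsubjectAltName=DNS:%s\n' \
    "$CLIENT_CN" > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 3650 -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
}

# Succeeds only if $1 chains to the private CA AND is valid for purpose $2
# (sslserver or sslclient). "client.crt sslserver" must fail: a client
# certificate from this CA is not accepted as the VPN server's identity.
check_purpose() {
  openssl verify -purpose "$2" -CAfile "$WORK/ca.crt" "$WORK/$1" >/dev/null 2>&1
}

# Prints subject, SAN and extended key usage of a certificate for inspection.
show_identity() {
  openssl x509 -in "$WORK/$1" -noout -subject -ext subjectAltName,extendedKeyUsage
}

if [ "${1:-}" = "demo" ]; then
  make_pki
  for f in server.crt client.crt; do
    echo "== $f"; show_identity "$f"
    check_purpose "$f" sslserver && echo "usable as server: yes" || echo "usable as server: no"
  done
fi
```

Run it as `sh pki-demo.sh demo` (file name is arbitrary). The point to take from it: the "Certificate Type" field is not cosmetic. Without the serverAuth extension on the server certificate, the exported client profile's identity check has nothing to pin, and any certificate issued by the same CA would look equally valid to the client.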
Configure the OpenVPN Server
From the top menu click VPN, then OpenVPN.
In the Servers tab, click the +Add button.
For the General Information section, enter values as follows:
Disabled: untick
Server mode: Select "Remote Access ( SSL/TLS )"
Protocol: Selecting "TCP on IPv4 only" is recommended. TCP will be more robust for clients behind poorly configured firewalls. Selecting "UDP on IPv4 only" may provide better throughput.
Device mode: Select "tun - Layer 3 Tunnel Mode"
Interface: Select your WAN interface
Local port: Enter 1194
Description: Anything you like
For the Cryptographic Settings section, enter values as follows:
TLS Configuration: tick both "Use a TLS Key" and "Automatically generate a TLS Key"
Peer Certificate Authority: Select the private CA you created earlier
Server certificate: Select the VPN server certificate you created earlier
DH Parameter Length: Select "2048 bit"
ECDH Curve: Select "Use Default"
Encryption Algorithm: Select "AES-256-GCM (256 bit key, 128 bit block)" - we want this to match what's supported by Hardware Crypto, if possible
Enable NCP: tick
NCP Algorithms: Select everything "AES-256..."
Auth digest algorithm: Select "SHA256 (256-bit)"
Hardware Crypto: If possible, select "BSD cryptodev engine..."
Certificate Depth: Select "On (Client+Server)"
IPv4 Tunnel Network: Enter a subnet and mask to be used between the pfSense Firewall and its VPN clients
IPv6 Tunnel Network: Leave blank
Redirect IPv4 Gateway: tick
Redirect IPv6 Gateway: untick
IPv6 Local network(s): Leave blank
Concurrent connections: Leave blank
Compression: Select "Disable Compression..."
Push Compression: untick
Type-of-Service: untick
Inter-client communication: untick (maybe tick, if you like)
Duplicate Connection: untick (maybe tick, if you want to)
For the Client Settings, Advanced Client Settings, and Advanced Configuration section, enter values as follows:
Dynamic IP: untick (maybe tick if you like)
Topology: Select "Subnet"
DNS Default Domain: untick
DNS Server enable: untick
Block Outside DNS: untick
Force DNS cache update: untick
NTP Server enable: untick
NetBIOS enable: untick
Custom options: Leave blank
Send/Receive Buffer: Select "Default"
Gateway creation: Select "Both"
Verbosity level: Select "default"
Now click the Save button
Check the OpenVPN Server Status
From the top menu click Status, then OpenVPN. The status should be a green tick.
Create a Firewall rule for the OpenVPN Server
From the top menu click Firewall, then Rules.
On your WAN interface, click either Add button.
Enter values as follows:
Action: select "Pass"
Disabled: untick
Interface: Select your WAN interface
Address Family: Select "IPv4"
Protocol: Select either "TCP" or "UDP", depending what you selected when configuring the OpenVPN Server
Source: Select "any"
Destination: Select "WAN address" or the equivalent based upon your WAN interface name
Destination Port Range: Select "OpenVPN (1194)"
Log: untick
Description: Whatever you like
Now click the Save button.
On the rules list screen, drag this new rule to a position that you like. Click the Save button, then apply the rules.
Your OpenVPN server is now configured and live on the Internet.
TODO: add rule on OpenVPN interface
TODO: ensure NAT is correct
Export Client Configuration
From the top menu click VPN, then OpenVPN.
Click the Client Export tab.
Enter values as follows:
Remote Access Server: Select the server we just configured
Host Name Resolution: Select "Interface IP Address"
Verify Server CN: Select "Automatic..."
Block Outside DNS: untick (or tick if you like)
Legacy Client: untick
Use Random Local Port: tick
PKCS#11 Certificate Storage: untick
Microsoft Certificate Storage: untick
Password Protect Certificate: untick
Use A Proxy: untick
Additional configuration options: Leave blank
Click the Save as default button.
Scroll down to the OpenVPN Clients section.
Find the Client you created earlier, then under Inline Configurations click the Most Clients button and save the file when prompted.
You can now log out of your pfSense Firewall.
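The "Most Clients" inline export produces a single .ovpn file that carries the connection directives together with the CA certificate, the client certificate and key, and the TLS key as inline blocks. Before that file is uploaded to the GL.iNet, it is worth confirming that it really reflects the server settings chosen above (server identity check, SHA256 auth, AES-256 ciphers, TLS key, no compression). The script below is an added example, not part of the article or of the pfSense export package; the embedded profile is a constructed illustration of what such an export looks like (certificate and key bodies are omitted), and the IP address and host name in it are placeholders.

```shell
#!/bin/sh
# Added example, not part of the article: a small lint for an exported
# "Most Clients" inline profile, run before uploading it to the GL.iNet.
# SAMPLE_OVPN is a constructed illustration, not a real export.
set -eu

SAMPLE_OVPN='dev tun
persist-tun
persist-key
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 203.0.113.10 1194 tcp-client
nobind
verify-x509-name "fw.example.invalid" name
remote-cert-tls server
<ca>
(CA certificate from the private CA, PEM, omitted here)
</ca>
<cert>
(client certificate, PEM, omitted here)
</cert>
<key>
(client private key, PEM, omitted here)
</key>
key-direction 1
<tls-auth>
(TLS key generated by pfSense, omitted here)
</tls-auth>
'

# Writes the constructed sample profile to file $1.
write_sample() { printf '%s' "$SAMPLE_OVPN" > "$1"; }

# Produces a weakened copy of profile $1 in $2: server identity check removed
# and compression enabled. This is the kind of edit the lint should catch.
weaken_sample() { grep -v '^remote-cert-tls' "$1" > "$2"; echo 'comp-lzo' >> "$2"; }

# Returns 0 when profile $1 carries every expected directive and no compression;
# otherwise prints one line per finding and returns 1.
check_ovpn() {
  f="$1"; rc=0
  # whole-line directives that must be present exactly as the server settings imply
  for d in 'client' 'tls-client' 'remote-cert-tls server' 'auth SHA256' \
           'cipher AES-256-GCM' 'key-direction 1' 'nobind'; do
    grep -qx "$d" "$f" || { echo "missing: $d"; rc=1; }
  done
  # NCP must offer only the AES-256 ciphers enabled on the server
  grep -q '^ncp-ciphers AES-256-GCM:AES-256-CBC$' "$f" || { echo "unexpected ncp-ciphers"; rc=1; }
  # "Verify Server CN: Automatic" exports a verify-x509-name line with the server CN
  grep -q '^verify-x509-name ".*" name$' "$f" || { echo "missing: verify-x509-name"; rc=1; }
  # the server was configured with compression disabled
  grep -Eq '^(comp-lzo|compress)' "$f" && { echo "compression directive present"; rc=1; }
  # inline blocks: CA, client certificate, client key, TLS key
  for b in ca cert key tls-auth; do
    grep -q "^<$b>$" "$f" && grep -q "^</$b>$" "$f" || { echo "missing inline block: <$b>"; rc=1; }
  done
  # remote line: host, port 1194 and the protocol chosen on the server
  grep -Eq '^remote [^ ]+ 1194 (tcp-client|udp)$' "$f" || { echo "remote line not as expected"; rc=1; }
  return $rc
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp); write_sample "$tmp"; weaken_sample "$tmp" "$tmp.weak"
  echo "== exported profile";  check_ovpn "$tmp" && echo "ok"
  echo "== weakened profile";  check_ovpn "$tmp.weak" || echo "rejected"
  rm -f "$tmp" "$tmp.weak"
fi
```

To lint a real export, call `check_ovpn /path/to/exported.ovpn` from a shell that has sourced the script. The two findings the weakened copy triggers are the ones that matter most on the GL.iNet side: without `remote-cert-tls server` the device would accept any certificate signed by the private CA as the server, and a compression directive would contradict the server's "Disable Compression" setting.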
Configure your GL.iNet GL-MT300N-V2 Device
Prerequisites
It is assumed that you have a functioning GL-MT300N-V2 device. You should ensure that the latest firmware is installed. By default the WAN interface is configured as a DHCP client, and the label on the device lists the other default values, including the IP address and WiFi password.
If you do not use the WiFi function, you should turn it off.
In this section you will upload the client configuration file that was exported. The device will then connect to your pfSense Firewall, making devices attached to the LAN interface or WiFi able to access the remote network.
Begin by logging in to your GL.iNet device.
Configure OpenVPN Client
Click the OpenVPN tab, then click in the Upload ovpn box.
Select the client configuration file you downloaded from your pfSense Firewall in the previous steps.
You will get a message as follows:
Click the OpenVPN tab again, you will see new options available.
Next to Enable tick the box, optionally tick next to Force VPN, then click the Apply button.
The device will then connect to the VPN.
Devices on the LAN or WiFi will be able to access the network behind your pfSense Firewall, and all internet access will be routed through the VPN and out your pfSense firewall.
Hi,
This guide still works really well! Thank you for the write up. One question, what would you need to do to allow the LAN traffic to traverse the other way? i.e. for devices on the pfSense LAN to connect to the GL device LAN? Thanks :)