PFSense + Teardop (VPS) and OpenVPN

pete_c

Guru
Document using PFSense +, Oracle VPS and installing an OpenVPN client on PFSense for use with T-Mobile LTE / 5G modem and Starlink Satellite.
 
Note will be replicating this DIY on the PFSense forum here  ==> PFSense + Teardop (VPS) and OpenVPN 
 
Created a testing environment here using:
 
1 - PFSense + running on hardware / motherboard with two NICs
2 - LTE combo modem (Firewall, switch, WAP with RJ11 telephone jacks)
3 - Oracle VPS account.
 
Here is a quickie simple drawing of the transport.
 
[sharedmedia=gallery:images:1520]
 
Converting your PFSense CE to PFSense +
 
1 - register on the Netgate sales website here ==> Netgate Sales
2 - purchase PFSense + (free) 
3 - enable registration code to update your PFSense CE to PFSense +
 
Using an Oracle VPS (free)
 
Register and configure your Oracle account here ==>  Oracle Cloud Free Tier

29th of April, 2022

Created an OpenVPN server on Oracle - will document step by step.

Testing it for access to the internet via Oracle with Linux and Windows clients. Initially from XFinity ISP then from T-Mobile ISP and finally from the PFSense OpenVPN client configured with PFSense + wizard.
 
4th of May, 2022
 
Steps to create an OpenVPN server on Oracle Cloud.
 
1 - Create your free account on Oracle here ==> Oracle Cloud Free Tier
 
Note: you will need to provide a CC#.  You will not be charged for anything unless you decide to purchase services.
 
Login to your new account.
 
Read this tutorial and watch the video.
 
How to Launch OpenVPN Access Server on Oracle Cloud
 
[youtube]http://youtu.be/6FMMuJS13WM[/youtube]
 
To install Access Server in your OCI tenancy, follow the steps below:
 
1. Find the BYOL listing of OpenVPN Access Server in the Oracle Marketplace
 
2. Click on the Get App button
 
3. Select an OCI Region from the drop-down list and click on the Sign In button
 
4. Provide your Cloud Tenant identifier and Click on Continue button
 
5. Sign In to your OCI account
 
6. Choose a Compartment  from the drop-down list
 
7. Accept the terms and click on the Launch Stack button
 
8. Click on the Next button on Step-1 of the Stack Creation workflow
 
9. Review, fill or change the values of the variables that appear in the sections below. Variables in bold deserve special attention
 
9 A. Compute Configuration
  A1.  OpenVPN Access Server Name: Change the name of the Instance if desired
    A2. Compute Shape: Select one of the compatible compute shapes from the drop- down
 
9 B. Application Configuration
  B1. Administrator Username: type in a username for the Administrator to log into the administration portal. It needs to start with a letter and can only contain alphanumeric values. Do NOT use openvpn as the administrator's username.
  B2. Administrator Password: type in a password for the Administrator to log in.It should have a minimum length of 8 and no special characters
  B3.Activation Key: Activation key is needed to handle more than two VPN connections. Purchase from https://openvpn.net
 
9 C. Network Configuration
  C1. Network Strategy: Choice of Create New VCN or Use Existing VCN 
          - If  Create New VCN is chosen, you can change the value of these variables:
          - Virtual Cloud Network (VCN): The name of the new Virtual Cloud Network (VCN)
          - VCN CIDR BLOCK: The CIDR of the new Virtual Cloud Network (VCN). If you plan to peer this VCN with another VCN, the VCNs must not have o verlapping CIDRs.
          - VCN DNS Label: Only letters and numbers, starting with a letter. 15 characters max.
            - Subnet Span: Choose between regional and AD specific subnets
            - Subnet: The name of the new Subnet
            - Subnet CIDR: The CIDR of the new Subnet. The new subnet's CIDR should not overlap with any other subnet CIDRs.
            - Subnet DNS Label: Subnet DNS Label. Only letters and numbers, starting with a letter. 15 characters max.
C2. If Use Existing VCN is chosen:
            - Existing Network: Choose an existing Virtual Cloud Network (VCN) in which to create the compute instances, network resources, and load balancers. If not specified, a new VCN is created.
- Existing Subnet: Choose an existing subnet to use for compute instances. This subnet must already be present in the chosen VCN.
 
9 D. Additional Configuration
            - Compartment: Change or choose the compartment in which to create all resources
            - Public SSH Key: paste your public SSH Key to access VM via SSH
 
10. Click on the Next button to proceed to Step-3
 
11. Review and click on the Create  button
 
12. The job will start to run and you will see the job is In Progress
 
13. Once the job has succeeded, click on the Application Information tab
 
14. Wait for a few minutes for the configuration to take and then click on the Login to Administer button
 
15. Refresh the browser as needed till you see the Security warning
 
16. The security warning is generated due to the use of self-signed web certificate, please take steps to bypass this warning and proceed
 
17. Login using the username and password you had provided during the Stack configuration. This information is also shown on the Application Information tab
 
18. Review and click Agree on the terms web page

 2 - Go to Oracle cloud Marketplace and pick 
 
OpenVPN Access Server
VPN solution for Virtual Cloud Network (VCN). Two connections for FREE. Buy license for more
Software Price: BYOL
 
On the right side of the screen you will see "get app" - click on this.
 
3 - Download client configurations for testing.  Here testing with laptops, Android phone, Windows tablet on Internet, et al.
 
Today tested a variety of clients accessing the VPN server (and Internet).   Worked fine.
 
Next steps will be to configure PFSense as a VPN client to the Oracle OpenVPN server.  Easy peasy way is to update your PFSense CE box to PFSense +.  There is a client import utility on the PFSense + add ons which is not available on the PFSense community edition.
 
 
 
 
 
 
 
 
 

JimS

Active Member
Good idea to document this Pete!
 
This is to enable VPN access to local network behind CGNAT which seems to becoming more popular - Starlink and others use it.  VPS will be OpenVPN server.  PFsense will be client as will the remote phone or PC.  PFsense+ has a module (maybe not the right word...) to allow import of ovpn file from server to set up the connection details.  I have remote and pfsense connecting to the server but need to set up the rules or routes to allow data through to the local network.  I want internet traffic that originates on the local network to not go through the VPN.
 

pete_c

Guru
Yeah also documenting this on the PFSense Forum as the question has come up a few times there and the client wizard is not available with PFSense CE.
 

JimS

Active Member
I was able to get the access from my phone back to my network.  One the server account for the pfsense box checked options for

Allow Access From:

all server-side private subnets



Allow Access From:

all other VPN clients
Then select yes for configure vpn gateway and enter subnet in the box
Allow client to act as VPN gateway
for these client-side subnets:
Something like  192.168.1.0/24 allows access to any 192.168.1.x addresses on lan.
download the ovpn client file and load it into the pfsense box.
 
Still having trouble getting lan traffic to go out the wan port.  Logs show it is blocked but the way I read the rules seem to say it should be allowed.  Obviously I am missing something.
 
 

JimS

Active Member
I got lan to wan working.  For some reason (that I need to read more on) the rule should be to pass lan traffic to all rather than pass lan to wan.  Don't think I had messed with the default rule - it seems setting up VPN affected this.  Not at all clear how it directs to wan and not the VPN connection - maybe because of some of the VPN server settings doesn't allow it? 
 
I broke the vpn operation somehow in fiddling with things that I need to go back and fix. 
 

JimS

Active Member
Pete,
 
Some of your links don't work.  I have added some of the process I figured out here with your help here...
Create your free account on Oracle here ==> Oracle Cloud Free Tier  %5Burl="https://www.oracle.com/cloud/free/"]https://www.oracle.com/cloud/free/[/URL]
 
Then get an OpenVPN application for it here:  %5Burl="https://cloudmarketplace.oracle.com/marketplace/listing/67830324"]https://cloudmarketplace.oracle.com/marketplace/listing/67830324[/URL]
 
Set up accounts for each device you want to connect.  Your local network can use one account if you install the client on the pfsense box.  
You need to include a password even if you set to log in the client without password.  
 
Once client settings are configured on the server, log in as that user and download the .ovpn file.  That can be imported into the 
client to set it up to connect.
 
I have a pfsense firewall so that is what I will describe how to set up.  You can get a free personal license file to upgrade to pfsense+ here:  %5Burl="https://shop.netgate.com/account/register"]https://shop.netgate.com/account/register[/URL]
 
If you need to change the client settings on the server I just downloaded a new .ovpn file although there may be other ways to do it.  To load a new file you need to delete the vpn port on the client (pfsense).  I found that this is needed to clear everything (the order matters as you can't delete some things until other things are deleted).
    Delete VPN interface
    Delete VPN client
    Delete CA (under system -> cert manager)
    Delete certificate
    Import new ovpn file
    Add interface for VPN
 
On the server account for the pfsense box checked options for

Allow Access From:

all server-side private subnets



Allow Access From:

all other VPN clients
Then select yes for configure vpn gateway and enter subnet in the box
Allow client to act as VPN gateway
for these client-side subnets:
Something like  192.168.1.0/24 allows access to any 192.168.1.x addresses on lan.
download the ovpn client file and load it into the pfsense box.


 
 
I probably missed a few things so if someone else tries this let us know any corrections/additions.
 

pete_c

Guru
Thank you Jim....
 
Added steps to create OpenVPN server.  Will clean it up a bit...shortly.
 

JimS

Active Member
Got the network switched to route everything through the pfsense box and just use the router as an access point for wifi.  Got the WAN blocking for the cameras in place.  Found I had one old box that had set IP in the box when the internet no longer worked on it.  Switched it to DHCP by MAC like everything else and that works now.  Somehow in all that I broke the VPN so have to figure that out...
 

pete_c

Guru
Good news Jim!
 
What MFG / model cameras are you using?
 
The PFSense Client should be dynamic unless maybe your Satellite WAN IP changed??
 
You can delete the old PFSense VPN client and using the original Oracle config file redo it.
 

JimS

Active Member
Reloading the VPN client solved it.  Not sure why as it shouldn't matter if my dynamic IP from Starlink changed but I changed quite a bit in reconfiguring the network so probably due to something I did there.  You have to delete it in a particular order in order to replace it.  Order is:
 
First delete the VPN interface (under Interface)
Delete VPN client (VPN/OpenVPN clients)
Delete CA  (system/cert manager)
Delete certificate (system/cert manager)
Import new ovpn file
Add interface for VPN
 
For cameras I have this:  https://www.amazon.com/gp/product/B07NVG5H8Y/
Have had them a couple years with no issues so far.  For the doorbell cam I have this:  https://www.amazon.com/gp/product/B0837BTDT2/  Was only about $90 when I got it a year ago.  Use them with zoneminder.
 

pete_c

Guru
Thank you Jim.  
 
Same Doorbell here too with Zoneminder and Blue Iris.
 
Helped write this a couple of years ago on the IP Cam talk forum.
 
HIKVISION DOORBELL101
 
and this a bit:
 

New RCA HSDB2A 3MP Doorbell IP Camera
 
I am Pete_C on the IP Cam talk forum.
 
Still working on the PFSense to Oracle VPS.  I am doing this on a little test lab set up and had to move it last week.
 
Been off on a tangent here create tiny RPi Nut Servers for UPS's.  One on the rack for 3 UPS's, one in the telco area and one in the office.
 
I have not tinkered with an RPi in a long time and the new Debian OS is very nicely done.  
 
In the attic here have a Z-Wave RPI, Lightning sensor RPi and a SD Radio RPi for NOAA satellite mapping downloads.  I have not touched these in years now.
 

pete_c

Guru
My Oracle trial is officially over.  That said I can continue to use it as long as I utilize it.  This will get me to push myself to re configuring my PFSense-VPN lab...
 

JimS

Active Member
Yes, they apparently have a trial period where you can use more features/users/etc for free to make sure it works for the application but if you are only using the forever free features it continues to be free.  Not sure when the account might get shutdown for non-use.
 

pete_c

Guru
This is getting me to re set up my little test lab with PFSense computer and T-Mobile LTE CPE.  I have been using the Oracle VPN server and it works fine via the XFinity ISP and T-Mobile CPE and Mobile hotspots.
 
Have yet to test the inter connectivity between two VPN clients...well then the routing one way or another.
 
Top