Because of the annoying Windows 10 DNS LEAK problem in combination with the native windows vpn, I decided to setup an OpenVPN Applicance with pfSense to provide an alternative VPN Dial-In Gateway which addressed already the problem.



This image has an empty alt attribute; its file name is OpenVPN019.png


You will find many articles on how to avoid this by set a couple of group policy settings and switch to a low static metric for the vpn adapter, but there are no guaranty that windows 10 will not still use the dns response from your local gateway first instead from the corporate network.






What is OpenVPN?

OpenVPN is open-source commercial software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License Version 2 (GPLv2).

OpenVPN runs a custom security protocol based on SSL and TLS rather than supporting IKE, IPsec, L2TP or PPTP. OpenVPN offers support of smart cards via PKCS#11-based cryptographic tokens.

Source: https://en.wikipedia.org/wiki/OpenVPN




OpenVPN vs IKEv2 vs PPTP vs L2TP/IPSec vs SSTP – Ultimate Guide to VPN Encryption
https://proprivacy.com/vpn/guides/vpn-encryption-the-complete-guide

OpenVPN vs SSTP VPN: Which Protocol is Best for Your Use?
https://www.purevpn.com/blog/openvpn-vs-sstp-vpn/

About SSTP
https://www.vpnmentor.com/blog/how-to-use-a-vpn-with-sstp-secure-socket-tunneling-protocol/





Set up the RADIUS Authentification Server (Windows Server Network Policy and Access Services Role)

For RADIUS Authentification of course we need a RADIUS Server which will provide Microsoft with the Network Policy and Access Services Server Role.

So if still not installed yet in your network first thing is to provide this Role.

This image has an empty alt attribute; its file name is OpenVPN031.png




On the Network Policy Server we must add the pfSense Appliance as a new RADIUS Client. Here you must enter a friendly Name for the client and it’s internal IP Address. Further a shared secret which we also must set at pfSense.

This image has an empty alt attribute; its file name is OpenVPN032.png


To allow Clients to dialin we must further create a Network Policy which grant dialin permission.

This image has an empty alt attribute; its file name is OpenVPN033-1024x746.png


Create or select an Active Directory Group and place all users in it who should be allowed to dialin from remote.

Attach this windows group in the Specify Conditions dialog.

This image has an empty alt attribute; its file name is OpenVPN034.png


Grant Access for this group.

This image has an empty alt attribute; its file name is OpenVPN035-1024x741.png


Leave the default settings for Authentification and also for the next two dialogs with Configure Contraints and Settings.

This image has an empty alt attribute; its file name is OpenVPN036.png
This image has an empty alt attribute; its file name is OpenVPN037-1024x640.png


So far configuration of the RADIUS Server is complete!




pfSense Configuration

RADIUS Configuration

Let’s go to pfSense and there we first add and setup an Authentification Server.

Go to SystemUser MangerAuthentification Servers and click Add

For the description name we use RADIUS or any other name as it’s only for our information. The Type must be RADIUS of course and for the protocol you can leave MS-CHAPv2. Further we need to enter the ip address of the RADIUS Server and the shared secret we choose previous at adding the RADIUS Client in our NPS console. Leave the ports and the default timeout. Last Step here is to select the internal interface of pfSense for RADIUS NAS IP Attribute.

This image has an empty alt attribute; its file name is OpenVPN002-1024x747.png


Next we must create or import a Certification Authority. In this case we import our existing internal company CA from the Active Directory Certification Services (ADCS).

For an only working purpose a self signed newly created CA will be enough and works also. I used our internal CA as the root certificate is on each corporate computer deployed and therefore be trusted from all.

When exporting and installing the Client, the root certificate from the CA will be installed into the config folder from OpenVPN, so it doesn’t matter if it is trusted or not from the computer itself, OpenVPN will trust it. Even if you use a trusted CA for the OpenVPN Server certificate, OpenVPN client will still need the root certificate in the config folder, otherwise you cannot connect to the server.

So now we export the Root Cert with the corresponding Private Key that we later can import them into pfSense. The Private key is also needed that the CA can be used to create new certificates or CRL entries on pfSense.


Export the Private key and CA Certificate:

This image has an empty alt attribute; its file name is OpenVPN004.png
This image has an empty alt attribute; its file name is OpenVPN005.png
This image has an empty alt attribute; its file name is OpenVPN006.png
This image has an empty alt attribute; its file name is OpenVPN007.png


To use this PKCS File we first had to export the private and public key from it. So we need openssl.


Extract the private key:

Don’t be confused if the Enter PEM pass phrase is requested mutiple times! This depends on how many previous CA certificates exists on your PKI.

This image has an empty alt attribute; its file name is OpenVPN008-1024x334.png

Extract the certificate:

This image has an empty alt attribute; its file name is OpenVPN009-1024x366.png

Run the following command to decrypt the private key:

This image has an empty alt attribute; its file name is OpenVPN010-1024x338.png


After this we can import the CA into pfSense, therefore go to SystemCert ManagerCAs and click Add

Here select Import an existing Certification Authority

This image has an empty alt attribute; its file name is OpenVPN012-1024x282.png


Insert the previous exported public and private key and enter an serial number for the next certificate, can be 1.

This image has an empty alt attribute; its file name is OpenVPN011-1024x658.png
This image has an empty alt attribute; its file name is OpenVPN013-1024x318.png
This image has an empty alt attribute; its file name is OpenVPN014-1024x399.png


Now we must create a Server Certificate which is then signed from our internal CA.

Don’t forget the Common Name and SANs (Alternative Names) if needed at the end!

This image has an empty alt attribute; its file name is OpenVPN017-1024x762.png
This image has an empty alt attribute; its file name is OpenVPN016-1024x339.png
This image has an empty alt attribute; its file name is OpenVPN018-1024x455.png




pfSense OpenVPN Configuration

As we setup the RADIUS Server and configured the CA and server certificate, now we come to the actually setup of the OpenVPN Server, therefore go to VPNOpenVPN and click under Servers the Add button.

As you can see, I used here for the protocol UDP with the local Port 1194 which ist reserved for OpenVPN. Best performance you will get with UDP but OpenVPN can also run with TCP and any other Port.

Therefore you can run OpenVPN with TCP and Port 443 like SSTP. This brings the benefit that users can dial-in from remote networks with restricted outbound traffic rules as HTTP and HTTPS over Port 80 and 443 in most networks outbound allowed.

At Server mode I used Remote Access (User Auth). Recommended and more secure is the Remote Access (SSL/TLS + User Auth).

But as we authenticate against RADIUS Server and Active Directory, I don’t want to create for each user a certificate and therefore a separate client install package. Therefore be sure to check Use a TLS Key which enhances the security by adding a further secret as only user and password. If checked, for the user is installed a static key in the config folder which is the same as on the server.

Under https://en.wikipedia.org/wiki/HMAC you will find more about this TLS Key known as Keyed-Hash Message Authentication Code.




This image has an empty alt attribute; its file name is OpenVPN054-1024x630.png
This image has an empty alt attribute; its file name is OpenVPN056-1024x798.png




At IPv4 Tunnel Network below you must specify a network range in which your dialin clients reside.

If you have enabled netmask ordering on your DNS servers and have more than one AD Site, be aware to use a range near your physical AD Site on which the clients dialin!

Otherwise your vpn clients maybe will get for DNS requests which resides on multiple AD Sites, the IP from a system at the remote site.




More about netmask ordering you can read my following post.




Also under IPv4 Local nework(s) or IPv6 if used, add your local subnets which should be accessible from the vpn clients.

Also keep in mind, that clients/systems in the local network which should be accessible for the remote clients, should know the route into the Tunnel Network!

This image has an empty alt attribute; its file name is OpenVPN040-1024x763.png




Under the tunnel settings you can also disable vpn split tunneling which is used by default.
By checking Redirect IPv4 Gateway or Redirect IPv6 Gateway you can force your vpn clients to route all traffic through the vpn tunnel and corporate network.

By default unchecked, traffic which is destined for the internet (route 0.0.0.0/0), will be routed via the remote user’s local interface (gateway) and internet connection.

This image has an empty alt attribute; its file name is openVPN_split_tunneling-1024x291.png







Under the Advanced Client Settings you can specify a default DNS domain and assign internal DNS servers to the clients.

Also you can check here Block Outside DNS to prevent the mentioned Windows 10 DNS Leak!

This image has an empty alt attribute; its file name is OpenVPN041-1024x724.png
This image has an empty alt attribute; its file name is OpenVPN042-1024x781.png
This image has an empty alt attribute; its file name is OpenVPN043-1024x286.png


Now we must create a Firewall Rule on the WAN Interface to allow connections from OpenVPN Clients to UDP Port 1194.

This image has an empty alt attribute; its file name is OpenVPN055-1024x751.png





OpenVPN Client

That we can export the OpenVPN Client, first we had to install the openvpn-client-export package.

Therefore go to SystemPackage ManagerAvailable Packages and search for OpenVPN

This image has an empty alt attribute; its file name is OpenVPN030-1024x427.png


After you installed this package you have under the menu OpenVPN a new tab with Client Export.

Don’t forget to check the Block Outside DNS checkbox to prevent the Windows 10 DNS LEAKS problems!

This image has an empty alt attribute; its file name is OpenVPN045-1024x640.png
This image has an empty alt attribute; its file name is OpenVPN046-1024x692.png


At the bottom of the Site you can download the several VPN Clients suited for your OS.

This image has an empty alt attribute; its file name is OpenVPN047-1024x742.png




Firewall Configuration

To allow Traffic from the OpenVPN Clients finally you must configure an allow Rule at the firewall under the OpenVPN tab.

In my case I allow all IPv4 traffic but for security reasons you should only allow required traffic.

This image has an empty alt attribute; its file name is OpenVPN048-1024x361.png


One last thing we must configure at the corporate network are the new route to the tunnel network which is used by OpenVPN and the Clients, otherwise the internal servers and routers don’t know how to route outbound traffic to your vpn client computers and you can’t connect to them!

Now if you installed the client for your OS you can dialin to your corporate Network.

This image has an empty alt attribute; its file name is OpenVPN053.png


For the username you can type in the new UPN format like user@domain.tld or just the username. The common old legacy pre-Windows 2000 login DOMAIN\user is not supported.

This image has an empty alt attribute; its file name is OpenVPN050.png


This image has an empty alt attribute; its file name is OpenVPN051.png


One thing I forget to mention is if you use OpenVPN in a perimeter network configuration with front- and backfirewall. Don’t forget to allow UDP Traffic for RADIUS Authentification on the backfirewall, otherwise you will get an Auth-Error at dialin.


(UDP 1812 & 1813)

This image has an empty alt attribute; its file name is pfsense_openvpn_fw_rule002.png




Configuration on the backfirewall

This image has an empty alt attribute; its file name is pfsense_openvpn_fw_rule001.png



That’s it!









Using Client Certificates for Authentication (Server Mode SSL/TLS + User Auth)

Below you see the few changes to make if you want to use the Server mode Remote Access (SSL/TLS + User Auth) instead of Remote Access (User Auth).

Go to VPNOpenVPNServers

Select at Server mode Remote Access (SSL/TLS + User Auth) .

Go to SystemCertificate ManagerCertificates

Click on Add and select Create an internal Certificate. This is the user certficate without the client could not login to OpenVPN. For each user you must create one. Under Descriptive name and Common Name put in the username from the Active Directory. Use her lowecase.

This image has an empty alt attribute; its file name is OpenVPN059-1024x752.png
This image has an empty alt attribute; its file name is OpenVPN060-1024x385.png


As we switched to Remote Access (SSL/TLS + User Auth) and created the user certificate we now can export the clients install package for this user. As mentioned for this server mode we must create for each user a separate user certficate and clients intall package.

Go to OpenVPNClient Export

This image has an empty alt attribute; its file name is OpenVPN061-1024x635.png


I checked here to use the Microsoft Certficate Storage and protect the certificates with a password. The user will need this when installing the package and importing the user certificate.

This image has an empty alt attribute; its file name is OpenVPN062-1024x569.png


Here you can download the user specific install package with contains the user certificate. If you have many users you can search for them. For each created user certficate you will find here the corresponding client intall package.

This image has an empty alt attribute; its file name is OpenVPN063-1024x512.png


At installing the client you will be automatically assisted to import the user certificate to the Microsoft Certificate Storage as selected previous in the Client Export settings.

This image has an empty alt attribute; its file name is OpenVPN064.png








OpenVPN Split Tunneling

As already metioned under the pfSense OpenVPN Configuration section, with OpenVPN by default vpn split tunneling is used.

Therefore traffic which is destined for the internet (route 0.0.0.0/0), will be routed via the remote user’s local interface (gateway/internet connection) instead through the vpn tunnel and pfSense.

Only traffic destined for the corporate network (networks listed below under IPv4/IPv6 Local networks) is routed through the tunnel.

The configuration is done in pfSense under VPN –> OpenVPN –> Tunnel Settings –> Redirect IPv4 Gateway and/or Redirect IPv4 Gateway.

By checking Redirect IPv4 Gateway or Redirect IPv6 Gateway you can force your vpn clients to route all traffic through the vpn tunnel and corporate network.

This image has an empty alt attribute; its file name is openVPN_split_tunneling1-1024x481.png




In case you check and force all traffic to be routed through the tunnel, the above IPv4 and IPv6 Local network(s) fields will disappear as you don’t need to define in that case what networks will be routed through the tunnel as now all traffic will be routed through.

This image has an empty alt attribute; its file name is openVPN_split_tunneling2-1024x475.png







Links

OpenVPN Remote Access Configuration Example
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html