dshafirov

Setting up pfSense 2.2-BETA x64 as VPN client with Stunnel


I've managed to get a pfSense VM working with AirVPN's Serpentis server via Stunnel.

Given the importance of using the latest versions of Stunnel and OpenSSL, I used pfSense 2.2-BETA x64, which is based on FreeBSD 10.1-RELEASE x64. Working in a FreeBSD 10.1 x64 VM, I made the stunnel-5.07 package and its dependencies from ports. See <http://www.freshports.org/security/stunnel/>. Also see <https://forums.freebsd.org/threads/howto-setting-up-stunnel-in-freebsd.1717/>.

pfSense 2.2-BETA x64 VM:
   512 MB RAM
   7 MB video RAM
   2 GB dynamic VDI
   PAE/NX, VT-x/AMD-V, Nested Paging
   Adapter 1: Intel PRO/1000 MT Desktop (NAT)
   Adapter 2: Intel PRO/1000 MT Desktop (Internal Network, 'AV')
   audio and USB disabled
   otherwise defaults

FreeBSD 10.1 x64 VM
   1024 MB RAM
   7 MB video RAM
   10 GB dynamic VDI
   PAE/NX, VT-x/AMD-V, Nested Paging
   Adapter 1: Intel PRO/1000 MT Desktop (Internal Network, 'AV')
   audio and USB disabled
   otherwise defaults

Debian 7.6 x64 workspace VM
   1024 MB RAM
   128 MB video RAM
   20 GB dynamic VDI
   PAE/NX, VT-x/AMD-V, Nested Paging
   Adapter 1: Intel PRO/1000 MT Desktop (Internal Network, 'AV')
   audio and USB disabled
   otherwise defaults
   legacy Gnome desktop
   installed openssh-server

Working in FreeBSD VM:

# portsnap fetch extract
# mkdir /usr/ports/packages
# cd /usr/ports/security/stunnel
# make config
   [x] DOCS
   [x] EXAMPLES
   [ ] FIPS
   [ ] IPV6
   [ ] LIBWRAP
   [x] SSL_PORT
   [ ] FORK
   [x] PTHREAD
   [ ] UCONTEXT
# make package-recursive
   [use default openssl-1.0.1_16 settings]
   [use default perl5-5.18.4_10 settings]
# cd /usr/ports/packages/All
# ls
   openssl-1.0.1_16.txz     pkg-1.3.8_3.txz
   perl5-5.18.4_10.txz      stunnel-5.07.txz
# sftp user@192.168.10.11  [Debian VM]
# put *
# exit
# shutdown -p now 

Working in Debian VM:

login pfSense webGUI
browse "Diagnostics: Command Prompt"
upload openssl-1.0.1_16.txz and move to /root/
upload pkg-1.3.8_3.txz and move to /root/
upload perl5-5.18.4_10.txz and move to /root/
upload stunnel-5.07.txz and move to /root/

Working in pfSense VM console:

: pkg install *.txz
   The package management tool is not yet installed on your system.
   Do you want to fetch and install it now? [y/N]: y
   ...
   New packages to be INSTALLED:
           openssl-1.0.1_16
           perl5-5.18.4_10
           stunnel: 5.07

   The process will require 61 MB more space.

   Proceed with this action? [y/N]: y
   [1/3] Installing openssl-1.0.1_16: 100%
   [2/3] Installing perl5-5.18.4_10: 100%
   makewhatis: not found
   makewhatis: not found
   pkg: POST-INSTALL script failed
   ===> Creating users and/or groups.
   Creating group 'stunnel' with gid '341'.
   Creating user 'stunnel' with uid '341'.
   [3/3] Installing stunnel-5.07: 100%
   Message for openssl-1.0.1_16:
    Copy /usr/local/openssl/openssl.cnf.sample to /usr/local/openssl/openssl.cnf
    and edit it to fit your needs. [DON'T DO THAT. USE EXISTING openssl.cnf]
   Message for stunnel-5.07:
   ***************************************************************************
   To create and install a new certificate, type "make cert"

   And don't forget to check out the FAQ at http://www.stunnel.org/
   ***************************************************************************
: mkdir /usr/local/etc/stunnel/run
: chown stunnel:stunnel /usr/local/etc/stunnel/run
: chmod 0622 /usr/local/etc/stunnel/run 

Working in Debian VM:

login pfSense webGUI
browse "Diagnostics: Edit File"
browse "/usr/local/etc/stunnel/stunnel.conf-sample" and open to edit
save as "/usr/local/etc/stunnel/stunnel.conf"
replace content with this and save:
...................................
; create local jail
chroot = /usr/local/etc/stunnel/run

; set own UID and GID
setuid = stunnel
setgid = stunnel

client = yes
foreground = no
options = NO_SSLv2

[openvpn]
accept = 1413
connect = 178.248.30.133:443
TIMEOUTclose = 0
...................................
browse "/etc/defaults/rc.conf" and open to edit
add this at end and save:
.........................................................
stunnel_enable="YES"
stunnel_pid_file="/usr/local/etc/stunnel/run/stunnel.pid"
.........................................................

browse "Diagnostics: Command Prompt"
run "mv /usr/local/etc/rc.d/stunnel /usr/local/etc/rc.d/stunnel.sh"

Working in pfSense VM console:

hit "5" and "y" to reboot

Working in Debian VM:

login pfSense webGUI
browse "Status: System logs: General"
should see:
...................................................................................................
...
... php-fpm[243]: /rc.start_packages: Restarting/Starting all packages.
... kernel: done.
... stunnel: LOG5[34393318400]: stunnel 5.07 on amd64-portbld-freebsd10.1 platform
... stunnel: LOG5[34393318400]: Compiled/running with OpenSSL 1.0.1j 15 Oct 2014
... stunnel: LOG5[34393318400]: Threading:PTHREAD Sockets:POLL,IPv4 SSL:ENGINE,OCSP
... stunnel: LOG5[34393318400]: Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
... stunnel: LOG5[34393318400]: UTF-8 byte order mark not detected
... stunnel: LOG5[34393318400]: Configuration successful
...
...................................................................................................

browse "System: General Setup"
   specify desired third-party DNS servers on WAN_DHCP
   [x] Do not use the DNS Forwarder as a DNS server for the firewall
browse "Services: DNS Forwarder"
   [ ] Enable DNS forwarder
browse "System: Advanced: Networking"
   [ ] Allow IPv6
   [x] Prefer to use IPv4 even if IPv6 is available
browse "System: Advanced: Miscellaneous"
   [x] Skip rules when gateway is down
   [x] Enable gateway monitoring debug logging     
browse "System: Certificate Authority Manager"
   add ca.crt
browse "System: Certificate Manager"
   add client.crt|client.key
browse "VPN: OpenVPN: Client"
   Protocol: TCP
   Interface: Localhost
   Server host or address: 127.0.0.1
   Server port: 1413
   Server host name resolution: don't "Infinitely resolve server"
   Encryption algorithm: AES-256-CBC
   Compression: Disabled - No Compression
   Disable IPv6: Don't forward IPv6 traffic
   Advanced: persist-key;persist-tun;remote-cert-tls server;
      route 178.248.30.133 255.255.255.255 net_gateway
Verbosity level: 5

browse "Status: System logs: General"
should see:
...................................................................................................
...
... openvpn[86987]: [server] Peer Connection Initiated with [AF_INET]127.0.0.1:1413
... openvpn[86987]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
... openvpn[86987]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,
    dhcp-option DNS 10.50.0.1,comp-lzo no,route 10.50.0.1,topology net30,ping 10,
    ping-restart 60,ifconfig 10.50.2.74 10.50.2.73'
...
... openvpn[86987]: /sbin/ifconfig ovpnc1 10.50.2.74 10.50.2.73 mtu 1500 netmask
    255.255.255.255 up
... openvpn[86987]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1560 10.50.2.74 10.50.2.73 init
... openvpn[86987]: /sbin/route add -net 127.0.0.1 10.0.2.2 255.255.255.255
... openvpn[86987]: /sbin/route add -net 0.0.0.0 10.50.2.73 128.0.0.0
... openvpn[86987]: /sbin/route add -net 128.0.0.0 10.50.2.73 128.0.0.0
... openvpn[86987]: /sbin/route add -net 178.248.30.133 10.0.2.2 255.255.255.255
... openvpn[86987]: /sbin/route add -net 10.50.0.1 10.50.2.73 255.255.255.255
... openvpn[86987]: Initialization Sequence Completed
...................................................................................................

browse "Services: DHCP Server"
   set 10.50.0.1 as DNS server
browse "Interfaces: Assign Network Ports"
   add OPT1
browse "Interfaces: OPT1"
   enable and rename "AIRVPN"
browse "Firewall: NAT: Outbound"
   select "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)"
   save and apply changes
   leave localhost rules alone
      "Auto created rule for ISAKMP - localhost to WAN"
      "Auto created rule - localhost to WAN"
   change interface for LAN rules from WAN to AIRVPN
      "Rule for ISAKMP - LAN to AIRVPN"
      "Rule - LAN to AIRVPN"
   apply changes
browse "Firewall: Rules: LAN"
   delete IPv6 rule
   edit IPv4 rule
      specify AIRVPN_VPNV4 as Gateway
      rename as "Allow LAN to any rule via AIRVPN_VPNV4"
   apply changes

Working in pfSense VM console:

hit "5" and "y" to reboot

Working in Debian VM:

login pfSense webGUI
browse "Status: OpenVPN"
should see that Client TCP is up

Done

 

Edit: I've added rules on WAN, and required aliases.

 

Aliases are needed for three types of outbound traffic: 1) the DNS server IPs specified in “System: General Setup”; 2) the pfSense NTP server hostname specified in “System: General Setup”; and 3) the connect server IP specified in the Stunnel configuration. In Firewall: Aliases: IP, create three aliases, using the + button to add the values:

Name    Values                         Description
dnssvr  208.67.220.220 208.67.222.222  DNS server IP addresses
ntpsvr  0.pfsense.pool.ntp.org         default pfSense NTP server
sslsvr  178.248.30.133                 Stunnel server 

Using these aliases, you then add rules for the WAN interface to pass necessary outbound traffic, and then a final rule to block everything else. In "Firewall: Rules: WAN", create these rules, specifying “Single host or address” for the pass rules:

Action  TCP/IP Proto  Source      Port  Dest   Port  Gateway  Queue  Description
pass    IPv4 TCP/UDP  WAN address *     dnssvr *     *        none   Allow to DNS servers
pass    IPv4 UDP      WAN address *     ntpsvr *     *        none   Allow to NTP server
pass    IPv4 TCP/UDP  WAN address *     sslsvr *     *        none   Allow to SSL server
block   IPv4 *        WAN address *     *      *     *        none   Block all other IPv4
block   IPv6 *        WAN address *     *      *     *        none   Block all IPv6 

Then reboot from the console window, by entering 5 and then y to confirm.
 

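The stunnel.conf posted above drops privileges and chroots, but as written it never authenticates the stunnel server (no verify / CAfile) and "accept = 1413" listens on every interface rather than only on loopback. The following POSIX sh script is an added example, not part of the original post or of the stunnel project: it parses a stunnel client config (global section plus [service] sections, with ";" comments), lints it for the properties this setup relies on, and runs the posted config beside a hardened variant. The CA file path "/usr/local/etc/stunnel/ca.crt" is an assumed placeholder for a CA that signs the stunnel server's certificate.

```shell
#!/bin/sh
# Added example (not from the thread): lint a stunnel *client* configuration
# for the properties this setup depends on, and compare the posted config with
# a hardened variant. Assumption: "/usr/local/etc/stunnel/ca.crt" is a
# placeholder for a CA file that signs the stunnel server's certificate.

# Print the value of "key = value" from section $2 of stunnel.conf $1
# ("" = the global section before the first [service]); prints nothing if unset.
stunnel_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*;/ { next }                                  # ; comment lines
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key && sec == want) { print v; exit }
        }' "$1"
}

# Service-level settings override global ones in stunnel; look up accordingly.
stunnel_opt() {
    v=$(stunnel_get "$1" "$2" "$3")
    [ -n "$v" ] || v=$(stunnel_get "$1" "" "$3")
    printf '%s\n' "$v"
}

# Check one client config ($1) and service ($2); print each problem found
# and return 1 if there were any.
stunnel_lint() {
    cfg=$1 svc=$2 bad=0
    [ "$(stunnel_opt "$cfg" "$svc" client)" = "yes" ] || { echo "client = yes is missing"; bad=1; }
    for k in chroot setuid setgid; do
        [ -n "$(stunnel_get "$cfg" "" "$k")" ] || { echo "$k is not set (no privilege drop)"; bad=1; }
    done
    # Without verify + CAfile the stunnel client accepts any server certificate:
    # the outer TLS layer then hides the traffic but does not authenticate the
    # far end; only the inner OpenVPN (remote-cert-tls server) does.
    case "$(stunnel_opt "$cfg" "$svc" verify)" in
        2|3) [ -n "$(stunnel_opt "$cfg" "$svc" CAfile)" ] || { echo "verify set but CAfile missing"; bad=1; } ;;
        *) echo "verify is not 2 or higher: server certificate is not checked"; bad=1 ;;
    esac
    # "accept = 1413" listens on every interface; only the local OpenVPN needs it.
    case "$(stunnel_opt "$cfg" "$svc" accept)" in
        127.0.0.1:*) ;;
        *) echo "accept is not bound to 127.0.0.1"; bad=1 ;;
    esac
    return $bad
}

# The configuration posted in the thread (values exactly as posted).
write_posted_conf() {
    cat > "$1" <<'EOF'
; create local jail
chroot = /usr/local/etc/stunnel/run
; set own UID and GID
setuid = stunnel
setgid = stunnel
client = yes
foreground = no
options = NO_SSLv2

[openvpn]
accept = 1413
connect = 178.248.30.133:443
TIMEOUTclose = 0
EOF
}

# Hardened variant: loopback-only listener, SSLv3 also disabled, and the
# server certificate verified against a CA file (placeholder path, assumed).
write_hardened_conf() {
    cat > "$1" <<'EOF'
chroot = /usr/local/etc/stunnel/run
setuid = stunnel
setgid = stunnel
client = yes
foreground = no
options = NO_SSLv2
options = NO_SSLv3

[openvpn]
accept = 127.0.0.1:1413
connect = 178.248.30.133:443
verify = 2
CAfile = /usr/local/etc/stunnel/ca.crt
TIMEOUTclose = 0
EOF
}

# Usage: sh stunnel_lint.sh  (writes both sample configs to a temp dir and lints them)
tmp=$(mktemp -d)
write_posted_conf "$tmp/posted.conf"
write_hardened_conf "$tmp/hardened.conf"
for f in "$tmp/posted.conf" "$tmp/hardened.conf"; do
    echo "== $f"
    if stunnel_lint "$f" openvpn; then echo "OK"; else echo "NEEDS ATTENTION"; fi
done
rm -rf "$tmp"
```

Run against the real file with `stunnel_lint /usr/local/etc/stunnel/stunnel.conf openvpn` after sourcing the script. The posted config trips two checks (no server certificate verification, listener not bound to loopback); the hardened variant passes. Whether verify = 2 works against a given stunnel server depends on its certificate chain, which is why the CA path is marked as an assumption.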
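The OpenVPN log excerpt above shows why the "route 178.248.30.133 255.255.255.255 net_gateway" line in the Advanced options matters: OpenVPN's "remote" is 127.0.0.1, so redirect-gateway def1 pins a host route for 127.0.0.1 (useless, since loopback is local) and knows nothing about the real stunnel endpoint. Without the explicit route, the pushed 0.0.0.0/1 and 128.0.0.0/1 routes would send the TCP session carrying the tunnel into the tunnel itself. This POSIX sh script is an added example (not from the original post or from OpenVPN): it reads the log, extracts the tunnel gateway from the pushed "ifconfig" option, and checks that the stunnel server's host route points at the physical gateway. The sample log lines are constructed from the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read the OpenVPN client log after the
# tunnel comes up and confirm that (a) redirect-gateway def1 is in effect and
# (b) the stunnel endpoint keeps a host route via the physical gateway, so the
# TCP session carrying the tunnel is not routed into the tunnel itself.

# Tunnel gateway = second address of the pushed "ifconfig local remote" option.
ovpn_tunnel_gateway() {
    awk '/PUSH_REPLY/ && match($0, /ifconfig [0-9.]+ [0-9.]+/) {
            split(substr($0, RSTART, RLENGTH), a, " "); print a[3]; exit }' "$1"
}

# Report on the routes OpenVPN installed; exit status 1 if any check fails.
# $1 = log file, $2 = stunnel server IP (the "connect" host in stunnel.conf)
ovpn_route_report() {
    awk -v srv="$2" '
        BEGIN { fail = 0 }
        /PUSH_REPLY/ && match($0, /ifconfig [0-9.]+ [0-9.]+/) {
            split(substr($0, RSTART, RLENGTH), a, " "); tun = a[3]
        }
        /\/sbin\/route add -net / {        # ... route add -net DEST GW MASK
            for (i = 1; i <= NF; i++) if ($i == "-net") rt[$(i+1) "/" $(i+3)] = $(i+2)
        }
        /Initialization Sequence Completed/ { done = 1 }
        END {
            if (tun == "") { print "FAIL: no ifconfig option in PUSH_REPLY"; exit 1 }
            print "tunnel gateway: " tun
            if (rt["0.0.0.0/128.0.0.0"] == tun && rt["128.0.0.0/128.0.0.0"] == tun)
                print "OK: redirect-gateway def1 active (0/1 and 128/1 via " tun ")"
            else { print "FAIL: default route halves are not via the tunnel"; fail = 1 }
            gw = rt[srv "/255.255.255.255"]
            if (gw == "") { print "FAIL: no host route for stunnel server " srv; fail = 1 }
            else if (gw == tun) { print "FAIL: " srv " is routed into the tunnel (loop)"; fail = 1 }
            else print "OK: " srv " pinned via physical gateway " gw
            if (("127.0.0.1/255.255.255.255") in rt)
                print "note: def1 pinned 127.0.0.1 (the OpenVPN remote), not the real endpoint"
            if (!done) { print "FAIL: initialization did not complete"; fail = 1 }
            exit fail
        }' "$1"
}

# Constructed sample log, mirroring the lines quoted in the thread (one per line).
write_sample_log() {
    cat > "$1" <<'EOF'
Dec  1 12:00:00 pfSense openvpn[86987]: [server] Peer Connection Initiated with [AF_INET]127.0.0.1:1413
Dec  1 12:00:01 pfSense openvpn[86987]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.50.0.1,comp-lzo no,route 10.50.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.50.2.74 10.50.2.73'
Dec  1 12:00:01 pfSense openvpn[86987]: /sbin/ifconfig ovpnc1 10.50.2.74 10.50.2.73 mtu 1500 netmask 255.255.255.255 up
Dec  1 12:00:01 pfSense openvpn[86987]: /sbin/route add -net 127.0.0.1 10.0.2.2 255.255.255.255
Dec  1 12:00:01 pfSense openvpn[86987]: /sbin/route add -net 0.0.0.0 10.50.2.73 128.0.0.0
Dec  1 12:00:01 pfSense openvpn[86987]: /sbin/route add -net 128.0.0.0 10.50.2.73 128.0.0.0
Dec  1 12:00:01 pfSense openvpn[86987]: /sbin/route add -net 178.248.30.133 10.0.2.2 255.255.255.255
Dec  1 12:00:01 pfSense openvpn[86987]: /sbin/route add -net 10.50.0.1 10.50.2.73 255.255.255.255
Dec  1 12:00:02 pfSense openvpn[86987]: Initialization Sequence Completed
EOF
}

# Usage: sh ovpn_route_check.sh <saved system log> 178.248.30.133
# With no arguments it runs against the constructed sample above.
if [ $# -eq 2 ]; then
    ovpn_route_report "$1" "$2"
else
    tmp=$(mktemp -d); write_sample_log "$tmp/openvpn.log"
    ovpn_route_report "$tmp/openvpn.log" 178.248.30.133
    rm -rf "$tmp"
fi
```

On the sample, the report shows the tunnel gateway 10.50.2.73, both default halves via it, and 178.248.30.133 pinned via 10.0.2.2 (the VirtualBox NAT gateway that is net_gateway here). Removing the "route add -net 178.248.30.133" line, or pointing it at the tunnel gateway, makes the check fail, which is the condition the WAN block rules and the net_gateway route together are meant to prevent.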

Your guide is good but there are a few things you might want to mark as completely optional, since they are not required to complete those steps,

such as your other FreeBSD VM and the Debian VM.

I think some users will be confused why they need all those VMs for such a simple task.

 

On pfSense 2.2 x64 (Snapshot from 01-Dec) you can install the stunnel package from the official package manager in the GUI :

 


 

Then, all you have to do is download the config files from the config generator, upload them to pfSense and add a new startup script with the following:

 

stunnel /root/airvpn.ssl  <- that is what you download from the config generator.

 

Then you have to make sure it is working, just in case:

 

[2.2-BETA][admin@pfSense.priv]/usr/pbi/bin: nc -vvv 127.0.0.1 1413
Connection to 127.0.0.1 1413 port [tcp/innosys-acl] succeeded!
 
 
That's it, all you have to do now is to change the OpenVPN config (which has a great guide in another thread) to TCP 127.0.0.1 1413.
 
 
Regards

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


In my experience, there's something broken with the stunnel package in the pfSense repo, even in pfSense 2.2-BETA. It can be installed and configured, but doesn't start after rebooting. Also, it's better to make the stunnel-5.07 package with the SSL_PORT flag enabled, in order to get the latest OpenSSL version.


Dear administrators, could you help me set up pfsense with stunnel?

