Thursday, May 15, 2008

pfSense: OpenVPN overview

There's a really good tutorial available on the pfSense wiki that I followed to get OpenVPN working properly. It walks you through configuration, creating the certificates, installing the client, etc. That said, if you don't have any prior experience with OpenVPN, or your only VPN experience is PPTP, then there are some things to keep in mind when using OpenVPN with pfSense.

As of pfSense 1.2-RELEASE, connection management to OpenVPN is based on certificates (or a pre-shared key) generated by OpenVPN tools that you install on your local workstation. Unfortunately there is no key management built into this release of pfSense, making the concept of “user or connection management” a bit of a challenge.

You download the OpenVPN source, create certificates from your workstation, and then add the certificates into pfSense. You can then revoke certificates using the certificate revocation list (CRL) from the pfSense management console (VPN>OpenVPN>CRL). And this works just fine. The problem with it is that it doesn't scale very well. For instance, most of my clients are running XP Pro or Vista. All have Active Directory in place, and existing user accounts. For me to deploy OpenVPN throughout my organization, or throughout our clients' organizations, would be a substantial task. We'd have to create certificates for all users, deploy OpenVPN GUI clients via a script to our XP Pro systems, and then use scripts or GPOs to push out certificates on a per-user basis. So right now, the lack of key management within the interface is a limiting factor – well that, and the infrastructure we'd have to deploy to make OpenVPN just work, in the same way our existing solution just works. For now, we'll plan to use OpenVPN selectively for employees who need to connect from sites where outbound PPTP ports are being blocked.

That said, I understand that OpenVPN is a priority for the pfSense team and that it's likely we'll see some improvements around key-management in the near future.

Friday, May 09, 2008

pfSense: Configure captive portal

The captive portal in pfSense lets you provide restricted internet access to guests via a web-portal that prompts them to type a username and password. It looks and feels very similar to what you find in Wi-Fi hotspots, hotels, business centers, and coffee shops around the world.

In short, here’s how it works… you configure the captive portal in pfSense, hang some open access points off of it, and have pfSense hand out IPs to anyone who connects. Guests (contractors, stakeholders, etc.) arrive at your office, see the open APs and associate with them. They get an IP, and as soon as they try to browse the internet, DNS resolves their request to a portal for authentication. They authenticate, and now they can access the internet… segmented off of your business LAN.

Now, this isn’t quite the same thing as NAP, but beyond pfSense there’s no infrastructure investment, a limited configuration effort, and it makes life better for everyone.

Configuration in pfSense is pretty straightforward. There’s a video tutorial on the wiki, and my short how-to below.

In pfSense do the following:

  1. Interfaces>Add new interface
  2. Interfaces>OPT1 (new interface)
  3. Optional Interface Configuration>Enable
  4. IP Configuration>Assign an IP address on a new subnet (e.g. 192.168.177.1/24)
  5. No gateway – allow it to use the next hop, then save.
  6. Services>Captive Portal
  7. Enable Captive Portal, On.
  8. Put in the appropriate interface (e.g. OPT1)
  9. Assign a hard timeout that’s appropriate
  10. Use Local User Manager (or RADIUS if you’d prefer), save. Click Users, add a guest account.
  11. Services>DHCP server, and switch to the correct interface tab. Have it hand out IPs in a range that makes sense… 192.168.177-192.168.177.250. Click Save.

You’re good to go… just hook up a test system to the captive portal segment, and verify connectivity.

Thursday, May 08, 2008

pfSense: media and mediaopt settings are not taking effect

I did run into a small problem my first time through with the 10MB full-duplex change on my WAN interface. At the time I was using a generic (non-Intel) NIC, and found that the XML setting change wasn’t taking effect, even through a reboot. I ended up needing to SSH into the box, open a shell, and execute the following command:

ifconfig dc0 media 10baseT/UTP mediaopt full-duplex

Where dc0 was my WAN interface (click Status, Interfaces to verify you’re setting the right interface). If you find yourself in this situation though – go back and check what type of NIC you have. I would suggest replacing it with an Intel NIC, or at the very least something else on the FreeBSD list of supported Ethernet devices.

Wednesday, May 07, 2008

pfSense: Editing /conf/config.xml file

The ISP's internet connection terminates on a port that expects a 10MB full-duplex device to be plugged into it. The WAN interface on our pfSense box is a 10/100 NIC, and when I uplinked it without making any configuration changes I found that I was only getting about 25% of the capacity I was expecting. The only way to force the WAN interface to 10MB/full-duplex is via the /conf/config.xml file. There are two ways to edit this… one is using vi from SSH.

To enable SSH do this from the pfSense web-interface:
Click System>Advanced>Secure Shell, Enable Secure Shell

Even if you prefer to use the pfSense web-interface to edit your config.xml file (make a backup copy first), the shell came in handy a few times throughout my configuration process. The other option to edit the config file is using the editor in the pfSense web-interface.

The editor is available here:
Diagnostics>Edit File. The Load/Save path is “/conf/config.xml”.

Scroll down until you find the tag for the WAN interface. Then remove the lines that start with <media/> and <mediaopt/> and replace them with ones that say this:

<media>10baseT/UTP</media>
<mediaopt>full-duplex</mediaopt>


Then click Save. You can check to see if this took effect by clicking Status, Interfaces. The WAN interface should now read “10baseT/UTP”. This change should take effect immediately – if not, give the box a reboot (Diagnostics>Reboot System).
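As an added example (not code from the original post), here is a small Python script that makes the same two-tag edit on a config.xml copy, taking the backup first as recommended above. The `<interfaces><wan>` layout of the constructed sample is an assumption based on how pfSense lays out its config file; `set_interface_media` and the other function names are mine.

```python
import shutil
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of a pfSense 1.2 config.xml (assumed layout);
# the real file has many more sections, but the edit only touches <interfaces><wan>.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan>
      <if>dc0</if>
      <media/>
      <mediaopt/>
    </wan>
    <lan>
      <media/>
      <mediaopt/>
    </lan>
  </interfaces>
</pfsense>
"""

def set_interface_media(root, iface, media, mediaopt):
    """Set <media>/<mediaopt> under <interfaces><iface>, creating them if absent."""
    node = root.find(f"interfaces/{iface}")
    if node is None:
        raise KeyError(f"no <{iface}> section under <interfaces>")
    for tag, value in (("media", media), ("mediaopt", mediaopt)):
        elem = node.find(tag)
        if elem is None:
            elem = ET.SubElement(node, tag)
        elem.text = value

def media_of(xml_text, iface):
    """Read back (media, mediaopt) for one interface; '' means the tag is empty."""
    node = ET.fromstring(xml_text).find(f"interfaces/{iface}")
    return node.findtext("media"), node.findtext("mediaopt")

def force_wan_media_text(xml_text, media="10baseT/UTP", mediaopt="full-duplex"):
    """Return the config text with the WAN interface pinned to the given media."""
    root = ET.fromstring(xml_text)
    set_interface_media(root, "wan", media, mediaopt)
    return ET.tostring(root, encoding="unicode")

def force_wan_media_file(path, media="10baseT/UTP", mediaopt="full-duplex"):
    """Same edit on a file: copy it to <path>.bak first, then rewrite it in place."""
    shutil.copy2(path, path + ".bak")
    tree = ET.parse(path)
    set_interface_media(tree.getroot(), "wan", media, mediaopt)
    tree.write(path, xml_declaration=True)
```

Run it against a config.xml pulled down with Diagnostics>Backup/Restore rather than on the live file, then upload the result; the LAN section is left untouched.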

Monday, May 05, 2008

Firewall: pfSense exceeds my expectations

We recently upgraded our internet connection; going from a strained half-duplex DSL connection for our rapidly growing business, to a 10Mb full-duplex, SONET-based fiber optic connection. So the question naturally becomes – will the existing firewall support the new internet connection (unfortunately it won't), and what type of firewall should we get?

Like most of you, I’ve had the chance to work with a wide range of firewall products… everything from the typical SMB-fare… like Sonicwall and Snapgear, to products such as the Cisco PIX/ASA, Checkpoint appliances, and others (Microsoft ISA of course). What do I like? Well, it really depends on the situation. In general, I’m a fan of Cyberguard’s Snapgear line for the SMB-segment. In my current situation though, the need was for something that we could get up and running in short order, was very configurable, supported connection failover, had some good built-in graphing and logging… and that wasn’t very expensive. That last requirement is important – no need to burn through budget on overhead when we could be investing in something else that would drive revenue.

So, after looking at the usual suspects we added products from Fortigate, Astaro, and pfSense to the list. Having just been through the evaluation exercise, I really think Astaro has a slick product – but fully configured it’s expensive. pfSense on the other hand is an open-source project (based on FreeBSD) that more closely meets our needs. Specifically, it does everything our existing firewall does – except it does most of it better. It’s free. It has RRD-based graphing, which I’m a fan of (replacing the tapped NTOP-based monitoring solution I had in-place). It also has some nice features that we're already taking advantage of, including the captive portal, traffic shaping, and one-touch add-ons (like IDS - though we're not doing this on the firewall yet).

The initial deployment went off without incident, and I’m in the process of putting together a warm spare - which may end up being a backup for Active-Passive failover. I plan to post more of the learnings that came out of working with pfSense in my test environment in the near future.

Thursday, May 01, 2008

SBS - Archive old log files, remove old snapshots, and free up space

Not cleaning up log files? New client out of space on their SBS server, awaiting the swing migration budget approval? Check these posts out…

http://blogs.technet.com/sbs/archive/2008/02/28/reclaiming-disk-space-lost-to-iis-logs-on-sbs-2003.aspx

http://www.tutorials-win.com/SBS/Safe-disk/

Also - if you've already disabled volume shadow copy, check on it and make sure it's not holding on to old snapshots unnecessarily. Open My Computer, right-click on the drive in question, go to shadow copies, and look at the "Used" column. If it reads some significant amount, and is disabled, click Settings, and change it to the minimum limit to clear out what's being stored and free up some capacity.

Saturday, March 29, 2008

Deki Wiki: Uploads larger than 2MB failing

Under 1.8.3c - after making the recommended changes to /etc/init.d/php.ini, and restarting apache2 and dekihost, and then attempting to upload a file greater than the php.ini default of 2M, the "Uploading" dialog box displayed the contents of the http://deki-hayes site - instead of the upload window or an error message. After refreshing the browser at http://deki-hayes, LDAP (AD) logins started failing.

I proceeded to modify memory_limit in the php.ini per this forum post. I actually specified 256M to see what would happen - then again restarted apache2 and dekihost - and now all is functioning normally. AD logins work, and I'm able to upload larger files.

Tuesday, March 18, 2008

Log events to the local application log

This script uses the LogEvent method to write an event to the local application log. In the below, the value of strResults would have been previously set.

' WScript.Shell exposes LogEvent; the first argument is the event type
' (0 = SUCCESS, 1 = ERROR, 2 = WARNING, 4 = INFORMATION)
Set WshShell = WScript.CreateObject("WScript.Shell")

' strResults is assumed to have been set earlier in the script
If strResults = "0" Then
    WshShell.LogEvent 0, "Condition 0 happened."
Else
    WshShell.LogEvent 1, "Condition 1 happened."
End If

Monday, February 25, 2008

Getting email links to Work with Deki Wiki and Exchange

As I've mentioned, we're running Deki Wiki 1.8.3c on Ubuntu 7.10 and we have an SBS/Exchange 2003 box serving as our SMTP server. In DekiWiki, whenever someone uses the “email link” functionality, we want the email that gets generated to be delivered to their Exchange mailbox. So, after getting LDAP integration configured properly, we looked at the email piece. In addition to the FAQ, there are some resources in the Deki Wiki forums.

If you’ve got a similar site configuration, you can do everything to get this working through either DekiWiki's Control Panel web interface, or through the LocalSettings.php file. Or, you could install a local MTA on Ubuntu like Exim4 - but it's not really necessary. Since we have an SMTP server in production, we're using PHPMailer, which is part of the DekiWiki pre-req install list... it passes messages through to the SMTP server. From Deki Wiki, go here:

  • Go to Tools>Control Panel>Configuration
  • admin/smtp-server: Exchange server IP address
  • mail/smtp-servers: Exchange server IP address (or mail.mydomain.com)
Note, you may need to add the "mail/smtp-servers" option in the control panel.

Saturday, February 23, 2008

Automating Restores for Deki Wiki

If you've got your backup script running for Deki Wiki, and stakeholders are busy adding knowledge - it might be time to build a test environment if you haven't already. After the backup of the production server runs, we're restoring the attachments, and .sql file to our test box. There are some obvious benefits of having a test environment, including...

  1. We have a tested and automated restore procedure that we know works because it happens every day
  2. A box on which we can test things without having to worry about breaking a production box

All you need to do is build out your test box following the same procedures as your production box, then modify your backup script to become a restore script like so... and then schedule the script to run as a cron job.


#!/bin/bash
set -e   # stop at the first failure rather than restoring a partial set of files
today="$(date +%a)"   # abbreviated weekday (Mon, Tue, ...), matching the backup file names

# mount the Windows share that holds the backups
# (sudo's -p option only sets the prompt text, it does not supply a password; run the job
# as root or with a sudoers entry so it does not block waiting for input under cron)
# note: credentials on the command line are visible to other local users via ps; smbmount's
# credentials= option and a ~/.my.cnf for mysql keep them out of the process list
sudo smbmount //server/share /mnt/subdir -o username=user,password=password,rw

# copy down today's database dump and attachments archive (path must match the mount point above)
cp "/mnt/subdir/$today.wikidb-backup.sql" /home/user/tmprestore
cp "/mnt/subdir/$today.attachments-backup.tar.gz" /home/user/tmprestore

# restore today's database and attachments
cd /home/user/tmprestore
sudo mysql -uroot -ppassword wikidb < "$today.wikidb-backup.sql"
cd /var/www/deki-hayes
sudo tar xvzpf "/home/user/tmprestore/$today.attachments-backup.tar.gz"