Thursday, May 15, 2008

pfSense: OpenVPN overview

There's a really good tutorial available on the pfSense wiki that I followed to get OpenVPN working properly. It walks you through configuration, creating the certificates, installing the client, etc. That said, if you don't have any prior experience with OpenVPN, or your only VPN experience is PPTP, then there are some things to keep in mind when using OpenVPN with pfSense.

As of pfSense 1.2-RELEASE, connection management for OpenVPN is based on certificates (or a pre-shared key) generated with the OpenVPN tools that you install on your local workstation. Unfortunately there is no key management built into this release of pfSense, which makes "user or connection management" a bit of a challenge.

You download OpenVPN, use the easy-rsa scripts bundled with it to create a CA and the client certificates on your workstation, and then paste the certificates into pfSense. You can then revoke certificates using the certificate revocation list (CRL) from the pfSense management console (VPN>OpenVPN>CRL), remembering that pfSense only knows about the CRL you paste in, so the list has to be regenerated and pasted again after every revocation. And this works just fine.

The problem with it is that it doesn't scale very well. For instance, most of my clients are running XP Pro or Vista. All have Active Directory in place, and existing user accounts. For me to deploy OpenVPN throughout my organization, or throughout our clients' organizations, it would be a substantial task. We'd have to create certificates for all users, deploy the OpenVPN GUI client via a script to our XP Pro systems, and then use scripts or GPOs to push out certificates on a per-user basis. So right now, the lack of key management within the interface is a limiting factor, along with the infrastructure we have to deploy to make OpenVPN just work in the same way our existing solution just works. For now, we'll plan to use OpenVPN selectively for employees that need to connect from sites where outbound PPTP is being blocked. Note that PPTP needs both TCP port 1723 and GRE (IP protocol 47) to pass, and it is usually GRE that hotel and guest networks drop; OpenVPN rides on a single UDP or TCP port and can be moved to TCP 443 if nothing else gets through. PPTP's MS-CHAPv2 authentication is also cryptographically weak, which is a second reason to treat OpenVPN as the direction to move in rather than a stop-gap.
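The certificate workflow above, reduced to plain openssl commands, as an added example that is not from the pfSense wiki tutorial, from easy-rsa or from pfSense itself: it builds a CA, issues one certificate per user, revokes one user, regenerates the CRL, and checks each certificate against the CRL the way the OpenVPN server does. The directory layout, the CA name and the user names alice and bob are assumptions; easy-rsa produces the same files in its own layout. It needs an openssl binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example (not from the pfSense wiki or pfSense itself): a minimal CA for
# OpenVPN client certificates using plain openssl, doing what easy-rsa does.
# Assumptions: openssl 1.1.1+ on PATH; the directory layout, the CA name and
# the user names "alice"/"bob" are made up for this example.
set -eu

# Write the openssl.cnf that "openssl ca" needs, plus its bookkeeping files.
write_cnf() {
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"          # certificate database, empty to start
  echo 01 > "$dir/serial"       # next certificate serial number
  echo 01 > "$dir/crlnumber"    # next CRL number
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = client_ext
[ policy_any ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Create the CA key and self-signed CA certificate (ca.crt is what pfSense gets).
build_ca() {
  write_cnf "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$1/openssl.cnf" -extensions ca_ext \
    -subj "/CN=Example OpenVPN CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue one client certificate per user: key + CSR, then sign with the CA.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$1/openssl.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$1/openssl.cnf" \
    -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# (Re)generate the CRL from the database. This is the text pasted into
# VPN > OpenVPN > CRL, and it must be regenerated after every revocation.
gen_crl() {
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# Mark a user's certificate revoked and publish a fresh CRL.
revoke_client() {
  openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" 2>/dev/null
  gen_crl "$1"
}

# The check the OpenVPN server performs on a connecting client: the certificate
# chains to the CA and is not on the CRL. Exit status 0 = accept, else reject.
check_client() {
  openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" -crl_check \
    "$1/$2.crt" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  build_ca "$d"
  issue_client "$d" alice
  issue_client "$d" bob
  gen_crl "$d"
  check_client "$d" alice && echo "alice: accepted"
  revoke_client "$d" alice
  check_client "$d" alice || echo "alice: rejected (on CRL)"
  check_client "$d" bob && echo "bob: still accepted"
  echo "files in $d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh ca.sh demo`. Two practitioner notes: the CRL carries a next-update date (`default_crl_days` here, 30 days), so it has to be regenerated and re-pasted before that passes even when nobody was revoked; and `index.txt` plus `serial` are the whole state of the CA, so they, and `ca.key`, are what has to be backed up and kept off the workstation of whoever happens to have run the scripts.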

That said, I understand that OpenVPN is a priority for the pfSense team and that it's likely we'll see some improvements around key-management in the near future.


saqi said...

Really looking forward to a pfsense openvpn web based key management section

RoBeRt JohN said... Do you know how to generate the certificate? I want to deploy OpenVPN in 2 different sites. Thanks.