- Netgate Blog: DNS over TLS with pfSense
- http://dnssec.donnerhacke.de/
- https://www.kuketz-blog.de/empfehlungsecke/#dns
- https://www.heise.de/newsticker/meldung/Quad9-Datenschutzfreundliche-Alternative-zum-Google-DNS-3890741.html
Tag: pfSense
Build a list of IP Adresses to use it for a pfSense URL Table Alias
Since AnyDesk is not willing or able to provide a list with the IP adresses of their relay hosts and I wanted to test how URL table aliases in pfSense are working I have built this nobrainoneliner which I call via cron every ten minutes.
#!/bin/bash
# Variables
ANYDESKRELAYHOSTSFILE="filename.txt";
WEBDIR="/path/to/the/directory/where/the/file/is/stored";
# Here the magic happens
dig +noall +answer relays.net.anydesk.com | awk '{print $5}' > $WEBDIR/$ANYDESKRELAYHOSTSFILE;
exit 0;
simple site to site VPN with pfSense and OpenVPN
I just had to set up a simple site to site VPN between a site with a fixed IP (SITE-B) and a site with a dynamic IP (SITE-A). Both routers are running the ‘Community Edition’ of pfSense and are installed on PC Engines APU.1C4. I have followed the documentation at pfSense.org about how to configure a Site To Site VPN with OpenVPN to get the VPN up and running. Because some things aren’t documented there I will put up my own HowTo here. Please do yourself a favour and read the documentation at pfsense.org first because it explains things in more detail than I will do here.
This HowTo will guide you trough the setup of:
- An IPv4 ‘Site To Site VPN’ with OpenVPN on the pfSense platform (2.3.4 at time of writing) as seen in the schema above with the specific settings for the PC Engines APU hardware platform.
- The client will autoconnect to the server and (in the event of disconnection) reconnect automatically.
- The authentication between the client and the server will happen automatically via pre-shared key.
Sources:
Configure the OpenVPN server on SITE-B router
- Navigate to ‘VPN – OpenVPN‘
- On the ‘Servers‘-Tab click on the ‘+ Add‘-button to add a new server
- In the ‘General Information‘-section:
- Disable this server: ☐
- Server mode: Peer to Peer (Shared Key)
- Protocol: UDP
- Device Mode: tun
- Interface: set it to whatever external interface you want to have your OpenVPN server listening on. In my case this is ‘WAN‘.
- Local port: set it to the port you want the local OpenVPN server to listen on. Default is ‘1194‘.
- Description: Set an appropriate description e.g. ‘Site_To_Site-SITE-A_SITE_B‘
- In the ‘Cryptographic Settings‘-section:
- Automatically generate a shared key: ????
- Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
- Auth digest algorithm: RSA-SHA512 (512-bit)
- Hardware Crypto: No Hardware Crypto Acceleration (this is PC Engines APU specific, if your hardware has crypto support – enable it)
- In the ‘Tunnel Settings‘-Section:
- IPv4 Tunnel Network: 10.4.10.0/30 (this a very small subnet with 2 useable IP adresses since there is only one server and one client)
- IPv6 Tunnel Network: leave empty
- IPv4 Remote network(s): 10.3.2.0/24 (this is a comma separated list for all the networks you want to connect to on the client side (SITE A))
- IPv6 Remote network(s): leave empty
- Concurrent connections: 1
- Compression: Enabled with Adaptive Compression
- Type-of-Service: ☐ Set the TOS IP header value of tunnel packets to match the encapsulated packet value
- Duplicate Connection: ☐ Allow multiple concurrent connections from clients using the same Common Name
- Disable IPv6: ???? Don’t forward IPv6 traffic
- In the ‘Advanced Configuration‘-section:
- Custom options: leave empty
- Verbosity Level: default
- Click on ‘Save‘-button
You should now be forwarded to the list with your configured OpenVPN servers under ‘VPN – OpenVPN‘ on the ‘Servers‘-tab
- Click on the ‘Edit‘-button (the pencil) and leave this window open because we will need to copy the ‘Shared Key‘ from this form later.
Configure the OpenVPN client on SITE-A router
- Navigate to ‘VPN – OpenVPN‘
- Click the ‘Clients‘-tab
- On the ‘Clients‘-tab click the ‘+ Add‘-button to add a new OpenVPN client
- In the ‘General Information’-section:
- Disable this client: ☐
- Server mode: Peer to Peer (Shared Key)
- Protocol: UDP
- Device mode: tun
- Interface: Set to whatever external interface you want your OpenVPN client connect to the OpenVPN server at SITE-B. In my case this is ‘WAN‘.
- Local port: leave empty
- Server host or address: Set to the FQDN or IP address of the external SITE-B Interface. In this example it is ‘site-b.site-b.de‘.
- Server port: Set to the same port you have set in the server setup at SITE-B. Default is ‘1194‘.
- : leave empty
- : leave empty
- : none
- Infinitely resolve server: ????
- Description: Set an appropriate description e.g. ‘Site_To_Site-SITE-A_SITE_B‘
- In the ‘Cryptographic Settings‘-section:
- Peer Certificate Authority: nothing to do here
- Peer Certificate Revocation list: nothing to do here
- Automatically generate a shared key: ☐ – This will display a form field in which you can paste the key from the SITE-B server configuration.
Go back to SITE-B router. If you haven’t left the window open, navigate to ‘VPN – OpenVPN‘ and select the ‘Servers‘-tab, click on the ‘Edit‘-button (the pencil) next to the server you have created earlier
- In the ‘Cryptographic Settings‘-section:
- Copy everything from the ‘Shared key‘-field into your clipboard
Return to SITE-A OpenVPN client configuration
- In the ‘Cryptographic Settings‘-section:
- Paste the contents of your clipboard into the ‘Key‘-field
- Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
- Auth digest algorithm: RSA-SHA512 (512-bit)
- Hardware Crypto: No Hardware Crypto Acceleration (this is PC Engines APU specific, if you have hardware crypto – enable it)
- In the ‘Tunnel Settings‘-section:
- IPv4 Tunnel Network: 10.4.10.0/30
- IPv6 Tunnel Network: leave empty
- IPv4 Remote network(s): 10.4.2.0/24 (this is a comma separated list for all the networks you want to connect to on the server side (SITE B))
- IPv6 Remote network(s): leave empty
- Limit outgoing bandwidth: Set to whatever will fit your situation
- Compression: Enabled with Adaptive Compression
- Type-of-Service: ☐ Set the TOS IP header value of tunnel packets to match the encapsulated packet value
- Disable IPv6: ???? Don’t forward IPv6 traffic
- Don’t pull routes: ☐ Bars the server from adding routes to the client’s routing table
- Don’t add/remove routes: ☐ Don’t add or remove routes automatically
- In the ‘Advanced Configuration‘-section:
- Custom options: leave empty
- Verbosity Level: default
- Click on ‘Save‘-button
Assign an interface to the OpenVPN server on SITE-B
- Navigate to ‘Interfaces – (assign)‘
You will get a list of Interfaces which has a dropdown at the bottom end which is labeled ‘Available network ports‘
- Set ‘Available network ports‘ to ‘ovpns1 (your chosen description of your VPN)‘
- Click the ‘+ Add‘-button on the right
This will add a new Interface named ‘OPT<number>‘ to the list
- Click on ‘Save’-button
- Click on the name of the newly generated interface on the left (ususally the one with the highest trailing number)
This will open up the configuration for the interface which you have assigned to the OpenVPN server on SITE-B.
- In the ‘General Configuration‘-section
- enable interface: ????
- Description: STS_OPENVPN_S
- IPv4 Configuration Type: leave empty
- IPv6 Configuration Type: leave empty
- MAC Address: leave empty
- MTU: leave empty
- MSS: leave empty
- In the ‘Reserved Networks‘-section:
- Block private networks and loopback addresses: ☐
- Block bogon networks: ☐
- Click on ‘Save‘-button
- Click on ‘Apply Changes‘
Assign an interface to the OpenVPN client on SITE-A
- Navigate to ‘Interfaces – (assign)‘
You will get a list of Interfaces which has a dropdown at the bottom end which is labeled ‘Available network ports‘
- Set ‘Available network ports‘ to ‘ovpnc1 (your chosen description of your VPN)‘
- Click the ‘+ Add‘-button on the right
This will add a new Interface named ‘OPT<number>‘ to the list
- Click on ‘Save’-button
- Click on the name of the newly generated interface on the left (ususally the one with the highest trailing number)
This will open up the configuration for the interface which you have assigned to the OpenVPN server on SITE-B.
- In the ‘General Configuration‘-section
- enable interface: ????
- Description: STS_OPENVPN_C
- IPv4 Configuration Type: leave empty
- IPv6 Configuration Type: leave empty
- MAC Address: leave empty
- MTU: leave empty
- MSS: leave empty
- In the ‘Reserverd Networks‘-section:
- Block private networks and loopback addresses: ☐
- Block bogon networks: ☐
- Click on ‘Save‘-button
- Click on ‘Apply Changes‘
Firewall rules on SITE-B router
Before proceeding, please have a look at this comment. Usually it makes more sense to put the firewall rules on the individual VPN-Interface.
Now, to allow traffic to the OpenVPN server, a rule has to be added to the firewall on SITE-B router .
- Navigate to ‘Firewall – Rules‘
- Select the ‘WAN‘-tab
- Click the left ‘Add‘-button to add a rule to the top of the list
- In the ‘Edit Firewall Rule‘-section:
- Action: Pass
- Disable this rule: ☐
- Interface: WAN
- Address Family: IPv4
- Protocol: UDP
- In the ‘Source‘-section:
- Invert match:
- Dropdown: any
- In the ‘Destination‘-section:
- Invert match: ☐
- Dropdown: WAN address
- Destination Port Range: select OpenVPN (1194) in the left dropdown (that will also set the other dropdown to the same option
- In the ‘Extra Options‘-section:
- Log packets that are handled by this rule: ☐
- Description: Set an appropriate description like ‘ALLOW ANY to WAN ADDRESS:1194 (OpenVPN – SITE-A/SITE-B)‘
- Click the ‘Save‘-button
- Click ‘Apply Changes‘
Then add a firewall rule to allow traffic to pass through the tunnel.
- Stay at ‘Firewall – Rules‘
- Select the ‘OpenVPN‘-tab
- Click the left ‘Add‘-button to add a rule to the top of the list
- In the ‘Edit Firewall Rule‘-section:
- Action: Pass
- Disable this rule: ☐
- Interface: OpenVPN
- Address Family: IPv4
- Protocol: Any
- In the ‘Source‘-section:
- Invert match: ☐
- Dropdown: any
- In the ‘Destination‘-section:
- Invert match: ☐
- Dropdown: any
- In the ‘Extra Options‘-section:
- Log: ☐ Log packets that are handled by this rule
- Description: Set an appropriate description like ‘ALLOW ANY TO ANY on OPENVPN‘
- Click the ‘Save‘-button
- Click ‘Apply Changes‘
Firewall rule on SITE-A router
Before proceeding, please have a look at this comment. Usually it makes more sense to put the firewall rules on the individual VPN-Interface.
On SITE-A router a firewall rule to allow traffic to pass through the tunnel has to be added.
- Navigate to ‘Firewall – Rules‘
- Select the ‘OpenVPN‘-tab
- Click the left ‘Add‘-button to add a rule to the top of the list
- In the ‘Edit Firewall Rule‘-section:
- Action: Pass
- Disable this rule: ☐
- Interface: OpenVPN
- Address Family: IPv4
- Protocol: Any
- In the ‘Source‘-section:
- Invert match: ☐
- Dropdown: any
- In the ‘Destination‘-section:
- Invert match: ☐
- Dropdown: any
- In the ‘Extra Options‘-section:
- Log: ☐ Log packets that are handled by this rule
- Description: Set an appropriate description for the rule like ‘ALLOW ANY TO ANY on OPENVPN‘
- Click the ‘Save‘-button
- Click ‘Apply Changes‘
Restart OpenVPN service at SITE-B
- Navigate to ‘Status – OpenVPN‘
- In the ‘Peer to Peer Server Instance Statistics‘-section:
- Find the entry named ‘Site_To_Site-SITE-A_SITE_B UDP:1194‘ and click the ‘Restart openvpn Service‘-icon in the ‘Service‘-column
Restart OpenVPN service at SITE-A
- Navigate to ‘Status – OpenVPN‘
- In the ‘Client Instance Statistics‘-section:
- Find the entry named ‘Site_To_Site-SITE-A_SITE_B UDP‘ and click the ‘Restart openvpn Service‘-icon in the ‘Service‘-column
remote logging with rsyslogd
- http://www.rsyslog.com/doc/rsconf1_allowedsender.html
- http://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/
- https://doc.pfsense.org/index.php/Copying_Logs_to_a_Remote_Host_with_Syslog
- https://devops.profitbricks.com/tutorials/configure-remote-logging-with-rsyslog/
pfSense: Install pfSense on PC Engines APU.1C4
This information is outdated. I have done a fresh install on a new device with 2.2.3 and now you have to use the installer. Boot from a USB-stick, press “I” during bootup to invoke the installer and just walk through the installation process.
How to fail and recover:
I have had some troubles to install pfSense on the new PC Engines APU.1C4. I have tried to dd the image directly to the mSATA-disk and somehow managed to wreck the BSD-disklabel by doing this.
The pfSense installer was then throwing messages like the following, stopped and threw me back to a shell.
Jul 19 10:29:17 pfsense kernel: GEOM: da1: geometry does not match label (16h,63s != 255h,63s).
I’ve been able to fix that by low level formatting the mSATA disk with the HDD LLF Low Level Formatting Tool (needs Windows) which I have found here. It did not help to just delete the partitions with gparted or fdisk or to partition and format the mSATA-disk with Windows.
How to do it right:
Prerequisites:
- USB-Stick
- USB to serial converter
- Null Modem Cable
- mSATA Disk plugged into the mSATA-port of the PC Engines APU.1C4-board
- pfSense-memstick-serial-2.1.4-RELEASE-amd64.img
Installation:
First you have to unpack the image-file.
gunzip ./pfSense-memstick-serial-2.1.4-RELEASE-amd64.img.gz
Then dd the image to the USB-stick
dd if=/path/to/pfSense-memstick-serial-2.1.4-RELEASE-amd64.img of=/dev/sdb bs=16k
Plug the USB-stick into one of the USB-ports of the APU.1C4 and connect the null modem cable to the RS232-port. Then connect to the serial console with 115200 baud.
screen /dev/ttyUSB0 115200
You will see the BIOS of the APU and at some point it will ask you to hit F12 to select a boot-device. Hit F12 in the appropriate moment and choose your USB-stick as boot-media.
Disconnect from the serial console and reconnect with 9600 baud because pfSense will use 9600 baud instead of 115200 baud.
Do not interrupt the boot-process, wait until pfSense has started up, do not invoke the installer during boot up.
After pfSense has booted invoke the installer and go with the quick install option. This will give you the opportunity to choose between serial- and VGA-console (you have to choose serial here of course). If you choose the advanced install routine you will not get the chance to choose serial-console – so don’t do it.
pfSense: “Unable to check for updates”
What to do if pfSense says that it is unable to check for updates.
The situation was:
- pfSense was throwing the error message “Unable to check for updates” at the dashboard and at the “Auto Update”-tab.
- traffic to and from the internet was passing through my pfSense-box
- DNS-resolution was working for hosts at the LAN-interface
The first thing which wasn’t correctly configured was the “Updater Settings” under “firmware” – “Updater Settings”-tab. I needed to select the “Firmware Branch” with the drop-down labeled “Default Auto Update URLs”. In my case it’s “pfSense amd64 stable updates (current architecture)” which automatically populates the “Base URL” in the “Firmware Auto Update URL”-section and also ticks “Use an unofficial server for firmware upgrades” (btw. why unofficial?).
After that, the situation was the same as above, only that I now had the Base URL “http://updates.pfsense.org/_updaters/amd64” in the Update URL text box. In the pfSense-diagnostics my pfSense-box was able to ping and traceroute “updates.pfsense.org”. I’ve been able to resolve and browse that URL from a PC behind the LAN-interface but pfSense was still complaining that it is “Unable to check for updates” at the dashboard and at the “Auto Update”-tab.
Then I have corrected another issue at the WAN-interface configuration. Since my pfSense-box is sitting between a FritzBox and my local networks, I have unticked “Block private networks” since my gateway is in a private IP-address-range (10.0.0.X/24). I still wonder why my setup was working initially because as I understand this option, it should have blocked traffic from all private IP-ranges. I also have unticked “Block bogon networks” because (in my case) the source will allways be my FritzBox in 10.0.0.X/24.
The root of the problem was hiding in the settings for the DNS-forwarder under “Services” – “DNS-Forwarder”. Since the option “Strict Interface Binding” was selected, I had to select “localhost” under “Interfaces” for that my pfSense-box was able to resolve “updates.pfsense.org”. After that change everything was working fine and I’ve been able to run the “Auto Updater” successfully.
