Editor's note
This article is very well written and is a model of how technical people should write: the steps are extremely detailed and easy to follow. I successfully configured an OpenVPN server and client from it.
I had intended to translate it and share it with everyone, but the content is long and time is short, so for now I have only tidied it up. If anyone needs it, I will translate it to help more readers in China.
Copyright of this article belongs to the original author and the original site.
Setup & Configuration Of OpenVPN On Pfsense 2.0 RC3
Outline
With the recent release of Pfsense 2.0 there have been a significant number of improvements to the OpenVPN component. In previous versions of Pfsense, the client, CA and server certificates had to be created on a client machine and then copied across to the relevant configuration panes in OpenVPN. The client configuration was not bundled as a package for download directly from the Pfsense web GUI, and instead resided on the workstation where the certificates were originally created. Each additional OpenVPN client meant re-running that process on the same workstation. All of this is now handled by the Pfsense 2.0 web GUI. The full list of OpenVPN changes is as follows:-
∙OpenVPN wizard guides through making a CA/Cert and OpenVPN server, sets up firewall rules, and so on. Greatly simplifies the process of creating a remote access OpenVPN server.
∙OpenVPN filtering – an OpenVPN rules tab is available, so OpenVPN interfaces don’t have to be assigned to perform filtering.
∙OpenVPN client export package – provides a bundled Windows installer with certificates, Viscosity export, and export of a zip file containing the user’s certificate and configuration files.
∙OpenVPN status page with connected client list — can also kill client connections
∙User authentication and certificate management
∙RADIUS and LDAP authentication support
In this guide I will outline creating a new OpenVPN server with local user authentication under Pfsense 2.0 RC3. If you have upgraded from Pfsense 1.2.3 (as is the case for myself) and already have OpenVPN configured, I would suggest removing the existing server and starting from scratch to avoid configuration issues. I will also cover the installation of the OpenVPN client on Windows 7, Snow Leopard 10.6.8 and Ubuntu 11.04.
Download & Install The OpenVPN Client Export Package
The first step is to obtain the client export package, so that we can quickly export all of the required configuration files for our OpenVPN clients.
Log in to your Pfsense 2.0 GUI and navigate to System > Packages. Scroll down, select ‘OpenVPN Client Export Utility’ and run through the installation.
Remove Legacy OpenVPN Server And Certificates
I would highly recommend removing your existing OpenVPN configuration before running through the setup in this guide.
First navigate to System > Cert Manager. On the ‘CAs’ pane remove any existing certificate authorities. Once completed, navigate to the ‘Certificates’ pane and remove any existing certificates. (Do not remove the ‘webConfigurator default’ certificate: the web GUI’s HTTPS listener depends on it.)
Finally navigate to VPN > OpenVPN and remove your existing server configuration.
Create New OpenVPN Certificates
We’re now ready to create the certificates required for OpenVPN to function with local user authentication. Navigate to System > Cert Manager. On the ‘CAs’ pane click the add icon to create a new CA and ensure ‘Create an internal Certificate Authority’ is selected in the ‘Method’ drop-down box, like so.
Fill out all the required fields with your organization-specific information, choosing a descriptive name such as ‘internal-ca’. Leave the key length at the 2048-bit default or higher. Once completed, click ‘Save’ to create the CA.
Once completed, click the first down-arrow icon to the right of your newly created CA and choose ‘Export CA Cert’ to download the CA certificate to your client machine. This exports only the public certificate; the CA’s private key stays on the firewall and should never be distributed to clients.
Once completed, navigate to the ‘Certificates’ pane and create a new certificate. This time choose ‘Create an internal Certificate’ in the ‘Method’ drop-down box and set the ‘Certificate Type’ to ‘Server Certificate’, so that clients can distinguish the server’s certificate from a user’s certificate issued by the same CA. You’ll notice some of the fields will have been auto-populated from the CA. Fill in any remaining details and give the certificate a Common Name that differs from the CA’s, for example the firewall’s hostname: because the other subject fields are copied from the CA, reusing the CA’s Common Name would make the server certificate’s subject identical to its issuer, which OpenSSL can mistake for a self-signed certificate when building the chain. Once completed click ‘Save’ to create the certificate.
Create A New OpenVPN User And Client Certificate
We’ll now create our first OpenVPN client. First navigate to System > User Manager. Create a new user and fill out the required fields as per below:-
Once completed, click ‘Save’ to finish. Now click on the edit button to the right of the newly created user, scroll down to the ‘User Certificates’ section and click the add button.
Run through the client certificate fields, entering all the required information. Ensure you specify a Common Name different from the one entered for your CA, and unique to this client: OpenVPN identifies connected clients by Common Name, so two clients sharing one would collide unless the server is told to allow duplicates. Once completed click ‘Save’ to finish.
On the edit user pane, click the two down-arrow icons and choose ‘export private key’ and ‘export client cert’ to download both files. The private key is the client’s credential: move it to the client over a secure channel and delete any spare copies.
Create New OpenVPN Server & Configure
We’re now ready to create our OpenVPN server. First navigate to VPN > OpenVPN, then to the ‘Wizard’ pane to launch the configuration process. Under ‘Type of Server’, choose ‘Local User Access’ and click ‘Next’.
Under ‘Choose a Certificate Authority’ you should see your previously created CA as the only choice. Simply click ‘Next’ to continue. On the following page the server certificate we created earlier should be listed. Click ‘Next’ to continue.
On the following page fill out your details as per the following screens. Ensure the OpenVPN server is set to listen on the WAN interface (the defaults are UDP on port 1194). You will need to specify a tunnel network, the address range from which connected clients receive their VPN addresses. It must not overlap your local network address range, otherwise OpenVPN will not route traffic correctly. Choose a range from the RFC 1918 private address space (10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255 or 192.168.0.0 – 192.168.255.255) that is also unlikely to collide with the home or office networks your remote users connect from, and enter it in CIDR notation as a network address with a prefix length, for example 10.8.0.0/24 rather than a host address such as 10.8.0.1.
Once completed, ensure the automatic firewall rules are created (both boxes are ticked by default) before clicking ‘Finish’. The first adds a WAN rule admitting traffic to the OpenVPN port; the second adds a rule on the OpenVPN tab allowing all traffic from connected clients inside the tunnel. That second rule is deliberately permissive; once the VPN is working you can tighten it under Firewall > Rules > OpenVPN to the hosts and ports remote users actually need.
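The wizard only checks that the Tunnel Network field is well-formed CIDR; whether the range is private and stays clear of the LANs on both ends of the tunnel is up to you. The following is an added example, not code from the original guide or from pfSense, that performs those checks before you type the value in. The site subnets and the list of common home-router ranges are constructed assumptions for illustration.

```python
"""Check a proposed OpenVPN tunnel network before typing it into the wizard.

Added example, not part of the original guide or of pfSense. The subnets
used in the usage section and LIKELY_CLIENT_LANS are constructed for
illustration.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Remote users usually sit behind a home router; these are ranges such routers
# commonly hand out (assumed list, extend it for your own user base).
LIKELY_CLIENT_LANS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def check_tunnel_network(tunnel, local_networks, max_prefix=29):
    """Return a list of problems with `tunnel`; an empty list means it is usable.

    tunnel         -- the CIDR string destined for the wizard's Tunnel Network field
    local_networks -- CIDR strings for LAN and any other subnet reachable via the firewall
    max_prefix     -- on pfSense 2.0's default net30 topology each client consumes
                      its own /30, so a /29 is the smallest range that fits one client
    """
    try:
        # strict=True rejects host bits, e.g. "10.8.0.1/24": the wizard wants the
        # network address, not the server's own tunnel address.
        net = ipaddress.ip_network(tunnel, strict=True)
    except ValueError as exc:
        return [f"not a network in CIDR notation: {exc}"]
    if net.version != 4:
        return [f"{net} is IPv6; this guide sets up an IPv4 tunnel"]

    problems = []
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{net} is not inside an RFC 1918 private range")
    if net.prefixlen > max_prefix:
        problems.append(f"/{net.prefixlen} is too small; use /{max_prefix} or larger")

    for local in (ipaddress.ip_network(n, strict=False) for n in local_networks):
        if local.version == 4 and net.overlaps(local):
            problems.append(f"{net} overlaps local network {local}; clients could not reach it")
    for lan in LIKELY_CLIENT_LANS:
        if net.overlaps(lan):
            problems.append(f"{net} overlaps {lan}, a common home LAN; clients there get a conflicting route")
    return problems


if __name__ == "__main__":
    # Constructed site: LAN on 192.168.1.0/24 plus a second subnet on OPT1.
    site = ["192.168.1.0/24", "192.168.2.0/24"]
    for candidate in ("192.168.1.0/24", "10.8.0.1/24", "8.8.8.0/24", "10.8.0.0/24"):
        print(candidate, "->", check_tunnel_network(candidate, site) or "OK")
```

Run it with your real LAN list; the only candidate in the sample that passes is 10.8.0.0/24, which is also the kind of value the wizard expects (network address plus prefix).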
Export Client Configuration
We’re now ready to export our OpenVPN client configuration. Navigate to VPN > OpenVPN, click on the ‘Client Export’ tab and scroll down. You should see the user we created earlier. (If you don’t, the usual cause is a certificate mismatch: the user’s certificate was not issued by the CA the server is using.)
Choose the ‘Configuration archive’ option next to the user to download an archive with all the required files for our client, as per below. Treat the archive as a credential, since it contains the user’s private key.
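Before handing an exported archive to a user it is worth checking that the client config inside it actually pins the server and the control channel. The following is an added example, not code from the original guide or from the client export package: a small linter for a client-side .ovpn. The sample config is constructed to resemble an export for the ‘Local User Access’ server built above; the hostname, port and file names are placeholders.

```python
"""Sanity-check an exported OpenVPN client config before handing it out.

Added example, not part of the original guide or of pfSense's client export
package. SAMPLE_OVPN is a constructed stand-in for an exported config.
"""

SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert alice.crt
key alice.key
tls-auth ta.key 1
remote-cert-tls server
auth-user-pass
verb 3
"""


def parse_ovpn(text):
    """Return {directive: [args]} for an OpenVPN config.

    Inline blocks such as <ca>...</ca> are recorded as the directive with the
    single argument "<inline>", so a config with embedded certificates passes
    the same checks as one that references files.
    """
    directives = {}
    block_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if block_name is not None:
            if line == f"</{block_name}>":
                directives[block_name] = ["<inline>"]
                block_name = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block_name = line[1:-1]
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def lint_client_config(text, expect_user_auth=True):
    """Return a list of findings for a client .ovpn; an empty list means it looks sound."""
    d = parse_ovpn(text)
    findings = []
    if "client" not in d and "tls-client" not in d:
        findings.append("not a client config: missing 'client'")
    if "remote" not in d or not d["remote"]:
        findings.append("no 'remote' host")
    if "ca" not in d:
        findings.append("no 'ca': the server certificate cannot be verified at all")
    if not (("cert" in d and "key" in d) or "pkcs12" in d):
        findings.append("no client certificate and key (cert+key or pkcs12)")
    # Without this the client accepts any certificate issued by the CA as the
    # server, including another user's client certificate.
    server_check = d.get("remote-cert-tls", d.get("ns-cert-type"))
    if server_check is None:
        findings.append("no 'remote-cert-tls server': a stolen user certificate could impersonate the server")
    elif server_check != ["server"]:
        findings.append("remote-cert-tls/ns-cert-type is not set to 'server'")
    # The shared HMAC key lets the server drop unauthenticated packets before
    # spending any TLS handshake effort on them.
    if "tls-auth" not in d:
        findings.append("no 'tls-auth': control channel is open to unauthenticated packets")
    if expect_user_auth and "auth-user-pass" not in d:
        findings.append("no 'auth-user-pass': a Local User Access server also requires credentials")
    return findings


if __name__ == "__main__":
    print("sample export:", lint_client_config(SAMPLE_OVPN) or "OK")
    weakened = SAMPLE_OVPN.replace("remote-cert-tls server\n", "")
    print("without remote-cert-tls:", lint_client_config(weakened))
```

The linter deliberately treats a missing `remote-cert-tls server` as a finding rather than a style point: with local user authentication every user holds a certificate from the same CA, so that line is what stops one user's certificate from being accepted as the server by another user's client.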