/*
 * openvpn_wizard.xml
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

12

1 OpenVPN Remote Access Server Setup
This wizard will provide guidance through an OpenVPN Remote Access Server Setup.<br/><br/> The wizard may be stopped at any time by clicking the logo image at the top of the screen.
true
listtopic Select an Authentication Backend Type
select Type of Server authtype <br/><b>NOTE:</b> If unsure, leave this set to "Local User Access." ovpnserver->step1->type
Next submit
step1_stepsubmitbeforesave();
step1_submitphpaction();
/usr/local/www/wizards/openvpn_wizard.inc

2 LDAP Server Selection
OpenVPN Remote Access Server Setup Wizard
true
listtopic LDAP Authentication Server List
authserv LDAP servers select ovpnserver->step2->authserv
submit Add new LDAP server
submit Next
step2_stepbeforeformdisplay();
step2_submitphpaction();
enablechange();
/usr/local/www/wizards/openvpn_wizard.inc

3 Add LDAP Server
OpenVPN Remote Access Server Setup Wizard
true
listtopic LDAP Authentication Server Parameters
name Name input ovpnserver->step2->authtype 30 Descriptive server name, for administrative reference.
ip Hostname or IP address input ovpnserver->step2->ip Address of the LDAP server.
port Port input 8 ovpnserver->step2->port LDAP server port; leave blank for the default (389 for TCP, 636 for SSL).
transport Transport select ovpnserver->step2->transport <br/>The protocol used by the LDAP server. It can be either standard TCP or SSL encrypted.
scope Search Scope Level select ovpnserver->step2->scope
basedn Search Scope Base DN input 40 ovpnserver->step2->basedn
authscope Authentication Containers input 40 ovpnserver->step2->authscope Semicolon-separated. Each entry is prepended to the search base DN above, or a full container path can be specified.<br/>EXAMPLE: CN=Users;DC=example<br/>EXAMPLE: CN=Users,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com
userdn LDAP Bind User DN input 20 If left blank, an anonymous bind will be done. ovpnserver->step2->userdn
passdn LDAP Bind Password password 20 ovpnserver->step2->passdn If a user DN was supplied above, this password will also be used when performing a bind operation.
nameattr User Naming Attribute input ovpnserver->step2->nameattr Typically "cn" (OpenLDAP, Novell eDirectory), "samAccountName" (Microsoft AD)
groupattr Group Naming Attribute input ovpnserver->step2->groupattr Typically "cn" (OpenLDAP, Microsoft AD, and Novell eDirectory)
memberattr Member Naming Attribute input ovpnserver->step2->memberattr Typically "member" (OpenLDAP), "memberOf" (Microsoft AD), "uniqueMember" (Novell eDirectory)
submit Add new Server
step3_submitphpaction();
enablechange();
/usr/local/www/wizards/openvpn_wizard.inc

4 RADIUS Server Selection
OpenVPN Remote Access Server Setup Wizard
true
listtopic RADIUS Authentication Server List
authserv RADIUS servers select ovpnserver->step2->authserv
submit Add new RADIUS server
submit Next
step4_stepbeforeformdisplay();
step4_submitphpaction();
enablechange();
/usr/local/www/wizards/openvpn_wizard.inc

5 Add RADIUS Server
OpenVPN Remote Access Server Setup Wizard
true
listtopic RADIUS Authentication Server Parameters
name Name input ovpnserver->step2->authtype 20 Descriptive name for the RADIUS server, for administrative reference.
ip Hostname or IP address input ovpnserver->step2->ip Address of the RADIUS server.
port Authentication Port input 8 ovpnserver->step2->port Port used by the RADIUS server for accepting Authentication requests, typically 1812.
secret Shared Secret password 20 ovpnserver->step2->password
Add new Server submit
step5_submitphpaction();
/usr/local/www/wizards/openvpn_wizard.inc

6 Certificate Authority Selection
OpenVPN Remote Access Server Setup Wizard
true
Choose a Certificate Authority (CA) listtopic
certca_selection certca Certificate Authority ovpnserver->step6->authcertca
submit Add new CA
Next submit
step6_stepbeforeformdisplay();
step6_submitphpaction();
/usr/local/www/wizards/openvpn_wizard.inc

7 Add Certificate Authority
OpenVPN Remote Access Server Setup Wizard
true
Create a New Certificate Authority (CA) Certificate listtopic
descr Descriptive name A name for administrative reference, to identify this certificate. This is the same as the common-name field for other Certificates. input 20 ovpnserver->step6->certca
keylength Key length <br/>Size of the key which will be generated. The larger the key, the more security it offers, but larger keys take considerably more time to generate, and take slightly longer to validate, leading to a slight slowdown in setting up new sessions (not always noticeable). As of 2016, 2048 bit is the minimum and most common selection and 4096 is the maximum in common use. For more information see <a href="https://keylength.com">keylength.com</a> select 2048 ovpnserver->step6->keylength
lifetime Lifetime input 10 3650 Lifetime in days. This is commonly set to 3650 (approximately 10 years). ovpnserver->step6->lifetime
country Country Code Two-letter ISO country code (e.g. US, AU, CA) input 5 ovpnserver->step6->country
state State or Province Full State or Province name, not abbreviated (e.g. Kentucky, Indiana, Ontario). input 30 ovpnserver->step6->state
city City City or other Locality name (e.g. Louisville, Indianapolis, Toronto). input 30 ovpnserver->step6->city
organization Organization Organization name, often the Company or Group name. input 30 ovpnserver->step6->organization
email E-mail E-mail address for the Certificate contact. Often the e-mail of the person generating the certificate. input 30 ovpnserver->step6->email
Add new CA submit
step7_submitphpaction();
/usr/local/www/wizards/openvpn_wizard.inc
enablechange();

8 Server Certificate Selection
OpenVPN Remote Access Server Setup Wizard
true
Choose a Server Certificate listtopic
cert_selection certname Certificate ovpnserver->step9->authcertname
submit Add new Certificate
Next submit
step8_stepbeforeformdisplay();
step8_submitphpaction();
/usr/local/www/wizards/openvpn_wizard.inc

9 Add a Server Certificate
OpenVPN Remote Access Server Setup Wizard
true
Create a New Server Certificate listtopic
descr Descriptive name A name for administrative reference, to identify this certificate. This is also known as the certificate's "Common Name." input 20 ovpnserver->step9->certname
keylength Key length <br/>Size of the key which will be generated. The larger the key, the more security it offers, but larger keys take considerably more time to generate, and take slightly longer to validate, leading to a slight slowdown in setting up new sessions (not always noticeable). As of 2016, 2048 bit is the minimum and most common selection and 4096 is the maximum in common use. For more information see <a href="https://keylength.com">keylength.com</a> select 2048 ovpnserver->step9->keylength
lifetime Lifetime Lifetime in days. This is commonly set to 3650 (approximately 10 years). input 10 3650 ovpnserver->step9->lifetime
country Country Code Two-letter ISO country code (e.g. US, AU, CA) input 5 ovpnserver->step9->country
state State or Province Full State or Province name, not abbreviated (e.g. Kentucky, Indiana, Ontario). input 30 ovpnserver->step9->state
city City City or other Locality name (e.g. Louisville, Indianapolis, Toronto). input 30 ovpnserver->step9->city
organization Organization Organization name, often the Company or Group name. input 30 ovpnserver->step9->organization
email E-mail E-mail address for the Certificate contact. Often the e-mail of the person generating the certificate. input 30 ovpnserver->step9->email
Create new Certificate submit
step9_stepbeforeformdisplay();
step9_submitphpaction();
/usr/local/www/wizards/openvpn_wizard.inc

10 Server Setup
OpenVPN Remote Access Server Setup Wizard
true
listtopic General OpenVPN Server Information
interface interfaces_selection The interface where OpenVPN will listen for incoming connections (typically WAN). Interface ovpnserver->step10->interface
Protocol select ovpnserver->step10->protocol <br/>Protocol to use for OpenVPN connections. If unsure, leave this set to UDP.
localport Local Port Local port upon which OpenVPN will listen for connections. The default port is 1194. This can be left at its default unless a different port needs to be used. input 10 ovpnserver->step10->localport
description Description A name for this OpenVPN instance, for administrative reference. It can be set however desired, but is often used to distinguish the purpose of the service (e.g. "Remote Technical Staff"). It is also used by OpenVPN Client Export to identify this VPN on clients. input 30 ovpnserver->step10->descr
listtopic Cryptographic Settings
TLS Authentication checkbox on Enable authentication of TLS packets. ovpnserver->step10->tlsauth
Generate TLS Key generatetlskey tlssharedkey on checkbox Automatically generate a shared TLS authentication key. ovpnserver->step10->gentlskey
TLS Shared Key tlssharedkey Paste in a shared TLS key if one has already been generated. textarea 30 5 ovpnserver->step10->tlskey
DH Parameters Length dhparameters select 2048 ovpnserver->step10->dhkey <br/>Length of Diffie-Hellman (DH) key exchange parameters, used for establishing a secure communications channel. The DH parameters are different from key sizes, but as with other such settings, the larger the key, the more security it offers, but larger keys take considerably more time to generate. As of 2016, 2048 bit is a common and typical selection.
crypto select Encryption Algorithm ovpnserver->step10->crypto AES-256-CBC <br/>The algorithm used to encrypt traffic between endpoints. This setting must match on the client and server side, but is otherwise set however desired. Certain algorithms will perform better on different hardware, depending on the availability of supported VPN accelerator chips.
digest select Auth Digest Algorithm ovpnserver->step10->digest SHA1 <br/>The method used to authenticate traffic between endpoints. This setting must match on the client and server side, but is otherwise set however desired.
engine select Hardware Crypto ovpnserver->step10->engine <br/>The hardware cryptographic accelerator to use for this VPN connection, if any.
listtopic Tunnel Settings
Tunnel Network tunnelnet input 20 ovpnserver->step10->tunnelnet This is the virtual network used for private communications between this server and client hosts, expressed using CIDR notation (e.g. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses will be assigned to connecting clients.
Redirect Gateway redirectgw checkbox Force all client-generated traffic through the tunnel. ovpnserver->step10->rdrgw
Local Network localnet input 20 ovpnserver->step10->localnet This is the network that will be accessible from the remote endpoint, expressed as a CIDR range. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network.
Concurrent Connections concurrentcon Specify the maximum number of clients allowed to concurrently connect to this server. input 10 ovpnserver->step10->concurrentcon
Compression compression <br/>Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently. ovpnserver->step10->compression select
Type-of-Service tos checkbox Set the TOS IP header value of tunnel packets to match the encapsulated packet's TOS value. ovpnserver->step10->tos
Inter-Client Communication interclient checkbox Allow communication between clients connected to this server. ovpnserver->step10->interclient
Duplicate Connections duplicate_cn checkbox Allow multiple concurrent connections from clients using the same Common Name.<br/>NOTE: This is not generally recommended, but may be needed for some scenarios. ovpnserver->step10->duplicate_cn
listtopic Client Settings
Dynamic IP dynip checkbox on Allow connected clients to retain their connections if their IP address changes. ovpnserver->step10->dynip
Topology topology select subnet ovpnserver->step10->topology Specifies the method used to supply a virtual adapter IP address to clients when using tun mode on IPv4.<br />Some clients may require this be set to "subnet" even for IPv6, such as OpenVPN Connect (iOS/Android).<br />Older versions of OpenVPN (before 2.0.9) or clients such as Yealink phones may require "net30".
DNS Default Domain defaultdomain input Provide a default domain name to clients. ovpnserver->step10->defaultdomain
DNS Server 1 dnsserver1 input ovpnserver->step10->dns1 DNS server IP to provide to connecting clients.
DNS Server 2 dnserver2 input ovpnserver->step10->dns2 DNS server IP to provide to connecting clients.
DNS Server 3 dnserver3 input ovpnserver->step10->dns3 DNS server IP to provide to connecting clients.
DNS Server 4 dnserver4 input ovpnserver->step10->dns4 DNS server IP to provide to connecting clients.
NTP Server ntpserver1 input ovpnserver->step10->ntp1 Network Time Protocol server to provide to connecting clients.
NTP Server 2 ntpserver2 input ovpnserver->step10->ntp2 Network Time Protocol server to provide to connecting clients.
nbtenable checkbox NetBIOS Options ovpnserver->step10->nbtenable Enable NetBIOS over TCP/IP. <br/>If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled.
NetBIOS Node Type nbttype select ovpnserver->step10->nbttype <br/>Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast then query name server), and h-node (query name server, then broadcast).
NetBIOS Scope ID nbtscope input ovpnserver->step10->nbtscope A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID.
WINS Server 1 winsserver1 input ovpnserver->step10->wins1 A Windows Internet Name Service (WINS) server IP to provide to connecting clients. Not desirable in almost all modern networks.
WINS Server 2 winsserver2 input ovpnserver->step10->wins2 A Windows Internet Name Service (WINS) server IP to provide to connecting clients. Not desirable in almost all modern networks.
Advanced textarea 30 5 Enter any additional options to add to the OpenVPN server configuration here, separated by a semicolon. EXAMPLE: push "route 10.0.0.0 255.255.255.0" ovpnserver->step10->advanced
Next submit
step10_stepbeforeformdisplay();
step10_submitphpaction();
/usr/local/www/wizards/openvpn_wizard.inc

11 Firewall Rule Configuration
OpenVPN Remote Access Server Setup Wizard
true
listtopic Firewall Rule Configuration
text Firewall rules control what network traffic is permitted. Rules must be added to allow traffic to the OpenVPN server's IP and port, as well as to allow traffic from connected clients through the tunnel. These rules can be automatically added here, or configured manually after completing the wizard.
listtopic Traffic from clients to server
ovpnrule Firewall Rule Add a rule to permit connections to this OpenVPN server process from clients anywhere on the Internet. checkbox ovpnserver->step11->ovpnrule
listtopic Traffic from clients through VPN
ovpnallow OpenVPN rule Add a rule to allow all traffic from connected clients to pass inside the VPN tunnel. checkbox ovpnserver->step11->ovpnallow
Next submit

12 Finished!
OpenVPN Remote Access Server Setup Wizard
true
listtopic Configuration Complete!
text The configuration is now complete.
text To be able to export client configurations, browse to System->Packages and install the OpenVPN Client Export package.
submit Finish
step12_submitphpaction();
/usr/local/www/wizards/openvpn_wizard.inc