MFA Client VPN for GCP using pfSense

In the previous post aws client vpn with multifactor authentication , I introduced how to deploy client vpn in aws using aws managed service. This time I introduce how to do “nearly” the same thing in GCP. However, GCP doesn’t have its own managed client vpn service, and the deployment steps are quite different.

What you can achieve after reading this post

  • Basic setup of pfSense in GCP to act as an openvpn server

What is the expected result

  • easy user management on pfSense
  • Multi-factor authentication client VPN to connect to GCP
  • All tunnel (once client is connected to vpn, all traffic passed through GCP, even the internet access)

Walkthrough chart

  1. Launch pfSense in GCP.
  2. pfSense basic setup.
  3. FreeRADIUS installation and setup on pfSense
  4. Authentication server setup on pfSense
  5. OpenVPN setup on pfSense
  6. OpenVPN client exporter install
  7. Firewall rule to allow OpenVPN
  8. Add remote user(s)
  9. Setup client vpn software and test

1. Launch pfSense in GCP

There is no pfSense image available in GCP marketplace. Hence you need to download the image from official site, and create an image in GCP.

Once you created an image, use it to launch an instance. When you create an instance, most of the parameter can be left as default, but be sure to make your network settings as in below image:

In Command line, it would look like this:

$ gcloud compute --project <project_name> disks create "pfsense" --size "20" --zone "us-central1-a" --source-snapshot "pfsense-245p1" --type "pd-standard"

$ gcloud beta compute --project=<project_name> instances create pfsense --zone=us-central1-a --machine-type=n1-standard-1 --subnet=default --address=<allocated_global_ip> --can-ip-forward --tags=openvpn-server --disk=name=pfsense,device-name=pfsense,mode=rw,boot=yes,auto-delete=yes

Next, we need to connect to serial interface of this instance to finish pre-configuration settings. Select the pfsense instance, and click “Edit”, then check “Enable connecting to serial ports”. Once checked and saved, you should be able to connect to serial port 1.

You will be asked several questions, select as in below image.

Soon after you will be greeted with pfSense menu. Select 8) Shell, and type ifconfig vtnet0 mtu 1460, otherwise you will not be able to access web interface, and the connection would be quite unstable.

As a last step, we configure GCP Firewall to allow WEB GUI interface acccess. Go to Firewall and allow tcp/443(https), and udp/1194(openvpn) for the target tags you allocated to pfSense. In command line, it would look like below:

gcloud compute --project=<project_name> firewall-rules create allow-openvpn-server --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:22,udp:119 --source-ranges= --target-tags=openvpn-server

2. pfSense Basic Setup

Navigate to the pfsense URL at https://<your_external_ip>/, and you should be greeted with pfSense setup wizard.

Once you finished the wizard, now you are in pfsense console!

3. FreeRADIUS installation and setup on pfSense

Go to Paackage Manager, and search “freeradius”. Click “Install” and it will install freeradius along with all dependencies.

Navigate to “Services” > “FreeRADIUS” to open freeradius configuration page.

We have two parts to configure here:

  • Interfaces … this is to specify which interface this radius server serves the request. we will create one interface for authentication and another for accounting.
  • NAS/Clients … this is to specify how the server receives the authentication request.

First, go to interfaces, and create two interfaces as shown below:

Next, create a cclient as shown in below image, do remember client shared secret, this will be used later.

4. Authentication server setup on pfSense

Next we need to create an authentication settings so that pfSense sends request to radius server upon client connection.

Navigate to “System” > “User management” > “Authentication Server”. Fill in the field as shown below. This shared secret is the one you used to setup radius server:

5. OpenVPN setup on pfSense

Authentication system is ready and we are going to configure VPN server. Navigate to “VPN” > “Open VPN” > “Servers”, and click “+Add”.

Fill in the field as shown in below image:

Most of the parameter can be kept as default, and some parameters you need to change are as below:

  • Server mode: Remote Access (User Auth)
  • Backend for authentication: <authentication server you created in previous step>
  • IPv4 Tunnel Network: ANY network you are not using in your production network
  • Redirect IPv4 Gateway … All traffic including internet browsing will be passed through this pfsense once client is connected. This can be useful if client needs to use one static global ip for any other access. If you don’t need this, you can uncheck this, and you can specify which subnet to be injected into the client.

6. OpenVPN client exporter install

Configuring client one by one is tedious task. In pfSense, there is a package called OpenVPN Client exporter, and it can be installed through package manager.

Once installation succeeded, you will see a new tab “client export” in OpenVPN. In “Hostname Resolution” select other, and fill in your global ip address in “Host Name”, then click “Save as default”. Once you saved, click “inline cconfiguration” and it will download the ovpn configuration file.

7. Add Firewall rule to allow OpenVPN

We need to create rules as listed below:

  • Firewall rule to allow openvpn connectiion to the firewall from the internet
  • Firewall rule to allow openvpn client to connecct to somewhere else

For the first rule, ccrete the firewall as below:

For the second rule, it depends on the usage. I made a extremely egnerous rules here to allow any communication. This means any communication even the one to the internet will also be allowed.

8. Add remote user(s)

Now it’s time to add users. Navigate to “Services” > “FreeRADIUS”, and add users.

  • Username … user name of your choice
  • Password … <blank>
  • One-Time Password … checked
  • OTP Auth Method … Google-Authenticator
  • Init-Secret … Click “Generate OTP Secret”
  • PIN … PIN of your choice
  • QR Code … Click Generate QR Code, and ask user to scan this code to register this OTP on their phone.

8. Setup client vpn software and test

One you setup the client with the file you downloaded from the last step, you can use the credentiaal to connecct to VPN. Please note the password is PIN number followed by OTP.

If everything hasa been setup correctly, you should be able to communicte with the internal resources as well as you can connect to the internet through GCP.

How to run AWS Client VPN with Multi Factor Authentication

In the previous post, I introduced AWS Client VPN with Simple AD. On May 2020, AWS introduced a SAML federation. In this post, I will walkthrough the simplest deployment of AWS client VPN with SAML federation.

What you can achieve after reading this post

  • Basic setup of Okta to integrate with AWS Client VPN
  • Basic setup of AWS Client VPN using SAML federation

What is the expected result

  • easy user management on Okta and not in AWS nor separate AD
  • Multi-factor authentication on AWS Client VPN
  • Managed client VPN access to your VPC environment

Walkthrough chart

  1. Generate certs and keys using easy-rsa, and register them on ACM
  2. Deploy AWS resources as in here
  3. Setup Okta to integrate with AWS Client VPN
  4. Deploy AWS Client VPN Endpoint
  5. Install AWS-provided client onto PC and test
  6. Delete all test resources.

1. Generate Certificate and Keys

You need to generate certificate and keys for servers to process client vpn. You can follow the official steps here.

 git clone
 cd easy-rsa/easyrsa3
 ./easyrsa init-pki
 ./easyrsa build-ca nopass
 ./easyrsa build-server-full lab_server nopass
 mkdir ~/temp_folder
 cp pki/ca.crt ~/temp_folder/
 cp pki/issued/lab_server.crt ~/temp_folder/
 cp pki/private/lab_server.key ~/temp_folder/
 cd ~/temp_folder/

Once they are generated, register them into the AWS Certificate Manager(ACM). Please note you need to register these to the region you are going to have your VPN connection.

aws acm import-certificate --certificate file://lab_server.crt --private-key file://lab_server.key --certificate-chain file://ca.crt --region us-east-1

If it returns arn, you are successfully registered certificate/key on ACM.

2. Deploy test AWS resources

I have prepared terraform files here for you to setup the lab resources. Once you apply the configuration, it will apply below files to your environment:

  • 1x VPC
  • 1x t2.micro EC2 instance with preloaded web server on ubuntu18.04

Please change necessary parameters, especially those in file to adjust to your needs.

3. Setup Okta to integrate with AWS Client VPN

If you don’t have Okta, you can start free trial here.

First, create an AWS ClientVPN integration. Click “Application”, then select “Create New App”.

And change the settings of AWS Client VPN app as in below image:

This step is optional, but if you like to have MFA, add the rule.

Next, I create a user in Okta. You need to assign AWS Client VPN app to this user either individually or via group.

In AWS, go to IAM and configure Okta as an identity provider.

4. Deploy AWS Client VPN Endpoint

In Create Client VPN Endpoint wizard, you need to specify IPv4 CIDR which should be different from your existing VPC.

  • Server certificate ARN … Select arn, which you received in step 1.
  • Authentication Options … Select “Use usesr-based authentication” > “Federated authentication”
  • SAML provider ARN … Select the identity provider ARN(Okta) you created in the previous step.
  • Enable split-tunnel … Enable.

Once Endpoint is created, it needs to be associated to the subnet. Select the VPN endpoint and click “Associate”. Note that you will be charged once you associate endpoint with subnet.

  • VPC … VPC you want to use this VPN Endpoint in
  • Subnet … Subnet you want to use this VPN Endpoint in

Now it’s associated with the subnet. And this is the last step to authrize the access to the network resources from VPN client. You can fine grain users access to specific resources based on user groups in Okta, but I simply “Allow access to all users” for now.

5. Install AWS-provided client onto PC and test

You can download configuration file from AWS console.

Install AWS-provided VPN Client from here and install it on your PC. Previously I used tunnelblick, but it seems not working with federation as of June 2020.

After you installed AWS-Provided VPN Client, follow the manual to import the downloded VPN config.

Once you click “Connect”, it will automatically pops up default web browser and display okta authentication page.

If you didn’t use MFA, you will be connected to AWS now. If you do have MFA enabled in Okta, it will promt you to either:

  1. Setup MFA on the spot if this is user’s first time to connect
  2. Enter MFA token

If everything goes fine, you will be prompted “Authentication details received, processing details. You may close this window at any time”, and you should be able to access the internal web server directly from your PC.

Secure and Easy Remote Work with Sophos UTM

I’m going to walkthrough how to setup remote access vpn in sophos UTM. This post is intended for the minimum deployment and might not be as scalable, but baseline is as below:

  • Clientless – no need to install client software on PC
  • Secure – Multifactor authentication
  • Affordable – no need for extra service nor device

As the requirement of remote access increase, IT needs to setup environment quickly, and still in cost effectively.
Sophos UTM is one of the least expensive UTM in the market, which is ready for enterprise use.

In summary, the settings follow below:

  1. configure users
  2. configure OTP
  3. (optional)configure user portal
  4. configure HTML5 VPN

First, you need to create users. This username is used for remote users to login to the portal.

We use tOTP based token this time to use Multi Factor Authentication(MFA). You just need to enable it.

We need to create HTML5 VPN Portal for every users in this case. First add “network definition” for users PC at office, I’m using IP address here, but alternatively you can use DNS name. Second add remote user, which you created at step 1, into “Allowed users” so that only the user can access each PC. And that’s all for Sophos UTM setup.

Ask users to access the URL “https://”, and they should login with the reomte user name and password which you created at step 1.

Once users logged into the portal, it should prompt users to register OTP. Users can use any tOTP based applicaiton. In my case I used Google Authenticator, which is available via playstore/applestore for free. Scan the QR code, and it should now prompt the PIN.

Once done, users need to login again. But this time the password is “password you created at step 1” + “PIN on tOTP app”(eg. secretpassword123456). users should be able to see the user portal now.

Click “HTML5 VPN Portal”, and then click the PC name to connect to.

It pops up another window showing your PC desktop. Ask users not to shutdown the PC, and ask them simply logoff or close the window.

Some UTMs require separate subscription to use clientless VPN (eg. PaloAlto), while Sophos UTM comes with most of the function built-in the box.

Please drop me a message if you encounter any problem. THanks for reading!