MFA Client VPN for GCP using pfSense

In the previous post aws client vpn with multifactor authentication , I introduced how to deploy client vpn in aws using aws managed service. This time I introduce how to do “nearly” the same thing in GCP. However, GCP doesn’t have its own managed client vpn service, and the deployment steps are quite different.

What you can achieve after reading this post

  • Basic setup of pfSense in GCP to act as an openvpn server

What is the expected result

  • easy user management on pfSense
  • Multi-factor authentication client VPN to connect to GCP
  • All tunnel (once client is connected to vpn, all traffic passed through GCP, even the internet access)

Walkthrough chart

  1. Launch pfSense in GCP.
  2. pfSense basic setup.
  3. FreeRADIUS installation and setup on pfSense
  4. Authentication server setup on pfSense
  5. OpenVPN setup on pfSense
  6. OpenVPN client exporter install
  7. Firewall rule to allow OpenVPN
  8. Add remote user(s)
  9. Setup client vpn software and test

1. Launch pfSense in GCP

There is no pfSense image available in GCP marketplace. Hence you need to download the image from official site, and create an image in GCP.

Once you created an image, use it to launch an instance. When you create an instance, most of the parameter can be left as default, but be sure to make your network settings as in below image:

In Command line, it would look like this:

$ gcloud compute --project <project_name> disks create "pfsense" --size "20" --zone "us-central1-a" --source-snapshot "pfsense-245p1" --type "pd-standard"

$ gcloud beta compute --project=<project_name> instances create pfsense --zone=us-central1-a --machine-type=n1-standard-1 --subnet=default --address=<allocated_global_ip> --can-ip-forward --tags=openvpn-server --disk=name=pfsense,device-name=pfsense,mode=rw,boot=yes,auto-delete=yes

Next, we need to connect to serial interface of this instance to finish pre-configuration settings. Select the pfsense instance, and click “Edit”, then check “Enable connecting to serial ports”. Once checked and saved, you should be able to connect to serial port 1.

You will be asked several questions, select as in below image.

Soon after you will be greeted with pfSense menu. Select 8) Shell, and type ifconfig vtnet0 mtu 1460, otherwise you will not be able to access web interface, and the connection would be quite unstable.

As a last step, we configure GCP Firewall to allow WEB GUI interface acccess. Go to Firewall and allow tcp/443(https), and udp/1194(openvpn) for the target tags you allocated to pfSense. In command line, it would look like below:

gcloud compute --project=<project_name> firewall-rules create allow-openvpn-server --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:22,udp:119 --source-ranges=0.0.0.0/0 --target-tags=openvpn-server

2. pfSense Basic Setup

Navigate to the pfsense URL at https://<your_external_ip>/, and you should be greeted with pfSense setup wizard.

Once you finished the wizard, now you are in pfsense console!


3. FreeRADIUS installation and setup on pfSense

Go to Paackage Manager, and search “freeradius”. Click “Install” and it will install freeradius along with all dependencies.

Navigate to “Services” > “FreeRADIUS” to open freeradius configuration page.

We have two parts to configure here:

  • Interfaces … this is to specify which interface this radius server serves the request. we will create one interface for authentication and another for accounting.
  • NAS/Clients … this is to specify how the server receives the authentication request.

First, go to interfaces, and create two interfaces as shown below:

Next, create a cclient as shown in below image, do remember client shared secret, this will be used later.


4. Authentication server setup on pfSense

Next we need to create an authentication settings so that pfSense sends request to radius server upon client connection.

Navigate to “System” > “User management” > “Authentication Server”. Fill in the field as shown below. This shared secret is the one you used to setup radius server:


5. OpenVPN setup on pfSense

Authentication system is ready and we are going to configure VPN server. Navigate to “VPN” > “Open VPN” > “Servers”, and click “+Add”.

Fill in the field as shown in below image:

Most of the parameter can be kept as default, and some parameters you need to change are as below:

  • Server mode: Remote Access (User Auth)
  • Backend for authentication: <authentication server you created in previous step>
  • IPv4 Tunnel Network: ANY network you are not using in your production network
  • Redirect IPv4 Gateway … All traffic including internet browsing will be passed through this pfsense once client is connected. This can be useful if client needs to use one static global ip for any other access. If you don’t need this, you can uncheck this, and you can specify which subnet to be injected into the client.

6. OpenVPN client exporter install

Configuring client one by one is tedious task. In pfSense, there is a package called OpenVPN Client exporter, and it can be installed through package manager.

Once installation succeeded, you will see a new tab “client export” in OpenVPN. In “Hostname Resolution” select other, and fill in your global ip address in “Host Name”, then click “Save as default”. Once you saved, click “inline cconfiguration” and it will download the ovpn configuration file.

7. Add Firewall rule to allow OpenVPN

We need to create rules as listed below:

  • Firewall rule to allow openvpn connectiion to the firewall from the internet
  • Firewall rule to allow openvpn client to connecct to somewhere else

For the first rule, ccrete the firewall as below:

For the second rule, it depends on the usage. I made a extremely egnerous rules here to allow any communication. This means any communication even the one to the internet will also be allowed.

8. Add remote user(s)

Now it’s time to add users. Navigate to “Services” > “FreeRADIUS”, and add users.

  • Username … user name of your choice
  • Password … <blank>
  • One-Time Password … checked
  • OTP Auth Method … Google-Authenticator
  • Init-Secret … Click “Generate OTP Secret”
  • PIN … PIN of your choice
  • QR Code … Click Generate QR Code, and ask user to scan this code to register this OTP on their phone.

8. Setup client vpn software and test

One you setup the client with the file you downloaded from the last step, you can use the credentiaal to connecct to VPN. Please note the password is PIN number followed by OTP.

If everything hasa been setup correctly, you should be able to communicte with the internal resources as well as you can connect to the internet through GCP.

AWS Client VPN with SimpleAD

In this post, I’m going to guide how to set up AWS client VPN from scratch including Simple AD deployment.

AWS Client VPN can be used to connect to private segment directly from your client. It is well documented here in official document “AWS Client VPN Administrator Guide“.

In VPN settings, there are two main part you need to consider first:

  • Authentication … AWS Client VPN supports two types:
    • Active Directory Authentication
    • Mutual (Certificate) Authentication
  • Authorization
    • Security Groups
    • Network-based Authorization (work with Active Directory Authentication)

In my opinion, Active Directory Authentication is more flexible and intuitive compared to Mutual Authentication. It doesn’t support MFA yet, but it provides user/password authentication as well as it allows specific groups of users in AD to be able to connect to SSLVPN, which is a requirement of most clients.

Setup procedure is below:

  1. Generate certs and keys using easy-rsa, and register them on ACM
  2. Procure Simple AD
  3. Create users and groups on Simple AD
  4. Procure Client VPN Endpoint
  5. (Option) Configure a web server for connection test
  6. Configure OpenVPN client

By the end of this guide, the test environment looks like below:


1. Generate Certificate and Keys

You need to generate certificate and keys for servers to process client vpn first. You can follow the official steps here. It is not required to generate client certificate/key because we use Active Directory Authentication.

{
 git clone https://github.com/OpenVPN/easy-rsa.git
 cd easy-rsa/easyrsa3
 ./easyrsa init-pki
 ./easyrsa build-ca nopass
 ./easyrsa build-server-full lab_server nopass
 mkdir /temp_folder
 cp pki/ca.crt /temp_folder/
 cp pki/issued/lab_server.crt /temp_folder/
 cp pki/private/lab_server.key /temp_folder/
 cd /temp_folder/
 }

Once they are generated, register them into the AWS Certificate Manager(ACM). Please note you need to register these to the region you are going to have your VPN connection.

aws acm import-certificate --certificate file://lab_server.crt --private-key file://lab_server.key --certificate-chain file://ca.crt --region eu-west-1

If it returns arn, you are successfully registered certificate/key on ACM.


2. Procure Simple AD

Simple AD is not available yet in all regions. You can check the availability here.

First, select “Simple AD”, and select your VPC and subnet you want this service.

Once created, wait for a ew minutes till Directory service is ready. Note the DNS address listed in Directory detail, this information is required later to have management server join this domain.


3. Create Users and Groups for VPN access

In order to manage this AD, I procure another Windows server(management server) in public subnet.

For DNS configuration, you can either change DHCP option of your subnet or set DNS server statically in the servers.

After restart, reconnect to the server, this time with domain administrator account – password is the one you set during Simple AD setup. Install RSAT.

Launch “Active Directory Users and Computers”. If you logged in with domain administrator account, you should be able to see your domain is listed. I created two users “shogo.kobayashi” and “john.smith”, and only “shogo.kobayashi” is a member of “SSLVPN_USERS” group.


4. Procure Client VPN Endpoint

In Create Client VPN Endpoint wizard, you need to specify IPv4 CIDR which should be different from your existing VPC.

  • Server certificate ARN … Select arn, which you received in step 1.
  • Authentication Options … Select “Use Active Directory authentication”
  • Directory ID … select Directory ID you created on step 2.
  • DNS Server 1/2 IP Address … Use DNS IP address of your Simple AD

Associate this endpoint with your subnet in order to use it. Note that you will be charged once you associate endpoint with subnet. I used private subnet for this.

  • VPC … VPC you want to use this VPN Endpoint in
  • Subnet … Subnet you want to use this VPN Endpoint in

This is to authorize which network is reachable for each group of users. In this lab, I created only one rule that allows VPN connection to communicate anyone in the network as long as the authenticated user is in “SSLVPN_USERS” AD security group.

  • Destination network to enable … Which network this group of users can access
  • Grant access to … Allow access to users in a specific Active Directory group
  • Active Directory Group ID … SID of the SSLVPN_USERS group in AD

5. (Optional) Setup web server for connection test

We are going to setup web server for connection test. We use VPC endpoint to retrieve httpd packages because we want this server to be in private subnet, and hence there is no direct internet connectivity.

And minimum setup to bootstrap web server.


6. Configure OpenVPN Client

You can download configuration file from AWS console.

Launch OpenVPN client of your choice, and use the configuration file you just downloaded. Note you need to have a root CA certificate, which you generate in step 1, in the same folder you have your configuration file.

Now you should …

  • Be able to access web server if you login with user who is a member of “SSLVPN_USERS”, and
  • Not be able to access web server if you login with user who is NOT a member of “SSLVPN_USERS”.