Add a standalone OpenVPN server using a pfSense virtual machine in Performance Cloud VMware (NSX-T)

 


TABLE OF CONTENTS

Description

An OpenVPN server can be deployed in your virtual data center to allow remote clients, including mobile devices, to connect to your Performance Cloud VMware (NSX-T) environment using a virtual private network (VPN).

In this article, we will deploy a pfSense virtual machine to add the point-to-site (P2S) VPN functionality in an existing network.

Notes

- Some steps assume that you have a foundation about creating virtual machines.
Please refer to main articles in the Getting Started Guide if needed.

 - Please note that Sherweb's support for a NVA (Network Virtual Appliance) is very limited.

Procedures


Create the virtual machine

Add a new virtual machine in an existing vApp by choosing the template named PFSense-OPENVPN.
Note that the Force Recustomization option will not work for the pfSense virtual machine.
Configure the NIC with the desired LAN IP address on your network.
In this example, we will use 10.123.123.20.

A white screen with text

Description automatically generated

 

 

If needed, please see this article for guidance on creating a virtual machine using a prebuilt template and a vApp with Performance Cloud VMware (NSX-T).

 


 

Configure the network interface

 

Once the virtual machine is created, the network interface must be configured inside the virtual machine using the option 2 from the console. In this example, we will use 10.123.123.20/24 and 10.123.123.1 for the gateway.

A screenshot of a computer

Description automatically generated


A screenshot of a computer

Description automatically generated



Enter the desired LAN IP address for this virtual machine (In this example, the virtual machine is only having 1 interface connected to the LAN but named WAN in the pfSense virtual machine).

A screenshot of a computer

Description automatically generated

 

 

Enter the subnet mask bit count.

 

A screenshot of a computer screen

Description automatically generated

 

 

Enter the default gateway for the chosen network.

A screenshot of a computer

Description automatically generated


A screenshot of a computer

Description automatically generated


A screenshot of a computer

Description automatically generated


A screenshot of a computer

Description automatically generated

 

A screenshot of a computer

Description automatically generated


 

In some cases, the WAN must be reassigned to the vmx0 interface using the option 1 in the main menu.

A screenshot of a computer

Description automatically generated



Firewall & DNAT rules


Create firewall & DNAT rules for OpenVPN (port UDP/1194).
See this article for guidance on configuring firewall & NAT rules in the Edge Gateway. 

The firewall rule should look like this:

A screenshot of a computer

Description automatically generated


 

Optionally - Create firewall & DNAT rules for the web interface of the pfSense virtual machine (the default TCP/80 port can be customized later).

The DNAT rule should look like this:



Once the HTTP port opened, you should be able to access the pfSense web interfance using http://WANIPADDRESS
If it is not working, a reboot of the new pfSense virtual machine should fix the issue.

A screenshot of a login screen

Description automatically generated


 

Default credentials of the virtual machine:
Defaut username = admin

Default password = pfsense


Please update the password after the first login.
 

 

Notes

 

In a production environment, we do not recommend configuring "Any" as the Source for the web interface access from the WAN IP address for security reasons.

 

That rule permitting the access of the web interface from the WAN IP address can be enabled on demand or completely disabled in the firewall rules section.

 

If the web interface from the WAN IP address is blocked, you will need to access the web interface using the LAN IP address.



 

User management


Create users in the pfSense virtual machine.
See this article for guidance on user creation: https://docs.netgate.com/pfsense/en/latest/usermanager/users.html


Notes: LDAP or RADIUS (Network Policy Server) can be leveraged for user management and authentication instead of managing local users in the pfSense virtual machine. See this article for details.

  


OpenVPN client


Go to VPN and OpenVPN, Client Export

Change the Host Name Resolution to Other and under Host Name enter the WAN public IP address (from the Edge Gateway). This ensures the public IP address is used to connect the OpenVPN client and not the private IP address assigned to the pfSense WAN interface.

Then, click on Save as default.


Go to the bottom of the page under the OpenVPN Clients section.


Click on the installation package to download for your computer

A screenshot of a computer

Description automatically generated

 

 

Once installed, you should be able to connect using VPN credentials.

 

A screenshot of a computer

Description automatically generated

References

https://docs.netgate.com/pfsense/en/latest/general/index.html

https://docs.netgate.com/pfsense/en/latest/usermanager/authentication-servers.html