Add a standalone OpenVPN server using a pfSense virtual machine in Performance Cloud VMware (NSX-T)
Description
An OpenVPN server can be deployed in your virtual data center to allow remote clients, including mobile devices, to connect to your Performance Cloud VMware (NSX-T) environment using a virtual private network (VPN).
In this article, we will deploy a pfSense virtual machine to add the point-to-site (P2S) VPN functionality in an existing network.
Notes
- Some steps assume that you are already familiar with creating virtual machines. Please refer to the main articles in the Getting Started Guide if needed.
- Please note that Sherweb's support for an NVA (Network Virtual Appliance) is very limited.
Procedures
Create the virtual machine
Add a new virtual machine in an existing vApp by choosing the template named PFSense-OPENVPN.
Note that the Force Recustomization option will not work for the pfSense virtual machine.
Configure the NIC with the desired LAN IP address on your network.
In this example, we will use 10.123.123.20.
If needed, please see this article for guidance on creating a virtual machine using a prebuilt template and a vApp with Performance Cloud VMware (NSX-T).
Configure the network interface
Once the virtual machine is created, the network interface must be configured inside the virtual machine using option 2 from the console menu. In this example, we will use 10.123.123.20/24 and 10.123.123.1 for the gateway.
Enter the desired LAN IP address for this virtual machine. (In this example, the virtual machine has only one interface; it is connected to the LAN but is named WAN inside the pfSense virtual machine.)
Enter the subnet mask bit count.
Enter the default gateway for the chosen network.
In some cases, the WAN must be reassigned to the vmx0 interface using option 1 in the main menu.
Firewall & DNAT rules
Create firewall & DNAT rules for OpenVPN (port UDP/1194 by default). Optionally, create firewall & DNAT rules for the web interface of the pfSense virtual machine (the default TCP/80 port can be customized later).
See this article for guidance on configuring firewall & NAT rules in the Edge Gateway.
The firewall rule should look like this:
The DNAT rule should look like this:
Extra step for the DNAT rule of OpenVPN
Once the DNAT rule is created, edit the rule to change a setting.
In the Advanced Settings section of the DNAT rule, change the value of the Firewall Match field to Match External Address.
Once the HTTP port is open, you should be able to access the pfSense web interface using http://WANIPADDRESS.
If it is not working, a reboot of the new pfSense virtual machine should fix the issue.
Default credentials of the virtual machine:
Default username = admin
Default password = pfsense
Please update the password after the first login.
Notes
In a production environment, we do not recommend configuring "Any" as the Source for the web interface access from the WAN IP address for security reasons.
That rule permitting the access of the web interface from the WAN IP address can be enabled on demand or completely disabled in the firewall rules section.
If the web interface from the WAN IP address is blocked, you will need to access the web interface using the LAN IP address.
User management
Create users in the pfSense virtual machine.
See this article for guidance on user creation: https://docs.netgate.com/pfsense/en/latest/usermanager/users.html
Note: LDAP or RADIUS (Network Policy Server) can be leveraged for user management and authentication instead of managing local users in the pfSense virtual machine. See this article for details.
OpenVPN client
Go to VPN > OpenVPN > Client Export.
Change the Host Name Resolution to Other and under Host Name enter the WAN public IP address (from the Edge Gateway). This ensures the public IP address is used to connect the OpenVPN client and not the private IP address assigned to the pfSense WAN interface.
Then, click on Save as default.
Go to the bottom of the page under the OpenVPN Clients section.
Click on the installation package to download for your computer.
Once installed, you should be able to connect using VPN credentials.
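The Host Name Resolution setting above decides which address ends up in the exported client profile; if it is left at the default, the private address of the pfSense WAN interface (10.123.123.20 in this example) can be written into the profile and remote clients will never reach the server. The following is an added example, not part of this article and not pfSense or Sherweb code: a small Python check that reads an exported .ovpn profile and reports a remote that points at an RFC 1918 address, a transport other than UDP/1194, or a missing auth-user-pass directive. The two profiles embedded in it are constructed samples, and 203.0.113.10 is a documentation address standing in for the Edge Gateway WAN IP.

```python
"""Sanity-check an exported pfSense OpenVPN client profile (added example)."""
import ipaddress
import re

# Constructed sample: the private interface address has leaked into 'remote'.
BAD_PROFILE = """\
dev tun
persist-tun
persist-key
cipher AES-256-GCM
auth SHA256
client
resolv-retry infinite
remote 10.123.123.20 1194 udp
auth-user-pass
remote-cert-tls server
"""

# Constructed sample: Host Name Resolution set to Other with the public WAN IP
# (203.0.113.10 is a placeholder documentation address).
GOOD_PROFILE = BAD_PROFILE.replace("remote 10.123.123.20 1194 udp",
                                   "remote 203.0.113.10 1194 udp")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REMOTE_RE = re.compile(r"^remote\s+(\S+)(?:\s+(\d+))?(?:\s+(\S+))?$")
PROTO_RE = re.compile(r"^proto\s+(\S+)$")


def _strip_comment(line):
    """OpenVPN config comments start with '#' or ';'."""
    return line.split("#", 1)[0].split(";", 1)[0].strip()


def parse_remotes(profile_text):
    """Return (host, port, proto) for every 'remote' directive.

    A 'proto' directive sets the default transport for remotes that do not
    carry one; OpenVPN's own defaults are port 1194 and UDP.
    """
    default_proto = "udp"
    remotes = []
    for raw in profile_text.splitlines():
        line = _strip_comment(raw)
        m = PROTO_RE.match(line)
        if m:
            default_proto = m.group(1).lower()
            continue
        m = REMOTE_RE.match(line)
        if m:
            host, port, proto = m.groups()
            remotes.append((host,
                            int(port) if port else 1194,
                            (proto or default_proto).lower()))
    return remotes


def check_profile(profile_text, expected_port=1194):
    """Return a list of findings; an empty list means the profile looks right."""
    findings = []
    remotes = parse_remotes(profile_text)
    if not remotes:
        return ["no 'remote' directive found"]
    for host, port, proto in remotes:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # A DNS name: cannot be resolved offline, so flag it for manual review.
            findings.append(f"{host}: hostname, verify it resolves to the "
                            "Edge Gateway WAN IP")
        else:
            if any(addr in net for net in RFC1918):
                findings.append(f"{host}: private address, set Host Name "
                                "Resolution to Other with the public WAN IP")
        # pfSense newer exports write 'udp4'/'udp6', so match the prefix.
        if not proto.startswith("udp"):
            findings.append(f"{host}: transport is {proto}, expected udp")
        if port != expected_port:
            findings.append(f"{host}: port is {port}, expected {expected_port}")
    lines = [_strip_comment(l) for l in profile_text.splitlines()]
    if not any(l.startswith("auth-user-pass") for l in lines):
        findings.append("auth-user-pass missing: the client will not prompt "
                        "for the VPN credentials created in User management")
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD_PROFILE", GOOD_PROFILE), ("BAD_PROFILE", BAD_PROFILE)):
        print(name, check_profile(text) or "OK")
```

Run it against a real exported profile by reading the .ovpn file into a string and calling check_profile on it; the checks are deliberately limited to what can be verified offline, which is why a hostname is only flagged for manual review rather than resolved.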
References
https://docs.netgate.com/pfsense/en/latest/general/index.html
https://docs.netgate.com/pfsense/en/latest/usermanager/authentication-servers.html