I spent the weekend testing out OpenVPN-AS and ran into one problem. After an hour or two the connection would die and not restart until I completely exited the software and got back in. Once in a while I noticed that it would lock out my account. After some mulling around, I figured out that it had something to do with the SecurID authentication. I moved from PAM to RADIUS authentication on Friday in hopes that our users could use their keyfobs and not have to remember a separate username/password combo. Although I got it all working, it seems that there is some kind of reauthentication happening during the session on a frequent basis. I'm guessing there is some kind of a timing issue because every once in a while the attempt fails and the session dies. Moving back to PAM (that's basically Linux authentication against the local database) seems to have resolved the issue. Time to get Wireshark out and see what's happening. Stay tuned...
Tuesday, October 20, 2009
Today I set up our first OpenVPN-AS server and man is it cool. A lot of the things I didn’t like about regular OpenVPN (managing certificates, difficult authentication mechanisms, command line management, etc.) are addressed in OpenVPN-AS. You couldn’t ask for better licensing either…$5 per concurrent connection. That’s a software model I can buy into!
First I set up a CentOS server. It’s version 5.3 with minimal stuff loaded. Then I downloaded and ran the rpm right from OpenVPN.net. After a few small configs in pfSense to port forward https over the box I was up and running. I even got RADIUS authentication working off my SecurID box. For testing I just registered for the free 2 user license but I plan on purchasing more after our pilot is complete. If you want VPN for your business the cost is way worth the effort on this package. The difference between configuring OpenVPN and OpenVPN-AS is huge. OpenVPN-AS is way easier to set up and deal with both as an administrator and a user. Now…if they could only include OpenVPN-AS as a package in pfSense…
Wednesday, October 14, 2009
Every once in a while you hit a cool tool that you’ve seen before but forgotten completely. I ran into Super today while researching video conversion tools and forgot about how useful this tool is. Super is a video conversion program that will let you re-encode video files from one format to another. I even like it better than…choke…sniff…VLC…for some conversions even though it’s not Open Source. :) I ran into this tool a few years ago and it got me out of a tight spot and it’s even better now. What I really like is its simplicity. VLC tends to force you to learn all about audio and video codecs if you want to get power out of the tool. Super allows you to pick an “output container” like mpg, wmv, etc. and it does all the hard work picking out the settings for you. It’s great for the video-challenged peeps like me. Enjoy!
Friday, October 09, 2009
I ran into a small DNS issue when I first rolled out our pfsense firewall. I had 4 active interfaces: inside, outside, dmz and wireless. On the PIX I had the wireless segment go directly to the Internet for name resolution. Requests for “inside” services (on the inside or dmz interfaces) were NAT’ed so that the outside public addresses worked correctly. Not wanting to mess with all that NATing again, I was stuck because the rules I wrote were based on private IP addresses which wouldn’t be resolved correctly by a public DNS server. So after messing around a little I found that when set up as a DNS forwarder, the pfsense box will allow you to override specific DNS entries or even an entire domain. Very very cool. I simply added the names I wanted to resolve to the override list with their internal IP addresses and bang! The only requirement was DNS forwarding had to be enabled and the pfsense box was acting as the DHCP server on the wireless interface. Simply leave the DNS values empty and pfsense will advertise itself as the DNS server to DHCP clients.
pfsense rocks the house!
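For anyone who wants to see what the forwarder overrides above boil down to, here is a hand-written equivalent as an added example (not from the original post or from pfSense itself). It assumes pfSense’s DNS forwarder is dnsmasq, and every hostname and address in it is a constructed placeholder.

```conf
# Constructed dnsmasq fragment: the hand-written equivalent of the pfSense
# DNS forwarder overrides described above. Names/addresses are placeholders.

# Host overrides: wireless clients get the DMZ (private) address for the
# public web name instead of the public address the NAT rules are built on.
address=/www.example.com/192.168.2.10
address=/mail.example.com/192.168.2.11

# Domain override: anything under corp.example.com is sent to the internal
# DNS server rather than to the public resolvers.
server=/corp.example.com/192.168.1.5

# Everything else is forwarded to the ISP resolver.
server=203.0.113.53

# Don't leak unqualified names or private reverse lookups upstream.
domain-needed
bogus-priv

# DHCP on the wireless segment: 0.0.0.0 tells dnsmasq to hand out its own
# address as the DNS server, which is what "leaving the DNS values empty"
# achieves in the pfSense GUI.
dhcp-option=option:dns-server,0.0.0.0
```

From a wireless client, a lookup of www.example.com should now return 192.168.2.10 while a lookup against the ISP resolver still returns the public address; that difference is the quick check that the override is in effect.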
Monday, October 05, 2009
This morning, I rolled out pfsense at our biggest site. It was actually the third try, but that’s not pfsense’s fault. A combination of a bad hub and an extremely long ARP timeout period on the ISP’s switch scrubbed the first two attempts. (It was really scary to hear the ISP tech say “Sure I can clear the ARP cache for you…can you tell me what to type?” Egads!) All in all it went well. One thing I forgot about was access to remote subnets on our WAN. I purposely left them out of the routing table on the firewall thinking I’d use IPsec tunnels as a failover mechanism to our WAN. Unfortunately, I completely forgot that they get to the DMZ from the inside to see our website. A few quick static routes fixed that in short order.
My biggest surprise was the fact that I disabled bogon login detection on a previous attempt at getting things running so I had to turn that back on. Turns out that doing that will reset the state table and break everyone’s existing connections! Luckily I found that early during the scheduled downtime so no one was the wiser.
Right now I’m backing up the config as I make changes so I need to automate the backup on a scheduled basis like I did with the PIX. I’m sure I can work something out with Cattools for this.
All in all a successful venture. Two more sites to go and all our firewalls will be pfsense!