So it's a normal day at work, burning through support tickets as usual, when suddenly my boss hands me this red box that a friend gave him. "See if you can get this to work," he says.
So I have a look at it, try to set it up and read some articles about it online. It wasn't easy and took some self-learning about networking and speaking with the lovely staff at Microsoft Azure. But I managed to set up an OpenVPN server on it and create a tunnel to our Azure Virtual Network. I can now connect into the pfSense box via OpenVPN and access our Azure Virtual Network. Let's get started.
Establishing a connection to Azure
I am going to assume you have managed to set up OpenVPN on the pfSense, added your own users to it and have a decent understanding of networking. If you notice something wrong with this post feel free to tweet me.
Feel free to check out this article from Netgate, which has more detailed information on setting up your tunnel; I will be taking most of the suggestions from it anyway.
For starters you will need to set (or note down) the IPv4 Tunnel Network on the pfSense; this is the address space for the LAN of your OpenVPN users. It should fall within one of these address spaces.
I have masked out mine in this screenshot.
You also need the address space for your Azure VNET.
In your pfSense head to VPN and then IPsec in the top navigation, then click add P1 (Phase 1). I assume you already have your Azure VNET set up, so in Azure look for "virtual network gateway" and pick the gateway that your services are using (you can find this in the Connected Devices list when looking at your Virtual Network). You should then see the public IP address of your gateway.
Add the public IP address of your gateway into the Remote Gateway textbox.
Next you need to set up your Phase 1 Proposal Authentication. In this example we will use Mutual PSK: create a random password and place it into the Pre-Shared Key textbox. Set My Identifier to My IP Address and Peer Identifier to Peer IP Address.
Before reading this section about algorithms I encourage you to do some further digging yourself regarding the best algorithms to use, as exploits are bound to be discovered in the near future. I am not responsible if the information below becomes outdated (just conduct additional research after reading the paragraphs below!).
For algorithms use the strongest supported; see Microsoft's "Supported cryptographic algorithms & key strengths" page for Azure. As of writing, that article states that AES256 is supported for IKEv2 encryption.
For the hash algorithm, again it is best to use the strongest supported; as of writing this article SHA384 appears to be the strongest supported by Azure.
For the DH group, ECP384 appears to be the best choice. The article mentions DHGroup24, but from reading around it is suggested that you avoid DH groups 1, 2, 22, 23, and 24.
When it comes to lifetime, 28800 seconds appears to be a good balance, giving frequent rekeying without being too aggressive. You can reduce the lifetime if you want, but it may lower performance on the network as the tunnel will be rekeying itself more often.
Regarding the Advanced Options, make sure Dead Peer Detection is enabled; everything else should be left alone unless you know what you are doing.
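As an added example (my own code, not from the post or from Netgate/Microsoft), here is a small Python helper that generates a random pre-shared key from the operating system's CSPRNG and checks a Phase 1 proposal against the values settled on above (AES256, SHA384, ECP384, a 28800 second lifetime, Dead Peer Detection on, and none of DH groups 1, 2, 22, 23 or 24). The dictionary keys, the MIN_PSK_LEN threshold and the wording of the findings are this example's own assumptions; the full list of what Azure accepts should still be read from the Microsoft article.

```python
import secrets
from typing import Dict, List

# Phase 1 values the post settles on for the Azure side. The DH "avoid" list is
# the one the post quotes; the full set of algorithms Azure accepts lives in the
# Microsoft article the post links to and is deliberately not reproduced here.
RECOMMENDED_P1 = {"encryption": "AES256", "hash": "SHA384", "dhgroup": "ECP384", "lifetime": 28800}
WEAK_DH_GROUPS = {"1", "2", "22", "23", "24"}
MIN_PSK_LEN = 20  # assumed threshold for this example, not a pfSense or Azure limit


def generate_psk(nbytes: int = 32) -> str:
    """Return a random pre-shared key: nbytes from the OS CSPRNG, URL-safe base64 encoded."""
    return secrets.token_urlsafe(nbytes)


def _dh_group_number(dhgroup: str) -> str:
    """Normalise 'DHGroup24', 'DH24' or '24' to '24' so it can be matched against the avoid list."""
    return dhgroup.upper().replace("DHGROUP", "").replace("DH", "")


def check_phase1(proposal: Dict[str, object]) -> List[str]:
    """Compare a Phase 1 proposal (keys: encryption, hash, dhgroup, lifetime, dpd, psk)
    against the post's recommendations. Returns a list of findings; empty means nothing to flag."""
    findings: List[str] = []

    enc = str(proposal.get("encryption", "")).upper()
    if enc != RECOMMENDED_P1["encryption"]:
        findings.append(f"encryption {enc or '<unset>'}: post recommends AES256")

    hsh = str(proposal.get("hash", "")).upper()
    if hsh != RECOMMENDED_P1["hash"]:
        findings.append(f"hash {hsh or '<unset>'}: post recommends SHA384")

    dh = str(proposal.get("dhgroup", ""))
    if _dh_group_number(dh) in WEAK_DH_GROUPS:
        findings.append(f"DH group {dh}: groups 1, 2, 22, 23 and 24 should be avoided")
    elif dh.upper() != RECOMMENDED_P1["dhgroup"]:
        findings.append(f"DH group {dh or '<unset>'}: post recommends ECP384")

    lifetime = int(proposal.get("lifetime", 0) or 0)
    if lifetime <= 0:
        findings.append("lifetime is not set")
    elif lifetime > RECOMMENDED_P1["lifetime"]:
        findings.append(f"lifetime {lifetime}s is longer than the recommended 28800s")

    if not proposal.get("dpd", False):
        findings.append("Dead Peer Detection is disabled; the post says to enable it")

    if len(str(proposal.get("psk", ""))) < MIN_PSK_LEN:
        findings.append("pre-shared key is short or missing; use a random one such as generate_psk()")

    return findings


if __name__ == "__main__":
    # Constructed sample proposal, not taken from any real tunnel.
    sample = {"encryption": "AES256", "hash": "SHA384", "dhgroup": "ECP384",
              "lifetime": 28800, "dpd": True, "psk": generate_psk()}
    print("findings:", check_phase1(sample) or "none")
```

Run it before you fill in the pfSense form: an empty findings list means the proposal matches what this post recommends, and the printed PSK can be pasted into both the pfSense Pre-Shared Key field and the Azure connection.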
Now Phase 2 (P2)
Now we need to set up our Phase 2 rules. In my scenario I have two P2s set up: one for the LAN (subnet) of the OpenVPN network and the other for the LAN (subnet) of the devices connected to the router directly.
Let's start with the LAN P2:
We want to make sure our LAN devices can access our Azure network.
Make sure Local Network is set to LAN subnet.
You then need to specify the Remote Network (Azure), i.e. the address and subnet mask of the Azure address space that can be reached. This is a good tool to figure it out.
Next is the Phase 2 Proposal: it is recommended to use ESP as the protocol. Next are the Encryption and Hash Algorithms; make sure they match what you set in Phase 1. You can read more about it in Netgate's doc here. Feel free to set the PFS Key Group (by default it is set to off). Setting the lifetime to 3600 (one hour) should be more than enough.
For your OpenVPN users you will need to add another Phase 2, but with Local Network set to Network and the address and subnet of your OpenVPN tunnel network specified; everything else should be the same as above.
That should be it; if I have missed anything feel free to message me on Twitter.
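As an added example, not part of the original post, the Python below does the subnet-calculator step with the standard ipaddress module, checks that the LAN subnet, OpenVPN tunnel network and Azure VNET address space are private and do not overlap (overlapping address spaces are the classic reason a site-to-site tunnel comes up but passes no traffic), lays out the two Phase 2 entries described above, and checks that the Phase 2 algorithms match Phase 1. The sample addresses are constructed and the field names are this example's own, not pfSense configuration keys.

```python
import ipaddress
from typing import Dict, List

# RFC 1918 private ranges. The post says the OpenVPN tunnel network must sit inside one of
# these; this example applies the same check to the LAN subnet and the Azure VNET address space.
PRIVATE_RANGES = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_network(cidr: str) -> ipaddress.IPv4Network:
    """Subnet-calculator step: turn an address/prefix such as 10.1.5.7/24 into its network 10.1.5.0/24."""
    return ipaddress.IPv4Network(cidr, strict=False)


def in_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True if the whole network lies inside one of the RFC 1918 ranges."""
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def check_address_plan(lan: str, openvpn_tunnel: str, azure_vnet: str) -> List[str]:
    """Return findings for the three address spaces; an empty list means all are private and disjoint."""
    nets = {"LAN subnet": to_network(lan),
            "OpenVPN tunnel network": to_network(openvpn_tunnel),
            "Azure VNET": to_network(azure_vnet)}
    findings: List[str] = []
    for name, net in nets.items():
        if not in_rfc1918(net):
            findings.append(f"{name} {net} is not inside an RFC 1918 range")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}; "
                                "traffic cannot be routed between overlapping networks")
    return findings


def phase2_entries(lan: str, openvpn_tunnel: str, azure_vnet: str) -> List[Dict[str, str]]:
    """The two Phase 2 entries the post describes: LAN -> Azure and OpenVPN tunnel -> Azure.
    Protocol ESP and a 3600 s lifetime are the post's choices; field names are this example's own."""
    remote = str(to_network(azure_vnet))
    return [
        {"local_type": "LAN subnet", "local": str(to_network(lan)),
         "remote": remote, "protocol": "ESP", "lifetime": "3600"},
        {"local_type": "Network", "local": str(to_network(openvpn_tunnel)),
         "remote": remote, "protocol": "ESP", "lifetime": "3600"},
    ]


def phase2_matches_phase1(p1: Dict[str, str], p2: Dict[str, str]) -> bool:
    """Post's rule: the Phase 2 encryption and hash algorithms must match Phase 1."""
    return (p1["encryption"].upper() == p2["encryption"].upper()
            and p1["hash"].upper() == p2["hash"].upper())


if __name__ == "__main__":
    # Constructed sample plan: router LAN, OpenVPN tunnel network, Azure VNET address space.
    plan = ("192.168.1.7/24", "10.8.0.0/24", "10.1.0.0/16")
    print("findings:", check_address_plan(*plan) or "none")
    for entry in phase2_entries(*plan):
        print(entry)
```

The overlap check is the one worth keeping around: if the Azure VNET address space was chosen before the pfSense networks existed, it is easy to end up with a LAN that sits inside it, and the P2 entries will save fine but never carry traffic.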
Published on: Wednesday, November 14, 2018
Last updated: Wednesday, July 1, 2020