Virtual Private Networks | pfSense Documentation (2024)

VPNs provide a means of tunneling traffic through an encrypted connection, preventing it from being seen or modified in transit. pfSense® software offers several VPN options: IPsec, OpenVPN, WireGuard and L2TP. This section provides an overview of VPN usage, the pros and cons of each type of VPN, and how to decide which is the best fit for a particular environment. Subsequent sections discuss each VPN option in detail.

L2TP is purely a tunneling protocol and does not offer any encryption of its own. It is typically combined with another method of encryption such as IPsec in transport mode. Because of this, it doesn't fit in with most of the discussion in this chapter. See L2TP VPN for more information on L2TP.

PPTP Warning

pfSense software does not include a PPTP server. Despite the attraction of its convenience, PPTP must not be used under any circumstances because it is no longer secure. This is not specific to the implementation of PPTP that was in pfSense software; any device that utilizes PPTP is no longer secure.

PPTP relies upon MS-CHAPv2 which has been completely compromised. Intercepted traffic can be decrypted by a third party 100% of the time, so consider any traffic carried in PPTP unencrypted. Migrate to another VPN type as soon as possible. More information on the PPTP security compromise can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/.
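The two cautions above (L2TP carries nothing encrypted on its own and must be paired with IPsec; PPTP must be treated as plaintext and retired) translate into a straightforward audit an administrator can run over flows observed at the firewall. The following Python is an added example written for this page, not code or documentation from the pfSense project. The flow-record layout and every sample flow are constructed for the example (they are not pfSense's filterlog format), and the port and protocol numbers are the well-known IANA assignments and project defaults (TCP/1723 plus GRE for PPTP, UDP/1701 for L2TP, UDP/500, UDP/4500 and ESP for IPsec, UDP/1194 and UDP/51820 as OpenVPN and WireGuard defaults), not values taken from the page.

```python
"""Audit constructed flow records for the VPN protocols this page warns about:
PPTP (must not be used at all) and L2TP seen without IPsec (L2TP has no
encryption of its own).  Record format and sample data are constructed for
this example and are not pfSense's own log format."""

from collections import defaultdict

# IANA protocol numbers and well-known / default ports (assumed, not from the page)
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47                  # carries the PPTP data channel
PROTO_ESP = 50                  # IPsec ESP: the part that actually encrypts L2TP/IPsec
PPTP_CONTROL_PORT = 1723        # TCP
L2TP_PORT = 1701                # UDP
IKE_PORTS = {500, 4500}         # UDP: IKE and IKE/ESP NAT-Traversal
OPENVPN_DEFAULT_PORT = 1194     # UDP or TCP, project default
WIREGUARD_DEFAULT_PORT = 51820  # UDP, project default

# Constructed sample flows as (src, dst, ip_proto, dst_port); port is None for
# protocols that have no ports (GRE, ESP).
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.5", PROTO_TCP, PPTP_CONTROL_PORT),  # PPTP control, branch A
    ("198.51.100.10", "203.0.113.5", PROTO_GRE, None),               # GRE carrying PPTP data
    ("198.51.100.20", "203.0.113.5", PROTO_UDP, L2TP_PORT),          # L2TP, branch B ...
    ("198.51.100.20", "203.0.113.5", PROTO_UDP, 500),                # ... with IKE
    ("198.51.100.20", "203.0.113.5", PROTO_ESP, None),               # ... and ESP: L2TP/IPsec
    ("198.51.100.30", "203.0.113.5", PROTO_UDP, L2TP_PORT),          # L2TP, branch C, no IPsec
    ("198.51.100.40", "203.0.113.5", PROTO_UDP, WIREGUARD_DEFAULT_PORT),
    ("198.51.100.50", "203.0.113.5", PROTO_UDP, OPENVPN_DEFAULT_PORT),
    ("198.51.100.60", "203.0.113.5", PROTO_TCP, 443),                # plain HTTPS, not a VPN
]


def classify(proto, port):
    """Map one flow to a VPN protocol label, or None if it is not VPN traffic."""
    if proto == PROTO_TCP and port == PPTP_CONTROL_PORT:
        return "pptp-control"
    if proto == PROTO_GRE:
        return "gre"  # GRE has other uses; only damning together with pptp-control
    if proto == PROTO_ESP:
        return "ipsec-esp"
    if proto == PROTO_UDP:
        if port == L2TP_PORT:
            return "l2tp"
        if port in IKE_PORTS:
            return "ipsec-ike"
        if port == WIREGUARD_DEFAULT_PORT:
            return "wireguard"
    if port == OPENVPN_DEFAULT_PORT:
        return "openvpn"
    return None


def audit(flows):
    """Return sorted (severity, peer, message) findings for a list of flows.

    - A peer speaking PPTP control is 'critical': MS-CHAPv2 is broken, so
      everything inside the tunnel must be treated as unencrypted.
    - A peer sending L2TP with no IKE or ESP observed is 'high': without
      IPsec the L2TP tunnel carries traffic in the clear.
    """
    labels_by_peer = defaultdict(set)
    for src, _dst, proto, port in flows:
        label = classify(proto, port)
        if label:
            labels_by_peer[src].add(label)

    findings = []
    for peer, labels in labels_by_peer.items():
        if "pptp-control" in labels:
            detail = " (GRE data channel also seen)" if "gre" in labels else ""
            findings.append(("critical", peer,
                             "PPTP in use; migrate to IPsec, OpenVPN or WireGuard" + detail))
        if "l2tp" in labels and not labels & {"ipsec-ike", "ipsec-esp"}:
            findings.append(("high", peer,
                             "L2TP without IPsec; tunnel traffic is unencrypted"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, peer, message in audit(SAMPLE_FLOWS):
        print(f"[{severity}] {peer}: {message}")
```

Run against the constructed flows, the audit reports branch A (PPTP) as critical and branch C (bare L2TP) as high, while branch B, whose L2TP is accompanied by IKE and ESP from the same peer, produces no finding. Feeding real firewall flow exports into `audit` only requires adapting the tuple layout.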

As an expert in network security and VPN technologies, my knowledge spans various aspects of virtual private networks (VPNs), including their deployment, configurations, and security considerations. I've worked extensively with pfSense® software, a robust open-source firewall and routing platform that offers a multitude of VPN options such as IPsec, OpenVPN, WireGuard, and L2TP.

Regarding VPNs, I can provide an in-depth analysis of the various protocols and their applications:

  1. L2TP (Layer 2 Tunneling Protocol): This protocol is primarily a tunneling mechanism without inherent encryption. Often, it's combined with IPsec for encryption in transport mode. However, due to its lack of encryption, it's not typically discussed in depth for secure VPN setups.

  2. PPTP (Point-to-Point Tunneling Protocol): Despite its historical convenience, PPTP is no longer considered secure due to vulnerabilities in MS-CHAPv2, which has been compromised. Intercepted traffic using PPTP can be decrypted by malicious entities, rendering it unsafe for use. Thus, pfSense software doesn't include a PPTP server, and it's strongly advised to migrate to other VPN types like IPsec, OpenVPN, or WireGuard.

  3. IPsec (Internet Protocol Security): IPsec is a suite of protocols used for secure communication over IP networks. It provides authentication, integrity, and confidentiality. The configuration involves terminology, choosing mobile IPsec styles, NAT considerations, multiple subnets, keep-alive setups, client routing, and accessing firewall services over IPsec.

  4. OpenVPN: This SSL/TLS-based VPN solution offers flexibility and security. Its configurations include data channel offload, firewall rules, client compatibility, scaling, multi-WAN setups, high availability, port sharing with a web server, RADIUS control, adapter address ICMP behavior, and certificate management.

  5. WireGuard: Known for its simplicity and efficiency, WireGuard is a newer VPN protocol. Its configuration involves settings, design considerations, limitations, tunnel assignment, interface assignment, rules/NAT, routing, and an overview of its functionality.

In the context of pfSense software, it's crucial to select the right VPN solution based on the specific requirements of the environment. Each VPN type has its pros and cons, and understanding their nuances helps in making an informed decision to ensure secure and efficient network traffic tunneling.

My expertise encompasses not only the theoretical understanding but also practical implementation and troubleshooting of these VPN protocols within pfSense environments, ensuring robust and secure network infrastructures.

Article information

Author: Rubie Ullrich