Summary:
In this part, we download and install the pfSense virtual router. We create the first VM of the environment, then install and configure pfSense. We also add OpenVPN to the router and configure the server and the client. Skip this section if you don’t need a router or already have one.
This is part 2 out of 12 of the VDI LAB series. Check out the introduction first.
The ultimate VDI deployment guide (from scratch) with VMware vSphere 6.5 and Horizon View 7.3 - 2018. 😉
1. Prerequisites
- Download pfSense open source firewall and router: https://www.pfsense.org/download/
- Copy the ISO to an accessible datastore.
NOTE: Create a folder to store all software ISOs to be used during the whole VDI deployment.
NOTE: Skip this section if you don’t need a router or already have one. The use of this virtual router is for lab purposes. An enterprise router or software should be used for a production environment.
2. The first VM
@ESXi host
- Go to Create / Register VM.
- Select: Create New Virtual Machine.
- Name your VM and choose the operating system (the values in the image below will do).
- Select datastore:
- From Customize Settings: modify CPU, RAM and Hard disk (consider at least 1 GB of RAM). Add a second Network Adapter, and select the WAN network created before and VM Network.
- For CD/DVD Drive, select Datastore ISO File.
- Select the pfSense ISO file.
- ISO will be mounted in the Drive as shown in the image below.
- Review your configuration and click Finish.
3. pfSense Installation
- Power on the VM.
- For pfSense version 2.4.2, follow the images below. It is a straightforward installation: leave everything at its default, press Enter at each prompt, and then reboot.
- After the reboot, the pfSense welcome page will be displayed. From this page, let’s set the LAN interface, which will be used for web configuration later.
- Enter 2 to access the Set interface(s) IP address option.
- Select option 2 for LAN and follow the steps.
- Input the IP address and mask for the router. Mine will be 10.0.0.1/20.
- I won’t use DHCP on the router; I will configure the DHCP services on the Active Directory server.
4. pfSense Configuration
- Access your router via the web GUI at the LAN IP address, 10.0.0.1. The pfSense default user/password is admin/pfsense.
- First, go to Interfaces / WAN and disable the last two options: Block private networks and loopback addresses, and Block bogon networks.
Don’t make any other changes, and don’t click Apply changes yet.
- Go to Firewall / Rules. Let's add two rules. First, click the Add button.
- For the first rule, change only the Source and Destination sections as in the image below, leave the rest at the defaults, and click Save.
- Add a second rule for ICMP, configure it as in the image below, and click Save.
- Reboot the system: go to Diagnostics / Reboot and click Reboot. Wait for the system to come back up, then access the web GUI again.
- Now, let’s configure the interfaces. Go back to Interfaces / WAN and make sure that the interface is enabled. I am going to use DHCP for my WAN interface and disable IPv6 Configuration Type; the rest is left at the defaults. If a static IP is needed, change IPv4 Configuration Type to Static and add the IPv4 Address and Upstream gateway. Click Save.
The LAN interface was previously configured from the CLI, so I won’t change it, but it can be modified if needed, just like the WAN.
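Added example (not part of the original guide, and not pfSense code): a short Python audit of a pfSense config.xml backup that reports the two WAN protections disabled above and every WAN pass rule that accepts any source, which matters if this VM is later moved off a private lab uplink. The sample XML, its interface names and the function name audit_wan are constructed for illustration, and the element names assume the usual config.xml layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed config.xml fragment, not taken from a real router.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable/><if>vmx0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable/><if>vmx1</if><ipaddr>10.0.0.1</ipaddr><subnet>20</subnet></lan>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>icmp</protocol>
      <source><any/></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>1194</port></destination></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination></rule>
  </filter>
</pfsense>"""


def audit_wan(config_xml):
    """Return findings about the WAN settings this guide changes."""
    root = ET.fromstring(config_xml)
    findings = []
    wan = root.find("./interfaces/wan")
    # Assumption: each WAN checkbox is stored as an element present only when ticked.
    for tag, label in (("blockpriv", "Block private networks"),
                       ("blockbogons", "Block bogon networks")):
        if wan is None or wan.find(tag) is None:
            findings.append(f"WAN: '{label}' is disabled")
    for rule in root.findall("./filter/rule"):
        if rule.findtext("interface") != "wan" or rule.findtext("type") != "pass":
            continue  # only pass rules bound to the WAN interface are of interest
        if rule.find("disabled") is not None:
            continue  # rule exists but is switched off
        if rule.find("./source/any") is not None:
            proto = rule.findtext("protocol") or "any"
            port = rule.findtext("./destination/port") or "any"
            findings.append(f"WAN: pass rule from any source ({proto}, port {port})")
    return findings


if __name__ == "__main__":
    for line in audit_wan(SAMPLE_CONFIG):
        print(line)
```

Each finding is expected in this lab setup; the list is what to revisit before the router is connected to anything other than a private upstream network.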
5. pfSense OpenVPN
This section can be skipped. For the sake of easily accessing the whole VDI-LAB remotely, OpenVPN will be installed on this router. I consider this important to manage and monitor all the components from my Client PC.
First, we need to create the certificates that will be needed for the connection, then install the OpenVPN server on the virtual router and the OpenVPN client on the Client PC.
NOTE: Port 1194 must be open on the router that provides internet access to this virtual router.
5.1 pfSense certificates
- Go to System / Cert. Manager / CAs and click the Add button.
- Name the certificate authority (VMlab-CA) and change Method to Create an internal Certificate Authority. The form will change; fill it out as in the image below and click Save.
- Go to System / Cert. Manager / Certificates and click the Add/Sign button.
- Name the certificate (firewall.demo.vmlab.com) and change Method to Create an internal Certificate. Select the certificate authority created before and fill out the form as in the image below.
- Select Server Certificate and click Save.
5.2 pfSense OpenVPN - Server Configuration
- Install OpenVPN. Go to System / Package Manager / Available Packages.
- Search for “openvpn”, click Install and then Confirm.
- The installation should complete successfully.
- Go to VPN / OpenVPN / Wizards.
- For the type of server, select Local User Access.
- Choose the Certificate Authority created previously and click Next.
- Choose the Certificate created previously and click Next.
- In Server Setup, under General OpenVPN Server Information, leave the settings as in the image below.
- Leave Cryptographic Settings at their defaults.
- In Tunnel Settings, input the Tunnel Network as preferred; this is the range of IP addresses that the Client PC will get. Also input the Local Network (same as the LAN interface) and leave the rest at the defaults.
- In Client Settings, input DNS Server 1; in my case it is the IP address that I will use for my Active Directory.
- Click Next.
- Select both traffic rules, as in the image below. This is important: without these traffic rules, there will be issues establishing the connection from the Client PC.
- Click Finish.
- Edit the newly created server.
- In Server Mode, select Remote Access (User Auth), or another mode as preferred. Click Save.
5.3 pfSense OpenVPN - Client Configuration
@pfSense router
- Create a new user for remote access. Go to System / User Manager and click Add.
- Add a username and password, click Certificate and add the certificate created before. Leave the rest at the defaults and click Save.
- Go to VPN / OpenVPN / Client Export and look for OpenVPN Clients. Select the client to export according to your OS; in my case, Windows Vista and Later. Note: Run it on the computer you want to use as a client for the remote access.
@Client PC
- Run the OpenVPN client installer. Follow the installation wizard, leave the components to install at their defaults, and click Finish.
- Run OpenVPN GUI; it should now appear in the taskbar.
- Right-click the OpenVPN GUI icon and click Settings.
- In the settings, check Launch on Windows startup and click OK.
- Double-click OpenVPN GUI to launch the connection. Input the username and password created in the previous steps. Click OK.
The connection will be established, and we will be ready to connect remotely to our lab.