Wireguard configuration on pfSense 2.4.5

After installing WireGuard on your pfSense, follow the procedure below to establish remote connectivity. Please see my other post on how to install WireGuard on pfSense 2.4.5.

There are 2 main use cases for a WireGuard VPN:

  1. Remote Access – for users outside the network to gain access to resources inside the network.
  2. Site to site VPN – for establishing a VPN with a VPN provider and routing traffic through it.

The steps for both are very similar.

  1. Go to VPN > Wireguard > Interface
  2. Here define the following
    • Address – Choose an unused network. This is used as the tunnel endpoint IP on your pfSense. I chose 10.100.100.1/24
    • Listen Port – 51830
    • DNS Server – 1.1.1.1
    • Hit Generate to generate a Server_Public_Key and Server_Private_Key.
    • Hit Advanced – Set MTU to 1412 (you can try the default, but I had issues with my mobile devices on 4G connecting to the server)
    • PostUp Script (only needed if your use case is Site to Site VPN and you want to selectively route traffic through the remote server; you do not need this for the Remote Access use case. By default, when you add a remote VPN server with the intention of routing your internet traffic through it, WireGuard points the default route at the remote server, so all LAN traffic goes through it. Deleting the two routes below removes that override so you can route selectively.)
      • route delete 0.0.0.0/1
      • route delete 128.0.0.0/1
  3. Next head over to VPN > Wireguard > Peers and let's create a Remote Access peer
    1. Generate Peer Config
    2. Remote Peer
      • Name: e.g. iPhone
      • Address: This is the tunnel address of the iPhone – I changed it to 10.100.100.2/32 (important: this is a /32)
      • DNS – I kept 1.1.1.1
      • Private Key: This is the private key of the iPhone client > make a note
      • Public Key: This is the public key of the iPhone client > make a note
      • Presharedkey: Blank
      • Public Key: Public Key of the iPhone's Wireguard
    3. pfSense Information
      • Leave as is
    4. Advanced Features
      • Leave as is
    5. Install Wireguard on the iPhone and scan the QR code generated above.
    6. Hit save on pfSense and navigate to Peers. Select the iPhone peer. Important: Allowed IPs should show 10.100.100.2/32 (if not, change it and save again)
    7. Go back to VPN > Wireguard and restart the Wireguard package from the top right. If it doesn't restart then you have a config error. Look through the instructions again.
    8. Now go to Firewall > Rules > WAN and set an Allow rule for UDP traffic to port 51830.
    9. Then go to Interfaces > Assignments and assign a new interface to tunwg0 – name it WGRD.
    10. Go to Firewall > Rules > WGRD > Allow source WGRD net to dest any (this will allow any traffic coming in to hit the internal LAN). You can also go granular here and allow access only to certain IPs, using 10.100.100.2 (or whatever the remote device's IP address is) as the source.
    11. Optional: If you want to allow the remote user to 'break out' to the internet from your pfSense, then add a firewall rule on the WGRD interface with the Gateway set to WAN_DHCP. You will also have to set up the appropriate outbound NAT rule.

  4. For a Site to site VPN – the only changes are
    1. PostUp script
      • route delete 0.0.0.0/1
      • route delete 128.0.0.0/1
    2. Allowed IPs on the pfSense side should be 0.0.0.0/0
    3. Optional: If you want only certain LAN devices to use this site to site VPN, then go to System > Routing > Gateways and create a new Wireguard Gateway.

This is how things should look on your pfSense firewall (the output of wg show on the shell):

interface: tunwg0
  public key: AbTu/MPAZ232340jw5TlMEuwyiOM954K7RoPHo0eLRM=  (Public Key of pfSense wg)
  private key: (hidden)
  listening port: 51830

peer: asdasdasdasdassdA6sPYNqw1cccxFwDs1Z9oRaP97Do=  (Public Key of remote vpn server)
  endpoint: xx.xx.xx.xx:44436 (IP of remote vpn server >> Populated automatically)
  allowed ips: 0.0.0.0/0 
  latest handshake: 37 seconds ago
  transfer: 200.31 MiB received, 4.89 MiB sent
  persistent keepalive: every 25 seconds

peer: +fWuE2nLkDHcrz9whuBDh7T7UBvqlGU30cm+UjR9nAA= (Public Key of iPhone client)
  allowed ips: 10.100.100.2/32

Upgrade ntop-ng to v4.2 on pfSense 2.4.5

CAUTION: Sideloading applications like this into production firewalls is a strict no-no. You have been warned.

  • Install ntopng from the package manager on pfSense (if not installed). Do not start the package.
  • If ntopng was already installed, make sure to stop it by going to Diagnostics > ntopng settings.
  • SSH into the firewall and execute the following commands. These overwrite the existing pfSense packages, upgrading them.
  • pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/zstd-1.4.5_1.txz
  • pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/All/json-c-0.15.txz
  • pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ntopng-4.2.d20201102,1.txz
  • pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ndpi-3.4.d20201101,1.txz
  • For all other CPU architectures (non 64-bit), or for errors stating that a package was not found, you will need to find the correct version of the package. For that, visit https://www.freshports.org/net/ntopng, https://www.freshports.org/net/ndpi etc. and select the correct version of the package. Do it for all 4 packages.
  • After a successful install, you can go to Diagnostics > ntopng settings and start the package from there. For good measure you may want a reboot (although not needed). Give it a couple of minutes on the first start to come up.
    • To remove a package use 'pkg remove -f <package_version>', e.g. 'pkg remove -f ntopng-4.2.d20201102,1.txz'
    • To get details about the version of an installed package use 'pkg info <ntop-ng>'.

DNS over HTTPS on Ubiquiti USG

If you wish to run your DNS queries over HTTPS to Cloudflare's 1.1.1.1 from a Ubiquiti USG, then read on.

The first step is to compile and install cloudflared. I used a Mac and Docker to compile the binary from GitHub.

docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp -e GOOS=linux -e GOARCH=mips golang bash -c "go get -v github.com/cloudflare/cloudflared/cmd/cloudflared; GOOS=linux GOARCH=mips go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared"

After compiling you'll end up with a file called cloudflared on your local machine. Copy this over to the USG in the /config/scripts/ folder. You could use SCP, or a GUI-based client for Mac like Transmit.

Log in to the USG via shell, then become root with sudo su. Change permissions to make the file executable.

sudo su
chmod +x /config/scripts/cloudflared

Create an auto-startup script and place it in /config/scripts/post-config.d

vi /config/scripts/post-config.d/cloudflare-dns.sh


#!/bin/bash

# start DNS proxy to Cloud Flare

/usr/bin/pkill cloudflared

nohup /config/scripts/cloudflared --no-autoupdate --proxy-dns --proxy-dns-port 5053 &>/var/log/cloudflared.log &

Change permission to make the file executable.

chmod +x /config/scripts/post-config.d/cloudflare-dns.sh

Using a text editor such as TextEdit or Atom on your Mac, create the following JSON file. The structure of a JSON file is just as important as the words themselves: incorrect placement of brackets, indentation, line breaks or any other structural element will make the file invalid. Save it as config.gateway.json

{

        "service": {
                "dns": {
                        "forwarding": {
                                "options": [
                                        "no-resolv",
                                        "strict-order",
                                        "server=127.0.0.1#5053",
                                        "server=1.1.1.1",
                                        "server=1.0.0.1",
                                        "domain=my.domain.com,192.168.1.0/24,local"
                                ]
                        }
                }
        }
}

Now copy this file to your Controller under the following folder (you could use SCP, or a GUI-based client for Mac like Transmit). On a Cloud Key install the path for the .json file is: /srv/unifi/data/sites/[site name/default]/

Read here for more information on the config.gateway.json file: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration

Once done, head over to your controller dashboard, select Devices, select the USG, select Config, select Manage Device, then select Force Provision.

Once the provisioning completes, validate that the DNS on your machine is pointing to the USG IP. Test your DNS by visiting the following page on your Mac.

https://www.cloudflare.com/ssl/encrypted-sni/


(Screenshot of the Cloudflare test result, 2018-10-22)

If it doesn't work, delete the 2 lines shown in red in config.gateway.json and force-provision again.
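Because a structural mistake in config.gateway.json silently breaks provisioning, and because the plain server= entries are where queries would go unencrypted, here is an added check (example code, not from the original post or from Ubiquiti) that parses the file, confirms the service.dns.forwarding.options path exists, and reports which dnsmasq settings would send queries anywhere other than cloudflared. It assumes cloudflared listens on 127.0.0.1#5053 as configured above; the embedded JSON is the post's block, reflowed.

```python
import json

# The post's config.gateway.json block, embedded here as a constructed sample.
SAMPLE_JSON = """{"service": {"dns": {"forwarding": {"options": [
  "no-resolv", "strict-order", "server=127.0.0.1#5053",
  "server=1.1.1.1", "server=1.0.0.1",
  "domain=my.domain.com,192.168.1.0/24,local"]}}}}"""
DOH_PROXY = "127.0.0.1#5053"  # where cloudflared --proxy-dns-port 5053 listens (assumed)

def dns_options(config_text):
    """Parse the file and return service.dns.forwarding.options; ValueError if malformed."""
    cfg = json.loads(config_text)  # JSONDecodeError (a ValueError) on bracket or comma mistakes
    try:
        opts = cfg["service"]["dns"]["forwarding"]["options"]
    except (KeyError, TypeError):
        raise ValueError("service.dns.forwarding.options is missing")
    if not isinstance(opts, list) or not all(isinstance(o, str) for o in opts):
        raise ValueError("options must be a list of strings")
    return opts

def is_valid(config_text):
    """True if the file has the structure the USG expects for DNS forwarding."""
    try:
        dns_options(config_text)
        return True
    except ValueError:
        return False

def audit_options(opts):
    """Report dnsmasq settings that would send queries somewhere other than cloudflared."""
    servers = [o.split("=", 1)[1] for o in opts if o.startswith("server=")]
    findings = []
    if "no-resolv" not in opts:
        findings.append("no-resolv missing: resolvers from /etc/resolv.conf are used as well")
    if DOH_PROXY not in servers:
        findings.append("DoH proxy %s not listed: queries never reach cloudflared" % DOH_PROXY)
    elif "strict-order" not in opts:
        findings.append("strict-order missing: dnsmasq picks whichever server answers fastest")
    elif servers[0] != DOH_PROXY:
        findings.append("DoH proxy is not the first server: strict-order tries the others before it")
    plaintext = [s for s in servers if "#" not in s]  # no #port means classic port 53
    if plaintext:
        findings.append("plaintext fallback to %s: queries leave on port 53 whenever cloudflared does not answer" % ", ".join(plaintext))
    return findings
```

With the post's file the only finding is the plaintext fallback, which is the trade-off between resolution that survives a cloudflared failure and DNS that never leaves the box unencrypted.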

EDIT:

So apparently, after a reboot of the USG, I started seeing errors in the logs stating that a secure connection to 1.1.1.1 cannot be made. I first thought the ISP is blocking the connection but later realized that my WAN IP persisted after a reboot. I tried multiple combinations, but the following worked

<Kill the process>
ps -ef| grep cloudflared
kill -9 <Process ID of cloudflared from command above>

<remove startup script>
rm -rf /config/scripts/post-config.d/cloudflare-dns.sh

<reboot USG>
<start cloudflared>
nohup /config/scripts/cloudflared --no-autoupdate --proxy-dns --proxy-dns-port 5053 &>/var/log/cloudflared.log &
<validate no errors in /var/log/cloudflared.log>

<Reset contents of config.gateway.json to the one above - which means if you deleted the text in RED put it back>
<Force provision USG again>
<Test - https://www.cloudflare.com/ssl/encrypted-sni/>
<If it still doesn't work, delete the 2 RED lines in config.gateway.json>


Source

https://community.ubnt.com/t5/UniFi-Routing-Switching/Countering-plaintext-DNS-with-1-1-1-1/td-p/2300769

https://bendews.com/posts/implement-dns-over-https/