# NASA 3! VPN Workflow
### Add Certificate Authority & Server Certificate
1. System → Trust → Authorities → Add
```
Description: OPNsense-VPN-CA
Method: Create an internal Certificate Authority
Country / City / Organization: Taiwan / Taipei / NTU CSIE
```
2. System → Trust → Certificates → Add
```
Description: OpenVPN-Server-Cert
Type: Server Certificate
Issuer: OPNsense-VPN-CA
```
### Add VPN Server & Firewall Rules
1. VPN → OpenVPN → Instances → Edit
```
Role: Server
Description: NASA_OpenVPN
Protocol: UDP (IPv4)
Port Number: 1194
Server (IPv4): 10.8.0.0/24
Certificate: OpenVPN-Server-Cert
Authentication: Local Database
Local Network: 172.16.0.0/24
Redirect gateway: Nothing selected
```
2. Firewall → Rules → WAN → Add
```
Action: Pass
Protocol: UDP
Source: any
Destination: WAN address
Destination port range: from OpenVPN to OpenVPN
```
3. Firewall → Rules → OpenVPN → Add
```
Action: Pass
Protocol: any
Source: OpenVPN net
Destination: LAN net
```
### Set TLS Static Key (After Test & Troubleshoot Step 14)
1. VPN → OpenVPN → Instances → Static Keys → Add
```
Description: NASA_OpenVPN_key
Mode: crypt
```
2. VPN → OpenVPN → Instances → Edit
```
(In advanced mode)
Keep alive interval: 10
Keep alive timeout: 120
TLS static key: NASA_OpenVPN_key[crypt]
Local Network: 172.16.127.0/24 -> 172.16.0.0/16
```
3. Firewall → Rules → OpenVPN → Edit
```
Source: any -> OpenVPN net
Destination: any -> LAN net
```
### Set VPN with Internal LDAP (iden1: 172.16.127.105)
1. System → Trust → Authorities → Add
```
Method: Import an existing Certificate Authority
Description: NASA-LDAP-CA
Certificate data: <content of ca.crt on 172.16.127.105>
```
2. System → Access → Servers → Add
```
Descriptive name: NASA_LDAP
Type: LDAP
Hostname or IP address: 172.16.127.105
Port value: 636
Transport: SSL - Encrypted
Protocol version: 3
Bind credentials:
User DN: cn=admin,dc=csie,dc=ntu,dc=edu,dc=tw
Password: <DN password>
Search scope: Entire Subtree
Base DN: dc=csie,dc=ntu,dc=edu,dc=tw
Authentication containers: ou=people,dc=csie,dc=ntu,dc=edu,dc=tw
User naming attribute: uid
```
3. VPN → OpenVPN → Instances → Edit
```
(In advanced mode)
Authentication: Local Database -> Local Database, NASA_LDAP
Username as CN: ✅
```
## Test & Troubleshoot
1. System → Trust → Certificates → Add
```
Method: Reissue and replace certificate (does not restart services)
Description: vpnuser-cert
Type: Client Certificate
Issuer: OPNsense-VPN-CA
Common Name: vpnuser
```
2. VPN → OpenVPN → Client Export
```
Remote Access Server: NASA_OpenVPN udp4:1194
Export Type: File Only
Hostname: 140.112.187.49
Port: 1194
```
3. Download the `.ovpn` file of `vpnuser-cert`.
4. Open OpenVPN Connect and upload the `.ovpn` file. Try to connect to `140.112.187.49` without connecting to CSIE VPN.
```
Account: vpnuser
Password: nasa3!VPN
```
5. The client shows the VPN as securely connected with the private IP `10.8.0.2`, but I cannot `ping 10.8.0.2` from my local terminal. So I modify the OpenVPN firewall rule as follows, after which I can `ping 10.8.0.2`.
```
Source: OpenVPN net -> any
Destination: LAN net -> any
```
6. Now I still cannot `ping 172.16.127.254`. Running `traceroute 172.16.127.254` suggests that the problem may be an IP subnet overlap.
```
1 192.168.0.1 (192.168.0.1) 5.472 ms 4.756 ms 3.734 ms
2 10.110.192.1 (10.110.192.1) 14.298 ms 16.346 ms 14.853 ms
......
```
7. I spot that there is a mistake in the OpenVPN instance. After fixing it, I can `ping 172.16.127.254` and open the OPNsense GUI without connecting to CSIE VPN.
```
Local Network: 172.16.0.0/24 -> 172.16.254.0/24
```
8. Now there is another issue. We can `ping 172.16.127.254` when connected to NASA 3! VPN, but `ping 172.16.127.X` fails (`X` is anything other than 254). The `traceroute` results for the two IPs are as follows.
```
% traceroute 172.16.127.254
1 * * *
......
% traceroute 172.16.127.105
1 10.8.0.1 (10.8.0.1) 15.446 ms 12.715 ms 13.643 ms
2 * * *
......
```
9. The server `172.16.127.X` does receive the packet from `10.8.0.X`, but its default gateway is not set to the OPNsense, so when it tries to reply it forwards the reply to another router on the network. That router does not recognize `10.8.0.X` and discards the packet, so no reply is received. Thus we need to set up LAN outbound NAT.
10. Go to Firewall → NAT → Outbound and select `Hybrid outbound NAT rule generation`. Then add a manual rule.
```
Interface: LAN
Source address: OpenVPN net
Translation / target: Interface address
```
11. Now we can `ping 172.16.127.X`, `ssh iden1@172.16.127.105`, and log in to the web GUI at `https://172.16.127.16:8006` over NASA 3! VPN successfully.
12. In the 04/09 meeting, we find that we cannot connect to the 3! VPN with the command-line client in a terminal. The output is as follows.
```
TCP/UDP: Preserving recently used remote address: [AF_INET]140.112.187.49:1194
UDPv4 link local: (not bound)
UDPv4 link remote: [AF_INET]140.112.187.49:1194
VERIFY ERROR: could not extract CN from X509 subject string \
('C=TW, L=Taipei, O=NTU CSIE') \
-- note that the field length is limited to 64 characters
OpenSSL: error:0A000086:SSL routines::certificate verify failed:
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
```
13. Go to System → Trust → Certificates and edit `OpenVPN-Server-Cert`.
```
Common Name: 140.112.187.49
```
14. Go to Lobby → Dashboard → Services and restart OpenVPN. We can now connect to the 3! VPN with the `sudo openvpn NASA_OpenVPN_vpnuser.ovpn` command.
15. In the midterm demo, the professor suggested that we use routing rather than LAN outbound NAT to solve the asymmetric routing problem. First we disable the "reply-to" option: go to Firewall → Rules → OpenVPN and edit the OpenVPN net → LAN net rule under advanced features.
```
reply-to: default -> disable
```
16. Now we encounter two issues. First, we cannot `ping 10.8.0.X` when connected to the VPN. Second, both `traceroute 172.16.127.254` and `traceroute 10.8.0.1` return `1 * * *`.
17. Go to Firewall → Rules → OpenVPN and add new rules.
```
Action: Pass
Interface: OpenVPN
Protocol: any
Source: OpenVPN network
Destination: This Firewall
```
```
Action: Pass
Protocol: ICMP
Source: OpenVPN network
Destination: any
```
18. Now we can `ping 10.8.0.X` when connected. Also, the outputs of `traceroute -I` are as follows.
```
% traceroute -I 172.16.127.254
1 172.16.127.254 (172.16.127.254) 10.497 ms 4.487 ms 4.297 ms
% traceroute -I 10.8.0.1
1 10.8.0.1 (10.8.0.1) 13.813 ms 7.538 ms 5.942 ms
% traceroute -I 172.16.127.105
1 10.8.0.1 (10.8.0.1) 13.061 ms 7.321 ms 6.820 ms
2 172.16.127.105 (172.16.127.105) 6.150 ms 5.859 ms 6.806 m
```
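As an added illustration (not part of the original notes) of why the replies in step 9 went astray and how step 10 (outbound NAT) and step 15 (routing) each fix it, the script below models a LAN host's routing decision with Python's `ipaddress` module. The host routing table, the other router's address `172.16.127.1` and the client address `10.8.0.2` are constructed assumptions, not values taken from the lab.

```python
import ipaddress

# Addresses from the notes: OPNsense LAN side, tunnel net and LAN net.
OPNSENSE_LAN_IP = ipaddress.ip_address("172.16.127.254")
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
LAN_NET = ipaddress.ip_network("172.16.127.0/24")
# Assumed address of the "other router" that the LAN hosts use as default gateway.
OTHER_ROUTER = ipaddress.ip_address("172.16.127.1")

# Constructed routing table of a LAN host such as 172.16.127.105:
# (network, gateway); gateway None means the network is directly connected.
HOST_ROUTES = [
    (LAN_NET, None),
    (ipaddress.ip_network("0.0.0.0/0"), OTHER_ROUTER),
]


def next_hop(routes, dst):
    """Longest-prefix match: return the gateway the host sends dst to (None = on-link)."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def reply_reaches_opnsense(routes, reply_dst):
    """True if the host's reply to reply_dst is handed back to OPNsense (symmetric path)."""
    gw = next_hop(routes, reply_dst)
    # Either the next hop is OPNsense, or the packet is on-link and addressed to OPNsense itself.
    return gw == OPNSENSE_LAN_IP or (gw is None and reply_dst == OPNSENSE_LAN_IP)


def fix_with_route(routes):
    """Step-15 style fix: static route for the tunnel net via OPNsense on the LAN host."""
    return [(VPN_NET, OPNSENSE_LAN_IP)] + list(routes)


def fix_with_nat(client_ip):
    """Step-10 style fix: outbound NAT on LAN rewrites a tunnel source to OPNsense's LAN address."""
    return OPNSENSE_LAN_IP if client_ip in VPN_NET else client_ip


if __name__ == "__main__":
    client = ipaddress.ip_address("10.8.0.2")
    print("no fix     ->", reply_reaches_opnsense(HOST_ROUTES, client))            # False
    print("static route ->", reply_reaches_opnsense(fix_with_route(HOST_ROUTES), client))  # True
    print("outbound NAT ->", reply_reaches_opnsense(HOST_ROUTES, fix_with_nat(client)))     # True
```

Without a fix the reply is sent to the other router, which matches the `1 10.8.0.1` / `2 * * *` traceroute in step 8; NAT hides the tunnel addresses from the LAN, while the static route keeps the real client address visible in the host's logs.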
<!-- ## TODO
1. SSO with generic profile
2. Integrate with LDAP -->