Quick & Easy Let’s Encrypt Setup on pfSense using ACME

There is a wonderful new capability in pfSense to use Let’s Encrypt to automatically and securely generate fully recognized TLS certificates.

This is a great thing because security is important. Using self-signed certs is annoying at best. You still completely control your private key when using ACME via services such as Let’s Encrypt, so there is no security downfall to using it.

How-to use Let’s Encrypt on pfSense

Under System / Package Manager / Available Packages you should find a package called acme. Click the install button and allow it to complete.

Once installed you should find Acme Certificates under the Services menu.

The first step is to create your account keys. Enter a name, select the production server if you want this to be live.
Click “Create new account key” to generate a key and insert it into the Account key box.
Finally click the Register button and Save.

The next step is to create your certificate. Under Certificates click the Add button.
Enter the details such as the name.

In the Table you will see I selected “standalone HTTP server” and in the options set the listen port to 8082. This is important because the ACME server needs to be able to access this standalone HTTP server on port 80. We will accomplish this with a port forward rule in the next step.

Under Firewall / NAT / Port Forward create a new rule that forwards port 80 HTTP to your pfSense IP address which is 192.168.1.1 by default.
This allows the ACME server to communicate with your device to verify ownership.

Of course you can use other methods, I just found this to be the simplest option assuming that you have something already running on port 80 like I do.

Now let’s go back to Acme Certificates, and click the Issue/Renew button. If the domain name you used has correctly configured DNS, you should have a freshly minted certificate available for use under System / Cert. Manager.

To use this new certificate from the pfSense webConfigurator like I am, go to System / Advanced / Admin Access and select your new certificate under the SSL Certificate drop down menu.

Onward to TLS everywhere!

We’ve started an Online Disc Store

img_7617_bf0cb84e-4b86-4f89-9904-b60252675d96_1000xMy wife Melodie had the idea of having a family based business that we’d be able to do, and since we all enjoy disc sports and e-commerce is relatively easy to get into we said, hey let’s try setting up an online disc store and run the inventory from our garage!
So starting today you can now find our new family business at mydisc.ca.

We carry the awesome rubber based discs from Vibram Disc Golf, and the Canadian made discs from Daredevil Discs here in Ontario. Official Ultimate discs and the really nice flex golf discs that are great for playing in the cold.

Check it out, and if you’d like to try out some new discs we’d love to have your business!

 

How-to use Media Vault with Nginx

The Media Vault plugin for WordPress is the only WordPress plugin that I’m aware of that allows you to protect uploaded files from public access. Protecting your WordPress web site is relatively easy and there a bunch of great plugins that help make your site private for internal use.

But there is a bit of a catch, the Media Vault plugin only supports Apache web servers. So if you’re running your WordPress installation on Nginx, there’s a small hack you need in order to make it work.

Step 1 – Install and modify the plugin

First of all install the Media Vault plugin like you normally would, and it will give you a message that you need to activate the Apache rewrite rules. Of course it won’t work, so in order to activate the plugin we’ll do this.

  1. Under WordPress Admin go to Plugins / Editor to edit the Media Vault plugin.
  2. From the “Select plugin to edit:” menu select “Media Vault” and click Select
  3. On the right-hand side click on the media-vault/_mediavault.php plugin file.
  4. Look for a line that reads: “function mgjp_mv_check_rewrite_rules( $deactivation = false ) {
  5. Modify the return statement in that function so it reads: return true;

That simply makes the activation successful even though we don’t actually have it working yet. The reason we have to do this is because the nginx rewrite rules that we’re going to add work, but don’t pass the test in this function because they don’t return the same http codes that apache does.

Step 2 – Configure Nginx

Here’s what my relevant nginx configuration looks like, you can copy parts as needed:

location / {
    rewrite ^/wp-content/uploads(/_mediavault/.*\.\w+)$ /index.php?mgjp_mv_file=$1 last;
    if ($args ~* "^(?:.*&)?mgjp_mv_download=safeforce(?:&.*)?$") {
        rewrite ^/wp-content/uploads(/.*\.\w+)$ /index.php/?mgjp_mv_file=$1 last;
    }
 
    try_files $uri $uri/ @rewrites;
}

location @rewrites {
    rewrite ^ /index.php last;
}

location /wp-content/uploads {
    rewrite /wp-content/uploads/([1-9]+.+) /wp-content/uploads/_mediavault/$1 redirect;
}

This configure takes care of WordPress pretty-urls, Media Vault rules, and also redirects any old upload URLs from your media library to the new media vault protected URL. This was helpful in our case were we already had a lot of existing media in use in the WordPress site and it would have taken a lot of effort to update all the URLs on the pages.

Hope this helps someone out there, enjoy!

How-to configure Wi-fi in pfSense

Netgate offers the 802.11a/b/g/n wireless kit for APU but configuring pfSense to use it is not immediately apparent and I was not able to find a recent how-to or tutorial on how to do the setup. This tutorial is using pfSense 2.2 but should work with 2.1 as well.

This tutorial will help you configure a bridged LAN Wi-fi network. We won’t be dealing with creating a guest wifi network but if requested I’m willing to do that later.

It’s all about the bridge

The most tricky part of this is configuring the LAN bridge to the Wi-fi interface. I’m going to assume that you already have a LAN interface configured and your pfSense is working great. Now all you want to do is configure the wireless.

If you go to Interfaces->(assign) you probably see something like this.
Screen Shot 2015-02-20 at 21.17.13

Now in order to create the bridge without getting disconnected we need to do a bit of trickery.

Assign a new interface to something that is not in-use. For example a network port that you’re not using or even create a PPP interface temporarily just so you have something to assign it to. Once created it will probably be called OPT1 or OPT2. Go ahead and click on it, enable it, and rename it to LAN_PORT. It should then look something like this.
Screen Shot 2015-02-20 at 21.23.31

You should also have an interface assigned for you wifi card such as the wireless kit from Netgate. It might look like this.

Screen Shot 2015-02-20 at 21.26.44

And if you open the interface it should be enabled.

Screen Shot 2015-02-20 at 21.26.55

IPv4 and IPv6 configuration should be set to None for both the Wifi and LAN_PORT interface.

Now it’s time to actually configure the bridge. Under Interfaces->(assign) click on the Bridges tab. Click the + icon to add a new bridge.

Under Member interfaces select both the Wifi and LAN_PORT interfaces that you setup.
Click Save and apply these changes and you should see something like this.
Screen Shot 2015-02-20 at 21.33.18

Now go back to Interface assignments, and we want to adjust the assignments a little.

Assign the BRIDGE0 port to your LAN interface. And assign the port that was originally assigned to your LAN interface to the LAN_PORT interface. It should then look something like this.
Screen Shot 2015-02-20 at 21.34.46 Screen Shot 2015-02-20 at 21.34.54

In my case re2 was originally assigned to LAN and is now assigned to LAN_PORT.
Save these settings and apply, and you’re finished with the bridge!

More Wi-fi Settings

Now it’s time for the wireless settings. There are some gotchas that we’ll mention, but first here are screenshots of my configuration that is working great.

(To get to this configuration click on the Wifi interface from the Interfaces assignment tab.)

Screen Shot 2015-02-20 at 21.40.32 Screen Shot 2015-02-20 at 21.40.45 Screen Shot 2015-02-20 at 21.41.28

WPA Pairwise has to be set to Both, if you set it to AES the wifi will stop working. In my testing I found it was best to set WPA Mode to WPA2 and leave the Pairwise set to Both.

Otherwise you should be fine copying all the wireless settings from my screenshots, of course you’ll choose a different pre-shared key and SSID 🙂

Remember that your LAN IP address and other network settings must now be configured on the interface that you assigned to the bridge, and also DHCP should be enabled on that same interface.