Differences

This shows you the differences between two versions of the page.

--- pfsense:vpn:openvpn:configure_an_openvpn_server:using_a_wizard [2021/02/17 11:27] – [Create the Server Certificate] peter
+++ pfsense:vpn:openvpn:configure_an_openvpn_server:using_a_wizard [2021/02/17 13:41] (current) – [Install the Client Certificate] peter
@@ Line 40: / Line 40: @@
   * Descriptive Name:  **<some name to make it easy to identify**.
   * Key length: **2048 bit**.
-  * Lifetime:  **3650**.  (10 years).
+  * Lifetime:  **365**.  (1 year).
 <WRAP info>
-**NOTE:**  All other default parameters can be left as default.
+**NOTE:**  The Lifetime can only be set for a short timeframe.  See the comment against that fields.
+All other default parameters can be left as default.
 </WRAP>
@@ Line 54: / Line 56: @@
 ===== Configure the VPN Server =====
-Now Create the actual VPN server configuration.
+In **General OpenVPN Server Information**:
-General OpenVPN Server Information:
   * Interface:  **WAN**.  Or select the interface on which we want our service to listen.  If we have more than one WAN interface choose the one you want to dedicate to the service.  Later we can select multiple interfaces for greater redundancy.
@@ Line 67: / Line 67: @@
 ----
-Cryptographic Settings:
+In **Cryptographic Settings**:
   * TLS Authentication:  **Checked**.
@@ Line 80: / Line 80: @@
 ----
-Tunnel Settings:
+In **Tunnel Settings**:
   * Tunnel Network:  **10.20.30.0/24**.
@@ Line 90: / Line 90: @@
   * Inter-Client-Communication:  **Not Checked**.
   * Duplicate Connections:  **Not Checked**.
+<WRAP info>
+**NOTE:**  The Tunnel Network acts as an intermediary.
+Any local address, could be used here.  i.e. RFC1918 Compliant.
+  * **RFC1918 Compliant**:  (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
+Take care not to choose 10.10.10.1 as this could conflict with pfBlockerNG
+</WRAP>
 {{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_wizard_-_server_setup_-_tunnel_settings.png?800|}}
@@ Line 95: / Line 106: @@
 ----
-Client Settings:
+In **Client Settings**:
   * Dynamic IP:  **Checked**.
@@ Line 121: / Line 132: @@
 ===== Success =====
+==== OpenVPN Server ====
+Navigate to **VPN -> OpenVPN -> Servers**.
 {{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_servers.png?800|}}
+----
+==== Firewall Rules - WAN ====
+Navigate to **Firewall -> Rules -> WAN**.
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_firewall_-_rules_-_wan_-_openvpn.png?800|}}
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_firewall_-_rules_-_wan_-_openvpn_-_edit.png?800|}}
+----
+==== Firewall Rules - OpenVPN ====
+Navigate to **Firewall -> Rules -> OpenVPN**.
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_firewall_-_rules_-_openvpn.png?800|}}
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_firewall_-_rules_-_openvpn_-_edit.png?800|}}
+----
+==== Cert Manager - CAs ====
+Navigate to **System - Cert Manager - CAs**.
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_system_-_cert_manager_-_cas.png?600|}}
+----
+==== Cert Manager - Certificates ====
+Navigate to **System - Cert Manager - Certificates**.
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_system_-_cert_manager_-_certificates.png?800|}}
 ----
@@ Line 140: / Line 192: @@
   * Lifetime:  **3650**.
-In this way we will have created both the user and the associated certificate in a single operation
+<WRAP info>
+**NOTE:**  This creates both the user and the associated certificate in a single operation
+</WRAP>
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_system_-_user_manager_-_users_-_peter_roux.png?800|}}
+----
 <WRAP info>
@@ Line 156: / Line 213: @@
 Search for **openvpn-client-export**.
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_system_-_package_manager_-_available_packages_-_openvpn_client_export.png?800|}}
 Install the Package.
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_system_-_package_manager_-_available_packages_-_openvpn_client_export_-_installed.png?800|}}
 <WRAP info>
@@ Line 163: / Line 224: @@
 </WRAP>
+----
-Under **Remote Access Server** we select our created VPN server.
+===== Configure the Client Certificate =====
-In the **Client Connection Behavior** section we will enter the parameters with which the .ovpn configuration file will be generated for the user, in particular we recommend configuring as follows:
+Navigate to **VPN -> OpenVPN -> Client Export**
+In **OpenVPN Server**:
+  * Remote Access Server:  **Select the VPN server created earlier**.
+In **Client Connection Behavior**:
   * Host Name Resolution:  **Other**.
   * Host Name:  **Enter the Public IP address of the network**.
-  * Verify Server CN:  **Automatic - Use verify-x509-name (OpenVPN 2.3+) where possible**.  If there are problems set it to **Do not verify the CN server**.
+  * Verify Server CN:  **Automatic - Use verify-x509-name where possible**.  If there are problems set it to **Do not verify the CN server**.
+<WRAP info>
+**NOTE:**  These parameters will be written to the .ovpn configuration file which will be generated for the user.
+There is no need to click on the **Save as default** button, but if you do it is easy to update and save as a new default.
+</WRAP>
-Once the parameters are configured, we can export our users configuration file to be installed on the clients.
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_client_export_-_configuration.png?800|}}
-To do this we have various choices, the most recommended below:
+----
+===== Export the Client Certificate =====
+Export the user configuration file which is to be installed on the clients.
+There are many choices.To do this we have various choices, the most recommended below:
   * **Most Clients**: Generates an .ovpn file containing both the configuration and the certificates and the easily imported keys, compatible with clients: OpenVPN for Windows, Tunnelblick for OS X.
   * **OpenVPN Connect**:  Generates an .ovpn file compatible with OpenVPN Connect Apps for Android and iOS.
-  * **Archive**:  Compatible with Windows, generates an archive containing, in 3 separate files, the configuration (.ovpn), certificates (.p12) and the key (.key).
+  * **Archive**:  Compatible with Windows, generates an archive containing, 3 separate files, the configuration (.ovpn), certificates (.p12) and the key (.key).
-  * Under the **Current Windows Installer** section we can generate self-installing and pre-configured files for Windows clients.
+  * **Current Windows Installer**:  Generate self-installing and pre-configured files for Windows clients.
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_client_export_-_export_options.png?800|}}
+----
+===== Install the Client Certificate on an actual Client =====
+Copy the Client Certificate (the .ovpn file) to the specific client.
+Connect to the OpenVPN Server using this Client Certificate.
+For example on an Android phone, the OpenVPN app is used and shows successful connection.
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:openvpn_-_android_-_connected.jpg?400|}}
+----
+===== Show OpenVPN Widget on the pfSense Dashboard =====
+Navigate to the pfSense Dashboard.
+Click on the **+** at the top of the dashboard and select **OpenVPN**.
+When a client connects via the VPN this will show:
+{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_openvpn_-_connected_client.png?800|}}
 ----