====== PFSense - VPN - OpenVPN - Configure an OpenVPN Server: Manually ======
TODO: UPDATE - AS INSTRUCTIONS ARE A LITTLE OLD.
===== Install the OpenVPN Client Export Utility Package =====
Navigate to **System -> Packages**.
* Select the **Available Packages Tab**.
* Locate the **OpenVPN Client Export Utility Package** and install it by pressing the **“+”** on the right.
----
===== Setup your Certs =====
Navigate to **System -> Cert Manager**.
* Create a CA.
  * Select the **CA** tab and create a CA by pressing the **“+”** button.
  * Populate the fields with the appropriate information, making sure to change the method to **Create Internal Certificate Authority**.
  * Alternatively, you can import your own CA (outside the scope of this guide).
* Create the server certificate by clicking the **Certificates** tab and pressing the **“+”** button.
  * Method: **Create an internal Certificate**.
  * Certificate Type: **Server Certificate**.
  * Fill in the appropriate information and make sure to change the Certificate Authority to the CA created earlier.
* Create User Certificates in the same way, but choose **User Certificate** instead of **Server Certificate** for the Certificate Type.
  * It is recommended that each individual PC that connects to the VPN has its own certificate, so that one client can be revoked without affecting the others.
* Create a revocation list.
  * This is not strictly necessary, but it is recommended.
  * Click the **Client Revocation** tab, then the **“+”** to add one.
  * Choose the CA created earlier.
----
===== Setup the OpenVPN Server =====
Navigate to **VPN -> OpenVPN -> Server**.
Press the **+Add** button to create an OpenVPN server.
In **General Information**:
* Disabled: **Not Checked**.
* Server Mode: **Remote Access (SSL/TLS)**.
* Protocol: **UDP**.
* Device Mode: **tap**.
* Interface: **WAN**.
* Port: **1194**.
* Description: **A suitable description of your server**.
In **Cryptographic Settings**:
* TLS Configuration:
  * Use a TLS Key: **Checked**.
  * Automatically generate a TLS Key: **Checked**.
  * TLS keydir direction: **Use default direction** (the default).
* Peer Certificate Authority: **Select the CA created earlier**.
* Peer Certificate Revocation List: **Optional. If you created a Revocation Certificate earlier, then select it.**
* Server Certificate: **Choose the server certificate created earlier**.
* DH Parameters: **2048**.
* ECDH Curve: **Use Default**.
* Encryption algorithm: **AES-128-CBC (128-bit)**.
* Enable NCP: **Checked**.
* NCP Algorithms: **AES-128-GCM** (the default).
* Auth digest algorithm: **SHA256 (256-bit)** (the default).
* Hardware Crypto: **Choose a hardware crypto engine if you have one**.
* Certificate Depth: **One (Client+Server)**.
In **Tunnel Settings**:
* IPv4 Tunnel Network: **leave blank**. Not used in tap/bridge mode.
* IPv6 Tunnel Network: **leave blank**. Not used in tap/bridge mode.
* Bridge DHCP: **Checked**.
* Bridge Interface: **LAN**.
* Server Bridge DHCP Start: **Start of your IP address range for remote clients**.
* Server Bridge DHCP End: **End of your IP address range for remote clients**.
  * **NOTE:** The DHCP address range must be a range of IP addresses that lies within the IP address range of your LAN network.
* Redirect Gateway: **Not Checked**.
* IPv4 Local Network: **192.168.1.1/24**. This is the address of the LAN network expressed as a CIDR range.
* IPv6 Local Network: **leave blank**.
* Concurrent connections: **2**.
* Compression: **Checked**. Reduces bandwidth usage.
* Type-of-Service: **Not Checked**.
* Inter-client communication: **Checked**. Check this box if you want remote clients to be able to access each other.
* Duplicate Connections: **Checked**. Allows multiple simultaneous connections from the same client certificate; not recommended, but it may be needed.
* Dynamic IP: **Not Checked**. If your router’s WAN IP changes, you should check this.
* Address Pool: **Checked**.
* DNS Default Domain: **Fill this in if you have one**.
* DNS Servers: **Set to your local DNS server**.
* Click **Save**.
The OpenVPN server should be created.
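The NOTE in the Tunnel Settings above requires the bridge DHCP range to sit inside the LAN network. The following Python script is an added example, not part of pfSense: it checks a proposed Server Bridge DHCP Start/End pair against the LAN address as the page writes it (192.168.1.1/24). The client range values are constructed, and excluding the network, broadcast and LAN interface addresses is an assumption about what a usable range looks like.

```python
"""Validate a Server Bridge DHCP range against the LAN network.

Added example for the Tunnel Settings above, not part of pfSense. The LAN is
written the way the page writes it ("192.168.1.1/24": the interface address
with its prefix), so host bits in the CIDR are tolerated; the client range
values are constructed.
"""
import ipaddress
from typing import List


def check_bridge_dhcp_range(lan_cidr: str, start: str, end: str) -> List[str]:
    """Return the problems found; an empty list means the range is usable.

    Checks: same IP version, start not after end, both ends inside the LAN
    network, and (assumption about a usable range) no overlap with the
    network, broadcast or LAN interface addresses.
    """
    iface = ipaddress.ip_interface(lan_cidr)   # keeps 192.168.1.1 as the LAN address
    lan = iface.network                        # 192.168.1.0/24
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems: List[str] = []
    if first.version != lan.version or last.version != lan.version:
        return [f"range {first}-{last} and LAN {lan} must be the same IP version"]
    if first > last:
        problems.append(f"start {first} is after end {last}")
    for label, addr in (("start", first), ("end", last)):
        if addr not in lan:
            problems.append(f"{label} {addr} is outside LAN {lan}")
    if problems:
        return problems
    span = range(int(first), int(last) + 1)
    reserved = {
        int(lan.network_address): "network address",
        int(lan.broadcast_address): "broadcast address",
        int(iface.ip): "LAN interface address",
    }
    for value, why in reserved.items():
        if value in span:
            problems.append(f"range includes the {why} {ipaddress.ip_address(value)}")
    return problems


if __name__ == "__main__":
    # Constructed values: LAN as on the page, one good range and one outside the LAN.
    for candidate in (("192.168.1.200", "192.168.1.220"), ("192.168.2.10", "192.168.2.20")):
        result = check_bridge_dhcp_range("192.168.1.1/24", *candidate)
        print(candidate, "OK" if not result else "; ".join(result))
```

Run it with your own LAN prefix and the Start/End values you intend to type into the form; an empty result means the range satisfies the NOTE, and anything returned is a reason the remote clients would not get a usable address on the bridged LAN.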
----
===== Create the Interface and Bridge =====
Navigate to **Interfaces -> Assignments**.
* Add an interface by pressing the **“+”** button.
* Against the new interface (possibly OPT1), use the drop down box to choose the OpenVPN Server that was created.
* Navigate to **Interfaces -> OPT1**.
* Enable the interface and give it a Description.
* Navigate to **Interfaces -> Assignments**.
* Select the **Bridges** tab and then click the **“+”** button to add a bridge.
* Hold the **CTRL** button and highlight both the LAN interface and the renamed OPT1 interface just created.
----
===== Set Firewall Rules =====
Create a firewall rule allowing traffic on your OpenVPN port for the WAN interface.
Navigate to **Firewall -> Rules**.
* Select the **WAN** tab.
* Press the **“+”** to add a rule and enter the following information:
* Action: **Pass**.
* Disabled: **Not Checked**.
* Interface: **WAN**.
* TCP/IP Version: **IPv4**.
* Protocol: **UDP**. Use the protocol chosen when creating the OpenVPN server, most likely UDP.
* Source:
  * Invert match: **Not Checked**.
  * Type: **any**.
  * Address: **leave blank**.
* Destination:
  * Invert match: **Not Checked**.
  * Type: **WAN address**.
  * Address: **leave blank**.
* Destination port range: **1194**. The port the OpenVPN server runs on, most likely 1194.
* Log: **Not Checked**.
* Description: **Provide a description**.
Done!
----
===== Export the client configs =====
Navigate to **VPN -> OpenVPN**.
* Select the **Client Export** tab.
* You should see an option to export a config for each certificate created earlier.
* It's recommended that for Windows you choose the Windows Installer. This will download and install OpenVPN and the config files.
You’re done.
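Before handing an exported profile to a user, it is worth confirming that it actually carries the server-side choices made above. The following Python script is an added example, not code from pfSense or the Client Export package: it parses an exported .ovpn profile, separating the inline certificate and key blocks from the directives, and reports which of the settings (UDP, tap, TLS key, SHA256 digest, AES-128-GCM via NCP, server certificate verification) the profile reflects. The sample profile, the hostname vpn.example.org and the placeholder key bodies are constructed.

```python
"""Check an exported OpenVPN client profile (.ovpn) against the server settings.

Added example, not part of pfSense or its Client Export package. It separates
the directive lines of a profile from the inline <ca>/<cert>/<key>/<tls-auth>
blocks and reports whether the profile reflects the choices made above.
The sample profile is constructed; key and certificate bodies are placeholders.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_PROFILE = """\
client
dev tap
cipher AES-128-CBC
ncp-ciphers AES-128-GCM
auth SHA256
remote vpn.example.org 1194 udp
remote-cert-tls server
comp-lzo adaptive
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
PLACEHOLDER-CLIENT-CERT
</cert>
<key>
PLACEHOLDER-CLIENT-KEY
</key>
<tls-auth>
PLACEHOLDER-TLS-KEY
</tls-auth>
key-direction 1
"""

INLINE_TAG = re.compile(r"^<(/?)([a-z-]+)>$")


def parse_profile(text: str) -> Tuple[List[Tuple[str, List[str]]], Dict[str, str]]:
    """Split a profile into (directives, inline_blocks).

    directives keeps (name, args) in file order, duplicates included, since a
    profile may carry several 'remote' lines; inline_blocks maps a tag such as
    'ca' or 'tls-auth' to its body text.
    """
    directives: List[Tuple[str, List[str]]] = []
    blocks: Dict[str, str] = {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        tag = INLINE_TAG.match(line)
        if tag:
            if tag.group(1) != "/":
                current, body = tag.group(2), []
            elif current == tag.group(2):
                blocks[current], current = "\n".join(body), None
            else:
                raise ValueError(f"unbalanced inline block </{tag.group(2)}>")
        elif current is not None:
            body.append(line)              # inside <tag>...</tag>, not a directive
        elif line and not line.startswith(("#", ";")):
            name, *args = line.split()
            directives.append((name, args))
    if current is not None:
        raise ValueError(f"unterminated inline block <{current}>")
    return directives, blocks


def check_profile(text: str) -> Dict[str, bool]:
    """Report which of the server-side choices the client profile reflects."""
    directives, blocks = parse_profile(text)
    by_name: Dict[str, List[List[str]]] = {}
    for name, args in directives:
        by_name.setdefault(name, []).append(args)

    def has(name: str, *want: str) -> bool:
        return any(args[: len(want)] == list(want) for args in by_name.get(name, []))

    remotes = by_name.get("remote", [])
    # The transport may be a 'proto' line or the third argument of 'remote'.
    udp = has("proto", "udp") or any(len(a) >= 3 and a[2].startswith("udp") for a in remotes)
    ciphers = by_name.get("ncp-ciphers", []) + by_name.get("data-ciphers", [])
    return {
        "udp_transport": udp,
        "tap_device": has("dev", "tap"),
        "port_1194": any(len(a) >= 2 and a[1] == "1194" for a in remotes),
        # The TLS key may be an inline block or a file reference.
        "tls_key_present": any(k in blocks or k in by_name for k in ("tls-auth", "tls-crypt")),
        "sha256_digest": has("auth", "SHA256"),
        "aes_gcm_negotiated": any("AES-128-GCM" in ":".join(a) for a in ciphers),
        # Requires the peer to present a certificate issued as a server
        # certificate, so a user certificate from the same CA cannot pose as it.
        "server_cert_verified": has("remote-cert-tls", "server"),
        "client_identity_embedded": "cert" in blocks and "key" in blocks,
        "compression_enabled": "comp-lzo" in by_name or "compress" in by_name,
    }
```

Feed it the contents of a downloaded profile; every value in the result should be True for a profile exported from the server configured above, and a False for `tls_key_present` or `server_cert_verified` means the export does not match the Cryptographic Settings and should be regenerated rather than distributed. The `compression_enabled` entry is informational, so you can see at a glance which profiles carry the Compression setting.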
----
===== Test =====
Ping the LAN interface from the VPN Client.