Table of Contents
PFSense - VPN - OpenVPN - Configure an OpenVPN Server - Using a Wizard
Navigate to VPN → OpenVPN → Servers.
Click on Wizard.
NOTE: This Wizard will easily create the CA (Certification Authority), the Server Certificate and the configuration of the VPN Server;
These components can also be created manually if required.
- Select Local User Access.
- Click Next.
Create the CA
- Descriptive Name: <some name to make it easy to identify.
- Key length: 2048 bit.
- Lifetime: 3650. (10 years).
NOTE: All the other parameters can be left by default.
- Click Add New CA.
Create the Server Certificate
- Descriptive Name: <some name to make it easy to identify.
- Key length: 2048 bit.
- Lifetime: 365. (1 year).
NOTE: The Lifetime can only be set for a short timeframe. See the comment against that fields.
All other default parameters can be left as default.
- Click Next.
Configure the VPN Server
In General OpenVPN Server Information:
- Interface: WAN. Or select the interface on which we want our service to listen. If we have more than one WAN interface choose the one you want to dedicate to the service. Later we can select multiple interfaces for greater redundancy.
- Protocol: UDP on IPv4 only.
- Local Port: 1194. Remember the port that is used for the VPN must be open on the listening interface. Therefore it will be necessary to configure the Firewall to open this port.
- Description: Choose the name to identify the server.
In Cryptographic Settings:
- TLS Authentication: Checked.
- Generate TLS Key: Checked,
- DH Parameters Length: 2048.
- Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block).
- Auth Digest Algorithm: SHA256 (256-bit).
- Hardware Crypto: Intel RDRAND engine - RAND.
In Tunnel Settings:
- Tunnel Network: 10.20.30.0/24.
- Redirect Gateway: Not Checked.
- Local Network: 192.168.1.0/24. If there are multiple LAN networks to which we want to give access, you can enter them by separating them with a comma.
- Concurrent Connections: <blank>. Can set this to the maximum number of client to allow access in.
- Compression: Omit Preferences (Use OpenVPN Default).
- Type-of-Service: Not Checked.
- Inter-Client-Communication: Not Checked.
- Duplicate Connections: Not Checked.
NOTE: The Tunnel Network acts as an intermediary.
Any local address, could be used here. i.e. RFC1918 Compliant.
- RFC1918 Compliant: (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Take care not to choose 10.10.10.1 as this could conflict with pfBlockerNG
In Client Settings:
- Dynamic IP: Checked.
- Topology: Subnet - One IP address per client in a common subnet.
- Netbios Node Type: None.
- Click Next.
Firewall Rules
Wizard Firewall Rule Setup
- Firewall Rule: Checked.
- OpenVPN Rule: Checked.
- Click Next.
Success
OpenVPN Server
Navigate to VPN → OpenVPN → Servers.
Firewall Rules - WAN
Navigate to Firewall → Rules → WAN.
Firewall Rules - OpenVPN
Navigate to Firewall → Rules → OpenVPN.
Cert Manager - CAs
Navigate to System - Cert Manager - CAs.
Cert Manager - Certificates
Navigate to System - Cert Manager - Certificates.
Create the OpenVPN Users
Create the users we want to connect in to the VPN.
Navigate to System → User Manager → Users.
- Username: Peter.
- Password: Password.
- Certificate: Checked. Click to create a user certificate.
- Descriptive name: Peter-cert.
- Certificate authority: Internal_CA.
- Key length: 2048 bits.
- Lifetime: 3650.
NOTE: This creates both the user and the associated certificate in a single operation
NOTE: At this point we can export the configuration files and certificates for individual users who will use the VPN clients to connect.
In the System → Certificate Manager section we will see the certificate associated with the VPN server and all those associated with the users created.
Install the package openvpn-client-export
Navigate to System → Package Manager → Available Packages.
Search for openvpn-client-export.
Install the Package.
NOTE: Once installed we will see the option added under VPN → OpenVPN → Client Export.
Configure the Client Certificate
Navigate to VPN → OpenVPN → Client Export
In OpenVPN Server:
- Remote Access Server: Select the VPN server created earlier.
In Client Connection Behavior:
- Host Name Resolution: Other.
- Host Name: Enter the Public IP address of the network.
- Verify Server CN: Automatic - Use verify-x509-name where possible. If there are problems set it to Do not verify the CN server.
NOTE: These parameters will be written to the .ovpn configuration file which will be generated for the user.
There is no need to click on the Save as default button, but if you do it is easy to update and save as a new default.
Export the Client Certificate
Export the user configuration file which is to be installed on the clients.
There are many choices.To do this we have various choices, the most recommended below:
- Most Clients: Generates an .ovpn file containing both the configuration and the certificates and the easily imported keys, compatible with clients: OpenVPN for Windows, Tunnelblick for OS X.
- OpenVPN Connect: Generates an .ovpn file compatible with OpenVPN Connect Apps for Android and iOS.
- Archive: Compatible with Windows, generates an archive containing, 3 separate files, the configuration (.ovpn), certificates (.p12) and the key (.key).
- Current Windows Installer: Generate self-installing and pre-configured files for Windows clients.
Install the Client Certificate on an actual Client
Copy the Client Certificate (the .ovpn file) to the specific client.
Connect to the OpenVPN Server using this Client Certificate.
For example on an Android phone, the OpenVPN app is used and shows successful connection.
Show OpenVPN Widget on the pfSense Dashboard
Navigate to the pfSense Dashboard.
Click on the + at the top of the dashboard and select OpenVPN.
When a client connects via the VPN this will show:
