User Tools

Site Tools


pfsense:vpn:openvpn:configure_an_openvpn_server:manually

PFSense - VPN - OpenVPN - Configure an OpenVPN Server:Manually

TODO: UPDATE - AS INTRUCTIONS ARE A LITTLE OLD.

Install the OpenVPN Client Export Utility Package

Navigate to System → Packages.

  • Select the Available Packages Tab.
  • Locate the OpenVPN Client Export Utility Package and install it by pressing the “+” on the right.

Setup your Certs

Navigate to System → Cert Manager.

  • Create a CA.
  • Select the CA tab and create a CA by pressing the “+” button.
  • Populate the fields with the appropriate information, making sure to change method to Create Internal Certificate Authority.
    • Alternatively you can also import your own. (outside the scope of this guide)
  • Create the server certificate by clicking the Certificates tab and pressing the “+” button.
  • Method: Create an internal Certificate
  • Certificate Type: Server Certificate.
  • Fill in the appropriate information and make sure to change the Certificate Authority to that of the CA created earlier.
  • Create User Certificates in the same way but instead of choosing Server Certificate for Certificate type, make sure to choose User Certificate.
  • It is recommended that each individual PC that connects to the VPN have their own certificates created.
  • Create a revocation list.
  • It is also not necessary, but recommend.
  • Click the Client Revocation tab, then the “+” to add one.
  • Choose the CA created earlier.

Setup the OpenVPN Server

Navigate to VPN → OpenVPN → Server.

Press the +Add button to create an OpenVPN server.

In General Information:

  • Disabled: Not Checked.
  • Server Mode: Remote Access (SSL/TLS).
  • Protocol: UDP.
  • Device Mode: tap.
  • Interface: WAN.
  • Port: 1194.
  • Description: A suitable description of your server.

In Cryptographic Settings:

  • TLS Configuration:
    • Use a TLS Key: Checked.
    • Automatically generate a TLS Key: Checked.
  • TLS keydir direction: Use default direction. Default.
  • Peer Certificate Authority: Select the CA created earlier.
  • Peer Certificate Revocation List: Optional. If you created a Revocation Certificate earlier, then select it.
  • Server Certificate: Choose the server certificate created earlier.
  • DH Parameters: 2048.
  • ECDH Curve: Use Default.
  • Encryption algorithm: AES-128-CBC (128-bit).
  • Enable NCP: Checked.
  • NCP Algorithms: AES-128-GCM. Default.
  • Auth digest algorithm: SHA256 (256-bit). Default.
  • Hardware Crypto: Choose a hardware crypto engine if you have one.
  • Certificate Depth: One (Client+Server).

In Tunnel Settings:

  • IPv4 Tunnel Network: <BLANK>. Leave blank as not used in tap/bridge mode.
  • IPv6 Tunnel Network: <BLANK>. Leave blank, not used in tap/bridge mode.
  • Bridge DHCP: Checked.
  • Bridge Interface: LAN.
  • Server Bridge DHCP Start: Start of your IP address range for remote clients.
  • Server Bridge DHCP End: End of your IP address range for remote clients.
    • NOTE: DHCP address range should be a range of IP addresses that are within the IP address range of your LAN network.

  • Redirect Gateway: Not Checked.
  • IPv4 Local Network: 192.168.1.1/24. This is the address of the LAN network expressed as a CIDR range.
  • IPv6 Local Network: <BLANK>.
  • Concurrent connections: 2.
  • Compression: Checked. Reduces bandwidth usage.
  • Type-of-Service: Not Checked.
  • Inter-client communication: Checked. Check this box if you want remote clients to be able to access each other.
  • Duplicate Connections: Checked. Allows multiple connections from the same client, not recommended but may possibly be needed.
  • Dynamic IP: Not Checked. If your router’s WAN IP changes you should check this.
  • Address Pool: Checked.
  • DNS Default Domain: Fill this in if you have one.
  • DNS Servers: Set to your local DNS server.
  • Click save

The OpenVPN server should be created.


Create the Interface and Bridge

Navigate to Interfaces → Assignments.

  • Add an interface by pressing the “+” button.
  • Against the new interface (possibly OPT1), use the drop down box to choose the OpenVPN Server that was created.
  • Navigate to Interfaces → OPT1.
  • Enable the interface and give it a Description
  • Navigate to Interfaces → Assignments.
  • Select the Bridges tab and then click the “+” button to add a bridge.
  • Hold the CTRL button and highlight both the LAN interface and the renamed OPT1 interface just created.

Set Firewall Rules

Create a firewall rule allowing traffic on your OpenVPN port for the WAN interface.

Navigate to Firewall → Rules.

  • Select the WAN.
  • Press the “+” to add a rule and enter the following information:
    • Action: Pass.
    • Disabled: Not Checked.
    • Interface: WAN.
    • TCP/IP Vesion: IPv4.
    • Protocol: UDP. The protocol chosen when creating the OpenVPN server settings, most likely UDP.
    • Source:
      • Not Checked.
      • type: any.
      • Address: <BLANK>.
    • Destination:
      • Not Checked.
      • type: WAN address
      • Address: <BLANK>.
    • Destination port range: 1194. Port the OpenVPN server runs on, most likely 1194.
    • Log: Not Checked.
    • Description: Provide a description.

Done!


Export the client configs

Navigate to VPN → OpenVPN.

  • Select the Client Export tab.
  • You should see an option to export a config for each certificate created earlier.
  • Its recommended that for Windows you choose the Windows Installer. This will download and install OpenVPN and the config files.

You’re done.


Test

Ping the LAN interface from the VPN Client.

pfsense/vpn/openvpn/configure_an_openvpn_server/manually.txt · Last modified: 2022/09/20 18:00 by peter

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki