PFSense - VPN - OpenVPN - Configure an OpenVPN Server:Manually

TODO: UPDATE - AS INSTRUCTIONS ARE A LITTLE OLD.

Install the OpenVPN Client Export Utility Package

Navigate to System → Packages.

  • Select the Available Packages Tab.
  • Locate the OpenVPN Client Export Utility Package and install it by pressing the “+” on the right.

Setup your Certs

Navigate to System → Cert Manager.

  • Create a CA.
  • Select the CA tab and create a CA by pressing the “+” button.
  • Populate the fields with the appropriate information, making sure to change method to Create Internal Certificate Authority.
    • Alternatively, you can import your own CA (outside the scope of this guide).
  • Create the server certificate by clicking the Certificates tab and pressing the “+” button.
  • Method: Create an internal Certificate
  • Certificate Type: Server Certificate.
  • Fill in the appropriate information and make sure to change the Certificate Authority to that of the CA created earlier.
  • Create User Certificates in the same way, but instead of choosing Server Certificate for Certificate Type, make sure to choose User Certificate.
  • It is recommended that each individual PC that connects to the VPN has its own certificate.
  • Create a revocation list.
  • This is not strictly necessary, but it is recommended.
  • Click the Certificate Revocation tab, then the “+” to add one.
  • Choose the CA created earlier.

Setup the OpenVPN Server

Navigate to VPN → OpenVPN → Server.

Press the +Add button to create an OpenVPN server.

In General Information:

  • Disabled: Not Checked.
  • Server Mode: Remote Access (SSL/TLS).
  • Protocol: UDP.
  • Device Mode: tap.
  • Interface: WAN.
  • Port: 1194.
  • Description: A suitable description of your server.

In Cryptographic Settings:

  • TLS Configuration:
    • Use a TLS Key: Checked.
    • Automatically generate a TLS Key: Checked.
  • TLS keydir direction: Use default direction. Default.
  • Peer Certificate Authority: Select the CA created earlier.
  • Peer Certificate Revocation List: Optional. If you created a Revocation Certificate earlier, then select it.
  • Server Certificate: Choose the server certificate created earlier.
  • DH Parameters: 2048.
  • ECDH Curve: Use Default.
  • Encryption algorithm: AES-128-CBC (128-bit).
  • Enable NCP: Checked.
  • NCP Algorithms: AES-128-GCM. Default.
  • Auth digest algorithm: SHA256 (256-bit). Default.
  • Hardware Crypto: Choose a hardware crypto engine if you have one.
  • Certificate Depth: One (Client+Server).

In Tunnel Settings:

  • IPv4 Tunnel Network: <BLANK>. Leave blank as not used in tap/bridge mode.
  • IPv6 Tunnel Network: <BLANK>. Leave blank, not used in tap/bridge mode.
  • Bridge DHCP: Checked.
  • Bridge Interface: LAN.
  • Server Bridge DHCP Start: Start of your IP address range for remote clients.
  • Server Bridge DHCP End: End of your IP address range for remote clients.
    • NOTE: DHCP address range should be a range of IP addresses that are within the IP address range of your LAN network.

  • Redirect Gateway: Not Checked.
  • IPv4 Local Network: 192.168.1.1/24. This is the address of the LAN network expressed as a CIDR range.
  • IPv6 Local Network: <BLANK>.
  • Concurrent connections: 2.
  • Compression: Checked. Reduces bandwidth usage.
  • Type-of-Service: Not Checked.
  • Inter-client communication: Checked. Check this box if you want remote clients to be able to access each other.
  • Duplicate Connections: Checked. Allows multiple connections from the same client, not recommended but may possibly be needed.
  • Dynamic IP: Not Checked. If your router’s WAN IP changes you should check this.
  • Address Pool: Checked.
  • DNS Default Domain: Fill this in if you have one.
  • DNS Servers: Set to your local DNS server.
  • Click Save.

The OpenVPN server should be created.


Create the Interface and Bridge

Navigate to Interfaces → Assignments.

  • Add an interface by pressing the “+” button.
  • Against the new interface (possibly OPT1), use the drop-down box to choose the OpenVPN server that was created.
  • Navigate to Interfaces → OPT1.
  • Enable the interface and give it a Description.
  • Navigate to Interfaces → Assignments.
  • Select the Bridges tab and then click the “+” button to add a bridge.
  • Hold the CTRL key and highlight both the LAN interface and the renamed OPT1 interface just created.

Set Firewall Rules

Create a firewall rule allowing traffic on your OpenVPN port for the WAN interface.

Navigate to Firewall → Rules.

  • Select the WAN.
  • Press the “+” to add a rule and enter the following information:
    • Action: Pass.
    • Disabled: Not Checked.
    • Interface: WAN.
    • TCP/IP Version: IPv4.
    • Protocol: UDP. The protocol chosen when creating the OpenVPN server settings, most likely UDP.
    • Source:
      • Not Checked.
      • Type: any.
      • Address: <BLANK>.
    • Destination:
      • Not Checked.
      • Type: WAN address.
      • Address: <BLANK>.
    • Destination port range: 1194. Port the OpenVPN server runs on, most likely 1194.
    • Log: Not Checked.
    • Description: Provide a description.

Done!


Export the client configs

Navigate to VPN → OpenVPN.

  • Select the Client Export tab.
  • You should see an option to export a config for each certificate created earlier.
  • It's recommended that for Windows you choose the Windows Installer. This will download and install OpenVPN together with the config files.

You’re done.
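For reference, here is a client profile written by hand to match the server settings chosen above. It is an added example, not the file the Client Export Utility generates; the hostname vpn.example.com, the server certificate CN openvpn-server and the file names are placeholders.

```conf
# Added example: hand-written client profile matching the server settings in this guide.
# vpn.example.com, the CN "openvpn-server" and the file names are placeholders.
client
# Device Mode: tap, Protocol: UDP, Port: 1194 (see "Setup the OpenVPN Server").
dev tap
proto udp
remote vpn.example.com 1194
nobind
persist-key
persist-tun

# Trust chain from "Setup your Certs": the CA plus this PC's own user certificate and key.
ca ca.crt
cert user1.crt
key user1.key

# "Use a TLS Key: Checked". The server uses the default direction (0), so the client uses 1.
tls-auth ta.key 1

# Only accept a peer whose certificate was issued as a Server Certificate (not another
# user's certificate) and whose CN matches the server certificate created earlier.
remote-cert-tls server
verify-x509-name openvpn-server name

# "NCP Algorithms: AES-128-GCM" and "Auth digest algorithm: SHA256".
# OpenVPN 2.4 clients use "ncp-ciphers" instead of "data-ciphers".
data-ciphers AES-128-GCM
auth SHA256

# "Compression: Checked" on the server; the client must enable it too.
comp-lzo

verb 3
```

If the user certificate is later added to the revocation list created above, the server rejects this profile at the TLS handshake, which is the check the CRL step exists for.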


Test

Ping the LAN interface from the VPN Client.

pfsense/vpn/openvpn/configure_an_openvpn_server/manually.txt · Last modified: 2022/09/20 19:00 by peter
