pfSense and OpenVPN Setup
OpenVPN has many uses. Here it provides a remote-access VPN: everything between your client and the pfSense box travels through an encrypted tunnel, so you can reach your LAN, and the internet through it, from anywhere. This guide walks through setting up the OpenVPN server on pfSense and the OpenVPN client on Windows, Mac, or a Linux distribution.
Before we begin:
- Have an installed and fully updated version of pfSense
- pfSense has at least a LAN and a WAN interface
- You have access to pfSense from the device you’re using to set it up
- You have a copy of OpenVPN (or another OpenVPN-compatible client) on your client device
OpenVPN Wizard
- Click VPN > OpenVPN and click on the Wizards tab.
- When prompted to select an ‘Authentication Backend Type‘ click Next to accept the default of ‘Local User Access’.
- Next, create a new Certificate Authority (CA). Set the descriptive name to something like 'pfSense-CA'.
- Leave the key length and lifetime at the defaults of 2048 bits and 3650 days.
- The remaining fields (country, state, city, organization, email) identify who controls this CA; fill them in as appropriate.
- Click Add new CA to move on to the server certificate.
- Set the descriptive name to 'server' and keep the key length and lifetime at their defaults.
- The person/institution fields are carried over from the previous page; leave them.
- Click Create new Certificate
- On the following page, in the General OpenVPN Server Information section, set the description to ‘server’
- In the Cryptographic Settings section, this guide's reference configuration deselects TLS Authentication. Leaving it checked is the safer choice: it adds an HMAC to every control-channel packet, so the server silently drops packets from anyone who does not hold the shared key instead of spending a TLS handshake on them, which also shrinks the pre-authentication attack surface on the internet-facing port. If you do deselect it, the exported client configuration must not contain a tls-auth key either, or clients will fail to connect.
- Leave the Encryption Algorithm at the default, 'AES-256-CBC (256 bit key, 128 bit block)'. On pfSense versions that offer it, prefer AES-256-GCM: it is an AEAD cipher that authenticates each packet as well as encrypting it, and it is faster on CPUs with AES-NI.
- In the Tunnel Settings, enter the Tunnel Network as 10.8.0.0/24 (adjust the prefix length as needed; /24 is the default). This is the address pool handed to clients, so it must not overlap your LAN or any network a client is likely to sit on.
- To allow access to machines on the local network, enter your LAN range in the Local Network setting, for example 10.0.0.0/24.
- Set Compression to 'Enabled without Adaptive Compression'. Be aware that compressing data before encrypting it leaks information about the plaintext (the VORACLE attack demonstrated this against OpenVPN compression), so for a remote-access tunnel carrying web traffic 'Disabled' is the safer setting; modern clients do not need compression.
- Check the Inter-Client Communication box only if VPN clients need to reach each other; leave it unchecked otherwise.
- In the Client Settings section, set DNS Server 1 to the OpenVPN server's tunnel address (10.8.0.1). For this to work, the pfSense DNS Resolver must listen on the OpenVPN interface (Services > DNS Resolver > Network Interfaces: 'All', or include OpenVPN).
- In the Advanced text box, add the line push "route 10.0.0.0 255.255.255.0";mute 10;comp-lzo; and adjust the subnet to match your LAN. Note that the push "route" entry duplicates what the Local Network setting already pushes, and comp-lzo duplicates the Compression setting; mute 10 only limits repeated log messages.
- We can leave the remaining settings the same and click Next.
- Now accept the default firewall rules by checking both the Firewall Rule and OpenVPN Rule boxes and clicking Next. The first rule lets clients on the internet reach the OpenVPN port on the WAN interface; the second passes traffic arriving through the tunnel (the OpenVPN interface). That second rule is 'pass any', so every connected client can reach everything on the LAN; tighten it later if clients should only reach specific hosts.
- Now you will see a completion screen. Click Finish.
You have now created the CA, the server certificate, and the OpenVPN server itself. Before we move on, a few settings the wizard did not cover need to be changed.
- Click the edit icon next to the server row to edit the config.
- In the General Information section, change the Server Mode from 'Remote Access (SSL/TLS + User Auth)' to 'Remote Access (SSL/TLS)'. This makes possession of a valid client certificate the only credential: no username and password are asked for. That is convenient, but anyone who obtains an exported client file can connect with it, so either keep '+ User Auth' as a second factor or make sure you revoke the certificate (System > Cert. Manager > Certificate Revocation, with the CRL selected on the server) when a device is lost.
- Press Save to save these changes.
Firewall
Firewall rules should have been generated automatically by the OpenVPN wizard, but depending on your firewall setup and version you may need to check what the wizard created and adjust it. First, go to Firewall > Rules and select WAN. You should see a rule passing IPv4 UDP traffic from any source to the WAN address on the OpenVPN port (1194 by default). This is what lets clients connect to the VPN through the external WAN interface; if you changed the port or protocol in the wizard, the rule must match.
If clients connect but cannot reach the LAN or the internet through the tunnel, go to Firewall > NAT, select Outbound, and make sure Mode is set to 'Automatic outbound NAT rule generation (IPsec passthrough included)'. In Hybrid or Manual mode you must add an outbound NAT rule for the tunnel network (10.8.0.0/24) on WAN yourself.
Client Certificate
To connect to the server, we generate a certificate for each user or device that will connect. Do not share one certificate between devices: revoking it later would cut off all of them at once, and you lose the ability to tell them apart in the logs.
- Click System > User Manager and click the + Add button to add a new user.
- Fill in the username and password. This guide uses client1.
- Make sure to check the 'Click to create a user certificate' box (this step is easy to miss and without it the user cannot connect). The section will expand.
- Give the certificate a descriptive name (client1).
- Leave the certificate authority, key length, and lifetime to their defaults.
- Click Save to finish.
pfSense is now an OpenVPN server; next we connect a client. This guide uses OpenVPN GUI for Windows; the export format and the import steps depend on which client you choose.
- To install the export package click System > Package Manager and click on the Available Packages tab. This will show you what packages you can install.
- Scroll down to find the ‘openvpn-client-export’ and click the + Install button to install it.
- It will ask you to confirm, click Confirm to begin.
- When the installation completes, you can export a configuration by clicking VPN > OpenVPN and clicking on the Client Export tab.
- Select the server in the Remote Access Server section. Keep the default values for the other settings.
- Scroll down to the OpenVPN Clients section and find the row corresponding to the Certificate Name of the user you created (client1).
Which export method you use again depends on the client. For OpenVPN GUI for Windows, select 'Others' under the Inline Configurations section. This produces a single .ovpn file with the CA certificate, the client certificate and the client's private key embedded in clear text, so treat the file as a credential: deliver it over a trusted channel and delete stray copies once it is imported.
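The exported profile is the one place where every choice made in the wizard and in the Server Mode edit above becomes visible, so it is worth checking before handing it to a user. The script below is an added example, not code from the original guide or from the pfSense client export package: it audits an inline .ovpn for the points discussed earlier (TLS Authentication off, a CBC cipher, compression on, certificate-only login) plus the remote-cert-tls server line, which the pfSense export normally includes and which stops a client certificate from being used to impersonate the server. The two sample profiles it generates when run without an argument are constructed; the host name vpn.example.org and the PEM placeholders are not real.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an exported inline
# OpenVPN client profile.   Usage: sh audit_ovpn.sh client1.ovpn
# Without an argument it audits two constructed sample profiles.

# audit_ovpn <file>: prints one WARN/NOTE line per finding; always returns 0.
audit_ovpn() {
  f="$1"
  if ! grep -Eq '^(tls-auth|tls-crypt|tls-crypt-v2) |^<tls-(auth|crypt|crypt-v2)>' "$f"; then
    echo "WARN no tls-auth/tls-crypt: the server answers unauthenticated packets"
  fi
  # OpenVPN 2.5+ negotiates from data-ciphers; a lone 'cipher' line is then only a fallback.
  if grep -Eq '^data-ciphers ' "$f"; then
    cipher_line=$(grep -E '^data-ciphers ' "$f" | head -n 1)
  else
    cipher_line=$(grep -E '^cipher ' "$f" | head -n 1)
  fi
  case "$cipher_line" in
    *CBC*|*cbc*) echo "WARN CBC cipher in use: prefer an AEAD cipher such as AES-256-GCM" ;;
  esac
  if grep -Eq '^comp-lzo([[:space:]]+(yes|adaptive))?[[:space:]]*$|^compress[[:space:]]+(lzo|lz4|lz4-v2)' "$f"; then
    echo "WARN compression enabled: compress-then-encrypt leaks plaintext (VORACLE)"
  fi
  if ! grep -Eq '^remote-cert-tls server' "$f"; then
    echo "WARN remote-cert-tls server missing: a stolen client cert could impersonate the server"
  fi
  if ! grep -Eq '^auth-user-pass' "$f"; then
    echo "NOTE certificate-only login: whoever holds this file can connect"
  fi
  return 0
}

# warn_count <file>: number of WARN findings (NOTE lines are not counted).
warn_count() {
  audit_ovpn "$1" | grep '^WARN' | wc -l | tr -d ' '
}

# Constructed sample: roughly what the export looks like after following the
# steps above literally (TLS Authentication deselected, AES-256-CBC, comp-lzo,
# Server Mode SSL/TLS only). The PEM blocks are placeholders, not real keys.
write_weak_profile() {
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 3
<ca>
(placeholder certificate)
</ca>
<cert>
(placeholder certificate)
</cert>
<key>
(placeholder private key)
</key>
EOF
}

# Constructed sample of the hardened equivalent: TLS auth key embedded,
# AEAD ciphers, compression refused, password as a second factor.
write_hardened_profile() {
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
allow-compression no
key-direction 1
<tls-auth>
(placeholder static key)
</tls-auth>
<ca>
(placeholder certificate)
</ca>
<cert>
(placeholder certificate)
</cert>
<key>
(placeholder private key)
</key>
EOF
}

if [ $# -ge 1 ]; then
  audit_ovpn "$1"
else
  tmp=$(mktemp -d)
  write_weak_profile "$tmp/weak.ovpn"
  write_hardened_profile "$tmp/hardened.ovpn"
  for p in weak hardened; do
    echo "== $p.ovpn: $(warn_count "$tmp/$p.ovpn") warning(s)"
    audit_ovpn "$tmp/$p.ovpn"
  done
  rm -rf "$tmp"
fi
```

Run it against the file pfSense exported for client1; every WARN it prints corresponds to one of the wizard choices above, and the hardened sample shows which server-side settings (TLS Authentication, an AEAD cipher, Compression disabled, '+ User Auth') make the corresponding warning disappear in the next export.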
OpenVPN GUI Setup
- Once the program is installed and running you will see a computer-with-a-lock icon in the notification area (system tray).
- Right-click the symbol and click Import File…
- Navigate to your downloads, or wherever the export was saved from pfSense, and click the file.
- Now, when you right-click the icon in your task menu again, you should see the selected file.
- Hover over it, and in the menu that pops up select Connect.
If everything was done properly, you should now be connected to your VPN server from the client.
References:
https://www.sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-pfsense-and-viscosity/