
Configure OpenVPN on Pfsense 2.3.1

I recently set up Pfsense and, when having a look at the features, I noticed that OpenVPN was a supported type of VPN. I had this set up on a VM so I thought I may as well set this up on my router so it could be combined into one VM. I had multiple problems trying to set this up correctly (networking isn't my strong point!), but I have managed to successfully configure it now, so I thought I would create a comprehensive guide on setting up this functionality.

You will initially need a Pfsense router/firewall configured; if you don't know how to do this you can find my previous guide here. The first thing to configure is a Certificate Authority on the Pfsense box, which will sign both the server certificate and the per-user client certificates. This is relatively simple: navigate to System –> Cert Manager, add a new CA and use the settings below.

Screenshot: Configure CA

Method – Create an Internal Certificate Authority

Key Length – 2048

Digest Algorithm – sha256

Lifetime – 3650 (days)

Country Code – GB (Change this to your relevant country code)

State or Province – Type in the relevant information.

City – Type in the relevant information.

Organization – Type in the relevant information.

Email Address – Type in the relevant information.

Common Name – This can be left as the default or changed if required. The default is Internal-CA.

You now need to create a Server Certificate that will be used for OpenVPN.

Make sure the Certificate Type is changed to Server Certificate. This matters for more than labelling: the exported client profiles contain remote-cert-tls server, so a client will refuse to connect to a server whose certificate lacks the server extended key usage. Fill out the Common Name with the external DNS name of your VPN server, for example openvpn.vmware.com; you can also add an IP address as an alternative name if required, and use the same sha256 digest as the CA.

Key Length – 2048

Country Code – GB (Change this to your relevant country code)

State or Province – Type in the relevant information.

City – Type in the relevant information.

Organization – Type in the relevant information.

Email address – Type in the relevant information.

Screenshot: Configure Server Certificate

You will now need to create a user that will be connecting to the VPN. This can be completed in System –> User Manager.

Configure the Username and the Full Name for the user that will be connecting, and set a strong password. With the Local User Access mode used later in the wizard, the client has to present this password as well as its certificate.

Tick Click to create a user certificate and fill in the following:

Key Length – 2048

Descriptive Name – You can set this to anything you require, this will not change the configuration.

Screenshot: Configure User

You will also need Outbound NAT rules (Firewall –> NAT –> Outbound) for the tunnel network you assign to the VPN. For example I have used 10.0.0.0/24 for the network pool for the VPN, so I needed to add the relevant rules for this network so that it would be able to communicate with the LAN and the WAN. You can create these by clicking the buttons next to the existing rules and changing the source network. Only the rules shown below for the 10.0.0.0/24 network are needed; the addresses will differ in your scenario depending on the IP address scheme you use. Two checks before moving on: choose a tunnel network that does not overlap your LAN or the networks your clients are likely to be on (home routers commonly use 192.168.0.0/24 and 192.168.1.0/24), otherwise routing will break; and if Outbound NAT is in Automatic mode, look at the generated mappings before adding anything, whereas in Manual mode every mapping has to be created by hand.

Screenshot: Outbound NAT Rules

You need to navigate to VPN –> OpenVPN –> Wizards

Select Local User Access and Continue.

Screenshot: Configure Authentication Backend Type

Select your CA Server and select Next.

Screenshot: Configure CA Certificate

Select the Server Certificate that was created earlier.

Screenshot: Server Certificate

Select the Interface as WAN, Protocol as UDP and Local Port as 1194. This is the default OpenVPN port and you can change it if you need to. Organizations often block outbound 1194/UDP, so for clients connecting from such networks you may need to use TCP on port 443 instead: a port-based egress filter will let it through because it looks like HTTPS, but it is still plain OpenVPN rather than SSL, and TCP tunnels perform worse than UDP, so only do this where 1194/UDP is actually blocked.

Screenshot: OpenVPN Server Information

Select Enable authentication of TLS packets. This is OpenVPN's tls-auth option: every control-channel packet carries an HMAC computed with a shared key, so packets without a valid signature are dropped before the TLS handshake even starts, which blunts DoS attempts and port-scan probing of the service.

Select Automatically generate a shared TLS authentication key. The same key is written into every exported client profile, so treat the exported bundles as secrets.

DH Parameters Length should be 2048 bit. Also set the Encryption Algorithm to AES-256-CBC and the Auth Digest Algorithm to SHA256 on this page if they are not already.

Screenshot: Cryptographic Settings

You will need to setup the Tunnel Settings, this will depend on your network but I setup the example below –

Select Force all client generated traffic through the tunnel. This pushes a default route to the client so that all of its traffic, not just traffic for your LAN, goes through the VPN.

Concurrent Connections – Set this to the maximum number of connections you want to allow at once. This will depend on the resources you assigned to the VM.

Enable Allow multiple concurrent connections from clients using the same Common Name. This is OpenVPN's duplicate-cn option: it lets one user's certificate be connected from several devices at the same time, at the cost of no longer being able to tell those sessions apart in the logs. Since each user gets their own certificate in this setup, only enable it if the same user really will connect from more than one device at once.

Screenshot: Tunnel Settings

Select Allow connected clients to retain their connections if their IP address changes.

Select Provide a virtual adapter IP address to clients (see Tunnel Network).

Configure any DNS Settings that you want to provide to the VPN clients.

Screenshot: Client DNS Settings

Select Save on this page and the wizard will ask whether Pfsense should automatically configure the firewall rules. Tick both boxes: the first adds a WAN rule permitting inbound connections to the OpenVPN port you chose, the second adds a rule on the OpenVPN interface allowing connected clients' traffic to pass inside the tunnel. Make sure you still add the NAT rules mentioned earlier.

You will now need to export the client configuration from VPN –> OpenVPN –> Client Export. If you do not have this tab you will need to install the openvpn-client-export package from System –> Package Manager; this is installed in the same way as the VMware Tools package.

Screenshot: Client Export

Screenshot: Client Export Installers

You need to download the correct client for your platform as per the screenshot below. If you are installing on iOS you do not need to enable anything on this page. If you are installing on Windows, select Use Microsoft Certificate Storage instead of local files, which keeps the user's certificate and private key in the Windows certificate store rather than in a key file next to the .ovpn, and enable Use a password to protect the pkcs12 file contents or key in Viscosity bundle, so that a copied bundle cannot be used without the password. Once you have installed the relevant bundle and connected with the user's credentials, the VPN should be working correctly.
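Before handing an exported profile to a user it is worth checking that it actually carries the settings chosen in the wizard above (tls-auth, the server EKU check, AES-256-CBC and SHA256, user/password authentication). The script below is an added example, not pfSense or OpenVPN project code: it parses a client .ovpn, including the inline <tag> blocks the Client Export package writes, and reports anything that has fallen back to OpenVPN 2.3's weak defaults. GOOD_OVPN and WEAK_OVPN are constructed stand-ins; the hostname vpn.example.com, the file name client.p12 and the PLACEHOLDER key body are not real data.

```python
# Added example: lint an OpenVPN client profile (.ovpn) against the wizard
# choices in this guide.  Not pfSense/OpenVPN code; sample profiles are constructed.
import re
from typing import Dict, List, Tuple

# Accepted by OpenVPN 2.3 but not acceptable in a new deployment.  BF-CBC and
# SHA1 are also what you silently get when 'cipher' / 'auth' are omitted.
WEAK_CIPHERS = {"NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}
WEAK_DIGESTS = {"NONE", "MD5", "SHA1"}


def parse_ovpn(text: str) -> Tuple[Dict[str, List[List[str]]], Dict[str, str]]:
    """Return ({directive: [args, ...]}, {inline_tag: body}).  Directives may
    repeat (several 'remote' lines); '#' and ';' comment lines are dropped."""
    directives: Dict[str, List[List[str]]] = {}
    inline: Dict[str, str] = {}
    open_tag, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if open_tag is not None:                 # inside <tag> ... </tag>
            if line == f"</{open_tag}>":
                inline[open_tag] = "\n".join(body)
                open_tag, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if m:
            open_tag = m.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline


def lint_profile(text: str) -> List[str]:
    """Findings for a client profile; [] means it matches the wizard settings
    above (tls-auth, server EKU check, AES-256/SHA256, user+password auth)."""
    d, inline = parse_ovpn(text)
    findings: List[str] = []
    if "remote" not in d:
        findings.append("no 'remote' directive: nothing to connect to")
    # Local User Access mode: the server demands a username/password too.
    if "auth-user-pass" not in d:
        findings.append("missing 'auth-user-pass' (required by Local User Access)")
    # Client identity: a pkcs12 bundle, or ca/cert/key as files or inline blocks.
    if "pkcs12" not in d and not all(k in d or k in inline for k in ("ca", "cert", "key")):
        findings.append("no client identity (pkcs12 or ca/cert/key)")
    # Without this, any cert the CA issued (e.g. another user's client cert)
    # would be accepted as the server.
    if d.get("remote-cert-tls", [[]])[0] != ["server"]:
        findings.append("missing 'remote-cert-tls server': server EKU is not verified")
    # The tls-auth HMAC key; pfSense's server uses direction 0, so an inline
    # client key needs 'key-direction 1'.
    if "tls-auth" not in d and "tls-auth" not in inline:
        findings.append("no 'tls-auth' key: control channel is unauthenticated")
    elif "tls-auth" in inline and "tls-auth" not in d and "key-direction" not in d:
        findings.append("inline <tls-auth> without 'key-direction 1'")
    cipher = d.get("cipher", [["BF-CBC"]])[0][0]        # OpenVPN 2.3 default
    if cipher.upper() in WEAK_CIPHERS:
        findings.append(f"weak or default cipher '{cipher}'")
    digest = d.get("auth", [["SHA1"]])[0][0]            # OpenVPN default
    if digest.upper() in WEAK_DIGESTS:
        findings.append(f"weak or default auth digest '{digest}'")
    return findings


# Constructed: the wizard choices from this guide (UDP/1194, tls-auth,
# AES-256-CBC, SHA256) as they would appear in an exported client profile.
GOOD_OVPN = """\
client
dev tun
remote vpn.example.com 1194 udp
cipher AES-256-CBC
auth SHA256
auth-user-pass
remote-cert-tls server
pkcs12 client.p12
key-direction 1
<tls-auth>
PLACEHOLDER-TLS-AUTH-KEY
</tls-auth>
"""

# Constructed: tls-auth and remote-cert-tls left out, cipher/auth left at the
# OpenVPN 2.3 defaults; every one of those is flagged.
WEAK_OVPN = """\
client
dev tun
remote vpn.example.com 1194 udp
auth-user-pass
pkcs12 client.p12
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_OVPN), ("weak", WEAK_OVPN)):
        print(name, lint_profile(text) or "OK")
```

Run it against a real export by reading the .ovpn into lint_profile(); the parser deliberately keeps inline block bodies opaque, so it never needs to understand the certificate or key material to judge the directives around it.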
