OpenVPN is the most simplest open source software out there that implements a secure virtual private networking (VPN) techniques to secure your connection, whether it be a site-to-site or point-to-point connection. It is comes built-in with pfSense router software and it’s simple to use and easy to configure. In this guide, you’ll gonna learn how to configure an OpenVPN server under pfSense’s long list of useful features and services. I will show you how you would configure a client machine to connect to the OpenVPN server, both under Windows and Linux machines. To start with this guide, you must have already
installed and configured your pfSense machine and that you already have a working local area network.
Part 1: Setting Up The Server
The first part of this guide will show you how to bring up the OpenVPN server instance using pfSense’s webConfigurator GUI. This method is by far the most easiest way to setup an VPN access server, compared to the command-line method of configuration. Take note that, version 2.1.4 release of pfSense was used for this guide.
Step 1: For the first step, you need to create a Certificate Authority that will be used to sign future user certificates. So whenever you create a new user certificate, this Certificate Authority shall be in charge in signing those newly created certificates. To do this, you must login to pfSense webConfigurator or admin web page, by accessing its IP address using a browser. So type in
192.168.1.1and pressEnterkey. Login by supplying the correct data for theadminuser and user-password. Upon logging in, navigate to Main Menu ->System->Cert Manager. Make sure you’re on theCAstab, to add a new CA (Certificate Authority), click on plus+button. A new page should open, now fill up the necessary fields.This is how I did:
- Method – Create an internal Certificate
- Descriptive name – MyCA
- Method – Create an internal Certificate Authority
- Key length – 2048 bits
- Digest Algorithm – SHA256
- Lifetime – 3650
- Common Name – Internal-CA
Those are the most important fields to fill up on this page. But don’t miss to fill up the Country Code, State or Province, City, Organization and Email Address. Enter what’s applicable to you. Save your settings by clicking the Save button. You should see a page similar to the image shown below.
Reference Images:
[jig ids="1568,1569,1570"]
Step 2: While still on the
Certificatestab, add another certificate by clicking the plus button. This process is similar to the steps you took under Step 1. But this time, you’ll be creating aServer Certificatefor OpenVPN Server. Click the add button again and fill up the necessary fields like so:- Method – Create an internal Certificate
- Descriptive name – MyOpenVPN-Server-Cert
- Certificate authority – MyCA
- Key length – 2048 bits
- Digest Algorithm – SHA256
- Certificate Type – Server Certificate
- Lifetime – 3650
- Common Name – ovpn.chubbable.com
Note: Substitute the values with your own data. Fill up the other fields; Country Code, State or Province, City, Organization and Email Address. Then to save your settings. You should see a page similar to the image shown below. Reference Image: [jig ids=”1573″]
Step 3: The third step you should take is to create a new user account for the VPN client to use. While still on
Certificate Managerpage, do the next step below. Navigate to Main Menu ->System->User Manager. Reference Image: [jig ids=”1575″] You should be now at theUser Managerpage. On this page, create a new user by clicking plus+button, you should be taken to a new page where you should enter the details of the new user account. Fill up theUsernamefield,Passwordfields twice, Full name, Expiration date (blank = no expiration). In my case, I named my first user account asvpnuser-one.Note: Remember to create a corresponding certificate for this user.
Tick the check-box next to
Click to create a user certificatedialog. It should expand and let’s you fill the necessary fields to create a new user certificate.Fill up the
Descriptive Namefield. Make it similar with your user account name. In my case, I named my first VPN user account asvpnuser-one, while I putvpnuser-one-certas my certificateDescriptive Name. Fill upCertificate Authority, but this should be automatically filled showing an entry that you’ve previously made from step 1, the Certificate Authority (CA). So in this case,MyCAshould show up here. Select aKey Lengthfor the certificate, in my case I chose2048.Reference Image:
[jig ids=”1577″]
Finally, save your settings by clicking the
Savebutton. You should see a screen similar to the image shown below.Reference Image:
[jig ids=”1578″]
Step 4: Next you should install the
OpenVPN Client Export Utilityfrom the package manager page. Take the next steps below. Navigate to main menu ->System->Packages->Available Packages. You should see a list of available packages. Now scroll further down below and look for the package nameOpenVPN Client Export Utility. To install the package, click the add+button and you should be taken to a new sub-page. Click theConfirmbutton to start the installation. You should see a screen similar to this one. Reference Images: [jig ids=”1579,1580,1581,1582″] You’ll have a hint about the progress of the install process by watching your screen. Upon successful installation, you should see a messageInstallation completed.Step 5: While still logged in, navigate to main menu then
VPN->OpenVPN. Reference Image: [jig ids=”1586″] You should be now on the OpenVPN Server page, now click theWizardstab, to start a wizard-assisted configuration. A new page should open, entitledOpenVPN Remote Access Server Setup Wizard. On this page, selectLocal User AccessforType of Server:, then clickNext. Reference Image: [jig ids=”1587″] On the next page, choose a Certificate Authority (CA). Select the CA you’ve previously created from step 1 of this guide. In this case, it’s theMyCA. Click Next to continue. The next page should ask you to choose a Server Certificate. You had created this already from step 2 above, and in this case it’s theMyOpenVPN-Server-Cert. In case you named it like you wished, then choose that entry as your server certificate. Then click Next when done.The next page contains a long list of field set. The first field set that you should see is the
General OpenVPN Server Informationfield set. This is how I filled those up. General OpenVPN Server Information:- Interface = LAN
- Protocol = UDP
- Local Port = 1194
- Description = MYOpenVPN-Server-LAN
Note: The Interface settings is typically set to WAN, but if you have a Dynamic IP address, your VPN connection will break if your IP address changes. So it’s better to set it to LAN if you only intend to use OpenVPN within your Local Area Network.
For a site-to-site implementation of OpenVPN, Interface should be set to WAN. Cryptographic Settings:
- Cryptographic Settings = Enable authentication of TLS packets – CHECKED
- Generate TLS Key = Automatically generate a shared TLS authentication key = CHECKED
- DH Parameters Length = 2048
- Encryption Algorithm = AES-256-CBC (256-bit)
- Hardware Crypto = No Hardware…
Tunnel Settings:
- Tunnel Network = 10.0.1.0/24
- Redirect Gateway = Force all client generated traffic through the tunnel = CHECKED
- Local Network = 192.168.1.0/24 > Note: Leave Local Network blank if you don’t want to add a route to your LAN, using this VPN tunnel.
- Concurrent Connections = 10
- Compression = CHECKED
Client Settings:
- Dynamic IP = CHECKED
- Address Pool = CHECKED
Note: Other fields that were not mentioned here, were left blank. After filling those necessary fields, click next to advance to the next page. The next page should be the
Firewall Rule Configuration Page. This is what I did to this page.- Firewall Rule = CHECKED
- OpenVPN Rule = CHECKED
After doing the above step, click NEXT and then finally, click FINISH. You should be taken back to the Server` tab.
At this point, you’ve already configured a working OpenVPN Server in pfSense. Next step will be to export your user config files for your chosen VPN client. A client could be a Windows machines, Android Devices, Mac or Linux machines. You need to export the client configuration file by downloading the file from pfSense’s webConfigurator page, using OpenVPN Client Export utility. Read Part 2 of this guide to learn how to export your configuration files for specific VPN clients.
Part 2: Client Config Files Export & Client Connection
Now that you’ve set up an OpenVPN Server, it’s for you to test it and let your chosen client machine connects to it. This part of the guide has sub-parts, broken according to client types. So you will learn how to connect from Windows and Linux based machines.
Connecting From Linux Clients
For this guide, I’m going to show you how you would connect from a Linux-Mint-based machine.
Step 1: Login to pfSense webConfigurator and navigate to main menu, then go to
VPN->OpenVPN->Client Exporttab. You should be now on the Client Export Utility page.This is how I’ve set up my client before exporting it for my Linux Mint machine:
Remote Access Server = MyOpenVPN-Server-LAN UDP:1194 > Note: This is the name of the OpenVPN server instance that you’ve configured from step 5 above, under General OpenVPN Server Information -> Description. If you named it otherwise, then it should appear from the drop-down menu.
Host Name Resolution = Interface IP Address
Verify Server CN = Automatic – Use verify-x509-name (OpenVPN 2.3+) where possible
Use Random Local Port = CHECKED
Certificate Export Options = Use a password to protect the pkcs12 file contents or key in Viscosity bundle – CHECKED
Then enter your desired password.
This is an additional password on top of your pfSense user-password. And that’s it. I left other fields untouched. Scroll further down below ’till you reach the
Client Installblock. Look for the user-name you wish to export this configuration from.Under the
Exportcolumn, clickArchivetext link just below theStandard Configurationstext. It should let you download the configuration files in ZIP format. Choose the location where you want to save it and keep note of this. Save the file and extract it after. You should find three files similar to the ones listed below:- vpn-user-name.ovpn
- vpn-user-name-tls.key
- vpn-user-name.p12
Note: vpn-user-name should be your OpenVPN account user-name that you were exporting from.
Step 2: For this step, I think it’s better to teach you this by showing a video guide. So watch this video guide on how to connect from Linux Mint 17. Make sure you have the package
network-manager-openvpn-gnomeinstalled on your Linux Mint 17 instance. You won’t see the OpenVPN Import dialog if you haven’t installed this yet. To install this package, open a terminal and type:sudo apt-get install network-manager-openvpn-gnomeAnd proceed with the steps shown from the video guide.
Connecting From Windows Clients
Connecting to pfSense-based OpenVPN server from a Windows client is very straight-forward. I decided to show you a quick video guide on how to do this. Windows XP was used in the guide, but it’s also applicable to Windows Vista/7/8. Prior to exporting the configuration file, make sure you have set following from the Client Export utility page: Host Name Resolution = Interface IP Address
- Verify Server CN = Automatic – Use verify-x509-name (OpenVPN 2.3+) where possible
- Use Random Local Port = CHECKED
- Certificate Export Options = Use Microsoft Certificate Storage instead of local files
- Certificate Export Options = Use a password to protect the pkcs12 file contents or key in Viscosity bundle – CHECKED
Watch the mini-video guide:
That’s a Wrap
I hope you now know how to setup your OpenVPN server. It’s not that difficult really when you set it under pfSense, since it takes care all the tasks involve during your VPN setup. Creating your client certificate is done in no time, just point and click and you’re done. Thanks to pfSense! But if you still having issues with your setup, please feel free to ask about it and put your comments below. Till next time, and hope you enjoyed this guide.
