So you now have a working local VPN setup with pfSense and you want it to connect to another, remote VPN server. You have several devices and machines behind the pfSense box, and all of them go through the VPN server you configured from the pfSense admin GUI.
If your next goal is to connect to a remote VPN server, whether to get a US-based IP address or simply to encrypt your Internet traffic, this guide shows how to connect a pfSense box to an OpenVPN server.
For this guide I'll show how to set up pfSense as an OpenVPN client. You can also use it to connect your pfSense box to other VPN providers such as CyberGhost, TorGuard, Hide My Ass and StrongVPN, but those need an extra step, because the VPN profile you download from them uses username/password authentication. Read the Alternate Configuration section if you intend to use a password-protected configuration file.
You need the following if you decide to follow this guide:
- OpenVPN Access Server installed on a VPS, or an OpenVPN configuration file from a VPN provider such as CyberGhost.
- A working VPN server set up in pfSense.
- Another way of connecting to the Internet, in case you run into connection problems while following this guide. Proceed once you have everything handy.
Configure pfSense as OpenVPN client
Before starting, make sure you have already set up your Access Server by following the guide mentioned above (requirement no. 1). If all the requirements are in place, proceed with the steps below.
Step 1: Create a new VPN user from the OpenVPN Access Server admin page. To create a new user, log in to
https://your-server-ip-address/admin
You need to enable the Auto Login Profile for the VPN client, which in this case is pfSense. In the main menu (left pane), click Client Settings under Configuration. Under Customize Client Web Server UI, tick the check-box for Offer auto-login profile and click Save Settings.
Then click User Permissions under the User Management menu. On the page that opens, create a new VPN user account by filling in the New User text field and ticking the Allow Auto-login check-box for that user. Click Save Settings and then Update Running Server.
Keep in mind what an auto-login profile is: the .ovpn file it produces embeds a client certificate and private key that authenticate without any password, so whoever holds the file holds the credential. Treat it like a private key and delete the download once it is imported into pfSense.
Step 2: Log in to the client web UI as the VPN user and download the configuration file. Log in to
https://your-server-ip-address/
with the credentials you set in step 1. Access Server authenticates against the server's Linux users by default, so these are the username and password you set with the adduser command on Ubuntu. If you are currently logged in as openvpn or admin, log out first and log in again as the newly created user.
Click Yourself (autologin profile) to download the configuration file. The file has an .ovpn extension.
Step 3: Connect pfSense to the OpenVPN server. Now it's time to set up pfSense as a VPN client, using the OpenVPN configuration file downloaded in step 2.
Step 3-A: Import the CA certificate. Log in to your pfSense web UI and go to System => Certificate Manager => CAs tab. Click the + button on the right side of the page to add a new CA. Fill in the Descriptive Name field with a name that distinguishes it from any other certificate authority on your pfSense box; I used OpenVPN-AS-CA. Under Method, select Import an existing Certificate Authority from the drop-down menu. In the Certificate data text field, paste the CA from your downloaded .ovpn file: open the file and copy everything between the <ca> and </ca> tags, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Click Save to confirm.
Step 3-B: Import the OpenVPN client certificate. On the same page, open the Certificates tab next to the CAs tab. Click the + button to open the add/import certificate page. Set Method to Import an existing Certificate and fill in the Descriptive name, for example OpenVPN-Client-Cert. Switch back to your .ovpn file, copy the block of text between <cert> and </cert>, and paste it into the Certificate data field. Then copy the text between <key> and </key> and paste it into the Private key data field. Click Save.
Step 4: Set up a Peer-to-Peer VPN connection. In this guide the pfSense box is the VPN client, so the Server Mode is set to Peer to Peer. To do this, follow the next step.
Step 4-A: Go to VPN => OpenVPN and then the Client tab. Click the + button to open a new page and fill in the fields like so:
- Server Mode = Peer to Peer (SSL/TLS)
- Protocol = UDP
- Device mode = tun
- Interface = WAN
- Local port = blank
- Server host or address = your-server-ip-address
- Server port = 1194
- Proxy host or address = blank
- Proxy port = blank
- Proxy authentication = leave default
- Server host name resolution = leave default
- Description = DO-OVPN-CLIENT or anything you want
Then under TLS Authentication, uncheck Automatically generate a shared TLS authentication key. That opens a new text field. Switch back to your .ovpn file and copy the text between the <tls-auth> and </tls-auth> tags, from -----BEGIN OpenVPN Static key V1----- through -----END OpenVPN Static key V1-----, and paste it into the text field.
- Peer Certificate Authority = OpenVPN-AS-CA, or the descriptive name you gave the CA in step 3-A
- Client Certificate = OpenVPN-Client-Cert, or the descriptive name you set in step 3-B
- Encryption algorithm = the cipher named on the cipher line of your .ovpn file; the two ends must match. The original setup used BF-CBC (128-bit), which was OpenVPN's default at the time, but Blowfish has a 64-bit block size and is no longer recommended: use AES if the server offers it (OpenVPN 2.4 and later negotiate AES-256-GCM by default).
- Hardware Crypto = leave default
- IPv4 Tunnel Network = 10.0.8.0/24 or any private network that does not overlap your LAN. The Access Server pushes the client's tunnel address anyway, so this field can also be left blank.
- IPv4 Remote Network = 192.168.1.0/24, i.e. the network behind the server that should be reachable through the tunnel
- Compression = checked, but only if your .ovpn file contains a comp-lzo line. Compression must match the server, and since the VORACLE attack (2018) OpenVPN disables it by default.
- Type-of-service = checked
Then click Save to save your settings.
Step 4-B: Check your settings and see if your VPN tunnel is actually up.
Go to Status => OpenVPN. You should see a block labeled Client Instance Statistics with your tunnel listed in it, named DO-OVPN-CLIENT or whatever you set in step 4-A. Its Status should be up and it should show a Virtual address. If everything looks good, proceed to the next step.
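The copy-and-paste work in steps 3-A, 3-B and 4-A (the <ca>, <cert>, <key> and <tls-auth> blocks, plus the remote, proto and cipher lines) can be scripted so nothing is pasted half-way. The following is an added example, not code from the original post or from pfSense or OpenVPN. The profile it parses is a constructed placeholder with the same layout as an Access Server profile; 203.0.113.10 is a documentation address, not a real server. It only needs sh and awk, so it runs on a workstation or on the pfSense shell against your real .ovpn file:

```shell
#!/bin/sh
# Added example (not from the original post): pull the pieces pfSense asks
# for out of an OpenVPN Access Server .ovpn profile so they can be pasted
# into the CA, Certificate and Client pages. The profile written below is
# a constructed placeholder, not real key material.
set -eu

# Print the body of an inline <TAG>...</TAG> block, without the tag lines.
ovpn_block() {  # usage: ovpn_block FILE TAG
    awk -v otag="<$2>" -v ctag="</$2>" '
        $0 == otag { p = 1; next }
        $0 == ctag { p = 0 }
        p' "$1"
}

# Print the argument(s) of a top-level option such as "remote" or "cipher".
ovpn_opt() {  # usage: ovpn_opt FILE OPTION
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); print }' "$1"
}

# Constructed sample profile in the shape Access Server produces.
write_sample_profile() {  # usage: write_sample_profile FILE
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
cipher AES-256-CBC
comp-lzo no
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
KEY-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
TA-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# Summarise which value goes into which pfSense field, then dump each block.
ovpn_summary() {  # usage: ovpn_summary FILE
    f=$1
    echo "Server host/port   : $(ovpn_opt "$f" remote)"
    echo "Protocol           : $(ovpn_opt "$f" proto)"
    echo "Encryption algorithm: $(ovpn_opt "$f" cipher)"
    echo "Compression (comp-lzo): $(ovpn_opt "$f" comp-lzo)"
    echo "key-direction      : $(ovpn_opt "$f" key-direction)"
    for tag in ca cert key tls-auth; do
        echo "--- <$tag> block (paste into pfSense) ---"
        ovpn_block "$f" "$tag"
    done
}

# Stand-alone run: build the sample profile, print the summary, clean up.
tmp=$(mktemp)
write_sample_profile "$tmp"
ovpn_summary "$tmp"
rm -f "$tmp"
```

Run it as `sh extract.sh` to see the sample, or call `ovpn_block client.ovpn ca` and friends from the shell against a real profile. The cipher line is what the Encryption algorithm field in step 4-A must match; the key-direction 1 line means the client uses the second half of the static key in the <tls-auth> block, which is how an Access Server profile is written for clients.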
Step 5: Create a new interface and assign the newly created VPN tunnel to it. Go to Interfaces => (assign). You should now be on the Interface assignments tab, where your WAN and LAN interfaces are listed. Click the + button to create a new interface; it appears with the label OPT1. In the Network port column, open the drop-down menu for OPT1, select DO-OVPN-CLIENT (or whatever name you configured in step 4-A) and click Save. Open the Interfaces menu again and click OPT1. Tick the Enable Interface check-box; a new set of fields appears:
- Description = you may change OPT1 to something like RemoteVPN-Interface
- IPv4 Configuration Type = None
- IPv6 Configuration Type = None
- MAC address = leave blank
- MTU = leave blank
- MSS = leave blank
- Block private networks = checked
- Block bogon networks = checked
The two block options drop new inbound connections arriving on this interface from private or unallocated source addresses, which is what you want for an interface that carries Internet traffic; they do not affect replies to connections your LAN opened, since those match existing firewall states. If hosts on the remote network from step 4-A (192.168.1.0/24) need to initiate connections to your side, leave Block private networks unchecked.
Then click Save and finally Apply changes to commit. Now reboot your pfSense box; it's best to initiate the reboot from the console rather than the web UI: press 5 then Enter (Reboot system), then y and Enter to confirm. After the reboot, log in to the web UI again and go to Status => OpenVPN. Under Client Instance Statistics, your client instance should now be up, with a virtual address of 172.27.232.*, unless you configured it to use another address range.
Step 6: Add an outbound NAT rule for the new interface, OPT1 or whatever you named it.
Step 6-A: Enable manual outbound NAT. Go to Firewall => NAT and click the Outbound tab. Select the radio button labeled Manual Outbound NAT rule generation (AON - Advanced Outbound NAT). Click Save, then Apply Changes. pfSense copies the automatically generated WAN rules into the manual list when you switch; keep them, otherwise your existing LAN-to-WAN traffic is no longer translated.
Step 6-B: Create the NAT rule. Still on the Firewall: NAT: Outbound page, click the + button on the left side of the page, after the last entry in the Description column. You should now be on the Firewall: NAT: Outbound: Edit page. Fill in the fields like so:
- Do Not NAT = unchecked
- Interface = OPT1, or the name you configured in step 5
- Protocol = any
- Source = any (tighter: your LAN subnet, so only traffic from your LAN is translated onto the tunnel)
- Destination = any
- Translation = Interface address
- No XMLRPC Sync = unchecked
- Description = DO-OVPN-NAT or some descriptive name you like
Then click Save and Apply Changes. Reboot your pfSense box, either from the web UI or directly from the console.
Step 7: Check your Internet connection. After the reboot, browse to a page or ping a hostname. If that works, go to google.com, search for what is my ip and press Enter: it should report your current public address, which should now be your server's IP address. You can also run a speed test at speedtest.net; it shows not only the connection speed through the server but also the server's location. You have now configured pfSense as an OpenVPN client.
Alternate Configuration
If you prefer your VPN user account to have a login password, as providers such as CyberGhost, AirVPN and StrongVPN require, you need to perform the following steps. They are a bit tricky if you are not familiar with the command line and the vi text editor. To switch a user account to password authentication in OpenVPN Access Server, log in to the admin UI, go to User Permissions under the User Management menu, uncheck Allow Auto Login for the user you want to change, click Save Settings and then Update Running Server.
Now let's configure pfSense
Go back to the procedure in step 4-A. To use a password-protected VPN configuration file with pfSense, follow these extra steps.
Step 1: In the client settings from step 4-A, add the following to the Advanced configuration block. You can edit your existing configuration by going to VPN => OpenVPN => Client tab and clicking the e (edit) button for your client. Put these two directives in the Advanced text field, one per line or separated by a semicolon as the field's help text describes (the directive and its path belong together on one line; they are two separate options, not one):
auth-user-pass /root/myvpnpass
auth-nocache
auth-user-pass tells OpenVPN to read the username from the first line and the password from the second line of that file; auth-nocache stops OpenVPN from keeping the password in memory after it has been used.
Note: add any other settings your VPN provider instructs. Also, you need the Linux (generic OpenVPN) configuration file for this, the one with the .ovpn extension.
Step 2: Create a file that contains your VPN username and password. To do this, you need to log in to the pfSense box directly from the console.
If your pfSense box is PC-based, attach a keyboard and monitor and start a shell. If it is an embedded or router-board unit, enable SSH first. To enable SSH on pfSense 2.1.4, go to System => Advanced, Admin Access tab, scroll down to the Secure Shell section, tick Enable Secure Shell and save your settings. Then SSH in to the pfSense box to create the file. On a PC-based setup, just type 8 and press Enter at the Enter an option prompt to get a shell.
Once you have a shell, type vi myvpnpass and press Enter. This starts the vi text editor and creates the myvpnpass file when you save. The file lands in /root, because the shell starts in root's home directory; that is why the auth-user-pass path above is /root/myvpnpass.
Enter your username and password, one per line: the username on the first line and the password on the second.
your-user-name
your-user-password
To start typing, press i (insert mode; the i itself is not printed), type your VPN username, press Enter to start a new line and type your VPN password. If you started typing before pressing i, stray characters may appear on the screen: press Esc, move to them with the arrow keys and press x (Del also works on most consoles) to remove them, then press i again and enter your data. When you are done, press Esc, type :wq and press Enter to save and quit. If you mistyped the username or password, move to the wrong character with the arrow keys and delete it the same way.
The file now holds your VPN password in plaintext, so restrict it to root with chmod 600 /root/myvpnpass before you leave the shell.
Now restart your pfSense box and, after it comes back, go to Status => OpenVPN: your client instance should be up and running. If not, double-check the username, the password and any other advanced settings your VPN provider requires.
That’s a Wrap!
So that's how easy it is to connect your pfSense box to an OpenVPN Access Server. Keep in mind that we used the Access Server software package, the downloadable version. It is a commercial product, but it can be used for free with a maximum of 2 user accounts, and a single user account can have several concurrent connections, which you configure from its web UI. Also keep in mind that pfSense is set up as the OpenVPN client here, not the server.
If you need an IP address in another country, choose your VPS location accordingly: Singapore, London or Amsterdam, for instance. With this setup you control the VPN endpoint and its logs instead of trusting a third-party VPN service; bear in mind that your VPS provider can still see the traffic leaving your server, and websites see the server's address rather than your home one. This is my guide on "How To Set Up pfSense As OpenVPN Client". I hope you find it useful, and don't forget to leave your comments below.