How to set up pfSense as OpenVPN Client

So you now have a working local VPN setup with pfSense, and you want it to connect to another VPN server, a remote one. You have several devices and machines connected to the pfSense box, and all of them go through the VPN server that was configured from the pfSense admin GUI.

Your next goal is to connect to another remote VPN server, whether to acquire a US-based IP address or a secured Internet connection. If so, this guide will help you achieve exactly that: connecting a pfSense box to an OpenVPN server.

For this guide, I’m going to show you how to set up pfSense as an OpenVPN client. You may also use this guide to connect your pfSense box to other VPN providers like CyberGhost, TorGuard, Hide My Ass and StrongVPN, but that takes some extra steps, since the VPN profile you download from them uses a password and is more complicated than the one in this guide. Read the Alternate Configuration part if you intend to use a password-protected VPN configuration file.

Moving on, you need the following if you decide to follow this guide:

  1. OpenVPN Access Server installed on a VPS, or an OpenVPN configuration file from a VPN provider like CyberGhost.
  2. A working VPN server setup in pfSense.
  3. Another way of connecting to the Internet, in case you run into issues with your connection while following this guide. Proceed once you have everything handy.

Configure pfSense as OpenVPN client

Before starting, make sure that you have already set up your Access Server by following the guide mentioned above (requirement no. 1). Once all the requirements are in place, proceed with the steps below.

  • Step 1: Create a new VPN user from the OpenVPN Access Server admin page. To create a new user, log in to https://your-server-ip-address/admin. You need to enable the auto-login profile for the VPN client, which in this case is pfSense. To do this, go to the main menu (left pane), then click Client Settings under Configurations. Under Customize Client Web Server UI, tick the check-box labeled Offer auto-login profile and click Save Settings.

    Reference Image:

    Then click User Permissions under the User Management menu. A new page should open; create a new VPN user account by filling in the New User text field and ticking the check-box for the Allow Auto-login setting. Click Save Settings and then Update Running Server.

    Reference Image:

  • Step 2: Log in to the web GUI as the VPN client and download the necessary configuration file. Log in to https://your-server-ip-address/ using the credentials you set in step 1 above. These should also be the credentials you set when you invoked the adduser command in Ubuntu. If you’re currently logged in as openvpn or admin, log out first and then log in again with the user account you just created. After logging in, you should see a screen similar to the image shown below:

    Reference Image:

    Click Yourself (autologin profile) to download the configuration file. The file should have an .ovpn extension.

    Reference Image:

  • Step 3: Connect pfSense to the OpenVPN server. Now it’s time to set up pfSense as a VPN client, using the OpenVPN configuration file downloaded in step 2 above.

    • Step 3-A: Log in to your pfSense web UI and navigate to the main menu, then System => Certificate Manager => CAs tab. Click the + button on the right side of the page to add a new internal CA. Fill in the Descriptive Name field with something you can tell apart from the other Certificate Authorities in your pfSense box; in my case, I’d put in OpenVPN-AS-CA. Under Method, select Import an existing Certificate Authority from the drop-down menu. In the Certificate data text field, paste the data from your downloaded .ovpn configuration file: open the file and copy everything that sits between the <ca> and </ca> tags.

    Click the SAVE button to confirm your settings.

    • Step 3-B: Import the OpenVPN client certificate. While still on the same page, click the Certificates tab right beside the CAs tab to open it. Click the + button to open the add/import certificate page. Set Method to Import an existing Certificate. Fill in the Descriptive name, for example OpenVPN-Client-Cert. Switch back to your downloaded .ovpn file and copy the block of text that sits between the <cert> and </cert> tags, then paste it into the Certificate data text field. Switch back to your .ovpn file once more, copy the text between the <key> and </key> tags, and paste it into the Private key data text field. Click the Save button to save your changes.
  • Step 4: Set up a peer-to-peer VPN connection. In this guide the pfSense box is the VPN client, so you need to set the OpenVPN Server mode to Peer to Peer. To do this, follow the next step below.

    • Step 4-A: Navigate to the main menu, then VPN => OpenVPN and then the Client tab. Click the + button to open a new page, then fill in the necessary fields like so:
      • Server Mode = Peer to Peer (SSL/TLS)
      • Protocol = UDP
      • Device mode = tun
      • Interface = WAN
      • Local port = blank
      • Server host or address = your-server-ip-address
      • Server port = 1194
      • Proxy host or address = blank
      • Proxy port = blank
      • Proxy authentication… = leave default
      • Server host name resolution = leave default
      • Description = DO-OVPN-CLIENT or anything you want

    Then, under TLS Authentication, uncheck Automatically generate a shared TLS authentication key. That should open a new text field. Switch back to your .ovpn file and copy the text between the <tls-auth> and </tls-auth> tags.

    You should start from the line

    -----BEGIN OpenVPN Static key V1-----

    Paste it into the text field.

      • Peer Certificate Authority = OpenVPN-AS-CA, or the descriptive name you set when you imported the CA certificate
      • Client Certificate = OpenVPN-Client-Cert, or the descriptive name you set in step 3-B
      • Encryption algorithm = BF-CBC (128-bit)
      • Hardware Crypto = leave default
      • IPv4 Tunnel Network = 10.0.8.0/24, or any private IP network you want
      • IPv4 Remote Network = 192.168.1.0/24
      • Compression = checked
      • Type-of-service = checked

    Then click the Save button to save your settings.
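    To make the copy-and-paste work of Steps 3-A, 3-B and 4-A less error-prone, the following Python script (an added example, not part of the original guide or of pfSense) splits an .ovpn profile into its inline <ca>, <cert>, <key> and <tls-auth> blocks, maps each one to the pfSense field it goes into, and flags a few things worth checking before saving the client: a Blowfish cipher, a missing server-certificate verification directive (the warning one commenter below quotes), and an auth-user-pass line, which means the Alternate Configuration section applies. The embedded profile is constructed and its PEM bodies are placeholders; the suggestion to put remote-cert-tls server in the Advanced configuration box assumes that box accepts raw OpenVPN directives, as the alternate configuration below relies on.

```python
import re

# Constructed sample profile laid out like an Access Server autologin .ovpn;
# certificate and key bodies are obviously fake placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote your-server-ip-address 1194
cipher BF-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
FAKE-CA-BODY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
FAKE-CLIENT-CERT-BODY
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
FAKE-CLIENT-KEY-BODY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

# Where each inline block is pasted in this guide.
PASTE_TARGETS = {
    "ca": "Step 3-A: System => Certificate Manager => CAs, Certificate data",
    "cert": "Step 3-B: System => Certificate Manager => Certificates, Certificate data",
    "key": "Step 3-B: System => Certificate Manager => Certificates, Private key data",
    "tls-auth": "Step 4-A: VPN => OpenVPN => Client, TLS Authentication key",
}

# One inline block: <tag> on its own line, the body, </tag> on its own line.
INLINE_RE = re.compile(r"^<([a-z0-9-]+)>\n(.*?)^</\1>[ \t]*(?:\n|\Z)", re.S | re.M)


def split_profile(text):
    """Split an .ovpn file into (directives, blocks): directives is a list of
    token lists such as ["remote", "host", "1194"]; blocks maps a tag to the
    exact text (BEGIN line through END line) that goes into a pfSense field."""
    blocks = {m.group(1): m.group(2).strip() + "\n" for m in INLINE_RE.finditer(text)}
    directives = []
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            directives.append(line.split())
    return directives, blocks


def review_profile(text):
    """Return {code: message} findings to act on before saving the pfSense client."""
    directives, blocks = split_profile(text)
    names = {d[0] for d in directives}
    findings = {}
    for tag in ("ca", "cert", "key"):
        if tag not in blocks:
            findings["missing-" + tag] = f"<{tag}> block missing; Step 3 needs it"
    for tag in blocks:
        if tag not in PASTE_TARGETS:
            findings["unused-" + tag] = f"<{tag}> block is not used by this guide's steps"
    for d in directives:
        if d[0] == "cipher" and len(d) > 1 and d[1].upper().startswith("BF-"):
            findings["weak-cipher"] = (f"cipher {d[1]}: Blowfish has 64-bit blocks; "
                                      "prefer an AES cipher the server also accepts")
    if not names & {"remote-cert-tls", "verify-x509-name", "tls-verify", "tls-remote"}:
        findings["no-server-verify"] = (
            "no server certificate verification directive, so OpenVPN will log "
            "'No server certificate verification method has been enabled'; "
            "add 'remote-cert-tls server' under Advanced configuration")
    if "auth-user-pass" in names:
        findings["needs-password"] = "profile uses auth-user-pass; see Alternate Configuration"
    return findings


if __name__ == "__main__":
    directives, blocks = split_profile(SAMPLE_OVPN)
    for tag, body in blocks.items():
        print(f"== <{tag}> -> {PASTE_TARGETS.get(tag, 'not used')}\n{body}")
    for code, message in review_profile(SAMPLE_OVPN).items():
        print(f"[{code}] {message}")
```

    Run it against the real profile with split_profile(open("client.ovpn").read()); each returned block is exactly the text to paste, BEGIN and END lines included, and the remote line gives you the Server host and Server port for Step 4-A.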

    • Step 4-B: Check your settings and see whether your VPN tunnel is actually up.

    Navigate to the main menu, then Status => OpenVPN.

    You should see a block labeled Client Instance Statistics, and the tunnel you created should appear in that block. It should carry the name DO-OVPN-CLIENT, or the one you set in step 4, with a Status of up and a Virtual address. If everything looks good, proceed to the next step.

    Reference Image: openvpn-client-instance

  • Step 5: Create a new interface and assign the newly created VPN tunnel to it. Navigate to the main menu, then Interfaces => (assign). You should now be on the Interface assignments tab, with your WAN and LAN interfaces listed there. Now click the + button to create a new interface and assign your previously created tunnel to it; in this case, that’s DO-OVPN-CLIENT.

    Reference Image:

    So click the + button; a new interface should be loaded with the label OPT1. Then, in the Network port pane, click the drop-down menu that corresponds to OPT1 and select DO-OVPN-CLIENT, or whatever name you configured in step 4-A. Then click the Save button. Click the Interfaces menu again and then click OPT1. Tick the Enable Interface check-box, and a new set of fields will be presented:

    • Description = You may change OPT1 to something like RemoteVPN-Interface
    • IPv4 Configuration Type = Set to None
    • IPv6 Configuration type = Set to None
    • MAC address = leave blank
    • MTU = leave blank
    • MSS = leave blank
    • Block private networks = checked
    • Block bogon networks = checked

    Then click the Save button and finally Apply changes to commit the changes. Now reboot your pfSense box; it’s recommended to initiate the reboot from the console rather than from the web UI. So press 5 then Enter, and then y then Enter again to start the reboot. After the box has rebooted, log in again from the web UI and navigate to Status => OpenVPN. Now check the Client Instance Statistics block: your client instance should be up this time, with a virtual address of 172.27.232.*, unless you configured it to use another virtual address.

    Reference Image:

  • Step 6: Add an outbound NAT rule for the newly set interface OPT1 or the name you set.

    • Step 6-A: Enable manual outbound NAT rules. Navigate to the main menu, then Firewall => NAT. Click the Outbound tab. Tick the radio button labeled Manual Outbound NAT rule generation (AON - Advanced Outbound NAT). Click Save, then Apply Changes.

    • Step 6-B: Create the NAT rule. While still on the Firewall: NAT: Outbound page, click the + button on the left side of the page, right after the last entry in the Description column. You should now be on the Firewall: NAT: Outbound: Edit page. Now fill in the fields like so:

      • Do Not NAT = unchecked
      • Interface = OPT1 or the name you configured from step 5
      • Protocol = any
      • Source = any
      • Destination = any
      • Translation = Interface address
      • No XMLRPC Sync = Unchecked
      • Description = DO-OVPN-NAT or some descriptive name you like.

    Then click the Save button, then Apply Settings. Reboot your pfSense box, either from the web UI or directly from the console.

  • Step 7: Check your Internet connection. After rebooting, check your connection by browsing to a page or pinging a hostname. If it’s working, go to google.com, type in what is my ip and press Enter. It should return your current IP address, which should be your server’s IP address. You may also check your connection speed by running a speed test over at speedtest.net. It will show not only your server’s connection speed but also the server’s location. You have now configured pfSense as an OpenVPN client.

Alternate Configuration

If you prefer to have a login password for your VPN user account, like the ones offered by CyberGhost, AirVPN, Ghost and StrongVPN, then you need to perform the following steps. This part is tricky, especially if you’re not so familiar with the command line and the vi text editor. To configure a user account to use password authentication in OpenVPN Access Server, log in to your server as admin and navigate to User Permissions under the User Management menu. Then uncheck Allow Auto-login for the user you want to configure. Click the Save button and then Update Running Server.

Now let’s configure pfSense

Read back the procedure under Step 4-A. If you want to use a password-protected VPN configuration file with pfSense, you need to follow these extra steps.

  • Step 1: Following Step 4-A, add this additional configuration to the Advanced configuration block.

    You may just edit your previous configuration by navigating to

    VPN => OpenVPN => Client tab => e button that corresponds to your client name.

    Insert the following text into the Advanced text field, one directive per line:

    auth-user-pass /root/myvpnpass
    auth-nocache

    Reference Image:

    Note: Insert any other settings as instructed by your VPN provider. Also, you have to download the Linux-based configuration file for this. It’s a file with the .ovpn extension.

  • Step 2: Create a file that contains your VPN user-name and password. To do this, you need to log in directly to your pfSense box using the console.

    If your pfSense box is a PC-based one, you could just attach a keyboard and monitor to it and start a shell. But if you’re using an embedded type or a router board, you need to enable SSH first.

    To enable SSH in pfSense 2.1.4, navigate to System => Advanced, scroll down to the Secure Shell section, tick Enable Secure Shell and save your settings.

    After this, SSH into the pfSense box to create the file. If you have a PC-based setup, just type 8 and then Enter at the Enter an option prompt.

    Reference Image:

    Once you have a shell, type in vi myvpnpass and press Enter to start the vi text editor, which at the same time creates the myvpnpass file. The file lands in the /root directory, since you’re in /root when you log in to the shell.

    Reference Image:

    Then enter your user-name and password, one line for the user-name and another for the password:

    your-user-name
    your-user-password

    To start typing your data, press i and type your VPN user-name. Hit the Enter key to start a new line and enter your VPN password. Note: in case you already started typing your user-name without pressing i first, you’ll see characters like these…

    Reference Image:

    To delete that, press the left arrow key until you reach the left-most side and hit the Del key to remove the characters. Then press i again and enter your data. The i, by the way, won’t be printed on your screen. When you’re done entering your data, save the file by pressing the Esc key, then typing :wq and pressing Enter. If you mistyped your user-name or password, press the down arrow key and use the left/right arrow keys to select the character you want to delete, then press the Del key.

    After this step, you should be good to go. Now go ahead and restart your pfSense box and check your connection after it reboots. To check your connection, navigate to VPN => OpenVPN; your client instance should now be up and running. If not, double check your user-name, password and the other advanced settings instructed by your VPN provider.
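    The vi session above is easy to get subtly wrong (a stray character typed before pressing i, an extra blank line, a CR from a Windows editor), and vi creates the file with the shell’s default umask, so the password may end up readable by other accounts on the box. The following Python, an added example that is not part of the original guide, writes the two-line file with owner-only permissions and checks an existing file for exactly those mistakes; it assumes a host with Python 3 and works in a temporary directory in its demo, the real file being /root/myvpnpass.

```python
import os
import stat
import tempfile


def write_auth_file(path, username, password):
    """Write the auth-user-pass file (user-name on line 1, password on line 2)
    readable only by its owner, which vi with a default umask does not guarantee."""
    if any(ch in username or ch in password for ch in "\r\n"):
        raise ValueError("user-name and password must each be a single line")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{username}\n{password}\n")
    os.chmod(path, 0o600)  # tighten an existing file that was created more openly
    return path


def check_auth_file(path):
    """Return a list of problems that would make OpenVPN reject the credentials
    or leave them readable by others; an empty list means the file looks right."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} is readable by group/others; use 0600")
    with open(path, "r", encoding="utf-8", newline="") as fh:
        raw = fh.read()
    lines = raw.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a final newline is fine; a blank line in between is not
    if len(lines) != 2:
        problems.append(f"expected exactly 2 lines (user-name, password), found {len(lines)}")
    for number, line in enumerate(lines, start=1):
        if "\r" in line:
            problems.append(f"line {number} ends with CR (Windows line ending)")
        elif line != line.strip():
            problems.append(f"line {number} has leading or trailing whitespace")
        if not line.strip():
            problems.append(f"line {number} is empty")
    return problems


def demo():
    """Create a correct file and a sloppy one in a temporary directory and
    return both check results; the credentials are constructed sample values."""
    with tempfile.TemporaryDirectory() as tmp:
        good = write_auth_file(os.path.join(tmp, "myvpnpass"), "vpnuser", "s3cret-example")
        good_problems = check_auth_file(good)

        sloppy = os.path.join(tmp, "myvpnpass-sloppy")
        with open(sloppy, "w") as fh:  # the kind of file a rushed vi session leaves behind
            fh.write("vpnuser \ns3cret-example\n\n")
        os.chmod(sloppy, 0o644)
        sloppy_problems = check_auth_file(sloppy)
    return good_problems, sloppy_problems


if __name__ == "__main__":
    ok, bad = demo()
    print("good file:", ok or "no problems")
    print("sloppy file:", *bad, sep="\n  ")
```

    After creating /root/myvpnpass with vi, running check_auth_file("/root/myvpnpass") on the box tells you whether the file is the one OpenVPN expects before you reboot and wait for an AUTH_FAILED line in the log.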

That’s a Wrap!

So that’s how easy it is to connect your pfSense box to an OpenVPN Access Server. Keep in mind that we used the Access Server software package, which is the downloadable version. It’s actually a commercial product, but you can use it for free with a maximum of 2 user accounts. A single user account can have several concurrent connections, though; you just have to set that up from the web UI. Keep in mind that pfSense has to be set up as the OpenVPN client, not the server.

And if you need an IP address from another country, you can get one by choosing your server location, for instance Singapore, London or Amsterdam. With this kind of setup you’re in total control: no third-party services, and no one could log any of your online activities. This is my guide on “How To Set Up pfSense As OpenVPN Client”. I hope you find this post useful, and don’t forget to leave your comments below.

Chubbable

Hi, I'm Chubby! That's what my friends call me. I'm a tech-savvy dude who is passionate about learning stuff by himself. I post stuff that I recently learned and also stuff that I'm very knowledgeable about. I also post articles here to serve as my own reference and knowledge base archive.

  • Gustavo Couto

    i have this
    Oct 9 02:33:18 openvpn[1760]: AUTH: Received control message: AUTH_FAILED
    Oct 9 02:33:18 openvpn[1760]: SIGTERM[soft,auth-failure] received, process exiting

    • Double check your username and password and private key password. Make sure they are correct.

  • NEK4TE

    I am having issues for some reason, i did follow your instructions, but, i am stuck @ having pfSense connecting to OpenVPN-AS

    Logs show this:

    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

    Please advise

  • Simen Stavdal

    Thank you very much for this well written, concise and excellent article. Fit my purpose (and setup) perfectly. I have two foreign vpn servers running openvpn as, and was able to get them both running from pfsense after following this guide. I applaud thee.

  • Gustavo Couto

    i try a lot, but not success …
    AUTH: Received control message: AUTH_FAILED

    • Hi Gustavo! How did you do it? Did you complete the part where you have to create a file inside Pfsense using vi text editor? Who’s your provider?

  • Samuel Seidel

    Now what if you want to connect from the outside world to your main provider’s public IP.

    • If you’re on a dynamic public IP, you need to set up DDNS in pfSense. Then forward the necessary ports. Otherwise, just point to your public IP address. Your prior setup for incoming connections: firewall and port forwarding.