OpenVPN is a powerful open-source VPN solution used for secure and private communication over the internet. pfSense, a widely adopted open-source firewall and router platform, supports OpenVPN to facilitate secure remote access and site-to-site VPN connections. In this guide, we will walk through the technical steps required to configure OpenVPN on pfSense, focusing on a robust and secure setup suitable for enterprise or advanced use cases.
Prerequisites
- pfSense firewall installed and running.
- Access to pfSense admin interface.
- Basic understanding of networking and VPN concepts.
- A valid OpenVPN certificate authority (CA) and server certificate.
Step 1: Setting up the OpenVPN Certificate Authority (CA)
Before configuring OpenVPN on pfSense, you must create a Certificate Authority (CA) that will be used for issuing the server and client certificates. This step is essential for maintaining secure and trusted connections.
1. Log into the pfSense admin interface.
2. Navigate to System → Cert. Manager → CAs.
3. Click 'Add' to create a new Certificate Authority.
4. Fill in the details for the CA:
   - Descriptive name: OpenVPN_CA
   - Method: Internal Certificate Authority
   - Key Type: RSA
   - Key Length: 2048 bits (recommended)
   - Lifetime: 3650 days (default is 10 years)
   - Distinguished Name: Fill in appropriate details like Country, State, and Organization.
5. Click 'Save' to create the CA.
Step 2: Creating the OpenVPN Server Certificate
Next, create a server certificate that will be used by the OpenVPN server for establishing secure connections with clients.
1. Navigate to System → Cert. Manager → Certificates.
2. Click 'Add/Sign' to create a new certificate.
3. Fill in the following fields:
   - Descriptive Name: OpenVPN_Server_Cert
   - Certificate Authority: Select the CA you created earlier.
   - Certificate Type: Server Certificate
   - Key Size: 2048 bits
   - Lifetime: 3650 days
4. Click 'Save' to generate the server certificate.
Step 3: Configuring OpenVPN Server
With the necessary certificates in place, you can now configure the OpenVPN server on pfSense. The server will provide VPN access to remote clients.
1. Navigate to VPN → OpenVPN → Servers.
2. Click 'Add' to create a new OpenVPN server.
3. Configure the following settings:
   - Server Mode: Remote Access (SSL/TLS + User Auth)
   - Protocol: UDP (recommended for performance) or TCP
   - Device Mode: tun (recommended for routing)
   - Interface: WAN
   - Local Port: 1194 (default OpenVPN port)
   - Description: OpenVPN Server
4. Under 'Cryptographic Settings':
   - TLS Authentication: Enable
   - TLS Key: Automatically generate a TLS key.
   - Peer Certificate Authority: Select the CA created earlier.
   - Server Certificate: Select the OpenVPN server certificate created earlier.
   - Encryption Algorithm: AES-256-CBC (recommended)
   - Auth Digest Algorithm: SHA256 (recommended)
5. Under 'Tunnel Settings':
   - Tunnel Network: 10.8.0.0/24 (customizable)
   - Redirect Gateway: Enable to route all traffic through the VPN.
   - DNS Default Domain: (Optional) Enter the domain for VPN clients.
6. Under 'Advanced Configuration':
   - Custom Options: You may add additional configuration options like 'push "dhcp-option DNS 8.8.8.8"' to specify DNS servers.
7. Click 'Save' to create the OpenVPN server.
Step 4: Configuring Firewall Rules
Firewall rules need to be adjusted to allow VPN traffic to pass through pfSense. By default, the firewall may block OpenVPN traffic, so you must create specific rules to permit the VPN connections.
1. Navigate to Firewall → Rules → WAN.
2. Click 'Add' to create a new rule.
3. Set the following parameters:
   - Action: Pass
   - Interface: WAN
   - Protocol: UDP (or TCP if using that protocol)
   - Source: any
   - Destination: WAN address
   - Destination Port Range: 1194 (or your custom OpenVPN port)
4. Click 'Save' to apply the rule.
5. Navigate to Firewall → Rules → OpenVPN and add a similar pass rule for traffic arriving through the tunnel. The WAN rule only admits the OpenVPN connection itself; the rule on the OpenVPN tab governs what connected clients may reach, so scope it to the networks they actually need.
Step 5: Generating Client Certificates
Client certificates are required for each remote user to establish a secure connection to the OpenVPN server. Each client must have its own certificate.
1. Navigate to System → Cert. Manager → Certificates.
2. Click 'Add/Sign' to generate a new certificate.
3. Fill in the following:
   - Descriptive Name: OpenVPN_Client1
   - Certificate Authority: Select the previously created OpenVPN_CA.
   - Certificate Type: User Certificate
   - Key Size: 2048 bits
   - Lifetime: 3650 days
4. Click 'Save' to create the client certificate.
5. Export the client certificate and private key by selecting the certificate and clicking 'Export'.
Step 6: Exporting the OpenVPN Configuration for Clients
Finally, you need to export the OpenVPN configuration file that will be used by remote clients to connect to the server. This configuration file will include all necessary settings, such as server address, certificate information, and encryption options.
1. Navigate to VPN → OpenVPN → Client Export.
2. Select the OpenVPN server from the list.
3. Choose the client you want to export for.
4. Click 'Download' to export the OpenVPN configuration file.
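Before handing an exported profile to a user it is worth confirming that it really carries the settings chosen in Step 3 (UDP on port 1194, tun, AES-256-CBC, SHA256, TLS authentication, user/password auth) and that the CA, client certificate and key were embedded by the export in Step 6. The following script is an added example, not part of this guide or of pfSense; it parses an .ovpn file with the standard library only. The sample profile, the host name vpn.example.com and the PEM bodies are constructed placeholders.

```python
"""Check an exported OpenVPN client profile (.ovpn) against the settings chosen
in the guide: UDP on port 1194, dev tun, AES-256-CBC, SHA256, TLS authentication,
embedded CA/cert/key, user/password auth.  Stdlib only; the sample is constructed."""
import re

# Constructed sample resembling a pfSense client export.  The PEM bodies are
# placeholders, not real certificates or keys.
SAMPLE_OVPN = """\
dev tun
cipher AES-256-CBC
auth SHA256
client
remote vpn.example.com 1194 udp
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

def parse_profile(text):
    """Split a profile into directives (name -> list of argument lists, because a
    directive such as 'remote' may repeat) and inline <tag>...</tag> blocks."""
    directives, blocks = {}, {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                  # inside an inline block
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":          # blank line or comment
            continue
        tag = re.fullmatch(r"<([a-z-]+)>", line)
        if tag:
            current = tag.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks

# Single-valued directives the guide fixes, and the value it chooses.
EXPECTED = {"dev": "tun", "cipher": "AES-256-CBC", "auth": "SHA256"}

def check_profile(text, port="1194", proto="udp"):
    """Return a list of findings; an empty list means the profile matches the guide."""
    d, blocks = parse_profile(text)
    findings = []
    for name, want in EXPECTED.items():
        got = d.get(name, [[]])[0]
        if not got or got[0].upper() != want.upper():
            findings.append(f"{name}: expected {want}, got {' '.join(got) or 'missing'}")
    if "remote" not in d:
        findings.append("remote: no server address")
    for args in d.get("remote", []):
        # 'remote host [port] [proto]': a missing port means OpenVPN's default 1194,
        # a missing proto falls back to the global 'proto' directive (default udp).
        got_port = args[1] if len(args) > 1 else "1194"
        got_proto = args[2] if len(args) > 2 else d.get("proto", [["udp"]])[0][0]
        if got_port != port:
            findings.append(f"remote {args[0]}: port {got_port}, expected {port}")
        if not got_proto.lower().startswith(proto):
            findings.append(f"remote {args[0]}: protocol {got_proto}, expected {proto}")
    if "tls-auth" not in blocks and "tls-auth" not in d:
        findings.append("tls-auth: TLS authentication key missing")
    elif "tls-auth" in blocks:
        kd = d.get("key-direction", [[]])[0]
        if not kd or kd[0] != "1":               # the server side uses direction 0
            findings.append("key-direction: client should use 1")
    for tag in ("ca", "cert", "key"):            # may be inline or a file reference
        if tag not in blocks and tag not in d:
            findings.append(f"{tag}: missing")
    if "remote-cert-tls" not in d:
        findings.append("remote-cert-tls server: missing, any CA-issued cert would be accepted as the server")
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass: missing, server mode requires user authentication")
    return findings

if __name__ == "__main__":
    for line in check_profile(SAMPLE_OVPN) or ["profile matches the guide's settings"]:
        print(line)
```

Run it against a downloaded profile by replacing SAMPLE_OVPN with the file's contents; every finding names the directive that deviates from the guide. The `remote-cert-tls server` check matters because the server certificate in Step 2 was issued with the Server Certificate type, and that directive is what makes clients refuse a client certificate from the same CA posing as the server.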