How to Set Up a VPN Gateway with pfSense and OpenVPN


In this tutorial, we will go over how to set up a VPN gateway using pfSense and OpenVPN. pfSense is an open-source firewall and router that offers extensive features, while OpenVPN is a highly configurable VPN solution. By combining these tools, you can create a secure and robust VPN gateway for your network.

Prerequisites

  • A pfSense instance installed and running on your network.
  • Basic knowledge of networking and VPNs.
  • Access to the pfSense web interface.
  • OpenVPN package installed on pfSense (this is usually pre-installed with pfSense).

Step 1: Install OpenVPN on pfSense

Before configuring the VPN gateway, you need to ensure that OpenVPN is installed on your pfSense system. To install OpenVPN:

1. Log in to the pfSense web interface.
2. Navigate to System > Package Manager > Available Packages.
3. Search for the OpenVPN package and click Install.
4. Wait for the installation to complete.

Step 2: Configure OpenVPN Server

Now that OpenVPN is installed, it’s time to configure it to run as a server:

1. In pfSense, go to VPN > OpenVPN.
2. Click the Servers tab and click + Add to create a new OpenVPN server.
3. Under General Information, choose the interface (usually WAN) where the VPN server will be listening.
4. For the Protocol, select UDP for better performance or TCP for more reliable connections.
5. Select the Cryptographic Settings that fit your needs. AES-256-CBC is a good choice for strong encryption.
6. Under Authentication Settings, choose either password-based or certificate-based authentication as the Authentication Method (certificate-based is more secure).
7. Configure the Tunnel Network for your VPN clients (for example, 10.8.0.0/24).
8. Define the Local Network(s) which the VPN clients will have access to, such as your internal LAN network (e.g., 192.168.1.0/24).
9. Enable Compression (optional) and configure other settings as needed for your specific use case.
10. Save the settings.

Step 3: Create Client Certificate

In order for a client to authenticate to the OpenVPN server, you must create a certificate for the client:

1. Navigate to System > Cert. Manager > Certificates.
2. Click + Add to create a new certificate.
3. Select the Internal Certificate Authority (CA) that will sign the certificate.
4. Set the Certificate Type to User Certificate.
5. Configure the certificate details, ensuring it matches your security requirements.
6. After creation, you will use this certificate on your client devices to authenticate with the OpenVPN server.

Step 4: Configure OpenVPN Client Export

To simplify client configuration, pfSense offers a package that can export client configuration files. To configure it:

1. Go to System > Package Manager > Installed Packages.
2. Install the OpenVPN Client Export Utility package.
3. Once installed, go to VPN > OpenVPN > Client Export.
4. Choose the VPN server you created earlier and select a client export format (e.g., .ovpn for use with OpenVPN clients).
5. Download the client configuration file and install the OpenVPN client on your device.
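Before handing an exported profile to a user it is worth checking that it actually carries the pieces the steps above rely on: certificate-based authentication needs the inline CA, client certificate and key, and the client should verify that it is talking to a server certificate (remote-cert-tls server, verify-x509-name) rather than to anything signed by the CA. The script below is an added example, not part of this tutorial or of pfSense's export package; the sample profile it writes is constructed, and vpn.example.com, the common name and the PEM bodies are placeholders.

```shell
#!/bin/sh
# Sanity-check an exported OpenVPN client profile (.ovpn) before distributing it.
# The profile written below is constructed for this example: the host
# vpn.example.com, the certificate name and the PEM blobs are placeholders,
# not output from a real pfSense export.

write_sample_profile() {
  cat > "$1" <<'EOF'
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote vpn.example.com 1194 udp4
verify-x509-name "pfsense-openvpn-server" name
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
placeholder-ca-certificate
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
placeholder-client-certificate
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
placeholder-client-private-key
-----END PRIVATE KEY-----
</key>
EOF
}

# has_directive FILE "DIRECTIVE [ARG]": true if some line starts with it.
has_directive() {
  grep -Eq "^$2( |\$)" "$1"
}

# has_inline_block FILE TAG: true if both <TAG> and </TAG> lines are present.
has_inline_block() {
  grep -q "^<$2>" "$1" && grep -q "^</$2>" "$1"
}

# check_profile FILE: print one line per check; return the number of failures.
check_profile() {
  f="$1"; fails=0
  # Directives the profile must carry for certificate auth and for server
  # identity checks (remote-cert-tls server keeps a client from accepting
  # another client's certificate presented by a machine posing as the server).
  for d in client "dev tun" remote "remote-cert-tls server" verify-x509-name; do
    if has_directive "$f" "$d"; then
      echo "ok   : $d"
    else
      echo "FAIL : missing '$d'"; fails=$((fails + 1))
    fi
  done
  # The remote line must name host, port and protocol (udp/tcp, optionally 4/6).
  if grep -Eq '^remote [^ ]+ [0-9]+ (udp|tcp)[46]?$' "$f"; then
    echo "ok   : remote has host, port and protocol"
  else
    echo "FAIL : remote line lacks host, port or protocol"; fails=$((fails + 1))
  fi
  # Inline CA, client certificate and key make the profile self-contained.
  for t in ca cert key; do
    if has_inline_block "$f" "$t"; then
      echo "ok   : inline <$t> block"
    else
      echo "FAIL : missing inline <$t> block"; fails=$((fails + 1))
    fi
  done
  # A control-channel key is not part of this tutorial's setup, so only warn.
  if has_inline_block "$f" tls-crypt || has_inline_block "$f" tls-auth; then
    echo "ok   : TLS control-channel key present"
  else
    echo "WARN : no tls-crypt/tls-auth block; enable a TLS key on the server if you want one"
  fi
  return "$fails"
}

# Stand-alone run: write the constructed sample, check it, report the result.
tmp=$(mktemp)
write_sample_profile "$tmp"
check_profile "$tmp"; rc=$?
if [ "$rc" -eq 0 ]; then echo "profile passed"; else echo "profile has $rc failure(s)"; fi
rm -f "$tmp"
```

Run it against a real export with `check_profile client.ovpn`; a non-zero return value is the number of failed checks, so it can gate a distribution script.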

Step 5: Adjust Firewall Rules

To allow traffic to and from the OpenVPN server, configure the appropriate firewall rules:

1. Navigate to Firewall > Rules.
2. Select the WAN interface and add a new rule to allow traffic on the port used by OpenVPN (e.g., UDP port 1194).
3. Select the LAN interface and add rules to allow VPN clients to access internal resources.
4. Save the firewall rules.

Step 6: Test the VPN Connection

To test the VPN connection:

1. On your client device, import the OpenVPN configuration file (.ovpn) you downloaded.
2. Launch the OpenVPN client and connect to your pfSense OpenVPN server.
3. Verify that the connection is established and you can access internal resources.
4. Check the OpenVPN logs on pfSense for troubleshooting if the connection fails.
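The log check in the last step is easier when the common failure messages are mapped back to the step that causes them. The script below is an added example, not part of this tutorial or of pfSense: it sorts OpenVPN log lines into a few classes and prints which earlier step to revisit for each. The log it writes is constructed; the message texts are OpenVPN's own, while the timestamps and the address 203.0.113.10 are placeholders.

```shell
#!/bin/sh
# Triage OpenVPN log lines into the failure classes this tutorial's steps
# address. The log written below is constructed for this example; the message
# texts are the ones OpenVPN emits, the timestamps and 203.0.113.10 are
# placeholders.

write_sample_log() {
  cat > "$1" <<'EOF'
2024-01-01 12:00:00 UDPv4 link remote: [AF_INET]203.0.113.10:1194
2024-01-01 12:01:00 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-01-01 12:01:00 TLS Error: TLS handshake failed
2024-01-01 12:01:00 SIGUSR1[soft,tls-error] received, process restarting
2024-01-01 12:02:05 VERIFY ERROR: depth=0, error=certificate has expired
2024-01-01 12:02:05 TLS_ERROR: BIO read tls_read_plaintext error
EOF
}

# classify_line LINE: print one category name for a single log line.
classify_line() {
  case "$1" in
    *"Initialization Sequence Completed"*)          echo connected ;;
    *"TLS key negotiation failed to occur"*)        echo no-server-reply ;;
    *"cannot locate HMAC"*)                         echo tls-key-mismatch ;;
    *"VERIFY ERROR"*|*"certificate verify failed"*) echo certificate ;;
    *"AUTH_FAILED"*)                                echo auth-failed ;;
    *"Options error"*)                              echo profile-syntax ;;
    *)                                              echo other ;;
  esac
}

# classify_log FILE: one category per line of the log file.
classify_log() {
  while IFS= read -r line; do classify_line "$line"; done < "$1"
}

# hint CATEGORY: which part of the setup to revisit for that category.
hint() {
  case "$1" in
    connected)        echo "tunnel is up; test access to the Local Network defined in Step 2" ;;
    no-server-reply)  echo "no reply to the TLS handshake: check the WAN rule for the OpenVPN port (Step 5) and the interface/port the server listens on (Step 2)" ;;
    tls-key-mismatch) echo "client TLS key does not match the server's; re-export the profile (Step 4)" ;;
    certificate)      echo "certificate validation failed: check the signing CA and validity dates (Step 3)" ;;
    auth-failed)      echo "server rejected the login: check the authentication method chosen in Step 2 and the client certificate" ;;
    profile-syntax)   echo "the client rejected an option in the .ovpn file: re-export in a format matching the client (Step 4)" ;;
    *)                echo "informational; no action" ;;
  esac
}

# triage_log FILE: print a hint per category seen; succeed only if the log
# shows a completed connection.
triage_log() {
  cats=$(classify_log "$1" | sort -u)
  for c in $cats; do
    printf '%-16s %s\n' "$c" "$(hint "$c")"
  done
  echo "$cats" | grep -qx connected
}

# Stand-alone run over the constructed sample log.
tmp=$(mktemp)
write_sample_log "$tmp"
if triage_log "$tmp"; then echo "result: connected"; else echo "result: not connected, see hints above"; fi
rm -f "$tmp"
```

On pfSense the server-side log is under Status > System Logs > OpenVPN; save it to a file and run `triage_log` on it, or feed the client's own log the same way.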
