Setting Up OpenVPN on pfSense: A Beginner’s Step-by-Step Guide


What is OpenVPN?

OpenVPN is a popular open-source software application that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections. By setting up OpenVPN on your pfSense router, you can securely access your home network from anywhere in the world, ensuring your data is encrypted and safe.


Step 1: Prepare pfSense for OpenVPN Installation

  1. Access the pfSense Web Interface:
     • Open your web browser and navigate to your pfSense web interface. The default address is 192.168.1.1.
     • Log in using your admin username and password.
  2. Navigate to the VPN Section:
     • On the top menu, go to VPN > OpenVPN.
  3. Run the OpenVPN Wizard:
     • Select the “Wizards” tab within the OpenVPN section. This wizard simplifies the setup process.

Step 2: Set Up the Certificate Authority (CA)

  1. Create a New CA:
     • The first step in the wizard is setting up a Certificate Authority (CA). The CA is needed to generate certificates for the server and clients.
     • Choose “Create a new Certificate Authority.”
     • Fill in the required details:
        • Descriptive Name: Name your CA (e.g., “Home_CA”).
        • Key Length: Leave at 2048 bits.
        • Lifetime (days): 3650 (approximately 10 years).
        • Country Code, State, City: Fill in your details.
        • Organization Name: You can use your last name or any identifier.
        • Common Name: Use a unique name like “HomeVPN_CA.”
  2. Click on “Create CA” to proceed.

Step 3: Create the Server Certificate

  1. Generate a Server Certificate:
     • After creating the CA, the next step is to generate a server certificate.
     • Select “Create an Internal Certificate.”
     • Descriptive Name: Name the certificate (e.g., “HomeVPN_Server”).
     • Certificate Type: Server Certificate.
     • Common Name: Use something descriptive like “HomeVPN_Server.”
     • Leave other fields as default.
  2. Click on “Create Certificate.”

Step 4: Configure the OpenVPN Server

  1. General OpenVPN Server Settings:
     • Server Mode: Choose “Remote Access (User Auth).”
     • Backend for Authentication: Choose “Local Database.”
     • Protocol: Select “UDP” (recommended for speed), but you can use “TCP” if needed.
     • Device Mode: Select “tun” (Layer 3 routed VPN).
  2. Network Settings:
     • Interface: Select “WAN” (this is your internet-facing interface).
     • Local Port: You can leave it at 1194 (default) or choose another if you prefer.
     • Tunnel Network: Specify a subnet that doesn’t conflict with your LAN. For example, 10.0.8.0/24.
     • Local Network: Enter the IP range of your home network (e.g., 192.168.1.0/24).
     • Redirect Gateway: Check this box if you want all traffic from your clients to route through the VPN.
  3. Cryptographic Settings:
     • TLS Authentication: Enable this option and click on the “Generate” button to create a new TLS key.
     • Peer Certificate Authority: Choose the CA you created earlier.
     • Server Certificate: Select the server certificate you just created.
     • DH Parameter Length: Leave as default (2048 bits).
     • Encryption Algorithm: Select AES-256-CBC (recommended for strong security).
     • Auth Digest Algorithm: Select SHA256 or SHA512.
  4. Advanced Configuration:
     • Leave the default settings unless you know you need something specific.
  5. Save the Configuration:
     • After filling in all the necessary fields, click on “Save” to create your OpenVPN server.

Step 5: Configure Firewall Rules

  1. Add a Firewall Rule for OpenVPN:
     • Go to Firewall > Rules > WAN.
     • Click on the “+Add” button to create a new rule.
     • Action: Pass.
     • Interface: WAN.
     • Protocol: UDP (or TCP if you selected TCP earlier).
     • Source: Any.
     • Destination: WAN address.
     • Destination Port Range: Choose the port number you set for OpenVPN (default is 1194).
  2. Save and Apply Changes:
     • After setting up the rule, click “Save” and then “Apply Changes” to activate it.

Step 6: Create OpenVPN Client Profiles

  1. Navigate to the Client Export Utility:
     • Go to System > Package Manager > Available Packages.
     • Search for “openvpn-client-export” and install the package.
  2. Export Client Configuration:
     • Go back to VPN > OpenVPN and select the “Client Export” tab.
     • Under “OpenVPN Clients,” find the user you want to create a profile for.
     • Click on the desired format (Windows, macOS, etc.). Most users will use “Archive” (a .zip file).
  3. Download and Save:
     • Download the generated file and save it to the device you will use to connect to the VPN.
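Before handing an exported profile to a user, it is worth confirming that it matches the server settings chosen in Step 4 (protocol, port, cipher, digest, TLS Authentication key, user/password auth) and that it pins the server certificate type. The following checker is an added example, not pfSense or OpenVPN code; the sample profile, the hostname vpn.example.net and the emptied <ca>/<tls-auth> blocks are constructed, and the EXPECTED values mirror this guide.

```python
"""Check an exported OpenVPN client profile against the Step 4 server settings (added example, not pfSense code)."""
# Server-side choices from this guide; edit them if you picked other values.
EXPECTED = {"proto": "udp", "port": "1194", "cipher": "AES-256-CBC"}
ALLOWED_AUTH = {"SHA256", "SHA512"}

# Constructed sample in the shape of a client export; the PEM/key blobs are omitted from the blocks.
SAMPLE_OVPN = """\
dev tun
proto udp
remote vpn.example.net 1194
auth-user-pass
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
<ca>
</ca>
<tls-auth>
</tls-auth>
"""

def parse_ovpn(text):
    """Return ({directive: args of its first occurrence}, {inline block tags})."""
    directives, blocks, in_block = {}, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):   # <ca> ... </ca> inline blocks
            in_block = not line.startswith("</")
            blocks.add(line.strip("</>"))
            continue
        if not in_block:
            name, *args = line.split()
            directives.setdefault(name, args)
    return directives, blocks

def check_profile(text):
    """Return the names of failed checks; an empty list means the profile matches the server."""
    d, blocks = parse_ovpn(text)
    checks = [
        ("proto", d.get("proto", ["udp"])[0] == EXPECTED["proto"]),
        ("cipher", d.get("cipher", [None])[0] == EXPECTED["cipher"]),
        ("remote port", d.get("remote", [])[1:2] == [EXPECTED["port"]]),
        ("auth digest", d.get("auth", [None])[0] in ALLOWED_AUTH),
        ("remote-cert-tls server", d.get("remote-cert-tls") == ["server"]),  # refuse non-server certs
        ("auth-user-pass", "auth-user-pass" in d),  # server mode is Remote Access (User Auth)
        ("<ca> block", "ca" in blocks),
        ("<tls-auth> block", "tls-auth" in blocks),  # TLS Authentication key from Step 4
    ]
    return [name for name, ok in checks if not ok]
```

Run `check_profile(open("client.ovpn").read())` on the file you exported; any name it returns is a setting that differs from the server and will stop the client from connecting.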

Step 7: Connect to OpenVPN from a Client Machine

  1. Install OpenVPN Client:
     • Windows: Download and install the OpenVPN client from OpenVPN’s website.
     • macOS: Use Tunnelblick or Viscosity.
     • Linux: Install OpenVPN via your package manager.
  2. Import the Configuration:
     • Open the OpenVPN client and import the configuration file you exported earlier.
  3. Connect to the VPN:
     • Open the OpenVPN client, select the profile you imported, and click “Connect.”
     • You’ll be prompted for your username and password (created during the user setup in pfSense).
  4. Verify the Connection:
     • Once connected, check if you can access your home network resources (like a NAS or printer).
     • You can also check your public IP address (using a service like WhatIsMyIP); if you enabled Redirect Gateway in Step 4, it should match your home network’s IP.

Troubleshooting Tips

  • Can’t Connect to OpenVPN?
     • Double-check the firewall rule on the WAN interface.
     • Ensure that the correct port is open and forwarded if necessary.
  • Connection Drops?
     • Try using TCP instead of UDP if your connection is unstable.
  • Authentication Errors?
     • Ensure that your username and password are correctly entered and that the user is set up in pfSense.
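The client log usually says which of the three cases above you are in. The small triage script below maps common OpenVPN client log messages to the checks listed in this section; it is an added example, not OpenVPN or pfSense code. The log lines are constructed samples in the client’s log format (the timestamps and the address 203.0.113.10 are made up).

```python
"""Map OpenVPN client log lines to the troubleshooting checks above (added example)."""
import re

# (regex seen in the client log, likely cause, what to check on pfSense / the client)
SIGNATURES = [
    (r"TLS key negotiation failed to occur within \d+ seconds",
     "no reply from the server",
     "WAN firewall rule and port (Step 5); client protocol/port must match the server"),
    (r"cannot locate HMAC in incoming packet",
     "TLS Authentication key mismatch",
     "re-export the client profile after enabling TLS Authentication (Step 4)"),
    (r"AUTH_FAILED",
     "username/password rejected",
     "user exists in pfSense and the password was typed correctly"),
    (r"VERIFY ERROR",
     "certificate did not validate against the CA",
     "profile was exported from the same CA as the server (Steps 2 and 3)"),
    (r"Inactivity timeout \(--ping-restart\)",
     "tunnel timed out",
     "unstable link: try TCP instead of UDP"),
]

# Constructed sample client log.
SAMPLE_LOG = """\
2024-01-05 10:00:01 UDPv4 link remote: [AF_INET]203.0.113.10:1194
2024-01-05 10:01:01 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-01-05 10:01:01 TLS Error: TLS handshake failed
2024-01-05 10:05:30 AUTH: Received control message: AUTH_FAILED
2024-01-05 10:09:12 Inactivity timeout (--ping-restart), restarting
"""

def triage(log_text):
    """Return (cause, check) pairs for every known failure signature, in order of first appearance."""
    findings = []
    for line in log_text.splitlines():
        for pattern, cause, check in SIGNATURES:
            if re.search(pattern, line) and (cause, check) not in findings:
                findings.append((cause, check))
    return findings

def connected(log_text):
    """True once the client has logged a completed initialization sequence."""
    return "Initialization Sequence Completed" in log_text
```

Feed it the client’s log (for example `triage(open("openvpn.log").read())`); each returned pair names the likely cause and the setting from this guide to recheck.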