pfSense is a great way to secure your network. One of the best things about pfSense is that it also includes OpenVPN for remote access (or site-to-site VPNs but we’re not going to cover that in this article. Setting up a remote access VPN is very simple to do and I’ll explain some of the features.
Before we get into the meat and potatoes of OpenVPN, we have a few things we need to do first.
Setting up a Certificate CA
In order to issue certificates, which OpenVPN needs, we need to be able to generate those. To do that, we need a CA. Setting up a CA in pfSense is really easy. Just go to the System > Cert. Manager menu. Once there, click “New” under the CAs tab. You’ll see a screen similar to this. Just fill it out like this:
Once you have your CA setup, switch over to the Certificates tab.
Generating a VPN certificate
When you go to the certificates tab you’ll probably see that you already have a certificate for the web interface. This cert won’t work for OpenVPN, so we need to make a new one. Click the New button at the bottom of the page to get started.
In the first part, give your certificate a descriptive name and then also give it a common name. Since this is an internal cert, calling it “openvpn” will be fine.
Make sure you select Server Certificate in the certificate attributes. You can leave the alternative names blank.
Setting up an OpenVPN server
First things first, we need a server configured that we can connect to. Get started by going to the VPN menu and selecting OpenVPN.
Click on the Wizard tab at the top and then we’ll walk through the Wizard. This is by far the easiest solution to get up and running quickly and then tweak settings later.
The first thing we need to do is to tell pfSense where to find our users. We’re going to use Local User Access, which is the default option. I’ll cover LDAP and RADIUS later on and show you how to switch.
The next thing we need to is select our CA that we generated before. Then, select the server certificate we generated. Once you advance to the next screen, you’re going to get overloaded with options so I’ll break these down by section.
A. You’ll want this set to WAN.
B. Set protocol to default of UDP on IPv4 only, unless you’re also using IPv6. You can also choose to use TCP, which may give you better reliability. I typically use UDP, but if you encounter issues, you can try switching to TCP.
C. The default port is 1194. Change the port number if you have multiple VPN servers running.
D. A description 🙂
This is the one college course that went right over my head. I’m not a math whiz, but we’ll handle this together!
The good news is that this section can mostly be left alone. Depending on your client, you may have to tweak the encryption algorithm. When I last setup a fresh OpenVPN server and used Tunnelblick, I had to change the algorithm. On another OpenVPN server, I was able to leave it as AES-128-CBC 128-bit.
If you’re running pfSense on a VM like I am in this instance, set Hardware Crypto to No Hardware Crypto Acceleration. This will make things run smoother.
This is a more involved section.
First, we need to set our tunnel network. This is the subnet that clients will have an IP address on when they connect to the VPN. This requires a little bit of network engineering. This subnet cannot overlap an existing subnet. You should use a subnet that can be summarized for simplicity. For example, you can see that my tunnel network is 172.16.2.0/24 because my Local Network is 172.16.1.0/24. If I want to have firewall rules affect both, I could summarize with 172.16.0.0/22.
Redirect gateway means that you’d want all traffic to go through the VPN. This is known as a full tunnel VPN. This will force all traffic, including Internet traffic out of the VPN. Here’s a diagram of what this means if the local client wants to go to google.com.
The traffic goes to the VPN server and then access the internet from that location.
Add any local networks you want the VPN to have access to in the Local Networks section. Otherwise, just enter your single LAN network.
Inter-client communication may be if you’d like your VPN clients to be able to talk to each other. If you’re treating your VPN like a corporate network, you may want this. Otherwise, keeping this unchecked will not allow the clients to talk to each other.
Duplicate Connections is something I’ve found I’ve usually needed to enable. Especially if you have a single profile that you’ll distribute. So for example, I share a profile with all my devices. My laptop, my cell phone, and my tablet use the same profile. If I connect two devices at once, one of them will constantly lose access to the VPN and have to keep reconnecting as all devices will then share an IP. Checking this will treat each connection as a separate connection.
I recommend checking Dynamic IP. This is useful if you’re going to be using a profile on cell phones or other mobile devices that may change IPs.
Topology is explanatory. When in doubt, leave as is.
The DNS, NTP, and WINS server options let you force these servers on the clients. For example, in a corporate environment, you’d provide your internal DNS servers so clients could access internal DNS records.
Finally, you’ll want to enable the firewall rules. This allows the clients to talk to server. Without this, they won’t be able to connect. Then there’s the Traffic from clients through VPN. This allows the network to talk to the clients.
Save, save, done.
This is the final step so finish the wizard. At this point, if you don’t have the Client Export package installed, go ahead and install it from the pfSense package manager.
Export your client and you’re good to go!