PfSense OpenVPN Config: A Step-by-Step Guide
Alright guys, let's dive deep into the world of pfSense and OpenVPN! If you're looking to secure your network and create a safe tunnel for your data, you've come to the right place. This comprehensive guide will walk you through the process of setting up an OpenVPN configuration file on pfSense. We'll break down each step, making it super easy to follow, even if you're not a networking guru.
Understanding OpenVPN and pfSense
Before we get our hands dirty with the configuration, let's quickly understand what we're dealing with.
- OpenVPN: Think of OpenVPN as your personal bodyguard for internet traffic. It's an open-source VPN solution that creates a secure point-to-point or site-to-site connection. This means your data is encrypted and protected as it travels across the internet. This is especially useful when you're using public Wi-Fi or want to access resources on your home network remotely.
- pfSense: pfSense is a free, open-source firewall and router software distribution based on FreeBSD. It's incredibly powerful and flexible, allowing you to manage your network with granular control. When you combine pfSense with OpenVPN, you get a robust and secure network solution.
Why is understanding these two important? Well, configuring OpenVPN on pfSense involves tweaking settings in both. Knowing their roles helps you troubleshoot and customize your VPN to fit your specific needs.
Why Use OpenVPN with pfSense?
Using OpenVPN with pfSense offers several advantages:
- Enhanced Security: OpenVPN encrypts your network traffic, protecting it from eavesdropping and tampering. This is crucial for privacy and security, especially when dealing with sensitive data.
- Remote Access: Securely access your home or office network from anywhere in the world. This is perfect for telecommuting or accessing files and resources while traveling.
- Bypass Geo-Restrictions: Access content that may be blocked in your region. By connecting to a VPN server in another location, you can bypass these restrictions.
- Cost-Effective: Both pfSense and OpenVPN are open-source and free to use, making it a budget-friendly solution for securing your network.
Now that we've covered the basics, let's move on to the exciting part: configuring OpenVPN on pfSense!
Step-by-Step Configuration Guide
Follow these steps carefully to set up your OpenVPN configuration file on pfSense.
1. Install the OpenVPN Client Export Package
First, you'll need to install the OpenVPN Client Export package on your pfSense firewall. This package allows you to easily generate client configuration files.
- Log in to your pfSense web interface.
- Navigate to System > Package Manager > Available Packages.
- Search for "OpenVPN Client Export".
- Click the Install button next to the package.
- Confirm the installation.
This package simplifies the process of creating configuration files that your client devices will use to connect to the VPN server. Without it, you'd have to manually create these files, which can be a pain.
2. Configure the OpenVPN Server
Next, we'll set up the OpenVPN server on your pfSense box.
- Go to VPN > OpenVPN > Servers.
- Click Add to create a new OpenVPN server.
- General Information:
  - Disable this server: Unchecked (unless you want to disable it later).
  - Server Mode: Select Remote Access (SSL/TLS + User Auth). This is the most common and recommended mode for most users, as it combines SSL/TLS encryption with user authentication.
  - Protocol: Choose between UDP or TCP. UDP is generally faster, but TCP is more reliable. If you're unsure, start with UDP. TCP might be better if you're experiencing connectivity issues.
  - Device Mode: tun is the most common and usually works well.
  - Interface: Select WAN (or the interface connected to the internet).
  - Local Port: 1194 is the default OpenVPN port, but you can choose another port if you prefer. Just make sure it's not already in use.
  - Description: Give your server a descriptive name, like OpenVPN Server.
- Cryptographic Settings:
  - TLS Configuration:
    - TLS Authentication: Check this box for added security. This adds an extra layer of authentication beyond just username and password. It is strongly recommended.
  - Certificate Settings:
    - Server Certificate: Either select an existing certificate or create a new one. To create a new certificate:
      - Click the Add or Register new CA button.
      - Fill in the required information (Country Code, State, City, Organization, Email Address, Common Name). The Common Name should be something descriptive, like OpenVPN Server CA.
      - Create the Certificate Authority (CA).
      - Create a server certificate, linking it to the newly created CA. Ensure the Common Name is something like OpenVPN Server Certificate.
  - Encryption Algorithm: Choose an encryption algorithm. AES-256-CBC is a strong and widely used option. Selecting stronger algorithms may impact performance, especially on older hardware.
  - Hash Algorithm: SHA256 is a good choice.
- Tunnel Settings:
  - IPv4 Tunnel Network: This is the internal network that OpenVPN will use for the VPN tunnel. Choose a network that doesn't conflict with your existing networks, such as 10.0.8.0/24.
  - IPv4 Local Network(s): Specify the local networks that clients should be able to access through the VPN. This is typically your LAN network, like 192.168.1.0/24. You can add multiple networks if needed.
  - IPv6 Tunnel Network: Optional, but configure if you use IPv6.
  - IPv6 Local Network(s): Optional, but configure if you use IPv6.
  - Concurrent Connections: Set the maximum number of clients that can connect simultaneously. This depends on your hardware and network bandwidth.
  - Compression: Adaptive LZO Compression is a good balance of speed and compression.
  - Type-of-Service: Leave unchecked.
- Client Settings:
  - DNS Server(s): Specify DNS servers for clients to use. You can use your pfSense firewall's IP address or public DNS servers like Google DNS (8.8.8.8, 8.8.4.4) or Cloudflare DNS (1.1.1.1, 1.0.0.1).
  - Domain Name: Enter your local domain name, if you have one.
  - NetBIOS Options: Configure if you need NetBIOS support.
- Advanced Configuration:
  - Custom Options: You can add custom OpenVPN options here if needed. Consult the OpenVPN documentation for available options. This is for advanced users who need to fine-tune their configuration.
- Click Save to save the OpenVPN server configuration.
This step is the heart of your OpenVPN setup. Make sure to choose strong encryption settings and a unique tunnel network to ensure the security and stability of your VPN.
3. Configure Firewall Rules
Now, we need to create firewall rules to allow OpenVPN traffic.
- Go to Firewall > Rules.
- Select the WAN interface.
- Click Add to create a new rule.
- Edit Firewall Rule:
  - Action: Pass
  - Interface: WAN
  - Address Family: IPv4
  - Protocol: UDP (or TCP if you chose that for your OpenVPN server).
  - Source: Any
  - Destination: WAN address
  - Destination Port Range: OpenVPN (or the custom port you chose).
  - Description: Allow OpenVPN traffic
- Click Save.
- Click Apply Changes.
Next, create a rule on the OpenVPN interface to allow traffic to your internal network.
- Go to Firewall > Rules.
- Select the OpenVPN interface.
- Click Add to create a new rule.
- Edit Firewall Rule:
  - Action: Pass
  - Interface: OpenVPN
  - Address Family: IPv4
  - Protocol: Any
  - Source: OpenVPN net
  - Destination: LAN net (or the specific networks you want to allow access to).
  - Description: Allow OpenVPN to LAN
- Click Save.
- Click Apply Changes.
These firewall rules are essential for allowing OpenVPN traffic to pass through your pfSense firewall. Without them, your clients won't be able to connect or access your internal network.
4. Configure User Authentication
You'll need to create user accounts for clients to authenticate with the OpenVPN server.
- Go to System > User Manager.
- Click Add to create a new user.
- Edit User:
  - Username: Enter a username for the user.
  - Password: Enter a strong password.
  - Confirm Password: Re-enter the password.
  - Certificate: Create a new user certificate or associate the user with an existing one. To create a new certificate:
    - Click the "Click to create a user certificate" button.
    - Fill in the required information, ensuring the Common Name is unique for each user.
- Click Save.
Each user needs a unique certificate. This ensures that even if someone gets their hands on a username and password, they still can't connect without the corresponding certificate.
5. Export the OpenVPN Client Configuration
Now, you can export the OpenVPN client configuration file for each user.
- Go to VPN > OpenVPN > Client Export.
- Client Export:
  - Remote Access Server: Select the OpenVPN server you created.
  - User: Select the user you created.
  - Host Name: This should automatically populate with your WAN IP or dynamic DNS hostname. Verify it's correct.
  - Port: The port your OpenVPN server is listening on (usually 1194).
  - Protocol: UDP or TCP, matching your server config.
  - Client Configuration: Choose the appropriate configuration based on your client operating system, for example Inline Configurations or Archive. Inline Configurations shows the configuration directly in the browser for you to copy, while Archive downloads a .zip or .tgz file, which is often more convenient.
- Click Download (or copy the inline configuration).
The exported configuration file contains all the necessary settings for the client to connect to the OpenVPN server. This includes the server address, port, protocol, encryption settings, and user certificate.
6. Install and Configure the OpenVPN Client
Finally, install the OpenVPN client on your device and import the configuration file.
- Download the OpenVPN client: Download the appropriate OpenVPN client for your operating system from the OpenVPN website (https://openvpn.net/).
- Install the OpenVPN client: Follow the installation instructions for your operating system.
- Import the configuration file: Import the configuration file you exported from pfSense into the OpenVPN client. The process varies depending on the client, but it usually involves selecting "Import" or "Import Configuration" and browsing to the file.
- Connect to the VPN: Enter your username and password (if prompted) and click the "Connect" button.
Once connected, your device's traffic will be routed through the OpenVPN tunnel, providing you with a secure and private connection.
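Before trusting the file you just imported, it is worth confirming that the export really carries everything steps 2 to 5 produced: the remote host, port and protocol that match the server and the WAN rule, the user credentials prompt, the embedded CA, user certificate, key and TLS key, and remote-cert-tls server so that the client refuses to talk to anything that is not the real server. The POSIX shell check below is an added example, not part of this guide or of pfSense; the .ovpn it embeds is constructed to mirror the shape of a pfSense inline export, with placeholder PEM blocks and the hostname vpn.example.invalid standing in for yours.

```shell
#!/bin/sh
# Constructed sample of an inline .ovpn as exported by pfSense (placeholder
# hostname and PEM blocks; a real export carries the actual certificates/keys).
SAMPLE_OVPN=$(cat <<'EOF'
dev tun
client
cipher AES-256-CBC
auth SHA256
remote vpn.example.invalid 1194 udp
auth-user-pass
remote-cert-tls server
<ca>
PLACEHOLDER-CA-PEM
</ca>
<cert>
PLACEHOLDER-USER-CERT-PEM
</cert>
<key>
PLACEHOLDER-USER-KEY-PEM
</key>
key-direction 1
<tls-auth>
PLACEHOLDER-TA-KEY
</tls-auth>
EOF
)

# ovpn_remote CONF: print "host port proto" from the first remote directive.
ovpn_remote() {
  printf '%s\n' "$1" | awk '$1 == "remote" { print $2, $3, $4; exit }'
}

# check_ovpn CONF: verify the directives a client export from this guide must
# carry. Prints one line per problem and returns non-zero if anything is off.
check_ovpn() {
  rc=0
  for needed in 'auth-user-pass' 'remote-cert-tls server' 'auth SHA256' \
                '<ca>' '<cert>' '<key>' '<tls-auth>'; do
    printf '%s\n' "$1" | grep -qF -- "$needed" || { echo "missing: $needed"; rc=1; }
  done
  # The remote line must name host, port and protocol; the protocol has to be
  # the one the server and the WAN firewall rule were configured for.
  set -- $(ovpn_remote "$1")
  if [ $# -ne 3 ]; then echo "bad remote line"; rc=1
  else case "$3" in udp|tcp) ;; *) echo "unexpected protocol: $3"; rc=1 ;; esac; fi
  return $rc
}

check_ovpn "$SAMPLE_OVPN" && echo "export looks complete: $(ovpn_remote "$SAMPLE_OVPN")"
```

Run it against your own export by replacing SAMPLE_OVPN with the file contents; a missing remote-cert-tls server line is the one to take most seriously, because without it any certificate signed by the same CA would be accepted as the server.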
Troubleshooting
If you encounter any issues, here are some troubleshooting tips:
- Check the logs: Check the OpenVPN logs on both the server and client for errors. These logs can provide valuable clues about what's going wrong.
- Verify firewall rules: Double-check your firewall rules to ensure that OpenVPN traffic is allowed.
- Check DNS settings: Make sure your DNS settings are configured correctly on both the server and client.
- Test connectivity: Use ping or traceroute to test connectivity between the client and server.
- MTU Issues: Sometimes, the Maximum Transmission Unit (MTU) can cause connection problems. Try lowering the MTU on your OpenVPN interface in pfSense to see if it resolves the issue.
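The log messages OpenVPN emits map quite directly onto the tips above, so a small classifier saves reading through the whole log by hand. The POSIX shell script below is an added example, not part of this guide or of pfSense; the log excerpt it embeds is constructed (timestamps and the address 203.0.113.10 are made up), but the message texts are the ones OpenVPN itself prints.

```shell
#!/bin/sh
# Constructed sample of OpenVPN client log lines; message texts are real
# OpenVPN output, the timestamps and peer address are made up.
SAMPLE_LOG=$(cat <<'EOF'
Mon Jan  1 10:00:01 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan  1 10:01:02 2024 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.10:1194
Mon Jan  1 10:02:03 2024 AUTH: Received control message: AUTH_FAILED
Mon Jan  1 10:03:04 2024 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1557'
Mon Jan  1 10:04:05 2024 Initialization Sequence Completed
EOF
)

# diagnose: read log lines on stdin and print one hint per recognised line,
# pointing at the pfSense setting or guide step that usually explains it.
diagnose() {
  while IFS= read -r line; do
    case "$line" in
      *"TLS key negotiation failed to occur"*)
        echo "no reply from server: check the WAN pass rule, the port/protocol in the export, and that the Host Name resolves to the WAN" ;;
      *"cannot locate HMAC in incoming packet"*|*"tls-crypt unwrap error"*)
        echo "TLS key mismatch: client and server hold different TLS keys; re-export the client after any TLS key change" ;;
      *"AUTH_FAILED"*)
        echo "username/password rejected: check the account in System > User Manager" ;;
      *"VERIFY ERROR"*)
        echo "certificate verification failed: the user certificate or CA in the export does not match the server" ;;
      *"is used inconsistently"*|*"Bad LZO decompression"*)
        echo "option mismatch between client and server (MTU/compression): align the settings or re-export" ;;
      *"Initialization Sequence Completed"*)
        echo "connected: if LAN hosts are unreachable, check the OpenVPN interface rule and the IPv4 Local Network(s)" ;;
    esac
  done
}

# count_problems LOG: number of recognised problem lines (a successful
# connect is not counted).
count_problems() {
  printf '%s\n' "$1" | diagnose | grep -vc '^connected'
}

printf '%s\n' "$SAMPLE_LOG" | diagnose
```

On a pfSense box the server-side messages are under Status > System Logs > OpenVPN; feed the client's log to the script as shown and compare both sides, since a tls-auth mismatch shows up as the HMAC error on whichever side receives the first packet.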
Conclusion
Setting up OpenVPN on pfSense might seem daunting at first, but with this step-by-step guide, you should be well on your way to creating a secure and private network connection. Remember to pay close attention to the details and double-check your settings to ensure everything is configured correctly. By following these instructions carefully, you can take control of your network security and enjoy the benefits of a secure VPN connection. Happy networking!