In this tutorial, we will set up a remote access VPN using OpenVPN, an open source VPN project that comes bundled with pfSense. The tutorial works for both pfSense Community Edition and pfSense Plus.
The configuration works best when the pfSense WAN interface carries a static public IP address. It also works with a dynamic WAN address if you register a Dynamic DNS hostname and give the clients that hostname instead of the IP. Here is more on how to configure a Dynamic DNS client with pfSense.
The configuration is suited to remote management of pfSense and to reaching work resources from outside the office. Here is more for further assistance.
- Create Certs and Users.
- Create and Configure OpenVPN Server Instance.
- Installing The Client Export Package.
- Testing Our Configuration.
Create Certs and Users
We will be setting up our remote access VPN server in SSL/TLS + User Auth mode. This is the strongest of the available server modes: a client must present a certificate signed by our CA and also supply a valid username and password, so neither a copied profile nor a guessed password is enough on its own. Here is a list of items needed to start the configuration:
- For certificates, we need a CA certificate, a Server certificate, and a per-user certificate.
- For authentication, we can use the pfSense local user database or integrate with Active Directory using LDAP or RADIUS.
For this tutorial, we will use the pfSense local user database and create a new user in the User Manager section. While creating the user we will also opt to create an individual user certificate.
Certificate Authority (CA) Certificate
The CA certificate signs, and therefore validates, the server certificate and every user certificate; all of them are created in the Cert. Manager section. To create the CA cert, log in to the web console–>System–>Cert. Manager–>CAs–>press the Add button, and add the following details:
- Descriptive Name: cert.openvpn.ca
- Lifetime (days): Reduce to 365 (1 year). Keep in mind that when the CA expires every certificate it signed stops validating, so a one-year CA means re-issuing the server and user certificates each year.
- Common Name: Same as Descriptive name, cert.openvpn.ca
The page comes with defaults; leave the other fields alone unless you have a reason to change them.
Once the CA cert is ready, create the Server certificate: move to Certificates–>press the Add/Sign button, and add the following details:
- Method: Choose, Create an internal Certificate.
- Descriptive name: cert.openvpn.srv.
- Certificate authority: cert.openvpn.ca.
- Lifetime(days):365 (1 year).
- Common name:cert.openvpn.srv.
- Certificate Type: Choose, Server Certificate. This marks the certificate for server use; the exported client profiles check for that marking (remote-cert-tls server), so a user certificate cannot be used to stand up a rogue server.
Leave the rest of the values at their default, and then press the save button.
Next, move to User Manager–>Users–>Add, now add the following details:
- Username: user1
- Password: Enter a strong user password, and then confirm it.
- Certificate: Select the check box to create a user certificate as well.
- Descriptive name: user1.
- Certificate authority: choose, cert.openvpn.ca.
Leave the other values at their defaults and press the Save button. Repeat for each remote user. Since every user gets an individual certificate, a departing user's certificate can later be revoked without touching anyone else's.
Create and Configure OpenVPN Server Instance
With the certificates in place, create the remote access VPN server instance.
In pfSense, the OpenVPN server page comes with sensible defaults; we only need to add or change a few settings and leave the rest alone.
To create the VPN server instance, move to VPN–>OpenVPN–>Servers–>press the Add button, now add the following config parameters for your server instance:
- Server mode: Choose, Remote Access (SSL/TLS + User Auth).
- Backend for authentication: Local Database.
- Protocol: Default, UDP on IPv4 only.
- Interface: Choose your WAN interface, If you are using a Gateway Group for multiple WANs then choose the Gateway Group. This WAN interface will be used to receive incoming VPN traffic.
- Local port: The default is 1194. Moving to a non-standard port (I have chosen 65001) avoids some ISP filtering and keeps scanner noise out of the logs, but it is not a security control: what protects the listener is the TLS key (the default TLS Configuration, left enabled) and the requirement for a valid client certificate. This will be the port used to receive incoming VPN traffic.
- Peer Certificate Authority: Choose, cert.openvpn.ca.
- Server certificate: Choose, cert.openvpn.srv.
- IPv4 Tunnel Network: 172.31.250.0/24 (an uncommon range for the VPN clients).
VPN clients are often mobile workers on networks you do not control, and if the tunnel network overlaps a client's own LAN (192.168.1.0/24 and 192.168.0.0/24 are the usual culprits) the client's routes collide and the VPN stops working. Pick the tunnel network from an uncommon RFC 1918 range that also does not overlap any network behind pfSense.
- Redirect IPv4 Gateway: Select the checkbox. With this enabled, the OpenVPN server becomes the client's default gateway and all client traffic, internet traffic included, goes through the tunnel.
Leave it unchecked if only specific networks should go through the tunnel (split tunneling), and list those networks under IPv4 Local network(s). For this tutorial a full tunnel is created and all client traffic is redirected to the VPN server.
- Dynamic IP: Select the checkbox. This helps cellular 4G/LTE clients, whose public address changes as they move: the server lets an authenticated client's source address change without dropping the session.
- Ping Settings: Inactive: Default 300 seconds; set it to 0 to disable it, so that an idle client connection persists until the client disconnects.
- Ping Settings: Interval: 5
- Ping Settings: Timeout: 15 (keep Timeout at about three times Interval; a timeout that is too small relative to the interval is rejected and the server will not start). A short interval and timeout make a dropped connection get detected and re-established quickly.
- Send/Receive Buffer: Choose, 512KB.
- Gateway creation: Select IPv4 only.
Here are the complete configuration screenshots:
Once done, press the Save button. To verify that the server came up, go to Status–>OpenVPN and check that the instance shows a green tick mark.
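The tunnel network choice above can be checked before committing to it. The following is an added example, not code from the tutorial or from pfSense: it flags a candidate IPv4 tunnel network that is not RFC 1918, that overlaps a network behind pfSense, or that overlaps the consumer router defaults mobile users are likely to sit behind. The list of common client LANs is an assumption drawn from typical router defaults; the networks behind pfSense are passed in by the caller.

```python
"""Check a candidate OpenVPN tunnel network for overlaps (added example, not from the tutorial)."""
import ipaddress

# Constructed list (assumption): subnets that home and hotspot routers commonly hand out.
COMMON_CLIENT_LANS = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.100.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "10.1.10.0/24", "172.16.0.0/24", "172.20.10.0/28",
]

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_tunnel_network(candidate, local_networks, common_lans=COMMON_CLIENT_LANS):
    """Return a list of problems with `candidate` as an IPv4 tunnel network.

    local_networks: the networks behind pfSense that clients will be routed to.
    An empty result means the candidate is usable."""
    # strict parsing: "172.31.250.1/24" (host bits set) raises ValueError instead of being guessed
    net = ipaddress.IPv4Network(candidate)
    problems = []
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not an RFC 1918 private range")
    for local in local_networks:
        local_net = ipaddress.IPv4Network(local)
        if net.overlaps(local_net):
            problems.append(f"{net} overlaps pfSense network {local_net}: tunnel and LAN routes would collide")
    for lan in common_lans:
        lan_net = ipaddress.IPv4Network(lan)
        if net.overlaps(lan_net):
            problems.append(f"{net} overlaps common client LAN {lan_net}: users on that range would lose connectivity")
    return problems


if __name__ == "__main__":
    # The tutorial's choice against a constructed LAN behind pfSense, then a bad choice for contrast.
    for candidate in ("172.31.250.0/24", "192.168.1.0/24"):
        print(candidate, check_tunnel_network(candidate, ["192.168.10.0/24"]) or "OK")
```

Run it with the real networks behind your pfSense in place of the constructed 192.168.10.0/24; the tutorial's 172.31.250.0/24 passes, while the common default 192.168.1.0/24 is flagged.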
Firewall Rules For OpenVPN Server
Two rules are needed: one on the OpenVPN tab, which controls what connected clients may reach through the tunnel, and one on the WAN tab, which lets the encrypted UDP traffic reach the server. For the OpenVPN rule, move to Firewall–>Rules–>select OpenVPN–>select the Add button with the up arrow, and then add the following settings:
- Action: Pass.
- Interface: OpenVPN.
- Address Family: IPv4.
- Protocol: Any. This rule filters the decrypted traffic inside the tunnel, not the UDP wrapper, so it has to allow TCP and ICMP too; a UDP-only rule here would block web browsing, RDP and SSH over the VPN.
- Source: Choose Network, 172.31.250.0/24.
- Destination: any to start with; once the tunnel works, tighten this to the LAN hosts and ports the users actually need.
Once done, then press the Save button.
Next, we need to add a rule in the WAN tab, for this, move to Firewall–>Rules–> select WAN–>then select the Add button with the up arrow. Now add the following settings:
- Action: Pass.
- Interface: Your WAN interface.
- Address Family: IPv4.
- Protocol: UDP.
- Source: Choose any.
- Destination: Choose, WAN address.
- Destination Port Range: 65001.
Then press the Save button and apply the changes.
If the WAN tab already has a pass rule with source any and destination any, the rule above is redundant, but such a rule exposes every service listening on the firewall to the internet and should be removed. The WAN tab should pass only the ports that must be reachable from outside, UDP 65001 in this case.
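The two rules can be audited offline from a configuration backup (Diagnostics–>Backup & Restore exports config.xml). The following is an added example, not code from the tutorial or from pfSense. The tag names follow pfSense's config.xml layout as I know it (filter/rule with type, interface, protocol, source, destination and descr; an omitted protocol means any, an empty any element is the any selector, and a destination network of wanip is the WAN address choice); SAMPLE_CONFIG is constructed for the example and deliberately contains the two mistakes discussed above, a UDP-only OpenVPN rule and an any-to-any WAN rule.

```python
"""Audit a pfSense config.xml for the OpenVPN firewall rules (added example, not from the tutorial)."""
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Tag layout assumed from pfSense config.xml.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>65001</port></destination>
      <descr>OpenVPN remote access</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><any/></source>
      <destination><any/></destination>
      <descr>temporary allow all</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>openvpn</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol>
      <source><address>172.31.250.0/24</address></source>
      <destination><any/></destination>
      <descr>OpenVPN clients</descr>
    </rule>
  </filter>
</pfsense>
"""


def _is_any(elem):
    """True when a <source> or <destination> element uses the 'any' selector."""
    return elem is not None and elem.find("any") is not None


def audit_rules(xml_text, vpn_port="65001"):
    """Return (severity, message) findings for the pass rules on the WAN and OpenVPN tabs."""
    root = ET.fromstring(xml_text)
    findings = []
    vpn_rule_seen = False
    for rule in root.iter("rule"):
        if rule.findtext("type") != "pass":
            continue
        iface = rule.findtext("interface", "")
        proto = rule.findtext("protocol", "any")  # pfSense omits <protocol> when it is "any"
        src, dst = rule.find("source"), rule.find("destination")
        descr = rule.findtext("descr", "")
        if iface == "wan":
            if _is_any(src) and _is_any(dst):
                findings.append(("high", f"WAN rule '{descr}' passes any->any: every service on the "
                                         f"firewall is exposed, remove it"))
            elif (_is_any(src) and dst is not None and dst.findtext("network") == "wanip"
                  and dst.findtext("port") == vpn_port and proto == "udp"):
                vpn_rule_seen = True
        elif iface == "openvpn":
            if proto != "any":
                findings.append(("high", f"OpenVPN rule '{descr}' is limited to {proto}: tunneled TCP "
                                         f"and ICMP will be dropped, set Protocol to any"))
            if _is_any(dst):
                findings.append(("low", f"OpenVPN rule '{descr}' lets clients reach any destination; "
                                        f"restrict it to the LAN networks users need"))
    if not vpn_rule_seen:
        findings.append(("high", f"no WAN rule passes UDP/{vpn_port} to WAN address: clients cannot reach the server"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_rules(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Point it at a real backup with `audit_rules(open("config.xml").read(), "65001")`; the low-severity note about an any destination is expected while following this tutorial and is there as a reminder to tighten the rule later.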
Installing The OpenVPN Client Export Package.
Once the OpenVPN server config is complete, we need a way to distribute the OpenVPN client program and each user's profile. For this, install the OpenVPN Client Export package in pfSense.
To install the package, move to System–>Package Manager–>Available Packages–>Search term, openvpn–> press the Search button–> then press the install button next to openvpn-client-export, here is the screenshot:
Testing VPN Server Configuration
Once the package installation is a success then move to VPN–>OpenVPN–>Client Export and add the following settings.
- Remote Access Server: choose the server instance created above; the list shows each instance by its description and port, here RA.OPENVPN.SRV UDP:65001.
- Host Name: your public WAN IP address, or your Dynamic DNS hostname if the WAN address is dynamic.
Press the Save as default button. Then scroll down to the OpenVPN Clients section and, under Export: Inline configuration, choose Most Clients; this downloads a single .ovpn profile for user1 with the CA certificate and the user's certificate and private key embedded. Because the profile carries user1's private key, deliver it over a secure channel rather than plain e-mail, and treat it like a password.
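Before handing the downloaded profile to a user it is worth checking that it points at the right host and port and still carries the protections configured above. The following is an added example, not code from the tutorial or from the pfSense Client Export package: a small parser for the inline .ovpn format and a checker that looks for the remote line, auth-user-pass (the User Auth half of the server mode), remote-cert-tls server (the reason the server certificate was given the Server Certificate type), a tls-crypt or tls-auth key, and the embedded ca/cert/key blocks. SAMPLE_PROFILE is constructed for the example; 203.0.113.10 is a documentation address and the PEM bodies are placeholders, not real keys.

```python
"""Check an exported OpenVPN inline profile (added example, not from the tutorial or pfSense)."""

# Constructed profile with placeholder PEM bodies; shaped like a pfSense inline export.
SAMPLE_PROFILE = """\
dev tun
persist-tun
persist-key
cipher AES-256-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote 203.0.113.10 65001 udp4
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-USER1-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-USER1-KEY
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TLS-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
"""


def parse_profile(text):
    """Split a profile into plain directives and <tag>...</tag> inline blocks.

    Returns (directives, blocks): directives maps an option name to the list of
    argument lists seen for it; blocks maps a tag name to its body text."""
    directives, blocks = {}, {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                       # inside an inline block
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):   # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            current = line[1:-1]                      # opening tag of an inline block
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks


def check_profile(text, expected_host, expected_port):
    """Return a list of problems; an empty list means the profile looks right."""
    directives, blocks = parse_profile(text)
    problems = []
    remotes = directives.get("remote", [])
    if not any(r[:2] == [expected_host, str(expected_port)] for r in remotes):
        problems.append(f"no remote line for {expected_host} {expected_port}")
    if "auth-user-pass" not in directives:
        problems.append("auth-user-pass missing: the client will not ask for a username and password")
    elif any(args for args in directives["auth-user-pass"]):
        problems.append("auth-user-pass names a file: the password would be stored in clear text on disk")
    if directives.get("remote-cert-tls") != [["server"]]:
        problems.append("remote-cert-tls server missing: a user certificate could impersonate the server")
    if "tls-crypt" not in blocks and "tls-auth" not in blocks:
        problems.append("no tls-crypt or tls-auth key: control channel is unprotected")
    for tag in ("ca", "cert", "key"):
        if tag not in blocks:
            problems.append(f"<{tag}> block missing: profile is not self-contained")
    return problems


if __name__ == "__main__":
    for line in check_profile(SAMPLE_PROFILE, "203.0.113.10", 65001) or ["profile OK"]:
        print(line)
```

Run `check_profile(open("user1.ovpn").read(), "<your WAN IP or DDNS name>", 65001)` on the real export; a non-empty list means the profile was exported against the wrong instance or the server's TLS settings were changed from the defaults.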
Download the client program for the user's operating system (Windows, Linux or macOS) from the same page, transfer both the installer and the profile to the remote machine, and install the client there.
After installing the client program, import the OpenVPN client profile, for windows, here is a screenshot:
After the profile is imported, click Connect; you will be asked for a username and password, so enter user1 and its password.
Once connected, open a browser on the user's machine and search for "what is my IP". If the result shows the pfSense WAN address rather than the user's own ISP address, all traffic is leaving through the tunnel and the Remote Access VPN server in pfSense is working.
If you run into problems, here is more for further assistance.