pfSense is a free and open source firewall and router based on FreeBSD. Here’s everything you need to know about setting up your own OpenVPN server on pfSense. pfSense is a popular firewall/router that offers a flexible alternative to the average consumer device. It has far more capabilities than a typical router, and it is regularly updated with security fixes. A comprehensive web GUI makes it easy to configure and manage, whether it’s used on a home or office network.
You can run your own OpenVPN server on pfSense, letting you reach your home network securely over a Virtual Private Network (VPN). Your local machines become reachable from anywhere, and your device’s traffic can be routed through your home internet connection while you are away.
We'll take you through the necessary steps to configure your own OpenVPN server on pfSense in this detailed guide.
pfSense and authentication
To begin, you’ll need to select an authentication method: password-based authentication, certificate-based authentication, or a combination of the two. If you decide to use only password-based authentication, you won’t need to generate a user certificate. In every case you will need a Certificate Authority and a server certificate, because clients use them to verify that they are talking to your server and not an impostor.
Generating the Certificate Authority (CA)
Your Certificate Authority (CA) signs the server certificate, so clients can validate the OpenVPN server’s identity, and any user certificates, so the server can authenticate clients.
- Within pfSense, select System, and then Cert. Manager.
- Click Add, and enter a name for your CA.
- Set the Method to Create an internal Certificate Authority.
- Select your Key type (RSA or ECDSA).
- For RSA, the Key length needs to be at least 2048; for ECDSA you choose a curve instead (prime256v1 is a sensible default).
- The Digest Algorithm needs to be at least sha256.
- You can pick a Common Name for your certificate. The default is internal-ca.
- Click Save to create your Certificate Authority.
Generating the server certificate
Here’s a step-by-step guide to generating your server certificate.
- Within pfSense, select System, and then Cert. Manager.
- Open the Certificates sub-menu. Click the Add/Sign button.
- Set the Method to Create an internal Certificate.
- You’ll now need to enter a Descriptive name for the server certificate.
- For the Key type, key length, and the Digest Algorithm, enter the same values used for the Certificate Authority.
- The Lifetime should be set to 365 days.
- The Certificate Type should be Server Certificate.
- Click Save to create your server certificate.
Create your OpenVPN user and your user certificate
Next up, you’ll need to create a user for the OpenVPN server. This process can be replicated as many times as you’d like for multiple users.
- From pfSense, select System, and then User Manager.
- Click Add, and enter a Username and Password for this user. Hit Save.
- If you’re using certificate-based authentication or certificate and password-based authentication, open the Edit User window (pencil icon).
- Click the Add button under User Certificates. This will open the Certificate Manager. Input the parameters for your user certificate.
- Set the Method to Create an internal Certificate.
- You’ll now need to enter a Descriptive name for the user certificate (the username works well).
- For the Key type, key length, and the Digest Algorithm, enter the same values used for the Certificate Authority.
- The Lifetime should be 365 days.
- The Certificate Type should be User Certificate.
- Save, and click Save again when taken back to the User Manager menu.
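The three Cert. Manager procedures above (CA, server certificate, user certificate) are reproduced here with OpenSSL as an added example, so you can see what pfSense is creating and verify the result. This is not pfSense’s own code; it assumes openssl 1.1.1 or newer on the PATH, and the names internal-ca, openvpn-server and alice are placeholders. The last check is the important one: a user certificate signed by the same CA must not be accepted as a server certificate, which is what OpenVPN’s remote-cert-tls server option enforces on the client side.

```shell
#!/bin/sh
# Added example (not pfSense's own code): build the same CA, server certificate
# and user certificate that the Cert. Manager steps produce, then verify them.
# Assumes openssl 1.1.1+ on PATH. All names are placeholders.
set -eu

# Minimal req/x509 config. The three extension sections are what make a
# certificate a CA, a "Server Certificate" or a "User Certificate" in pfSense terms.
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[user_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Issue a leaf certificate signed by the CA: $1 dir, $2 name, $3 extension section, $4 days
issue_leaf() {
    dir=$1; name=$2; ext=$3; days=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/pki.cnf" \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -sha256 -extfile "$dir/pki.cnf" \
        -extensions "$ext" -out "$dir/$name.crt" 2>/dev/null
}

# Build the whole PKI in directory $1: RSA 2048, SHA-256, 365-day leaf certificates.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    write_config "$dir/pki.cnf"
    # Self-signed CA; the 10-year lifetime is a placeholder choice
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/pki.cnf" -extensions ca_ext -subj "/CN=internal-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    issue_leaf "$dir" openvpn-server server_ext 365
    issue_leaf "$dir" alice user_ext 365
}

# Does $2.crt in $1 chain to the CA and satisfy purpose $3 (sslserver or sslclient)?
# Prints yes/no. This is the distinction OpenVPN's remote-cert-tls relies on.
cert_ok_for() {
    if openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Signature digest and key size of $2.crt in $1, e.g. "sha256WithRSAEncryption 2048"
cert_params() {
    sig=$(openssl x509 -in "$1/$2.crt" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    bits=$(openssl x509 -in "$1/$2.crt" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    echo "$sig $bits"
}

WORK=${WORK:-$(mktemp -d)}
build_pki "$WORK"
echo "PKI written to $WORK"
echo "openvpn-server as sslserver: $(cert_ok_for "$WORK" openvpn-server sslserver)"
echo "alice as sslclient:          $(cert_ok_for "$WORK" alice sslclient)"
echo "alice as sslserver:          $(cert_ok_for "$WORK" alice sslserver)"
echo "alice parameters:            $(cert_params "$WORK" alice)"
```

The third line of output must be "no": if a user certificate verified as a server, any VPN user holding one could impersonate the server to other users. When you inspect certificates pfSense issued, openssl x509 -noout -text on the exported PEM shows the same Extended Key Usage fields.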
Create the OpenVPN server
It’s now time to create your OpenVPN server.
For the General Information fields:
- From the pfSense menu, select VPN, and OpenVPN. Click Add.
- Select the Server mode to match the authentication choice made earlier: Remote Access (SSL/TLS) for certificates only, Remote Access (User Auth) for passwords only, or Remote Access (SSL/TLS + User Auth) for both.
- Change the Local port if necessary. Otherwise, the default is 1194.
- Name your server in the Description section.
For the Cryptographic Settings fields:
- Check Use a TLS Key and Automatically generate a TLS Key.
- Match the Peer Certificate Authority to the CA created above.
- Do the same for the Server certificate you’ve previously created.
- The DH Parameter Length should be 4096.
- The Auth digest algorithm should be set to RSA-SHA512 (512-bit).
For the Tunnel Network fields:
- Enter a subnet in the IPv4 Tunnel Network. This is the private subnet OpenVPN clients are addressed from, so it must not overlap any network already in use on your LAN or reachable through the firewall. Avoid common home ranges such as 192.168.1.0/24, which are likely to clash with your own LAN or with the network the remote user is connecting from; something like 10.8.0.0/24 is a better starting point.
- You can also set your OpenVPN tunnel to support IPv6 within the IPv6 Tunnel Network field.
- Check the box for Redirect IPv4 Gateway if you want all of the client’s IPv4 traffic sent through the VPN tunnel (a full tunnel). Leave it unchecked for a split tunnel that only carries traffic for the networks you list under Local Networks. Do the same for Redirect IPv6 Gateway if applicable.
In the Advanced Configuration fields:
- Make sure UDP Fast I/O is checked.
- Under Gateway creation, select IPv4 only, unless you also configured an IPv6 Tunnel Network, in which case keep it set to Both.
- Click Save to finish creating your OpenVPN server.
- It’s a good idea to make sure that everything is set up correctly. Open the Status menu in pfSense, and click System Logs.
- Select OpenVPN, and take a look at the logs. It should say Initialization Sequence Completed.
Creating the firewall rules
Next up, you’ll need two firewall rules: one on the OpenVPN interface to allow traffic from connected clients, and one on WAN to let clients reach the server from the internet. Here's a step-by-step guide to get started:
Allowing outbound traffic
Firstly, we’ll focus on the rule that allows traffic from the OpenVPN tunnel subnet onto the internet (and onto your LAN).
- Select Firewall, and then Rules.
- Click the OpenVPN sub-menu.
- Next, click Add to create a new rule.
- Choose between IPv4 and IPv4 + IPv6, depending on your setup.
- The Protocol should be set to Any, and the Source set to Network. Any is the simplest choice to get the tunnel working; once it does, tighten the rule to the protocols and destinations remote users actually need.
- In the Source Address field, enter the network address of the tunnel subnet you created earlier without the /prefix, and pick the prefix length in the dropdown beside it. For a tunnel network of 10.8.0.0/24 that is 10.8.0.0 in the address field and 24 in the dropdown.
- Name your rule in the Description section.
- Click Save, and Apply Changes.
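Two of the steps above involve address arithmetic that is easy to get wrong by hand: checking that the tunnel network chosen in the server settings does not overlap anything already in use, and splitting it into the address and prefix length the rule form expects. The following is an added example, not pfSense’s code, in plain POSIX sh; the LAN and site networks at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example (not from pfSense): CIDR helpers for the tunnel-network and
# firewall-rule steps. Pure POSIX sh arithmetic, no external tools.
# The sample networks at the bottom are constructed for illustration.
set -eu

# Dotted quad -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1          # split into the four octets
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network mask for prefix length $1 (0-32), as an integer
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Canonical network address of a CIDR, e.g. 10.8.0.5/24 -> 10.8.0.0
# (what goes in the pfSense Source Address field)
cidr_network() {
    p=${1#*/}
    int_to_ip $(( $(ip_to_int "${1%/*}") & $(prefix_mask "$p") ))
}

# Prefix length of a CIDR, e.g. 10.8.0.0/24 -> 24 (the dropdown beside the field)
cidr_prefix() {
    echo "${1#*/}"
}

# True (exit 0) if CIDRs $1 and $2 share any address. Two ranges overlap exactly
# when, masked with the shorter of the two prefixes, their network addresses match.
cidr_overlap() {
    p1=${1#*/}; p2=${2#*/}
    if [ "$p1" -le "$p2" ]; then p=$p1; else p=$p2; fi
    m=$(prefix_mask "$p")
    [ $(( $(ip_to_int "${1%/*}") & m )) -eq $(( $(ip_to_int "${2%/*}") & m )) ]
}

# Check a proposed tunnel network ($1) against every network already in use
# (remaining arguments). Prints "ok" or "overlaps <network>".
check_tunnel_network() {
    tun=$1; shift
    for net in "$@"; do
        if cidr_overlap "$tun" "$net"; then
            echo "overlaps $net"
            return 0
        fi
    done
    echo ok
}

# Constructed sample: a home LAN plus a site-to-site network already routed by the firewall
LAN=192.168.1.0/24
SITE=10.0.0.0/8
echo "Source Address for $LAN: $(cidr_network "$LAN"), prefix $(cidr_prefix "$LAN")"
echo "192.168.1.0/24 as tunnel: $(check_tunnel_network 192.168.1.0/24 "$LAN" "$SITE")"
echo "10.8.0.0/24 as tunnel:    $(check_tunnel_network 10.8.0.0/24 "$LAN" "$SITE")"
echo "172.16.8.0/24 as tunnel:  $(check_tunnel_network 172.16.8.0/24 "$LAN" "$SITE")"
```

Note that the second candidate, 10.8.0.0/24, is rejected here because the constructed site network 10.0.0.0/8 already covers it: a tunnel network has to be checked against every route the firewall knows, not just the LAN.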
Connecting to the server from the internet
If you want to connect to your newly created OpenVPN server from the internet, you’ll need to open your ports within the WAN interface.
Here’s a quick guide detailing how to create a rule to allow client connections to the OpenVPN server via the internet.
- Select Firewall, and then Rules.
- Click the WAN sub-menu.
- Next, click Add to create a new rule.
- Choose between IPv4 and IPv4 + IPv6, depending on your setup. The default is IPv4.
- The Protocol should be set to UDP, the Source set to Any, and the Destination set to WAN address.
- The Destination Port Range should be set to the single port your server listens on (1194 by default). Do not open a wider range than that.
- Name your rule in the Description section.
- Click Save, and Apply Changes to finish.
Install the OpenVPN Client Export Utility
pfSense has a package that generates ready-made OpenVPN client configurations, but it is not installed by default. To install it:
- From the main menu, select System, and click Package Manager.
- Click Available Packages, and find openvpn-client-export. Hit Install to open the Package Installer menu.
- Click Confirm to install the package. Once complete, it should say Success.
Export the OpenVPN client configuration
- From the pfSense menu, select VPN, and OpenVPN.
- Open the Client Export menu.
- Double check that the Remote Access Server dropdown lists the OpenVPN server you just created.
- For Dynamic DNS users, select Other in Host Name Resolution. Next, you’ll need to enter your hostname in the Host Name field. This works to access your WAN without the IP address. For non-Dynamic DNS users, leave the Host Name Resolution set to Interface IP Address.
- You’ll find a collection of generated configurations for a selection of apps and operating systems depending on the information you’ve provided. Pick the option that works with your device.
- Download the configuration for the user (certificate-based profiles are listed per user) and import it into the OpenVPN client on your device. You may be prompted for the username and password when you connect. You’ll then be free to connect to your OpenVPN server.
- From a device that is outside your home network (on mobile data, for instance) and connected to the VPN, open Google and search for ‘what is my IP’. If you enabled Redirect Gateway, the public IP address shown should now be the WAN address of your home internet connection.
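Before handing an exported profile to a user, it is worth confirming that it actually carries the protections configured above: the CA, the TLS key, the SHA512 auth digest, and remote-cert-tls server (which the Client Export package includes, and which stops a user certificate from being accepted as the server). The following audit script is an added example, not part of the Client Export package; the two profiles it checks are constructed samples with the key material elided, and vpn.example.com is a placeholder hostname.

```shell
#!/bin/sh
# Added example (not part of pfSense or the Client Export package): audit an
# exported .ovpn profile for the settings configured in this guide.
# Sample profiles are constructed; directive names are real OpenVPN options.
set -eu

n=0
note() { n=$((n + 1)); echo "$1"; }

# Print one finding per line for profile $1, or "ok" if nothing is missing.
audit_ovpn() {
    f=$1
    n=0
    # Without this, any certificate signed by the CA (a user's, say) can pose as the server
    grep -Eq '^remote-cert-tls[[:space:]]+server' "$f" \
        || note "missing: remote-cert-tls server (a user certificate could impersonate the server)"
    # The TLS key enabled on the server; clients without it cannot even start the handshake
    grep -Eq '^(tls-auth|tls-crypt|<tls-auth>|<tls-crypt>)' "$f" \
        || note "missing: tls-auth/tls-crypt key material"
    # Matches the Auth digest algorithm chosen on the server
    grep -Eq '^auth[[:space:]]+SHA512' "$f" \
        || note "weak or missing: auth SHA512"
    # Without the CA the client cannot verify the server certificate at all
    grep -Eq '^(<ca>|ca[[:space:]])' "$f" \
        || note "missing: CA certificate"
    [ "$n" -eq 0 ] && echo ok
    return 0
}

# Two constructed profiles: one in the shape Client Export produces, one stripped down
write_samples() {
    cat > "$1/good.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
auth SHA512
resolv-retry infinite
<ca>
(CA certificate elided)
</ca>
<cert>
(user certificate elided)
</cert>
<key>
(user private key elided)
</key>
key-direction 1
<tls-auth>
(static key elided)
</tls-auth>
EOF
    cat > "$1/weak.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
auth SHA1
<ca>
(CA certificate elided)
</ca>
<cert>
(user certificate elided)
</cert>
<key>
(user private key elided)
</key>
EOF
}

WORK=${WORK:-$(mktemp -d)}
write_samples "$WORK"
echo "good.ovpn: $(audit_ovpn "$WORK/good.ovpn")"
echo "weak.ovpn:"
audit_ovpn "$WORK/weak.ovpn"
```

Run it against the real file you downloaded (audit_ovpn /path/to/profile.ovpn). A profile that reports anything other than ok should be regenerated rather than patched by hand, since the settings come from the server configuration.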
Summary
You now have a basic OpenVPN server in pfSense! You can remotely access your home devices and internet connection, and you should have a basic understanding of how to set up and configure new rules within pfSense. It’s worth exploring the further options, such as split tunneling (leave Redirect Gateway unchecked and list your LAN under Local Networks) and packages that block ads and malicious sites. There are many advanced options to pick from once you get the hang of things.
Any client device connected to the server is routed through it, whether it is on an office network or a mobile network. It takes slightly more effort to set up than a typical VPN connection, but it's a valid option for any VPN user. If you're having issues with an OpenVPN connection to a pfSense box, check the firewall rules first, then the OpenVPN logs, and then the network itself.