OpenVPN is a powerful tool for creating secure connections between remote devices and your home or office network. When combined with pfSense, a robust open-source firewall and router platform, you can create a flexible and secure remote access solution. This article will walk you through the process of setting up OpenVPN on pfSense, allowing you to access your network resources from anywhere in the world.
Why Use OpenVPN with pfSense?
Before we dive into the setup process, let’s look at some reasons why you might want to use OpenVPN with pfSense:
- Secure remote access to your network
- Ability to use your home internet connection while away
- Protection from unsecured public Wi-Fi networks
- Access to region-restricted content
Prerequisites
Before starting, make sure you have:
- A working pfSense installation
- Admin access to your pfSense router
- A basic understanding of networking concepts
Step 1: Planning Your VPN Setup
Before configuring OpenVPN, it’s important to plan your network layout. You’ll need to choose:
- An IP range for your VPN clients (the tunnel network). It must not overlap your LAN or any other subnet pfSense routes, and it should avoid ranges clients are likely to sit behind at home or in hotels (192.168.0.0/24, 192.168.1.0/24, 10.0.0.0/24): a client cannot route through the tunnel to a remote subnet that matches its own local one.
- The port your VPN server will use (default is 1194)
- The protocol (UDP or TCP). UDP performs better and is the normal choice; use TCP only where UDP is blocked, and expect TCP-over-TCP tunnels to degrade badly on lossy links.
For this guide, we’ll use:
- VPN Client IP range: 10.3.201.0/24
- Port: 1194
- Protocol: UDP
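A small check for the planning step, added here as an example and not part of the original article: given the tunnel network, the pfSense local networks and a list of subnets clients commonly sit behind (all constructed sample values), it reports every overlap that would break routing. It uses only Python’s standard library.

```python
import ipaddress

# Constructed sample plan, not taken from a real pfSense box: the guide's tunnel
# network, its example LAN, and subnets remote clients commonly sit behind.
TUNNEL_NET = "10.3.201.0/24"
PFSENSE_LOCAL_NETS = ["192.168.1.0/24"]
COMMON_CLIENT_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def overlapping(candidates, target):
    """Subnets in `candidates` that share at least one address with `target`."""
    t = ipaddress.ip_network(target, strict=True)
    return [c for c in candidates if ipaddress.ip_network(c, strict=True).overlaps(t)]


def check_plan(tunnel_net, local_nets, client_lans):
    """Return warnings for a tunnel/local-network plan; an empty list means the plan is clean."""
    warnings = []
    # A tunnel that collides with a network pfSense already owns breaks routing for both.
    for n in overlapping(local_nets, tunnel_net):
        warnings.append(f"tunnel {tunnel_net} overlaps pfSense local network {n}")
    # A client whose own LAN matches the tunnel or a pushed route keeps its local
    # route and never sends that traffic into the VPN.
    for n in overlapping(client_lans, tunnel_net):
        warnings.append(f"tunnel {tunnel_net} collides with common client-side LAN {n}")
    for lan in local_nets:
        for n in overlapping(client_lans, lan):
            warnings.append(f"local network {lan} collides with common client-side LAN {n}; "
                            f"clients sitting on {n} cannot reach it through the tunnel")
    return warnings


if __name__ == "__main__":
    for w in check_plan(TUNNEL_NET, PFSENSE_LOCAL_NETS, COMMON_CLIENT_LANS) or ["plan is clean"]:
        print(w)
```

With the guide’s own values the only warning is the 192.168.1.0/24 LAN colliding with the most common home subnet; renumbering the LAN to something less generic (a 172.16.x.0/24, say) makes the plan clean.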
Step 2: Creating a Certificate Authority (CA)
OpenVPN uses X.509 certificates for authentication: the server proves its identity to clients with one, and each client presents its own. To issue them, first create a Certificate Authority. Its private key lives in the pfSense configuration, so anyone who obtains a copy of config.xml can mint VPN credentials; protect your backups accordingly.
- Go to System > Cert Manager (System > Certificates on current releases)
- Click “Add” under the “CAs” tab (“Authorities” on current releases)
- Fill in the following:
- Descriptive Name: OpenVPN-CA
- Method: Create an internal Certificate Authority
- Key type: RSA (where the field is offered)
- Key length: 2048 (4096 is fine; anything shorter is not)
- Lifetime: 3650 (days)
- Common Name: Your-CA-Name
- Click “Save”
Step 3: Creating a Server Certificate
Now, create a certificate for your OpenVPN server:
- Go to System > Cert Manager
- Click “Add” under the “Certificates” tab
- Fill in:
- Descriptive Name: OpenVPN-Server-Cert
- Method: Create an internal Certificate
- Certificate Authority: Select the CA you just created
- Key length: 2048
- Lifetime: 3650 (days)
- Common Name: Your-Server-Name (the hostname clients will connect to is a sensible choice)
- Certificate Type: Server Certificate. This adds the server key-usage extension that exported client profiles check with “remote-cert-tls server”; a certificate issued without it is refused by the clients.
- Click “Save”
Step 4: Setting Up the OpenVPN Server
Now we’ll configure the OpenVPN server:
- Go to VPN > OpenVPN
- Click “Add” under the “Servers” tab
- Fill in these key settings:
- Server mode: Remote Access (SSL/TLS + User Auth), so a client needs both a valid certificate and a password
- Backend for authentication: Local Database (the users created in Step 6)
- Protocol: UDP on IPv4 only
- Device mode: tun
- Interface: WAN
- Local port: 1194
- Description: OpenVPN Server
- TLS Authentication: Enable authentication of TLS packets (on current releases this is “TLS Configuration: Use a TLS Key”; pick “TLS Encryption and Authentication” if all clients run OpenVPN 2.4 or newer). With this key in place the server silently drops packets that don’t carry a valid HMAC, which keeps unauthenticated scanners away from the TLS stack.
- Peer Certificate Authority: Select your CA
- Server Certificate: Select your server certificate (it must be of type Server Certificate)
- DH Parameters Length: 2048 bit
- Encryption Algorithm: AES-256-GCM (on current releases, keep AES-256-GCM at the top of “Data Encryption Algorithms” and set it as the fallback as well)
- Auth Digest Algorithm: SHA256. With an AEAD cipher such as AES-256-GCM the data channel does not use this digest, but the TLS-key HMAC does, so set it anyway.
- Tunnel Network: 10.3.201.0/24
- Redirect Gateway: Force all client-generated traffic through the tunnel. This is the option that pushes “redirect-gateway def1” to clients; leave it unchecked if you want split tunneling.
- Local Network: Your LAN subnet (e.g., 192.168.1.0/24). It only matters when the gateway is not redirected, but filling it in does no harm.
- Concurrent Connections: Set a limit if desired
- Compression: Disable compression (legacy). Compression lets an attacker who can inject traffic recover secrets carried through the tunnel (the VORACLE attack), so leave it off.
- Block Outside DNS: Checked, so Windows clients cannot leak DNS queries to the resolver of whatever network they are on
- DNS Server 1: Your preferred DNS server
- DNS Server 2: A backup DNS server
- Inter-client communication: leave unchecked unless remote clients genuinely need to reach each other; every client is a potential foothold against the others
- Duplicate Connections: leave unchecked. When it is off, a second login with the same certificate common name displaces the first, so a leaked profile in use gets noticed instead of quietly sharing the account.
- Strict User-CN Matching: Checked, so the username given at login must match the common name of the certificate the client presents
- Click “Save”
Step 5: Creating Firewall Rules
To allow traffic through your VPN, you need two rules: one on WAN that lets clients reach the OpenVPN listener, and one on the OpenVPN interface that decides what connected clients may do:
- Go to Firewall > Rules
- Click “Add” on the WAN tab
- Set:
- Action: Pass
- Interface: WAN
- Protocol: UDP
- Source: Any
- Destination: WAN Address
- Destination Port Range: 1194
- Click “Save”
If pfSense is not directly on the internet, also forward UDP 1194 on the upstream router to the pfSense WAN address. Because the server uses a TLS key, packets that arrive on this port without a valid HMAC are dropped before any handshake, so a rule open to “Any” source is the normal choice.
Now, create a rule for the OpenVPN interface:
- Go to the OpenVPN tab
- Click “Add”
- Set:
- Action: Pass
- Interface: OpenVPN
- Protocol: Any
- Source: Any
- Destination: Any
- Click “Save”
This any/any rule gives every connected client the same reach as a device plugged into the LAN, including the pfSense web interface. For anything beyond a single-user home setup, narrow Destination to your LAN subnet, or place a block rule with Destination “This Firewall (self)” above it. Rules on the OpenVPN tab apply to every OpenVPN instance on the box; to filter one server separately, assign its ovpnsX interface under Interfaces > Assignments and write the rules on that interface’s tab instead.
Don’t forget to apply your changes after creating these rules.
Step 6: Creating User Accounts
The server’s authentication backend is the local user database, so each VPN user needs a pfSense account and a certificate signed by the OpenVPN CA:
- Go to System > User Manager
- Click “Add”
- Fill in:
- Username: Choose a username (it becomes the certificate common name, so keep it unique)
- Password: Set a strong password
- Full name: User’s full name
- Under “Certificate”, tick “Click to create a user certificate”
- Fill in:
- Descriptive name: User’s name
- Certificate authority: Your OpenVPN CA
- Click “Save”
Leave the account out of the admins group and without extra privileges: a VPN user only needs to authenticate, not to log into the firewall.
Repeat this process for each user who needs VPN access.
Step 7: Installing the OpenVPN Client Export Package
To easily generate client configurations, install the OpenVPN Client Export package:
- Go to System > Package Manager
- Click “Available Packages”
- Find “openvpn-client-export”
- Click “Install” and confirm
Step 8: Exporting Client Configurations
Now you can export client configurations:
- Go to VPN > OpenVPN
- Click the “Client Export” tab
- Select your OpenVPN server in the “Remote Access Server” dropdown
- Scroll down to see the export options for different devices
For most clients, the “Most Clients” inline configuration works well: it is a single .ovpn file with the CA certificate, the user’s certificate and private key, and the TLS key embedded. For Windows users, the installer bundles that profile with the OpenVPN client. Treat every exported file as a credential: it contains the user’s private key, so hand it over through a channel you would trust with a password, and delete stray copies (including the admin’s browser downloads) once it is imported.
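As an added example (not code from the article or from pfSense), here is an audit of an exported profile against the server settings chosen in Step 4. The two profiles are constructed samples in the shape of the Client Export package’s inline output, with key material replaced by placeholders; the hardened one should pass and the weak one should trip every check.

```python
import re

# Constructed sample in the shape of the Client Export package's "Most Clients"
# inline output; certificate and key material replaced by PLACEHOLDER.
HARDENED_OVPN = """\
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256
client
remote vpn.example.com 1194 udp4
auth-user-pass
remote-cert-tls server
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
<tls-auth>
PLACEHOLDER
</tls-auth>
key-direction 1
"""

# The same profile with the settings the guide warns against (also constructed).
WEAK_OVPN = """\
dev tun
client
cipher BF-CBC
auth SHA1
comp-lzo
remote vpn.example.com 1194 udp4
auth-user-pass
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
"""

AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
WEAK_DIGESTS = {"MD5", "SHA", "SHA1", "NONE"}
TAG = re.compile(r"<(/?)([\w-]+)>")


def parse_ovpn(text):
    """Split a profile into top-level directives and inline <tag> ... </tag> blocks."""
    directives, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = TAG.fullmatch(line)
        if m:
            current = None if m.group(1) else m.group(2)
            if current:
                blocks[current] = []
            continue
        if current:
            blocks[current].append(line)
        else:
            name, *args = line.split()
            directives.append((name, args))
    return directives, blocks


def audit_ovpn(text):
    """Findings for an exported profile; an empty list means it matches the guide's server settings."""
    directives, blocks = parse_ovpn(text)
    args = dict(directives)  # last occurrence of a directive wins
    findings = []
    if args.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server': any CA-signed cert, even another user's, passes as the server")
    if "tls-auth" not in blocks and "tls-crypt" not in blocks:
        findings.append("no tls-auth/tls-crypt key: unauthenticated packets reach the TLS stack")
    elif "tls-auth" in blocks and "key-direction" not in args:
        findings.append("tls-auth key present but 'key-direction' is not set")
    ciphers = args["data-ciphers"][0].split(":") if args.get("data-ciphers") else args.get("cipher", [])
    weak = [c for c in ciphers if c.upper() not in AEAD_CIPHERS]
    if weak:
        findings.append(f"non-AEAD data channel cipher configured: {', '.join(weak)}")
    digest = (args.get("auth") or ["SHA1"])[0].upper()  # OpenVPN's default when unset is SHA1
    if digest in WEAK_DIGESTS:
        findings.append(f"auth digest {digest} is weaker than the SHA256 the server uses")
    compress = args.get("compress", [])
    if "comp-lzo" in args or (compress and compress[0] in {"lzo", "lz4", "lz4-v2"}):
        findings.append("compression enabled: tunnelled secrets are exposed to VORACLE-style attacks")
    for block in ("ca", "cert", "key"):
        if block not in blocks:
            findings.append(f"inline <{block}> block missing: profile is incomplete")
    if "auth-user-pass" not in args:
        findings.append("missing 'auth-user-pass': the SSL/TLS + User Auth server will reject this client")
    return findings
```

Running audit_ovpn over a file you are about to hand to a user is a cheap last check that the export picked up the server settings you intended; the weak sample produces five findings, the hardened one none.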
Step 9: Connecting Clients
The process for connecting clients varies depending on the device and operating system. Generally, you’ll need to:
- Install an OpenVPN client on the device
- Import the configuration file you exported
- Connect using the username and password you set up
Troubleshooting Tips
If you encounter issues, try these steps:
- Check the server log: Status > System Logs > OpenVPN on pfSense records every failed handshake, certificate verification error and rejected password, and Status > OpenVPN shows who is currently connected
- Check firewall rules: Ensure the WAN rule is on the right interface and port, and that nothing upstream is dropping UDP 1194
- Verify server settings: Double-check the OpenVPN server configuration, in particular that the certificate you selected is a server certificate
- Check client logs: Most OpenVPN clients provide logs. “TLS key negotiation failed to occur within 60 seconds” means the server never answered (connectivity or firewall), while “AUTH_FAILED” means the handshake worked and the username or password was rejected
- Test connectivity: Make sure the client can reach the server’s IP and port. A plain UDP probe proves nothing, because the server silently drops packets that lack a valid TLS-key HMAC; a client attempt followed by a look at the server log is the reliable test
- Verify certificates: Ensure client certificates are issued by the same CA, not expired and not on the CRL attached to the server
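To make the log check concrete, here is an added example (not from the article) that triages constructed pfSense OpenVPN log lines. The messages follow OpenVPN’s own wording for TLS-key, certificate and connection events; the “could not authenticate” line is assumed to be the form pfSense’s user-auth script logs. Addresses are documentation ranges and the users are invented.

```python
import re
from collections import Counter

# Constructed sample in the shape of pfSense's OpenVPN log (Status > System Logs >
# OpenVPN); documentation-range addresses, invented users.
SAMPLE_LOG = """\
Jun 12 09:14:02 pfSense openvpn[51234]: 203.0.113.7:41022 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:41022
Jun 12 09:14:04 pfSense openvpn[51234]: 203.0.113.7:41022 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:41022
Jun 12 09:14:06 pfSense openvpn[51234]: 203.0.113.7:41022 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:41022
Jun 12 09:15:10 pfSense openvpn[51234]: 203.0.113.8:41900 VERIFY ERROR: depth=0, error=certificate revoked: CN=alice, serial=5
Jun 12 09:16:44 pfSense openvpn[51234]: 198.51.100.9:50311 VERIFY ERROR: depth=0, error=certificate has expired: CN=bob, serial=3
Jun 12 09:17:01 pfSense openvpn: user 'carol' could not authenticate.
Jun 12 09:18:30 pfSense openvpn[51234]: 198.51.100.9:50311 TLS: Initial packet from [AF_INET]198.51.100.9:50311, sid=1a2b3c4d 5e6f7a8b
Jun 12 09:18:32 pfSense openvpn[51234]: 198.51.100.9:50311 [dave] Peer Connection Initiated with [AF_INET]198.51.100.9:50311
"""

# (pattern, category, what to check). Wording follows OpenVPN's own messages; the
# "could not authenticate" form is assumed to be what pfSense's auth script logs.
PATTERNS = [
    (re.compile(r"cannot locate HMAC in incoming packet"), "tls-key-mismatch",
     "client profile has no TLS key, a different one, or the wrong key-direction; re-export it"),
    (re.compile(r"certificate revoked: .*?CN=([^,]+)"), "cert-revoked",
     "the CRL attached to the server lists this certificate; expected for offboarded users"),
    (re.compile(r"certificate has expired: .*?CN=([^,]+)"), "cert-expired",
     "renew the user certificate and re-export the profile"),
    (re.compile(r"user '([^']+)' could not authenticate"), "password-rejected",
     "TLS succeeded, so the certificate is fine; check the password and the auth backend"),
    (re.compile(r"Peer Connection Initiated"), "connected", "session established"),
]
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ openvpn(?:\[\d+\])?: (?P<msg>.*)$")
PEER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}:\d+) ")


def triage(log_text):
    """Classify each recognised log line as a dict with category, peer, subject and hint."""
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        p = PEER.match(msg)                      # OpenVPN prefixes per-peer messages with ip:port
        peer = p.group(1) if p else ""
        for pat, category, hint in PATTERNS:
            hit = pat.search(msg)
            if hit:
                subject = hit.group(1) if hit.groups() else peer
                results.append({"category": category, "peer": peer, "subject": subject, "hint": hint})
                break
    return results


def suspicious_peers(log_text, threshold=3):
    """Peers with at least `threshold` TLS-key failures: a broken profile, or someone probing the port."""
    counts = Counter(r["peer"] for r in triage(log_text) if r["category"] == "tls-key-mismatch")
    return {peer: n for peer, n in counts.items() if n >= threshold}
```

The unmatched “TLS: Initial packet” line is deliberately ignored; it is the normal first message of any handshake and carries no diagnosis on its own.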
Advanced Configuration Options
Once you have a basic setup working, you might want to explore more advanced options:
- Two-factor authentication: Add an extra layer of security
- Split tunneling: Allow certain traffic to bypass the VPN
- Traffic shaping: Prioritize certain types of VPN traffic
- Multiple VPN servers: Set up different servers for different purposes
- Site-to-site VPNs: Connect entire networks together
Maintaining Your VPN
To keep your VPN running smoothly and securely:
- Regularly update pfSense and the OpenVPN package
- Monitor server logs for unusual activity
- Periodically review and update firewall rules
- Rotate certificates and keys on a schedule, and renew before the lifetimes set above run out
- Keep track of user accounts and revoke access when no longer needed. Disabling or deleting the account only blocks the password step; the certificate stays valid until it is revoked, so revoke it as well (System > Cert Manager, Certificate Revocation tab), make sure that CRL is selected as the server’s “Peer Certificate Revocation list”, and keep the CRL current
Conclusion
Setting up OpenVPN on pfSense provides a powerful and flexible VPN solution. While the initial setup process might seem complex, it offers robust security and a wide range of configuration options. By following this guide, you should now have a functioning OpenVPN server on your pfSense router, allowing secure remote access to your network.
Remember, network security is an ongoing process. Regularly review and update your VPN configuration to ensure it continues to meet your needs and security requirements. With proper setup and maintenance, your pfSense OpenVPN server will provide a reliable and secure way to access your network resources from anywhere in the world.