Tips on setting up a PfSense VPN using OpenVPN. A VPN (Virtual Private Network) allows you to remote into a home or work network to access local resources. Using a VPN to remote into a network infrastructure is incredible because you can work as if you are physically there. You will have access to all of that network’s resources, including the router, shared folders, cameras, etc.
A VPN is much safer than other methods of accessing your remote networks. Unsafe remote-access methods include port forwarding, File Transfer Protocol (FTP) servers and Remote Desktop Protocol (RDP).
For those of you who don’t know what PfSense is, it is a free software-based routing and firewall solution for networks. PfSense is built on FreeBSD, a reliable and robust Unix operating system. You can download and install PfSense on virtual machines or physical computers. PfSense also sells pre-built router boxes if you wish to avoid the hassle of setting up your own.
OpenVPN is a free, safe-to-use, open-source software solution for creating a Virtual Private Network (VPN). OpenVPN uses a variety of strong encryption standards to secure your connections over a public network. OpenVPN integrates into PfSense, which is excellent because it gives you a single point of control.
Another great option, if you would like a hardware router/firewall box, is the router boxes made by Protectli, which allow you to install any open-source router software.
However, being hardcore fans of PfSense, we stick by their hardware solutions because doing so allows us to give back to the community in some way and help support the PfSense open-source project.
PfSense VPN Setup | OpenVPN Configuration
Setting up your Virtual Private Network is not always an easy process, but by following these directions, you should be able to implement it without too much hassle within PfSense.
There are three parts you must complete within PfSense to get your VPN working.
1. Create a Certificate Authority (CA)
First, we will need to create a Certificate Authority (CA) by following the steps below.
Once the Cert Manager opens up, as you can see below, we don’t yet have a Certificate Authority. Add a new one, as shown below.
Next, give it a descriptive name and select “Create an internal Certificate Authority” under Method. The security information for the Certificate Authority will be filled in automatically. Fill out the straightforward information requested by the form, such as location and organization, and click Save.
2. Create a PfSense VPN Certificate for the OpenVPN Server
Next, we will create a PfSense VPN certificate for the OpenVPN server. A VPN certificate allows for client verification of the server’s identity.
Go to System > Certificate Manager > Certificates and add a new certificate, as shown below.
The certificate form is straightforward to fill in. Here are the critical options to change.
Method: Create an Internal Certificate
Descriptive Name: a friendly name of your choosing
Certificate Authority: The CA that you created in Step 1
Country Code: Same as the one in the CA that you created in the previous step.
Certificate Type: Server Certificate
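Steps 1 and 2 above produce two artifacts: a CA and a server certificate signed by it. The script below is an added example, not part of this guide or of PfSense, that builds the same two artifacts with plain OpenSSL and then runs the check an OpenVPN client performs against the CA it is handed. It assumes openssl is in PATH; every subject name and file path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the pfSense guide): the CA and server certificate from
# steps 1 and 2, built with plain OpenSSL, plus the client-side verification.
# Assumes openssl in PATH; names and paths below are constructed for this demo.
set -e
WORK=$(mktemp -d)

# Step 1: an internal Certificate Authority: self-signed, marked CA:TRUE and
# allowed to sign certificates (pfSense sets the same extensions).
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Home Lab/CN=HomeLab-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: the OpenVPN server's certificate, signed by that CA and typed as a
# Server Certificate (extendedKeyUsage=serverAuth is what makes it one).
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Home Lab/CN=remote-users-vpn" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/server.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# What a client does with the CA it was handed: the server cert must chain to
# that CA and be usable as a server cert (OpenVPN's remote-cert-tls server).
verify_server_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$WORK/server.crt" >/dev/null 2>&1
}

# The same check against a CA the client was not given must fail; that is what
# keeps a look-alike server from impersonating yours.
rejects_other_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Other-CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  ! openssl verify -CAfile "$WORK/other.crt" "$WORK/server.crt" >/dev/null 2>&1
}

make_ca
make_server_cert
verify_server_cert && echo "server cert chains to HomeLab-CA"
rejects_other_ca && echo "server cert rejected under a CA the client does not trust"
```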
3. Setup PfSense VPN (OpenVPN)
Next, we will create the OpenVPN server on PfSense. Luckily, we are provided with an easy-to-follow wizard to set up the server. From the PfSense menu bar, go to VPN > OpenVPN, as shown below.
Next, click on the Wizards tab, as shown below.
We will then select the VPN backend authentication method, which, in our case, will be “Local User Access.” If you are using LDAP with Active Directory for your authentication, be sure to check out the article OpenVPN Active Directory Authentication.
Select the Certificate Authority that you created earlier and click Next, as shown below.
This time, select the Server Certificate that we created earlier and click Next again, as shown below.
Upcoming steps will contain the actual configuration of the OpenVPN server. You can change the security settings and network settings to meet your own needs.
In the “General OpenVPN Server Information” menu, be sure to match your settings to mine below. You can change the local port, or you can keep the default port. Be sure to type in a friendly description; mine is “remote users.”
In the “Cryptographic Settings” menu, be sure to pick a strong auth digest algorithm. The recommendation is SHA256 (256-bit) or higher.
Under hardware crypto, I was able to use the Intel RDRAND engine, as shown below, even though I am running PfSense as a Virtual Machine inside an Intel Xeon based system.
In the “Tunnel Settings” menu, you can keep the tunnel network settings the same as mine, but your local network settings may vary depending on your local network address.
Be sure to keep the “Redirect Gateway” box checked and set concurrent connections to at least five for two users. You should always set it to a slightly higher value than the number of users connecting to your virtual private network. Too few concurrent connections can prevent a user from reconnecting if they disconnect and reconnect too quickly.
PfSense Local Network Tunnel Settings in IPv6
Sometimes PfSense only allows you to input an IPv6 value for the Local Network. Here is a resolution to this problem: convert your IPv4 local network address to an IPv6 local network address and input that value into the IPv6 Local Network box.
Using the IPv4 to IPv6 conversion tool, you can paste your network address in, and it will give you the IPv6 conversion of that address. (Note: your network address may differ from mine).
You can now take that IPv6 converted address and paste it into the following IPv6 Subnet Calculator tool, and it will give you the CIDR notation, network address, IP address start, and end range as well as the subnet value.
We will need the IPv6 information within the address field as well as the subnet field, as shown below.
Use the information above to fill in the IPv6 Local Networks field in PfSense tunnel settings, as shown below.
In the “Client Settings” menu, you don’t need to mess with any of the settings unless you want to send the clients to a specific DNS server, WINS server, etc.
Once you are done, click next.
We are almost done with the OpenVPN server setup; we still need to add the firewall rules. Check both the Firewall Rule and the OpenVPN Rule boxes, as shown below, and continue.
We will now finish the OpenVPN server setup process. Go ahead and click the Finish button.
Now you will be able to view the OpenVPN server that you have created under the VPN > OpenVPN > Servers menu of PfSense.
Under the PfSense firewall rules, you will notice that the VPN server Wizard automatically created some firewall rules for you.
This PfSense VPN server guide is getting pretty lengthy, so we will stop here and continue with the PfSense Client Setup in another article.