By popular demand, I created this complete beginner guide on how to install OpenVPN on pfSense 2.5. This was one of the most requested tutorials. As always, my guide is accompanied by a video and I walk you through each and every step, so you can easily follow along!
This guide uses the newest version of pfSense, version 2.5.1.
This guide was updated in May 2021 for pfSense version 2.5.1.
Step 1 – Creating a NO-IP Account
If you have a Static IP Address or already have a different DynDNS Service in place, you can continue with Step 2. For everyone else, we first set up a NO-IP Account because we will need it later on. Head over to NO-IP and create yourself a hostname. I recommend choosing a generic hostname that nobody can easily guess.

After clicking on Sign Up fill out the required fields and create your account. The free account requires you to confirm your hostname every 30 days. Activate your account via email. Log in to NO-IP with your account once confirmed and create a Username as prompted.
In your NO-IP Dashboard navigate to Dynamic DNS -> No-IP Hostnames and you should already see your IP Address and your DynDNS Name. In case you use another IP, adjust the entry accordingly. If you want to confirm that the IP is correct head to this website.

Good. Now that we have a DynDNS account, we can set it up in pfSense next.
Step 2 – Setting up DynDNS in pfSense
In pfSense, navigate to Services / Dynamic DNS and click on +Add. Now fill out the required fields as in the screenshot below. Choose your service from the list of services. In case you opted for NO-IP Free like me, choose No-IP (free).
Interface to Monitor is WAN. The hostname is the Hostname you set up for yourself on No-IP, in my case ceos3c.hopto.org. Scroll down and enter your No-IP Username and Password. Give the service a description and click Save.

Once this is done, you should see the Cached IP in green, which means the IP is up to date.

Good. We are done setting up DynDNS.
Step 3 – Creating Certificates
Now we need to create a new Certificate Authority and a new certificate to install OpenVPN on pfSense 2.5.
Creating a new Certificate Authority
Navigate to System / Cert. Manager. Click on +Add to create a new Certificate Authority.

Fill in everything as in the screenshot below. You can choose a higher Digest Algorithm if you want to.

Click on Save once you are done.
Creating a Server Certificate
Now we need to create a new Server Certificate. To do so, navigate to System / Certificate Manager / Certificates. Click on +Add/Sign to create a new certificate. Make sure to select the OpenVPN-CA that we created above as the Certificate Authority, and use your DynDNS Hostname as the Common Name. For Certificate Type, make sure to choose Server Certificate.
Update May 2021: For Key type, select RSA.
Fill out the rest as in the screenshot below. Click Save at the end.

Step 4 – Creating a VPN User
Now we are going to create a VPN User. This User will be used to log in to our VPN from a remote location through the VPN Client.
Navigate to System / User Manager and click +Add to add a new User.
Make sure to tick Create Certificate for User and give the Certificate a descriptive name. Also, make sure to choose our OpenVPN-CA as the Certificate Authority.
Update May 2021: Also choose Key type RSA here.
Click on Save once you are done with that.

Step 5 – Installing the OpenVPN Client Export Package
Now we need to install the OpenVPN Client Export Package to create our Windows Installer or download VPN Configuration Files for Linux. Navigate to System / Package Manager / Available Packages and type OpenVPN in the search field. Click on +Install to install it.

Now that we have this in place we can go ahead and install OpenVPN on pfSense 2.5.
Step 6 – Install OpenVPN on pfSense 2.5
Navigate to VPN / OpenVPN / Wizards. Choose Local User Access and click Next.

Select our OpenVPN-CA and click Next.

Select the OpenVPN-Cert (Server Certificate) we created earlier.

The next step is a bit lengthy and will be divided into a couple of Screenshots. Make sure you fill everything out as in my example or adjust according to your own needs.
General OpenVPN Server Information and Cryptography Settings

Tunnel Settings
This is quite important to get right. Let me quickly elaborate. Let’s assume your local Network is 192.168.10.0/24. You want your Tunnel Network to be on a different Subnet, so you could choose 192.168.11.0/24 for your Tunnel Network.
Concurrent Connections means how many people can connect via OpenVPN simultaneously. If you only have one user for yourself, just set it to 1 for good measure. Also, check Redirect Gateway to force all traffic through the tunnel.
Leave the rest of the Tunnel Settings at their defaults.

Client Settings
For DNS Default Domain, enter the Domain you specified under System / General Setup. If you are unsure, just navigate to System / General Setup (Right-Click -> Open in a new tab if you don’t want to interrupt the Wizard). Then enter the IP Address of your DNS Server. If that is your pfSense, enter the IP of your pfSense Firewall.

Click on next to continue.
Firewall Rule Configuration
On the last step of the Wizard tick both checkboxes to create Firewall Rules for both OpenVPN and Clients.

Finally, click Next and Finish. Now we are almost done.
Step 7 – Exporting and Installing the Client
Navigate to VPN / OpenVPN / Client Export. At the top, under Client Connection Behavior, make sure to choose your DynDNS Hostname for Host Name Resolution. After this, scroll down a little bit and hit Save as Default.
Check Use Random Local Port in case you want to connect more than 1 client simultaneously.

Now scroll down until you find OpenVPN Clients and you should see your VPNUser and a couple of Client Export Options next to it. If you are on Windows, you want to download the Current Windows Installer.

Once downloaded, right-click and select Install as Administrator. If a Windows Smart Screen Warning pops up, click on More Info and Run Anyway. Install OpenVPN, leaving everything on Default. When prompted to install the TAP-Windows Provider V9 Network Adapters, click on Install.
Once installed double-click the OpenVPN GUI Icon from your Desktop to start it. When you restart your computer, OpenVPN will be started automatically in the future. You will see a little Screen+Lock Icon in your Taskbar now.
Step 8 – Connecting to OpenVPN with pfSense 2.5
Right-click the lock icon and select Connect. Enter your VPNUser Username and Password.

Allow the connection through your Windows Firewall when prompted, for both Private and Public Networks. You should now see that you are connected to your VPN, indicated by the green light showing in the small Screen+Lock Symbol in your Taskbar.
Congratulations, you successfully installed OpenVPN on pfSense 2.5!
Troubleshooting
In case you run into any problems these are the first things to check:
- Is the OpenVPN Service running? Navigate to Status / Services. If necessary, restart your pfSense if you’re not able to start it.
- Check your Firewall Rules to confirm that all Rules were created, both the WAN and the OpenVPN Rule
- Check that you entered the Tunnel and Local Network in your OpenVPN Config as network addresses with the correct subnet mask (192.168.1.0/24). It has to be .0/24 on the end, not .1/24 or something like that.
- Check the System Logs under Status / System Logs to get hints
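The subnet rules from Tunnel Settings in Step 6 and from the troubleshooting list above can be checked before you type anything into the wizard. The following is an added example, not part of the original guide or of pfSense: the function names are hypothetical, and the capacity rule and the client_lans check (the network a client connects from) are assumptions that go beyond what the guide covers.

```python
import ipaddress

def parse_network(label, cidr, problems):
    """Parse a CIDR string, reporting host bits (.1/24) instead of accepting them."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        pass
    try:
        fixed = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        problems.append(f"{label}: '{cidr}' is not a valid network")
        return None
    problems.append(f"{label}: '{cidr}' has host bits set, enter {fixed}")
    return fixed

def check_tunnel_plan(local_cidr, tunnel_cidr, concurrent=1, client_lans=()):
    """Return a list of problems with the planned addressing (empty list = OK)."""
    problems = []
    local = parse_network("Local Network", local_cidr, problems)
    tunnel = parse_network("Tunnel Network", tunnel_cidr, problems)
    if local is None or tunnel is None:
        return problems
    if local.overlaps(tunnel):
        problems.append(f"Tunnel Network {tunnel} overlaps Local Network {local}")
    # Assumption: the server and each client take one tunnel address;
    # the network and broadcast addresses are not usable.
    capacity = tunnel.num_addresses - 3
    if concurrent > capacity:
        problems.append(f"Tunnel Network {tunnel} fits {capacity} clients, {concurrent} configured")
    # Assumption (not in the guide): networks the client connects from.
    for lan in client_lans:
        remote = ipaddress.ip_network(lan, strict=False)
        for name, net in (("Local Network", local), ("Tunnel Network", tunnel)):
            if remote.overlaps(net):
                problems.append(f"Client LAN {remote} overlaps {name} {net}")
    return problems

if __name__ == "__main__":
    # Constructed plans; the first uses the example addresses from the guide.
    plans = [
        ("192.168.10.0/24", "192.168.11.0/24", 1, []),
        ("192.168.10.0/24", "192.168.11.1/24", 1, []),
        ("192.168.10.0/24", "192.168.10.0/24", 1, []),
        ("192.168.1.0/24", "192.168.11.0/30", 2, ["192.168.1.0/24"]),
    ]
    for plan in plans:
        print(plan, "->", check_tunnel_plan(*plan) or "OK")
```

An empty result means the plan passes all checks. A host-bits finding also prints the corrected network address to enter.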
Conclusion
It can be a bit confusing if you go through this process for the first time, but once you have it set up, it’s a gift that keeps on giving. You have successfully learned how to install OpenVPN on pfSense 2.5!
The post How to install OpenVPN on pfSense: Ultimate Beginner Guide appeared first on Ceos3c.