pfSense 2.1 OpenVPN Configuration Settings

This will allow you to connect in from a roaming machine/device via OpenVPN to pfSense.

Step 1: Create a New Certificate Authority (CA) Certificate (System: Certificate Authority Manager)

Descriptive name: ca-01 (Make up a unique name. You typically will only need to make one of these.)
Method: Create an internal Certificate Authority
Key Length: 2048 bit
Digest Algorithm: SHA256
Lifetime: 3650 days
Complete the remainder of the form with bogus information. Make sure every certificate has a different common name (CN).

Step 2: Create a New Server Certificate (System: Certificate Manager)

Note: You will create one server certificate for each VPN server you create.

Method: Create an internal Certificate
Descriptive name: server-cert-01 (Make up a unique name.)
Certificate Authority: ca-01 (Select the same CA name that you created in step 1.)
Key Length: 2048 bit
Digest Algorithm: SHA256
Certificate Type: Server Certificate
Lifetime: 3650 days
Complete the remainder of the form with bogus information. Make sure every certificate has a different common name (CN).

Step 3: Create a New User Certificate (System: Certificate Manager)

Note: You will create one user certificate for every server certificate, so each VPN server will result in two certificates: one server cert and one user cert. A naming scheme that helps you identify which server cert goes with which user cert is recommended, e.g. server-cert-01, user-cert-01, server-cert-02, user-cert-02, etc.

Method: Create an internal Certificate
Descriptive name: user-cert-01 (Make up a unique name.)
Certificate Authority: ca-01 (Select the same CA name that you created in step 1.)
Key Length: 2048 bit
Digest Algorithm: SHA256
Certificate Type: Server Certificate
Lifetime: 3650 days
Complete the remainder of the form with bogus information. Make sure every certificate has a different common name (CN).

Step 4: Create OpenVPN Server (OpenVPN: Server)

General Information
Server Mode: Remote Access (SSL/TLS)
Protocol: UDP
Local Port: Choose one of the following:
Option 1) Use the default setting of 1194. (This port should be avoided as it is both a target and easily blocked.)
Option 2) Anything between 34,981 - 36,000. (The ports in this range are typically unused and available.)
Option 3) Use 443 and change the protocol from UDP to TCP. (This will make the VPN traffic look like you were accessing a secure web page.)
Description: vpn-01

Cryptographic Settings
TLS Authentication: Checked
Generate TLS Key: Checked
Peer Certificate Authority: ca-01 (Select the same CA name that you created in step 1.)
Peer Certificate Revocation List: Not used at this time.
Server Certificate: server-cert-01 (Select the same Certificate name that you created in step 2.)
DH Parameters Length: 1024 bits
Encryption Algorithm: BF-CBC 128 (Use BF-CBC 128 for maximum compatibility as AES will not work with some configs. Use AES-256-CBC for maximum security if client will accept.)
Hardware Crypto: No Hardware Crypto Acceleration
Certificate Depth: One (Client+Server)

Tunnel Settings
IPv4 Tunnel Network: 10.0.8.0/24 (Pick a subnet that you are not using.)
IPv6 Tunnel Network: Leave Blank
Redirect Gateway: Checked (This is optional and can be enabled on the client side if necessary.)
IPv4 Local Network: This is generally set to your LAN network.
Concurrent Connections: 200
Compression: Checked (Optional but highly recommended.)
Type-of-Service: NOT Checked
Inter-Client Communication: Checked (Optional.)
Duplicate Connections: NOT Checked
Note: The Duplicate Connections check box on the server allows multiple concurrent connections from clients using the same Common Name, so one cert can be used by more than one connection/user. This is not generally recommended, but may be needed for some scenarios. Every VPN cert should have its own CN, so every connection/user will have one unique cert.

Client Settings
Dynamic IP: Checked
Address Pool: Checked
Topology: NOT Checked
DNS Default Domain: NOT Checked
DNS Servers: Checked (Any two valid DNS server IPs e.g. Server 1) 75.75.75.75 Server 2) 75.75.76.76)
NTP Servers: NOT Checked
NetBIOS Options: NOT Checked

Advanced Configuration
Advanced: Not used. Leave blank.

Step 5: Open WAN Firewall for VPN Use (Firewall: Rules: WAN)

Edit Firewall Rules
Action: Pass
Disabled: NOT Checked
Interface: WAN
TCP/IP Version: IPv4
Protocol: UDP (Or TCP if you are using port 443 in step 4.)
Source: Any
Destination: WAN address
Destination port range: 1194 (Or whatever you selected in step 4. Both from and to will have the same value.)
Log: NOT Checked
Description: Enter a name here.

Step 6: Open OpenVPN Firewall for VPN Use (Firewall: Rules: OpenVPN)

Edit Firewall Rules
Action: Pass
Disabled: NOT Checked
Interface: OpenVPN
TCP/IP Version: IPv4
Protocol: Any
Source: Any
Destination: Any
Destination port range: Any
Log: NOT Checked
Description: Enter a name here.

Step 7: Install OpenVPN Client Export Utility (System: Package Manager)

Step 8: Export OpenVPN Client Files (OpenVPN: Client Export Utility)

Remote Access Server: Select the server you created in step 4. If the wrong server is selected the exported files will not work! This is very easy to overlook.
Host Name Resolution: Interface IP Address
Verify Server CN: Automatic
Use Random Local Port: Checked
Certificate Export Options: NOT Checked
Use Proxy: NOT Checked
Management Interface OpenVPNManager: NOT Checked
Additional configuration options: ping 10;verb 3
Note: Add the following as needed:
redirect-gateway def1 #(forces all traffic from the client across the VPN, e.g. web browsing)
auth-user-pass #(allows the OpenVPN server to securely obtain a username and password from a connecting client, and to use that information as a basis for authenticating the client)
Client Install Packages: Select the user cert that matches up with the Remote Access Server name you selected earlier.
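As an added example (not from the original page and not pfSense's own code), a Python checker that parses an exported client .ovpn and flags where it departs from the choices made in steps 4 and 8: the default port 1194, BF-CBC instead of AES-256-CBC, a missing tls-auth key, or no server CN verification. The sample config is constructed; the server address and key body are placeholders.

```python
# Constructed sample of an exported client config (not a real pfSense export).
SAMPLE_OVPN = """\
dev tun
client
proto udp
cipher BF-CBC
remote 203.0.113.10 1194
verify-x509-name "server-cert-01" name
remote-cert-tls server
ping 10
verb 3
<tls-auth>
PLACEHOLDER-STATIC-KEY
</tls-auth>
key-direction 1
"""

def parse_ovpn(text):
    """Split a .ovpn into directives {name: [args...]} and inline block names."""
    directives, blocks, in_block = {}, set(), None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith('<') and line.endswith('>'):   # <ca>, </ca>, <tls-auth>, ...
            in_block = None if line.startswith('</') else line[1:-1]
            if in_block:
                blocks.add(in_block)
            continue
        if in_block is None:                  # skip PEM/key bodies
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks

def check_export(text):
    """Findings where the export deviates from the settings chosen in steps 4 and 8."""
    d, blocks = parse_ovpn(text)
    findings = []
    for args in d.get('remote', []):
        if len(args) >= 2 and args[1] == '1194':
            findings.append('port 1194: default port, easily identified and blocked')
    if ['BF-CBC'] in d.get('cipher', []):
        findings.append('cipher BF-CBC: use AES-256-CBC if the client accepts it')
    if 'tls-auth' not in blocks and 'tls-auth' not in d:
        findings.append('no tls-auth key: TLS Authentication was not exported')
    if 'verify-x509-name' not in d and 'tls-remote' not in d:
        findings.append('server CN not verified: check Verify Server CN in the export')
    return findings
```

Run check_export() over each exported .ovpn before handing it to a user; an empty list means the file matches the choices made above.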

Step 9: Create Firewall Rules (Firewall: Rules)

WAN
Proto: Select the protocol that you selected in step 4 e.g. TCP or UDP.
Source Type: Any
Source Port: Any
Destination Type: WAN address
Destination Port: Select the port that you selected in step 4 e.g. 443, 1194, etc.
Gateway: Any
Queue: None
Schedule: None

OpenVPN
Proto: Any
Source Type: Any
Source Port: Any
Destination Type: Any
Destination Port: Any
Gateway: Any
Queue: None
Schedule: None
