pfSense is a free and open source firewall and router based on FreeBSD. Here’s everything you need to know about setting up your own OpenVPN server on pfSense.
pfSense is a popular firewall/router that offers a flexible alternative to the average consumer release. It comes with advanced capabilities compared to a typical router, and it is constantly updated with new firmware for increased security. A comprehensive GUI makes it easy to configure and manage, whether it’s used with a home or office network.
You can set up your own OpenVPN server with pfSense, allowing users to access the home network securely over a Virtual Private Network (VPN). Your local machines then become reachable from anywhere, and you can use your home internet connection remotely from your device.
We'll take you through the necessary steps to configure your own OpenVPN server on pfSense in this detailed guide.
pfSense and authentication
To begin, you’ll need to select an authentication method, whether it’s password-based authentication, certificate-based authentication, or a combination of the two. If you decide to use only password-based authentication, you won’t need to generate a user certificate. In any case, you will need to generate a Certificate Authority and a server certificate.
Generating the Certificate Authority (CA)
Generating your Certificate Authority (CA) is necessary to validate the OpenVPN server’s identity and authenticate user certificates.
- Within pfSense, select System, and then Cert. Manager.
- Click Add, and enter a name for your CA.
- Set the Method to Create an internal Certificate Authority.
- You’ll need to select your Key type (RSA, ECDSA).
- The Key length needs to be at least 2048.
- The Digest Algorithm needs to be at least sha256.
- You can pick a Common Name for your certificate. The default is internal-ca.
- Click Save to create your Certificate Authority.
Generating the server certificate
Here’s a step-by-step guide to generating your server certificate.
- Within pfSense, select System, and then Cert. Manager.
- Open the Certificates sub-menu. Click the Add/Sign button.
- Set the Method to Create an internal Certificate.
- You’ll now need to enter a Descriptive name for the server certificate.
- For the Key type, Key length, and the Digest Algorithm, enter the same values used for the Certificate Authority.
- The Lifetime should be set to 365 days.
- The Certificate Type should be Server Certificate.
- Click Save to create your server certificate.
Create your OpenVPN user and your user certificate
Next up, you’ll need to create a user for the OpenVPN server. This process can be replicated as many times as you’d like for multiple users.
- From pfSense, select System, and then User Manager.
- Click Add, and enter a Username and Password for this user. Hit Save.
- If you’re using certificate-based authentication or certificate and password-based authentication, open the Edit User window (pencil icon).
- Click the Add button under User Certificates. This will open the Certificate Manager. Input the parameters for your user certificate.
- Set the Method to Create an internal Certificate.
- You’ll now need to enter a Descriptive name for the user certificate.
- For the Key type, Key length, and the Digest Algorithm, enter the same values used for the Certificate Authority.
- The Lifetime should be 365 days.
- The Certificate Type should be User Certificate.
- Save, and click Save again when taken back to the User Manager menu.
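As an added illustration (not pfSense’s own code; pfSense builds these objects itself inside the Cert. Manager), the following Python script, using the third-party cryptography library, reproduces the three certificates created above with the parameters the steps call for: an internal CA, a server certificate and a user certificate, all RSA 2048 with SHA-256 and a 365-day lifetime. The server name vpn.example.net, the user name alice and the CA lifetime are made-up values for the example. It also shows why the Certificate Type matters: an OpenVPN client that verifies the server with remote-cert-tls server checks the extended key usage of the certificate it is offered, so a User Certificate cannot be passed off as the server even though the same CA signed it.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Parameters taken from the steps in the article.
KEY_BITS = 2048                            # Key length: at least 2048
DIGEST = hashes.SHA256()                   # Digest Algorithm: at least sha256
LIFETIME = datetime.timedelta(days=365)    # Lifetime: 365 days for server and user certs
CA_LIFETIME = datetime.timedelta(days=3650)  # assumed; the article sets no CA lifetime


def _cn(name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])


def _builder(subject, issuer, public_key, lifetime):
    """Common part of every certificate: names, key, serial and validity window."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))  # tolerate small clock skew
        .not_valid_after(now + lifetime)
    )


def make_ca(common_name="internal-ca"):
    """Create an internal Certificate Authority (self-signed, CA:TRUE, may sign certs/CRLs)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=KEY_BITS)
    cert = (
        _builder(_cn(common_name), _cn(common_name), key.public_key(), CA_LIFETIME)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, key_cert_sign=True, crl_sign=True,
            content_commitment=False, key_encipherment=False, data_encipherment=False,
            key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, DIGEST)
    )
    return key, cert


def issue(ca_key, ca_cert, common_name, cert_type):
    """Issue a leaf certificate signed by the CA.

    cert_type is "server" (Certificate Type: Server Certificate) or
    "user" (Certificate Type: User Certificate). The only difference is
    the extended key usage the certificate carries.
    """
    eku = {"server": ExtendedKeyUsageOID.SERVER_AUTH,
           "user": ExtendedKeyUsageOID.CLIENT_AUTH}[cert_type]
    key = rsa.generate_private_key(public_exponent=65537, key_size=KEY_BITS)
    cert = (
        _builder(_cn(common_name), ca_cert.subject, key.public_key(), LIFETIME)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, key_encipherment=True, key_cert_sign=False, crl_sign=False,
            content_commitment=False, data_encipherment=False,
            key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
        .sign(ca_key, DIGEST)
    )
    return key, cert


def signed_by(cert, ca_cert):
    """True if cert names ca_cert as issuer and ca_cert's key produced its signature."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject


def acceptable_as_server(cert):
    """The EKU part of OpenVPN's 'remote-cert-tls server' check: the peer's
    certificate must carry serverAuth, which a User Certificate does not."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.SERVER_AUTH in eku


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, server_cert = issue(ca_key, ca_cert, "vpn.example.net", "server")  # constructed name
    _, user_cert = issue(ca_key, ca_cert, "alice", "user")                # constructed name
    print("server cert chains to CA:   ", signed_by(server_cert, ca_cert))
    print("server cert usable as server:", acceptable_as_server(server_cert))
    print("user cert usable as server:  ", acceptable_as_server(user_cert))
```

The last line is the point of the Certificate Type field: both leaf certificates chain to the same CA, but only the one issued as a Server Certificate passes the server-side usage check, so a compromised user certificate cannot be used to stand up a fake server for other clients.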
Create the OpenVPN server
It’s now time to create your OpenVPN server.
For the General Information fields:
- From the pfSense menu, select VPN, and OpenVPN. Click Add.
- Select the Server mode, either Remote Access (SSL/TLS), Remote Access (User Auth), or Remote Access (SSL/TLS + User Auth).
- Change the Local port if necessary. Otherwise, the default is 1194.
- Name your server in the Description section.
For the Cryptographic Settings fields:
- Check Use a TLS Key and Automatically generate a TLS Key.
- Match the Peer Certificate Authority to the CA created above.
- Do the same for the Server certificate you’ve previously created.
- The DH Parameter Length should be 4096.
- The Auth digest algorithm should be set to RSA-SHA512 (512-bit).
For the Tunnel Network fields:
- Enter a subnet in the IPv4 Tunnel Network. This is used as the OpenVPN network’s internal subnet, and it must not already be present anywhere on your network. For example: 192.168.1.0/24.
- You can also set your OpenVPN tunnel to support IPv6 within the IPv6 Tunnel Network field.
- Check the box for Redirect IPv4 Gateway. This sends all of the client’s IPv4 traffic through the VPN tunnel. Do the same for Redirect IPv6 Gateway if applicable.
In the Advanced Configuration fields:
- Make sure UDP Fast I/O is checked.
- Within Gateway creation, select IPv4 only. If you’re also using IPv6, keep it set to Both.
- Click Save to finish creating your OpenVPN server.
- It’s a good idea to make sure that everything is set up correctly. Open the Status menu in pfSense, and click System Logs.
- Select OpenVPN, and take a look at the logs. It should say Initialization Sequence Completed.
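To make the log check above repeatable, here is an added Python example (not part of the article or of pfSense) that reads the OpenVPN server log as text and reports whether the server reached Initialization Sequence Completed, which protocol and port it bound to, and any error lines it logged. The sample log lines are constructed for this example: the message texts are OpenVPN’s own, but the timestamps, process id and addresses (203.0.113.10, 198.51.100.7) are made up.

```python
import re

# Constructed sample of what Status > System Logs > OpenVPN shows after a successful start.
SAMPLE_OK = """\
Mar  3 10:15:01 pfSense openvpn[4242]: Diffie-Hellman initialized with 4096 bit key
Mar  3 10:15:01 pfSense openvpn[4242]: TUN/TAP device ovpns1 opened
Mar  3 10:15:01 pfSense openvpn[4242]: UDPv4 link local (bound): [AF_INET]203.0.113.10:1194
Mar  3 10:15:01 pfSense openvpn[4242]: UDPv4 link remote: [AF_UNSPEC]
Mar  3 10:15:01 pfSense openvpn[4242]: Initialization Sequence Completed
"""

# Constructed sample of a server that runs but rejects a client whose certificate does not
# chain to the Peer Certificate Authority selected in the server settings.
SAMPLE_TLS_ERROR = SAMPLE_OK + """\
Mar  3 10:16:30 pfSense openvpn[4242]: 198.51.100.7:51822 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=alice
Mar  3 10:16:30 pfSense openvpn[4242]: 198.51.100.7:51822 TLS Error: TLS handshake failed
"""

SYSLOG_PREFIX = re.compile(r"^.*?openvpn\[\d+\]: ")
LINK_LINE = re.compile(r"(UDP|TCP)v(4|6) link local \(bound\): \[AF_INET6?\](.*):(\d+)$")


def check_openvpn_log(text, expected_port=1194, expected_proto="udp4"):
    """Summarise an OpenVPN server log: did it come up, on which socket, and what went wrong.

    expected_port / expected_proto are the Local port and protocol chosen in the server
    settings; the WAN firewall rule added later must match the socket reported here.
    """
    report = {"initialized": False, "proto": None, "port": None,
              "socket_matches": False, "errors": []}
    for line in text.splitlines():
        msg = SYSLOG_PREFIX.sub("", line)          # drop the date/host/pid prefix
        if msg == "Initialization Sequence Completed":
            report["initialized"] = True
        link = LINK_LINE.search(msg)
        if link:
            report["proto"] = link.group(1).lower() + link.group(2)   # e.g. "udp4"
            report["port"] = int(link.group(4))
        if "TLS Error" in msg or "VERIFY ERROR" in msg or "Options error" in msg:
            report["errors"].append(msg)
    report["socket_matches"] = (report["proto"] == expected_proto
                                and report["port"] == expected_port)
    return report


if __name__ == "__main__":
    for name, sample in (("healthy start", SAMPLE_OK), ("client rejected", SAMPLE_TLS_ERROR)):
        r = check_openvpn_log(sample)
        print(f"{name}: initialized={r['initialized']} socket={r['proto']}:{r['port']} "
              f"matches={r['socket_matches']} errors={len(r['errors'])}")
```

A VERIFY ERROR followed by a failed handshake, as in the second sample, is what you see when a client presents a certificate from a different CA than the one selected as Peer Certificate Authority; the server itself is healthy, which the initialized flag makes clear.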
Creating the firewall rules
Next up, you’ll need to create the firewall rules that allow traffic to and from your server. Here's a step-by-step guide to get started:
Allowing outbound traffic
Firstly, we’ll focus on the rule to allow traffic from the OpenVPN subnet onto the internet.
- Select Firewall, and then Rules.
- Click the OpenVPN sub-menu.
- Next, click Add to create a new rule.
- Choose between IPv4 and IPv4 + IPv6, depending on your setup.
- The Protocol should be set to Any, and the Source set to Network.
- Enter the OpenVPN subnet you created earlier in the Source Address field, without the trailing prefix length. For example, 192.168.1.0 rather than 192.168.1.0/24.
- In the mask dropdown next to the Source Address, select the prefix length you removed. In the above example, it would be 24.
- Name your rule in the Description section.
- Click Save, and Apply Changes.
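The two subnet choices made so far, picking a Tunnel Network that does not collide with anything already on your network and then splitting it into the address and mask fields of the OpenVPN firewall rule, are easy to get wrong by hand. The following Python example (added here; not part of the article or of pfSense, standard library only) checks a candidate tunnel network against a list of subnets already in use and returns the two values the rule form asks for. The subnets in the main block are constructed for the example; the rejected case shows that the article’s example value 192.168.1.0/24 would not be usable on a home network whose LAN is already 192.168.1.0/24.

```python
import ipaddress


def plan_tunnel_network(candidate, in_use):
    """Validate a proposed OpenVPN tunnel network and derive the firewall-rule fields.

    candidate: the value typed into IPv4/IPv6 Tunnel Network, e.g. "10.8.0.0/24"
    in_use:    subnets already present on the network (LAN, other VPNs, remote sites)
    Returns a dict with the values for the rule's Source Address and mask dropdown.
    Raises ValueError when the candidate is malformed, has host bits set, or overlaps
    a subnet that is already in use.
    """
    tunnel = ipaddress.ip_network(candidate, strict=True)   # "10.8.0.1/24" is rejected
    for existing in in_use:
        net = ipaddress.ip_network(existing, strict=False)
        if net.version == tunnel.version and net.overlaps(tunnel):
            raise ValueError(f"tunnel network {tunnel} overlaps {net}, which is already in use")
    return {
        "tunnel_network": str(tunnel),                   # what goes into the Tunnel Network field
        "source_address": str(tunnel.network_address),   # rule: Source Address, without the /NN
        "source_mask": tunnel.prefixlen,                 # rule: the mask dropdown, e.g. 24
        "is_private": tunnel.is_private,                 # False would mean public address space
        # rough client capacity: network and broadcast excluded, the server takes one more
        "usable_addresses": max(tunnel.num_addresses - 2, 0),
    }


if __name__ == "__main__":
    # Constructed example: a home LAN on 192.168.1.0/24 and a second segment on 192.168.2.0/24.
    lan = ["192.168.1.0/24", "192.168.2.0/24"]
    print(plan_tunnel_network("10.8.0.0/24", lan))
    for bad in ("192.168.1.0/24", "10.8.0.1/24"):
        try:
            plan_tunnel_network(bad, lan)
        except ValueError as exc:
            print("rejected:", exc)
```

Keeping the list of in-use subnets honest is the important part: include every remote office or site-to-site VPN range as well as the local LAN, because a tunnel network that overlaps a remote site will route its traffic into the tunnel instead.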
Connecting to the server from the internet
If you want to connect to your newly created OpenVPN server from the internet, you’ll need to open your ports within the WAN interface.
Here’s a quick guide detailing how to create a rule to allow client connections to the OpenVPN server via the internet.
- Select Firewall, and then Rules.
- Click the WAN sub-menu.
- Next, click Add to create a new rule.
- Choose between IPv4 and IPv4 + IPv6, depending on your setup. The default is IPv4.
- The Protocol should be set to UDP, and the Source set to Any.
- The Destination Port Range should be set to the port your server runs on.
- Name your rule in the Description section.
- Click Save, and Apply Changes to finish.
Install the OpenVPN Client Export Utility
pfSense comes with an automated configuration generator for OpenVPN, although it requires manual installation. To do so:
- From the main menu, select System, and click Package Manager.
- Click Available Packages, and find openvpn-client-export. Hit Install to open the Package Installer menu.
- Click Confirm to install the package. Once complete, it should say Success.
Export the OpenVPN client configuration
- From the pfSense menu, select VPN, and OpenVPN.
- Open the Client Export menu.
- Double check that the Remote Access Server lists the right OpenVPN server.
- For Dynamic DNS users, select Other in Host Name Resolution. Next, you’ll need to enter your hostname in the Host Name field. This lets clients reach your WAN without knowing its IP address. For non-Dynamic DNS users, leave the Host Name Resolution set to Interface IP Address.
- You’ll find a collection of generated configurations for a selection of apps and operating systems depending on the information you’ve provided. Pick the option that works with your device.
- Download the configuration. You may be prompted to enter your username and password. You’ll then be free to connect to your OpenVPN server.
- Open Google, and type in ‘what is my IP’. Your public IP address should have changed to the WAN address of your home internet.
Summary
You now have a basic OpenVPN server in pfSense! You can remotely access your home devices and internet connection, and you should have a basic understanding of how to set and configure new rules within pfSense. It’s worth checking out add-ons, with features including split tunneling and the ability to block ads and malicious sites. There are multiple advanced options to pick from once you get the hang of things.
You'll be able to route any client device as long as it's connected to the server. This is the case whether it's on an office network or a mobile network. It's slightly more difficult to set up than your typical connection, but it's a valid option for any VPN user. If you're having issues while using a pfSense box with an OpenVPN connection, make sure to check the firewall rules, as well as the OpenVPN logs and the network itself.