Hi folks, today I will show you how to configure OpenVPN for pfSense 2.3 step by step. I found that some tutorials out there are lacking detail, so here I will guide you through each and every step to achieve a working VPN connection to your internal network.
I run the newest pfSense release, 2.3.3.
So let’s get started.
1. Log in to your pfSense and head to System / Certificate Manager / CAs and click on Add
We need to create a Certificate Authority first.
2. Fill out the form accordingly. Make sure you choose "Create an internal Certificate Authority" and give it a Common Name; this is the name that will show up in your dropdown later.
3. Now head over to System / Certificate Manager / Certificates and click on Add. We will now create the OpenVPN Certificate.
4. Fill out the form. Make sure to choose "Create an Internal Certificate" and choose the OpenVPNCA Certificate we just created as the Certificate Authority. Also make sure to use Server Certificate as Certificate Type.
5. Now we will create our VPN User, so head over to System / User Manager / Users and click on Add.
6. Fill everything out to your liking and hit Save.
7. Once this is done, we need to go back to System / Certificate Manager / Certificates and create our User Certificate for the user we just created. Choose a name and be sure to choose User Certificate this time under Certificate Type. Click on Save when you're done.
8. Now go back to System / User Manager / Users and click on Edit on the vpnuser we created earlier. We need to assign the certificate we just created to this user. Under User Certificates, click on Add and choose the Cert you just created.
9. As Method select "Choose an existing certificate", give it a name and choose the vpnuser Cert you created earlier. Hit save and Save again.
10. Coming closer to the end, we will now install the openvpn-client-export package. Head over to System / Package Manager / Available Packages, put "open" in the Search bar and hit "Search". Click Install next to the openvpn-client-export package and wait for it to finish.
11. Now you will probably have to set up a Dynamic DNS Service, so that your router is reachable from the Internet. I have a fixed IP address that never changes, so I don't need it. You need it because your ISP will change your IP Address every 24 hours, so your pfSense will automatically send an update of that new IP Address to the DynDNS provider of your choice. I found the company www.noip.com very easy to set up and integrate in pfSense, it's free on top of it. After you set up your NO-IP Account, go over to Services / Dynamic DNS / and click on Add. Choose your Service Type and select WAN as the interface. Enter the Hostname you set up and enter your credentials for that service below. Give it a description and hit Save.
12. With DynDNS in place, we can finally start setting up our actual OpenVPN Server. Head to VPN / OpenVPN / and click on Wizards.
13. As "Type of Server" we want "Local User Access". Click Next.
14. As Certificate Authority, we choose our OpenVPNCA that we created earlier. Hit Next.
15. And as Certificate we choose our OpenVPN Certificate. Who would have guessed. As you can see, I take step by step seriously.
16. As Interface choose WAN.
16.1 For the Tunnel Network, choose a subnet that is NOT in use on YOUR local network. So for example, if your local network is 192.168.100.0/24, choose 192.168.101.0/24 as your tunnel. Check the Redirect Gateway box. Under Local Network choose your local network. Set Concurrent Connections to your liking.
16.2 Enter your DNS default domain. In my case it's .lan; in your case it might be your own domain. Enter your DNS Server! This is important. If your firewall is handling DNS, enter its IP address.
16.3 Leave everything else on default and hit Next.
17. Almost done folks! Now head over to OpenVPN / Client Export Utility. Under "Interface IP Address" choose your NO-IP DNS Name, for example: yourname.hopto.org. In my case I chose "Interface IP Address", because my IP does not change. Optionally you can check the "Use Random Local Port" box if you want more than 1 client to connect simultaneously.
17.2 Scroll down until you find your OpenVPN Clients. Choose the current Windows Installer and click on it to download. Remember, to test the VPN, use a different Internet connection than the one the server is running on. For a trial run you could use your mobile phone's hotspot function to connect your laptop and try the VPN connection.
18. FIRST install openvpn-install.exe: run it with right click and "Run as Administrator". After that is installed, do the same with "openvpn-postinstall.exe". NOTE: When you start OpenVPN GUI, do it with right click and "Run as Administrator" too! Otherwise it can cause problems. You can set the OpenVPN GUI to automatically start as admin every time by right-clicking on it and editing the preferences.
19. When OpenVPN is running, you get that little lock and screen symbol on your task bar. Right click it and choose "Connect" to connect to your VPN server. Enter the Username and Password you created for your VPN User and you are good to go.
That’s it! That should get you up and running in no time. I did some trial and error to get here, so I tried to give as complete a tutorial as possible.
Pro Tip: If something does not work, make sure to check the following things first:
- Status / Services and see if OpenVPN Server is running.
- Check under Firewall Rules if both the WAN and the OpenVPN Rule were created.
- Check if you entered the correct subnet mask (0/24) on your tunnel and local network
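The subnet rule from step 16.1 and the last check above can be verified before the values go into the wizard. This is an added example, not part of the original tutorial: `check_tunnel_plan` is a hypothetical helper, and the sizing check assumes the server takes one tunnel address and each connected client takes one more.

```python
import ipaddress


def check_tunnel_plan(tunnel, local_networks, concurrent_connections):
    """Return a list of problems with a planned OpenVPN tunnel network.

    tunnel                 -- planned Tunnel Network in CIDR form
    local_networks         -- CIDR strings of every subnet already in use
    concurrent_connections -- value planned for Concurrent Connections
    """
    problems = []
    try:
        # strict=True rejects entries with host bits set, e.g. 192.168.101.5/24
        tun = ipaddress.ip_network(tunnel, strict=True)
    except ValueError as exc:
        return [f"tunnel {tunnel!r} is not a valid network: {exc}"]

    # A tunnel carved out of public space would shadow real Internet hosts.
    if not tun.is_private:
        problems.append(f"{tun} is not private address space")

    for entry in local_networks:
        try:
            lan = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"local network {entry!r} is not valid: {exc}")
            continue
        # Overlap covers identical subnets and one subnet containing the other.
        if tun.overlaps(lan):
            problems.append(f"{tun} overlaps local network {lan}")

    # Assumption: network and broadcast addresses are unusable, the server
    # takes one address and every connected client takes one more.
    usable = tun.num_addresses - 2
    needed = concurrent_connections + 1
    if needed > usable:
        problems.append(
            f"{tun} has {usable} usable addresses, {needed} are needed"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values; the first pair is the one used in step 16.1.
    for candidate in ("192.168.101.0/24", "192.168.100.0/24", "192.168.0.0/16"):
        result = check_tunnel_plan(candidate, ["192.168.100.0/24"], 10)
        print(candidate, "->", result or "OK")
```

An empty list means the tunnel network is safe to enter; add the subnets of the remote sites you expect to connect from to `local_networks` to catch clashes on the client side as well.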