Configure openVPN for pfSense 2.3 Step By Step

Hi folks, today I will show you how to configure OpenVPN for pfSense 2.3 step by step. I found that some tutorials out there lack detail, so here I will guide you through each and every step to achieve a working VPN connection to your internal network.

I run the newest pfSense release, 2.3.3.

So let’s get started.

1. Log in to your pfSense and head to System / Certificate Manager / CAs and click on Add

We need to create a Certificate Authority first.

2. Fill out the form accordingly. Make sure you choose "Create an internal Certificate Authority" and give it a Common Name; this is the name that will show up in your dropdown later.

3. Now head over to System / Certificate Manager / Certificates and click on Add. We will now create the openVPN Certificate.

4. Fill out the form. Make sure to choose "Create an internal Certificate" and choose the OpenVPNCA certificate we just created as the Certificate Authority. Also make sure to use "Server Certificate" as the Certificate Type.

5. Now we will create our VPN User, so head over to System / User Manager / Users and click on Add.

6. Fill everything out to your liking and hit Save.

7. Once this is done, go back to System / Certificate Manager / Certificates and create the user certificate for the user we just created. Choose a name and be sure to choose "User Certificate" this time under Certificate Type. Click on Save when you're done.

8. Now back to System / User Manager / Users and click on Edit on the vpnuser we created earlier. We need to assign the certificate we just created to this user. Under User Certificates, click on Add and choose the cert you just created.

9. As Method select "Choose an existing certificate", give it a name and choose the vpnuser Cert you created earlier. Hit save and Save again.

10. Coming closer to the end, we will now install the openvpn-client-export package. Head over to System / Package Manager / Available Packages, put "open" in the search bar and hit "Search". Click Install next to the openvpn-client-export package and wait for it to finish.

11. Now you will probably have to set up a Dynamic DNS service so that your router is reachable from the Internet. I have a fixed IP address that never changes, so I don't need it. You need it because your ISP will change your IP address every 24 hours; with DynDNS in place, your pfSense automatically sends the new IP address to the DynDNS provider of your choice.

I found the company www.noip.com very easy to set up and integrate in pfSense, and it's free on top of it. After you set up your NO-IP account, go over to Services / Dynamic DNS and click on Add.

Choose your Service Type and select WAN as the interface. Enter the hostname you set up and enter your credentials for that service below. Give it a description and hit Save.

12. With DynDNS in place, we can finally start setting up our actual OpenVPN Server. Head to VPN / OpenVPN / and click on Wizards.

13. As "Type of Server" choose "Local User Access" and click Next.

14. As Certificate Authority, we choose our OpenVPNCA that we created earlier. Hit Next.

15. And as Certificate we choose our openVPN certificate. Who would have guessed. As you can see, I take "step by step" seriously.

16.   As Interface choose WAN.
16.1  For the Tunnel Network, choose a subnet that is NOT in use on YOUR local network. For example, if your local network is 192.168.100.0/24, choose 192.168.101.0/24 as your tunnel.
Check "Redirect Gateway".
Under Local Network enter your local network.
Set Concurrent Connections to your liking.
16.2  Enter your DNS default domain. In my case it's .lan; in your case it might be your own domain.
Enter your DNS server! This is important. If your firewall is handling DNS, enter its IP address.
16.3  Leave everything else on default and hit Next.
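Before clicking Next in step 16 it is worth checking that the three address values agree with each other. The following script is an added example (not part of the original tutorial and not pfSense code) that takes the Tunnel Network, the Local Network(s) and the DNS server you are about to type into the wizard, reports the mistakes the tutorial warns about (a tunnel that overlaps the local network, a DNS server that is not reachable through the tunnel), and prints the OpenVPN server directives those values correspond to. The function names `tunnel_problems` and `server_directives` are this example's own.

```python
"""Consistency checks for the OpenVPN wizard values from step 16.

Added example: not from the tutorial, not pfSense or OpenVPN code.
Uses only the standard library.
"""
import ipaddress


def tunnel_problems(tunnel_cidr, local_cidrs, dns_server):
    """Return a list of human-readable problems; an empty list means the
    values are consistent.

    tunnel_cidr - the "Tunnel Network" field, e.g. "192.168.101.0/24"
    local_cidrs - the "Local Network" value(s), e.g. ["192.168.100.0/24"]
    dns_server  - the "DNS Server 1" field, e.g. "192.168.100.1"
    """
    # strict=False tolerates a host address such as "192.168.101.1/24"
    # and normalises it to the network address the wizard expects.
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    local_nets = [ipaddress.ip_network(c, strict=False) for c in local_cidrs]
    dns = ipaddress.ip_address(dns_server)

    problems = []

    # Smaller than /30 cannot hold both ends of a single tunnel.
    if tunnel.prefixlen > 30:
        problems.append(f"tunnel {tunnel} is too small (/{tunnel.prefixlen})")

    # The tutorial's core rule: the tunnel must not be a subnet that is
    # in use on the local network, or routing becomes ambiguous.
    for net in local_nets:
        if tunnel.overlaps(net):
            problems.append(f"tunnel {tunnel} overlaps local network {net}")

    # A DNS server outside the pushed networks is reached (if at all) via the
    # client's normal path, so internal hostnames will not resolve.
    if not any(dns in net for net in local_nets):
        problems.append(
            f"DNS server {dns} is outside the local networks, "
            "so internal hostnames will not resolve through the tunnel")
    return problems


def server_directives(tunnel_cidr, local_cidrs, dns_server):
    """Return the OpenVPN server-side directives equivalent to the wizard
    values, or raise ValueError if tunnel_problems() found anything."""
    problems = tunnel_problems(tunnel_cidr, local_cidrs, dns_server)
    if problems:
        raise ValueError("; ".join(problems))
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    local_nets = [ipaddress.ip_network(c, strict=False) for c in local_cidrs]
    directives = [f"server {tunnel.network_address} {tunnel.netmask}"]
    for net in local_nets:
        directives.append(f'push "route {net.network_address} {net.netmask}"')
    directives.append(f'push "dhcp-option DNS {dns_server}"')
    return directives


if __name__ == "__main__":
    # The tutorial's own example values.
    for line in server_directives("192.168.101.0/24",
                                  ["192.168.100.0/24"], "192.168.100.1"):
        print(line)
```

Run it with the values from your own network; if `tunnel_problems` returns anything, fix the wizard fields before continuing, because the exported client config inherits these values.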

17. Almost done folks! Now head over to OpenVPN / Client Export Utility. Under "Host Name Resolution" choose your NO-IP DNS name, for example yourname.hopto.org. In my case I chose "Interface IP Address", because my IP does not change.
Optionally you can check the "Use Random Local Port" box if you want more than one client to connect simultaneously.

17.2 Scroll down until you find your OpenVPN clients. Choose the current Windows installer and click on it to download. Remember, to test the VPN, use a different Internet connection than the one the server is running on. For a trial run you could use your mobile phone's hotspot function to connect your laptop and try the VPN connection.

18. FIRST install openvpn-install.exe: right-click it and choose "Run as Administrator". After that is installed, do the same with openvpn-postinstall.exe. NOTE: When you start OpenVPN GUI, do it with right-click and "Run as Administrator" too! Otherwise it can cause problems.

You can set the OpenVPN GUI to automatically start as admin every time when you right click on it and edit the preferences.

19. When OpenVPN is running, you will see a little lock-and-screen symbol in your task bar. Right-click it and choose "Connect" to connect to your VPN server. Enter the username and password you created for your VPN user and you are good to go.
That’s it! That should get you up and running in no time. It took some trial and error to get here, so I tried to make this tutorial as complete as possible.

Pro Tip: If something does not work, make sure to check the following things first:

  • Status / Services: see if the OpenVPN server is running.
  • Check under Firewall / Rules that both the WAN rule and the OpenVPN rule were created.
  • Check that you entered the correct subnet mask (e.g. 192.168.100.0/24, not a single host) for your tunnel and local network.
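When those checks look fine, the OpenVPN GUI log on the client usually says exactly what went wrong. The script below is an added example (not from the tutorial and not part of OpenVPN or pfSense) that scans a saved copy of that log for a few real OpenVPN error messages and maps each one to the tutorial step to revisit: a local port that is already in use (the "Use Random Local Port" option from step 17), a server certificate that was not created with the "Server Certificate" type (step 4, the mistake reported in the comments below), and a server that never answers (the service and WAN rule checks above). The `SAMPLE_LOG` is constructed to resemble the GUI output; its timestamps, key file name and certificate subject are made up, and the signature table, `ADVICE` and `triage` names are this example's own.

```python
"""Map OpenVPN client log messages to the tutorial's troubleshooting steps.

Added example: not from the tutorial, OpenVPN or pfSense. Standard library only.
"""
import re

# (key, regex matched against one log line, what to check in pfSense).
# The regexes target genuine OpenVPN client messages; the advice text and
# the keys are this example's own wording.
SIGNATURES = [
    ("port_in_use",
     re.compile(r"Socket bind failed on local address .*Address already in use"),
     "another OpenVPN process already owns the local port: close other clients "
     "or re-export the config with 'Use Random Local Port' checked (step 17)"),
    ("server_cert_type",
     re.compile(r"VERIFY ERROR: depth=0, error=unsupported certificate purpose"),
     "the server certificate was not created with Certificate Type "
     "'Server Certificate' (step 4): recreate it and re-run the wizard"),
    ("no_server_response",
     re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "nothing answered on the VPN port: check Status / Services (OpenVPN running) "
     "and the WAN firewall rule for the OpenVPN port"),
    ("connected",
     re.compile(r"Initialization Sequence Completed"),
     "the tunnel is up; if LAN hosts are unreachable, re-check the Local "
     "Network value and its subnet mask (step 16.1)"),
]
ADVICE = {key: text for key, _, text in SIGNATURES}


def triage(log_text):
    """Return [(line_number, key), ...] for every line that matches a
    known signature, in log order. Unknown lines are ignored."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for key, pattern, _ in SIGNATURES:
            if pattern.search(line):
                findings.append((number, key))
    return findings


# Constructed sample log (made-up timestamps, key name and cert subject),
# shaped like the OpenVPN GUI output a reader would paste.
SAMPLE_LOG = """\
Sat Jun 17 14:11:05 2017 Control Channel Authentication: using 'pfSense-udp-1194-vpnuser-tls.key' as a OpenVPN static key file
Sat Jun 17 14:11:05 2017 TCP/UDP: Socket bind failed on local address [undef]: Address already in use (WSAEADDRINUSE)
Sat Jun 17 14:11:05 2017 Exiting due to fatal error
Wed Nov 29 09:45:33 2017 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=XX, O=Example, CN=vpn.example.org
Wed Nov 29 09:45:33 2017 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for number, key in triage(SAMPLE_LOG):
        print(f"line {number}: {key} -> {ADVICE[key]}")
```

Paste the log from the OpenVPN GUI ("View Log" on the tray icon) into a file and feed its contents to `triage`; the generic "TLS handshake failed" line on its own is deliberately not matched, because the line before it is the one that names the cause.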
29 thoughts on “Configure openVPN for pfSense 2.3 Step By Step”

  • June 17, 2017 at 11:12 pm

    Hi, thanks for your tutorial. I'm getting these errors in the Windows client:

    Sat Jun 17 14:10:58 2017 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
    Sat Jun 17 14:10:58 2017 Windows version 6.1 (Windows 7) 64bit
    Sat Jun 17 14:10:58 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
    Enter Management Password:
    Sat Jun 17 14:11:05 2017 Control Channel Authentication: using ‘pfSense-udp-1194-alexmora-tls.key’ as a OpenVPN static key file
    Sat Jun 17 14:11:05 2017 TCP/UDP: Socket bind failed on local address [undef]: Address already in use (WSAEADDRINUSE)
    Sat Jun 17 14:11:05 2017 Exiting due to fatal error

    Any advice?
    Thanks
    Alex
  • June 25, 2017 at 7:36 pm

    OMG!!! THANK YOU!! I have been trying to set this up for months now. And this has been the BIGGEST thorn in my side. Thank you so very much!!

    • June 26, 2017 at 9:27 am

      Amazing. I do it for comments like these 🙂
  • July 22, 2017 at 1:02 pm

    Thank you very much, really clear and working guide!!

    • July 24, 2017 at 1:54 pm

      Very welcome!
  • July 22, 2017 at 1:03 pm

    BTW works excellent for 2.3.4-RELEASE-p1 too…

    • July 24, 2017 at 1:54 pm

      Great to know. Thanks for the information.
  • August 16, 2017 at 9:46 am

    Hi, I successfully connected to my remote OpenVPN server, but I can’t access local computers behind the pfSense server. What did I do wrong? Thanks

    • August 21, 2017 at 9:55 am

      If you’re in a domain you might need to use the FQDN, like mycomputer.mydomain.com
  • August 24, 2017 at 4:44 pm

    Wonderful, thanks for this step by step. I would like to ask permission to create a manual taking this step by step as a reference, so I can show my co-workers how to set up their home firewall and VPN.

    • September 4, 2017 at 2:10 pm

      Hi Elvis, thanks for asking. Yes you can do that, as long as you do not publish it anywhere online.
  • September 5, 2017 at 9:09 am

    Maaaaaaaan!!!! Thanks a lot!!!! Been looking for this for ages!!!!! Blessings upon blessings……

    • September 5, 2017 at 9:45 am

      Haha, welcome man 🙂
  • September 10, 2017 at 1:41 pm

    Hey, just wanted to say thank you for a great guide and also for not skipping over any of the small details like many people do.

    I’ve had plenty of experience setting up OpenVPN, but there were a few steps in doing it myself on pfSense that threw me. Thanks again!

    • September 11, 2017 at 10:45 am

      You are welcome! Thanks for sharing your experience!
  • October 17, 2017 at 8:39 pm

    Great writeup with concise instructions on how to get it all running. If people are having issues with the free Windows OpenVPN client I would recommend the Viscosity OpenVPN client. It works very well with Windows & Mac, plus pfSense also supports it as a one-click export. The client does cost a little bit, but it’s worth avoiding the headache that the free client can sometimes bring.

    Lastly, after doing the setup I would recommend people research a little about enhancing the security of the VPN by increasing the default encryption selections. Most hardware nowadays has support for some type of encryption offloading, so increasing from 1024 to 2048 has very little impact on CPU usage.

    • October 18, 2017 at 8:48 am

      Thanks for the recommendation!
  • November 24, 2017 at 3:28 pm

    Great tutorial! I’m successfully connected, but I can only access the remote pfSense and not the other devices of the remote network (for example printers, PCs etc.). Any suggestions? Thanks!!
  • November 28, 2017 at 2:03 pm

    Thank you. Worked perfectly!

    • November 28, 2017 at 2:38 pm

      Happy to help my friend 🙂
  • November 29, 2017 at 9:53 am

    Hi everybody, thanks for the tutorial.

    I get this:

    Wed Nov 29 09:45:33 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]5.196.43.192:1194
    Wed Nov 29 09:45:33 2017 UDP link local (bound): [AF_INET][undef]:0
    Wed Nov 29 09:45:33 2017 UDP link remote: [AF_INET]5.196.43.192:1194
    Wed Nov 29 09:45:33 2017 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=FR, ST=Midi-Pyrénée, L=Toulouse, O=Solyann, emailAddress=support@overlaps.fr, CN=www.solyann.fr, OU=Agence
    Wed Nov 29 09:45:33 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Wed Nov 29 09:45:33 2017 TLS_ERROR: BIO read tls_read_plaintext error
    Wed Nov 29 09:45:33 2017 TLS Error: TLS object -> incoming plaintext read error
    Wed Nov 29 09:45:33 2017 TLS Error: TLS handshake failed
    Wed Nov 29 09:45:33 2017 SIGUSR1[soft,tls-error] received, process restarting

    Any advice?

    • November 29, 2017 at 1:13 pm

      VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=FR, ST=Midi-Pyrénée, L=Toulouse, O=Solyann, emailAddress=support@overlaps.fr, CN=www.solyann.fr, OU=Agence
      Wed Nov 29 09:45:33 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

      It seems like you made a mistake somewhere in the certificate process. I’d suggest running through it again from the beginning and paying special attention to the certificate part. The instructions definitely work if you follow along every step.

      • November 30, 2017 at 12:47 pm

        Found the issue: I made the mistake of not specifying “server certificate” at step 4.
        Thanks for your reply
  • November 30, 2017 at 12:48 pm

    Another question: hostnames are not resolved through the VPN. My clients can’t ping the FQDN, any advice? Thanks

    • November 30, 2017 at 3:12 pm

      Under the client export make sure the Host Name Resolution is set correctly. It defaults to the WAN IP.

    • December 1, 2017 at 9:44 am

      Under Services / DNS Resolver / Outgoing Network Interfaces: only select LAN and Localhost. That should fix the issue. Also, if you are in a domain environment, do you have a Domain Override in place?
  • December 8, 2017 at 1:32 pm

    Worked like a charm, cheers

  • February 17, 2018 at 7:51 pm

    Excellent write up! Quick question: is this a split-tunnel design, or is all Internet traffic now tunneled through this VPN connection?