Configure OpenVPN for pfSense 2.4: The Complete Guide

In this Configure OpenVPN for pfSense 2.4 guide, you will learn how to set up OpenVPN for pfSense 2.4 and establish a VPN connection to your internal network using the free NO-IP DynDNS Service. I will guide you through each step.

I use pfSense version 2.4.4 for this guide, which as of writing this article is still in development.

Step 1 – Creating a NO-IP Account

If you have a static IP address or already have a different DynDNS service in place, you can continue with Step 2. Everyone else first sets up a NO-IP account, because we will need it later on. Head over to NO-IP and create yourself a hostname. I recommend choosing a generic hostname so nobody can guess it.

After clicking on Sign Up, fill out the required fields and create your account. The free account requires you to confirm your hostname every 30 days. Activate your account via the confirmation email. Once confirmed, log in to NO-IP with your account and create a Username as prompted.

In your NO-IP Dashboard, navigate to Dynamic DNS -> No-IP Hostnames. You should already see your IP address (indicated by 3) and your DynDNS name (indicated by 4). If you use another IP, adjust the entry accordingly. If you want to confirm that the IP is correct, head to this website.

Good. Now that we have a DynDNS account, we can set it up in pfSense next.

Step 2 – Setting up DynDNS in pfSense

In pfSense, navigate to Services / Dynamic DNS and click on +Add. Fill out the required fields as in the screenshot below, choosing your service from the list. If you opted for NO-IP Free like me, choose No-IP (free).

Interface to Monitor is WAN. The Hostname is the hostname you set up for yourself on No-IP, in my case ceos3c.hopto.org. Scroll down and enter your No-IP Username and Password. Give the service a description and click Save.

Once this is done, you should see the Cached IP in green, which means the IP is up to date.

Good. We are done setting up DynDNS.

Step 3 – Creating Certificates

Now we need to create a new Certificate Authority and a new certificate to configure OpenVPN for pfSense 2.4.

Creating a new Certificate Authority

Navigate to System / Cert. Manager. Click on +Add to create a new Certificate Authority.

Fill everything in as in the screenshot below. You can choose a stronger Digest Algorithm if you want to.

Click on Save once you are done.

Creating a Server Certificate

Now we need to create a new Server Certificate. Navigate to System / Certificate Manager / Certificates and click on +Add/Sign to create a new certificate. Make sure to select the OpenVPN-CA we created above as the Certificate Authority and to use your DynDNS hostname as the Common Name. For Certificate Type, make sure to choose Server Certificate.

Fill in the rest as in the screenshot below and click Save at the end.

Step 4 – Creating a VPN User

Now we are going to create a VPN user. This user will be used to log in to our VPN client from a remote location.

Navigate to System / User Manager and click +Add to add a new User.

Make sure to tick Create Certificate for User and give the certificate a descriptive name. Also make sure to choose our OpenVPN-CA as the Certificate Authority. Click on Save once you are done.

Step 5 – Installing the OpenVPN Client Export Package

Now we need to install the OpenVPN Client Export package, which creates our Windows installer or lets us download VPN configuration files for Linux. Navigate to System / Package Manager / Available Packages and type OpenVPN in the search field. Click on +Install to install it.

Now that we have this in place we can go ahead and configure OpenVPN for pfSense 2.4.

Step 6 – Configure OpenVPN for pfSense 2.4

Navigate to VPN / OpenVPN / Wizards. Choose Local User Access and click Next.

Select our OpenVPN-CA and click Next.

Select the OpenVPN-Cert (Server Certificate) we created earlier.

The next step is a bit lengthy and is divided into a couple of screenshots. Make sure you fill everything out as in my example, or adjust it according to your own needs.

General OpenVPN Server Information and Cryptography Settings

Tunnel Settings

This is quite important to get right, so let me quickly elaborate. Let’s assume your local network is 192.168.1.0/24. Your Tunnel Network must be a different subnet, so you could choose 192.168.2.0/24 for it.

Concurrent Connections is the number of clients that can connect via OpenVPN simultaneously. If you are the only user, just set it to 1 for good measure. Also check Redirect Gateway to force all client traffic through the tunnel.
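A small check of the two subnets, added here as an example and not taken from the original guide or from pfSense itself: it uses Python's standard ipaddress module to reject host-style entries (192.168.1.1/24 instead of 192.168.1.0/24, the mistake the troubleshooting section warns about), a tunnel that overlaps the local network, and a tunnel range outside RFC 1918. The function name and the sample inputs are my own.

```python
import ipaddress

# RFC 1918 ranges; a tunnel network outside these would collide with real
# Internet addresses once Redirect Gateway pushes all client traffic into the tunnel.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_openvpn_networks(local_network: str, tunnel_network: str) -> list[str]:
    """Validate the Local Network / Tunnel Network pair entered in the OpenVPN wizard.

    Returns a list of problems; an empty list means the pair is usable. The checks
    follow the guide: both values must be network addresses (.0/24, not .1/24),
    the tunnel must not overlap the LAN, and the tunnel should be a private range.
    """
    problems: list[str] = []
    parsed = {}
    for label, text in (("Local Network", local_network), ("Tunnel Network", tunnel_network)):
        try:
            # strict=True rejects host addresses such as 192.168.1.1/24 (host bits set)
            parsed[label] = ipaddress.ip_network(text, strict=True)
        except ValueError:
            problems.append(f"{label} {text!r} is not a network address; write it in the .0/24 form")

    local = parsed.get("Local Network")
    tunnel = parsed.get("Tunnel Network")
    if (local is not None and tunnel is not None
            and local.version == tunnel.version and local.overlaps(tunnel)):
        problems.append(f"Tunnel Network {tunnel} overlaps Local Network {local}; pick a different subnet")
    if tunnel is not None and tunnel.version == 4:
        if not any(tunnel.subnet_of(r) for r in RFC1918):
            problems.append(f"Tunnel Network {tunnel} is not an RFC 1918 private range")
        if tunnel.num_addresses < 4:
            problems.append(f"Tunnel Network {tunnel} is too small to hand out client addresses")
    return problems


if __name__ == "__main__":
    # The guide's example pair, followed by the host-address mistake from Troubleshooting.
    for local, tunnel in (("192.168.1.0/24", "192.168.2.0/24"), ("192.168.1.0/24", "192.168.1.1/24")):
        print(local, tunnel, check_openvpn_networks(local, tunnel) or ["OK"])
```

Run it before clicking Next in the wizard; an empty list for your own pair means the values match what the guide expects.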

Client Settings

For DNS Default Domain, enter the domain you specified under System / General Setup. If you are unsure, navigate to System / General Setup (right-click -> Open in a new tab if you don’t want to interrupt the wizard). Then enter the IP address of your DNS server; if pfSense is your DNS server, enter the IP of your pfSense firewall.

Phew, this bit was tough, eh? But click on Next and you are golden! Well, almost.

Firewall Rule Configuration

On the last step of the Wizard tick both checkboxes to create Firewall Rules for both OpenVPN and Clients.

Finally, click Next and Finish. Now we are almost done.

Step 7 – Exporting and Installing the Client

Navigate to VPN / OpenVPN / Client Export. At the top, under Client Connection Behaviour, make sure to choose your DynDNS hostname for Host Name Resolution. Then scroll down a little and hit Save as Default.

Check Use Random Local Port if you want to connect more than one client simultaneously.
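Added example, not part of the original guide and not pfSense's own export code: a Python checker for an exported .ovpn file that confirms the settings this step is about. The sample config is constructed from the directive names a pfSense export normally emits (remote, auth-user-pass, remote-cert-tls server); whether your export writes lport 0 or nobind for Use Random Local Port is an assumption here, so both are accepted. The function names and the hostname ceos3c.hopto.org (the guide's own example) are for illustration only.

```python
import ipaddress

# Constructed sample modelled on a pfSense Client Export (not a real export from
# the page); the certificate block is a placeholder, not a real certificate.
SAMPLE_EXPORT = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote ceos3c.hopto.org 1194 udp
lport 0
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(placeholder: the CA certificate is inlined here by the export)
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to the list of argument lists it was given.

    Inline <ca>...</ca>, <cert>, <key> and <tls-auth> blocks are skipped,
    comments (# or ;) and blank lines are ignored.
    """
    directives: dict[str, list[list[str]]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_export(text: str, expected_host: str) -> list[str]:
    """Return findings about an exported client config; empty list means it looks right."""
    d = parse_ovpn(text)
    findings: list[str] = []
    remotes = d.get("remote", [])
    if not remotes:
        findings.append("no 'remote' line: the client does not know which server to contact")
    for args in remotes:
        host = args[0] if args else ""
        if is_ip_literal(host):
            findings.append(f"remote {host} is a literal IP; set Host Name Resolution to your "
                            f"DynDNS hostname so the export survives a WAN IP change")
        elif host != expected_host:
            findings.append(f"remote {host} does not match the DynDNS hostname {expected_host}")
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass missing: a Local User Access server will reject the client")
    if ["server"] not in d.get("remote-cert-tls", []):
        findings.append("remote-cert-tls server missing: the client will not insist on a "
                        "server-purpose certificate from the other end")
    if "nobind" not in d and ["0"] not in d.get("lport", []):
        findings.append("no random local port (lport 0 / nobind): a second client on the same "
                        "machine fails with 'Address already in use'; tick Use Random Local Port")
    return findings


if __name__ == "__main__":
    print(check_export(SAMPLE_EXPORT, "ceos3c.hopto.org") or ["export looks consistent"])
```

Point it at the .ovpn you downloaded and the hostname you registered; any finding maps back to a setting on the Client Export page.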

Now scroll down until you find OpenVPN Clients; you should see your VPNUser with a couple of Client Export options next to it. If you are on Windows, download the Current Windows Installer.

Once downloaded, right-click the installer and select Run as Administrator. If a Windows SmartScreen warning pops up, click on More Info and Run Anyway. Install OpenVPN leaving everything at the defaults. When prompted whether to install the TAP-Windows Provider V9 Network Adapters, click on Install.

Once installed, double-click the OpenVPN GUI icon on your Desktop to start it; from now on OpenVPN starts automatically when your computer boots. You will see a small Screen+Lock icon in your taskbar.

Step 8 – Connecting to OpenVPN with pfSense 2.4

Right-click the lock icon and select Connect. Enter your VPNUser Username and Password.

When prompted, allow the connection through your Windows Firewall for both Private and Public networks. You should now see that you are connected to your VPN, indicated by the green light in the small Screen+Lock icon in your taskbar.

Congratulations, you successfully set up OpenVPN for pfSense 2.4!

Troubleshooting

In case you run into any problems, these are the first things to check:

  • Is the OpenVPN service running? Navigate to Status / Services. If you are not able to start it, restart your pfSense.
  • Check that all firewall rules were created, both the WAN rule and the OpenVPN rule.
  • Check that you entered the correct subnet mask (192.168.1.0/24) for your Tunnel and Local Network in your OpenVPN config. It has to end in .0/24, not .1/24 or something like that.
  • Check the System Logs under Status / System Logs for hints.
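To map client log lines onto the checks above, here is an added Python triage script (mine, not from the guide). Its rules correspond to the messages readers quote in the comments below: unsupported certificate purpose (the server certificate was not created as a Server Certificate in Step 3), Address already in use (a local port conflict, cured by Use Random Local Port in Step 7), Auth Username/Password was not provided by peer, and the TLS handshake / key negotiation timeouts that usually mean no reply ever came back from the server. The sample log lines are constructed, modelled on the ones posted; the rule priorities and function names are my own assumptions.

```python
import re

# Constructed sample log, modelled on lines readers posted in the comments
# (addresses replaced with documentation ranges; not a real capture).
SAMPLE_LOG = [
    "Wed Nov 29 09:45:33 2017 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=vpn.example.invalid",
    "Wed Nov 29 09:45:33 2017 TLS Error: TLS handshake failed",
    "Sat Jun 17 14:11:05 2017 TCP/UDP: Socket bind failed on local address [undef]: Address already in use (WSAEADDRINUSE)",
    "Wed Nov 29 09:46:33 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Sep 9 15:39:06 openvpn 24411 203.0.113.5:34855 TLS Error: Auth Username/Password was not provided by peer",
]

# (priority, pattern, guide step to revisit, what to check). Lower priority = closer
# to the root cause; the generic TLS timeout is usually a consequence of the others.
TRIAGE_RULES = [
    (1, re.compile(r"unsupported certificate purpose", re.I), "Step 3",
     "the server certificate was not created with Certificate Type 'Server Certificate'; "
     "re-create it under the OpenVPN-CA, select it in the server config and re-export the client"),
    (2, re.compile(r"Auth Username/Password was not provided by peer", re.I), "Step 7",
     "the client config has no auth-user-pass line; re-export the client from the Local User Access server"),
    (3, re.compile(r"Address already in use|WSAEADDRINUSE", re.I), "Step 7",
     "another OpenVPN client on this machine holds the local port; tick Use Random Local Port "
     "in Client Export and re-install, or stop the other instance"),
    (9, re.compile(r"TLS key negotiation failed to occur within \d+ ?seconds|TLS handshake failed", re.I),
     "Troubleshooting",
     "no usable reply from the server: check the OpenVPN service under Status / Services, the WAN "
     "rule for the OpenVPN port, and that the DynDNS hostname resolves to the current WAN IP"),
]


def triage_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (line, step, advice) for every line that matches a rule; first matching rule wins."""
    hits = []
    for line in lines:
        for _prio, pattern, step, advice in TRIAGE_RULES:
            if pattern.search(line):
                hits.append((line, step, advice))
                break
    return hits


def diagnose(lines: list[str]) -> list[tuple[str, str]]:
    """Collapse the matches into unique (step, advice) pairs, most likely root cause first."""
    seen = set()
    found = []
    for line in lines:
        match = next((r for r in TRIAGE_RULES if r[1].search(line)), None)
        if match is None or (match[2], match[3]) in seen:
            continue
        seen.add((match[2], match[3]))
        found.append(match)
    found.sort(key=lambda r: r[0])
    return [(step, advice) for _prio, _pattern, step, advice in found]


if __name__ == "__main__":
    for step, advice in diagnose(SAMPLE_LOG):
        print(f"[{step}] {advice}")
```

Feed it the OpenVPN GUI log (or the pfSense log under Status / System Logs / OpenVPN) one line per list entry; the first entry returned by diagnose is the one to fix before looking at the rest.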

35 thoughts on “Configure OpenVPN for pfSense 2.4: The Complete Guide”

  • February 20, 2019 at 9:11 am

    Hi sir thanks for the tutorial. But I do received an error while try to connect using a laptop which is connected to my phone’s hotspot. “Error: TLS Key negotiation failed to occur within 60seconds”.
    I’ve disabled my firewall and anti virus
    I’ve disabled the DNS Resolver
    Checked the firewall rules that has been created from WAN and OpenVPN int
    But still error occurred. What could be the problem? Thanks!

  • February 20, 2019 at 9:02 am

    Hi sir, Thank you for the tutorial… But even though i followed it step by step I still encountered the “error: TLS Key negotiation failed to occur within 60seconds”. I’ve already disabled my firewall and anti virus.. then re do the tutorial but still receiving the same error. Should I disabled the DNS Resolver? When I tried to install it on my computer within the network the connection established but unidentified network on the TAP Driver, then when I’m installing and connecting using a laptop which is connected to a phone’s hotspot.. I get the error about TLS. Please help thanks!

  • January 17, 2019 at 8:28 pm

    Great write up and Video! Thanks for taking the time.

    I implemented quickly and works great.

    One question, how do I configure pfSense to allow the VPN Client to have outgoing Internet access when connected by VPN?

    I have my client connecting to the VPN server successfully. Client is able to access internal servers / systems on the 192.168.1.0/24 network.

    But when I try to access public internet sites it can’t connect. Disconnect the VPN and able to connect to public internet sites no problems.

    Is there additional setup to configure the VPN network (192.168.2.0/24 in your example) to access public internet sites when connected?

    Thx.

    • January 18, 2019 at 8:40 am

      Are you trying this while you are in the internal network? So, you connect to the VPN while you are actually inside of pfSense’s network? Because that wouldn’t work. If you connect from the outside, you should have internet access.

  • September 9, 2018 at 9:43 pm

    Thank you for this write-up. The good news is, if I use the IP address in my export file, I can connect to the VPN no problem.

    I set up a domain using Dynu (e.g. homeserver.somedomain.com) and have successfully setup Dynamic DNS to point to it. I can ping the domain no problem using a PING command in Terminal. However, when I try to use the domain name in my export file, OpenVPN doesn’t connect. I see the following things in the log:

    Time Process PID Message
    Sep 9 15:39:06 openvpn 24411 172.56.4.120:34855 TLS Error: TLS handshake failed
    Sep 9 15:39:06 openvpn 24411 172.56.4.120:34855 TLS Error: Auth Username/Password was not provided by peer

    Any suggestions?

    • September 10, 2018 at 3:48 pm

      Weeeeeeeeell…this is interesting. Using Dynu with pfsense doesn’t allow the web address to redirect through to my VPN. However, I switched to no-ip and…tada…it works! So, choosing a DNS service that works natively with pfsense is important.

      I’m now up and running. Thank you so much for this guide. It worked like a charm.

      • September 10, 2018 at 4:17 pm

        Paul, thanks for coming back and leaving a positive reply. I am happy it worked out for you in the End! If you want, subscribe to the Newsletter (No ads, only content updates). I have a lot of pfSense content in the Making 🙂

  • February 17, 2018 at 7:51 pm

    Excellent write up! Quick question. Is this a split tunnel design? or is all internet traffic now tunneled through this VPN connection?

  • December 8, 2017 at 1:32 pm

    worked like a charm, cheers

  • November 30, 2017 at 12:48 pm

Another question: hostnames are not resolved through the VPN. My clients can’t ping the FQDN. Any advice? Thanks

    • November 30, 2017 at 3:12 pm

      Under the client export make sure the Host Name Resolution is set correctly. It defaults to the WAN ip.

    • December 1, 2017 at 9:44 am

      Under Services / DNS Resolver / Outgoing Network Interfaces: Only select LAN and Localhost. That should fix the issue. Also, if you are in a domain environment, do you have Domain Override in Place?

  • November 29, 2017 at 9:53 am

    Hi everybody, thanks for the tuto.

    I Get that:

    Wed Nov 29 09:45:33 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]5.196.43.192:1194
    Wed Nov 29 09:45:33 2017 UDP link local (bound): [AF_INET][undef]:0
    Wed Nov 29 09:45:33 2017 UDP link remote: [AF_INET]5.196.43.192:1194
    Wed Nov 29 09:45:33 2017 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=FR, ST=Midi-Pyrénée, L=Toulouse, O=Solyann, [email protected], CN=www.solyann.fr, OU=Agence
    Wed Nov 29 09:45:33 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Wed Nov 29 09:45:33 2017 TLS_ERROR: BIO read tls_read_plaintext error
    Wed Nov 29 09:45:33 2017 TLS Error: TLS object -> incoming plaintext read error
    Wed Nov 29 09:45:33 2017 TLS Error: TLS handshake failed
    Wed Nov 29 09:45:33 2017 SIGUSR1[soft,tls-error] received, process restarting

    Any advice ?

    • November 29, 2017 at 1:13 pm

      VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=FR, ST=Midi-Pyrénée, L=Toulouse, O=Solyann, [email protected], CN=www.solyann.fr, OU=Agence
      Wed Nov 29 09:45:33 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

It seems like you made a mistake somewhere in the certificate process. I’d suggest running through it again from the beginning and paying special attention to the certificate part. The instructions definitely work if you follow along every step.

      • November 30, 2017 at 12:47 pm

Found the issue, I made the mistake of not specifying “server certificate” at step 4.
Thanks for your reply

  • November 28, 2017 at 2:03 pm

    Thank You. Worked perfectly!

    • November 28, 2017 at 2:38 pm

      Happy to help my friend 🙂

  • November 24, 2017 at 3:28 pm

Great tutorial! I’m successfully connected, but I can access only the remote pfSense and not the other devices of the remote network (for example printers, PCs etc.). Any suggestion? Thanks!!

  • October 17, 2017 at 8:39 pm

Great write-up with concise instructions on how to get it all running. If people are having issues with the free Windows OpenVPN client I would recommend the Viscosity OpenVPN client. It works very well with Windows & Mac, plus pfSense also supports it as a one-click export. The client does cost a little bit, but it’s worth avoiding the headache that the free client can sometimes bring.

Lastly, after doing the setup I would recommend people research a little about enhancing the security of the VPN by increasing the default encryption selections. Most hardware nowadays has support for some type of encryption offloading, so increasing from 1024 to 2048 has very little impact on CPU usage.

    • October 18, 2017 at 8:48 am

      Thanks for the recommendation!

  • September 10, 2017 at 1:41 pm

    Hey just wanted to say thank you for a great guide and also for not skipping over any of the small details like many people do.

    I’ve had plenty of experience setting up OpenVPN, but there were a few steps in doing it myself on pfSense that threw me. Thanks again!

    • September 11, 2017 at 10:45 am

      You are welcome! Thanks for sharing your experience!

  • September 5, 2017 at 9:09 am

    Maaaaaaaan!!!! Thanks alot!!!! Been looking for this for ages!!!!! Blessings upon blessings……

    • September 5, 2017 at 9:45 am

      Haha, welcome man 🙂

  • August 24, 2017 at 4:44 pm

    Wonderful, thanks for this step by step. I would like to ask permission to create a manual taking
    this step by step as a reference, so I can show to my co-workers how to setup their home firewall, and vpn.

    • September 4, 2017 at 2:10 pm

      Hi Elvis thanks for asking. Yes you can do that, as long as you do not publish it anywhere online.

  • August 16, 2017 at 9:46 am

Hi, I successfully connected to my remote OpenVPN server, but I can’t access local computers behind the pfSense server. What did I do wrong? Thanks

    • August 21, 2017 at 9:55 am

      If you’re in a Domain you might need to use the FQDN, like, mycomputer.mydomain.com

  • July 22, 2017 at 1:03 pm

    BTW works excellent for 2.3.4-RELEASE-p1 too…

    • July 24, 2017 at 1:54 pm

      Great to know. Thanks for the Information.

  • July 22, 2017 at 1:02 pm

    Thank you very much, really clear and working guide!!

    • July 24, 2017 at 1:54 pm

      Very welcome!

  • June 25, 2017 at 7:36 pm

    OMG!!! THANK YOU!! I have been trying to set this up for months now. And this has been the BIGGEST thorn in my side. Thank you so very much!!

    • June 26, 2017 at 9:27 am

      Amazing. I do it for comments like these 🙂

  • June 17, 2017 at 11:12 pm

Hi, thanks for your tutorial. I’m getting these errors in the Windows client:

    Sat Jun 17 14:10:58 2017 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
    Sat Jun 17 14:10:58 2017 Windows version 6.1 (Windows 7) 64bit
    Sat Jun 17 14:10:58 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
    Enter Management Password:
    Sat Jun 17 14:11:05 2017 Control Channel Authentication: using ‘pfSense-udp-1194-alexmora-tls.key’ as a OpenVPN static key file
    Sat Jun 17 14:11:05 2017 TCP/UDP: Socket bind failed on local address [undef]: Address already in use (WSAEADDRINUSE)
    Sat Jun 17 14:11:05 2017 Exiting due to fatal error

    Any advice?
    Thanks
    Alex
