In this Configure OpenVPN for pfSense 2.4 guide, you will learn how to set up OpenVPN for pfSense 2.4 and establish a VPN connection to your internal network using the free NO-IP DynDNS Service. I will guide you through each step.
I use pfSense version 2.4.4 for this guide, which as of writing this article is still in development.
Step 1 – Creating a NO-IP Account
If you have a static IP address or already have a different DynDNS service in place, you can continue with Step 2. For everyone else, we first set up a NO-IP account because we will need it later on. Head over to NO-IP and create yourself a hostname. I recommend choosing a hostname that reveals nothing about you or your network, so nobody can guess it.
After clicking on Sign Up fill out the required fields and create your account. The free account requires you to confirm your hostname every 30 days. Activate your account via email. Log in to NO-IP with your account once confirmed and create a Username as prompted.
In your NO-IP Dashboard navigate to Dynamic DNS -> No-IP Hostnames. The hostname entry should already show your current public IP address (marker 3 in the screenshot) next to your DynDNS name (marker 4). If the IP shown is not your public address, adjust the entry accordingly. To confirm the IP, compare it with what a public "what is my IP" site reports for your connection.
Good, now we have a DynDNS account, we can set this up in pfSense next.
Step 2 – Setting up DynDNS in pfSense
In pfSense, navigate to Services / Dynamic DNS and click on +Add. Now fill out the required fields as in the screenshot below. Choose your service from the list of services. In case you opted for NO-IP Free like me, choose No-IP (free).
Interface to Monitor is WAN. The hostname is the Hostname you set up for yourself on No-IP, in my case ceos3c.hopto.org. Scroll down and enter your No-IP Username and Password. Give the service a description and click save.
Once this is done, you should see the Cached IP in green, which means the IP is up to date. If it stays red, pfSense could not update No-IP; check the username and password and the Status / System Logs entries for dyndns.
Good. We are done setting up DynDNS.
Step 3 – Creating Certificates
Now we need to create a new Certificate Authority and a new certificate to configure OpenVPN for pfSense 2.4.
Creating a new Certificate Authority
Navigate to System / Cert. Manager. Click on +Add to create a new Certificate Authority.
Fill everything out as in the screenshot below. For the Digest Algorithm use at least SHA256; SHA1 is no longer acceptable for certificate signatures, and a higher setting such as SHA512 is fine too.
Click on Save once you are done.
Creating a Server Certificate
Now we need to create a new Server Certificate. Navigate to System / Certificate Manager / Certificates and click on +Add/Sign to create a new certificate. Make sure to select the OpenVPN-CA we created above as the Certificate Authority and use your DynDNS hostname as the Common Name, because that is the name the exported client configuration will check the server against. For Certificate Type make sure to choose Server Certificate.
Fill the rest out like in the Screenshot below. Click Save at the end.
Step 4 – Creating a VPN User
Now we are going to create a VPN user. This user will be used to log in from the VPN client at a remote location, so choose a strong password: once the WAN rule is in place this login is reachable from the internet.
Navigate to System / User Manager and click +Add to add a new User.
Make sure to tick Create Certificate for User and give the Certificate a descriptive name. Also, make sure to choose our OpenVPN-CA as the Certificate Authority. Click on Save once you are done with that.
Step 5 – Installing the OpenVPN Client Export Package
Now we need to install the OpenVPN Client Export Package to create our Windows Installer or download VPN Configuration Files for Linux. Navigate to System / Package Manager / Available Packages and type OpenVPN in the search field. Click on +Install to install it.
Now that we have this in place we can go ahead and configure OpenVPN for pfSense 2.4.
Step 6 – Configure OpenVPN for pfSense 2.4
Navigate to VPN / OpenVPN / Wizards. Choose Local User Access and click Next.
Select our OpenVPN-CA and click Next.
Select the OpenVPN-Cert (Server Certificate) we created earlier.
The next step is a bit lengthy and will be divided into a couple of Screenshots. Make sure you fill everything out as in my example or adjust according to your own needs.
General OpenVPN Server Information and Cryptography Settings
This is quite important to get right. Let me quickly elaborate. Let's assume your local network is 192.168.1.0/24. Your Tunnel Network must be a different subnet, so you could choose 192.168.2.0/24 for your Tunnel Network. Both fields take a network address ending in .0/24, not a host address such as 192.168.2.1/24. Keep in mind that the tunnel network must also not overlap the LAN your client sits on while roaming (hotel and home routers very often use 192.168.0.0/24, 192.168.1.0/24 or 192.168.2.0/24), otherwise the client's own LAN route wins and the VPN does not work; an uncommon range such as 10.8.0.0/24 avoids that.
Concurrent Connections is how many clients can be connected via OpenVPN at the same time. If you only have one user for yourself, just set it to 1. Also check Redirect Gateway to force all client traffic through the tunnel; without it only traffic for the Local Network is sent through the VPN.
For DNS Default Domain enter the domain you specified under System / General Setup. If you are unsure, navigate to System / General Setup (Right-Click -> Open in a new tab if you don't want to interrupt the Wizard). Then enter the IP address of your DNS server; if pfSense is your DNS resolver, enter the LAN IP of your pfSense firewall.
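To make the subnet rules above concrete, here is a small checker I added for this guide (it is not part of pfSense or the OpenVPN wizard). It takes the Tunnel Network and Local Network values as you would type them into the wizard, rejects host addresses such as 192.168.2.1/24, rejects a tunnel that overlaps the local network, and warns when either subnet collides with a constructed list of LAN ranges that roaming clients commonly sit behind. Run against the guide's own 192.168.2.0/24 and 192.168.1.0/24 it passes the hard checks but shows both warnings; 10.8.0.0/24 with a less common LAN shows none.

```python
import ipaddress

# Constructed for this example: subnets a roaming client is often behind
# (home-router and hotel defaults). Not taken from the original guide.
COMMON_REMOTE_LANS = (
    "192.168.0.0/24",
    "192.168.1.0/24",
    "192.168.2.0/24",
    "10.0.0.0/24",
    "10.0.1.0/24",
)


def parse_network(value):
    """Parse a CIDR string the way the wizard expects it.

    Returns an IPv4Network/IPv6Network, or None when the string is not a
    network address. strict=True rejects host addresses such as
    192.168.2.1/24, which is exactly the mistake the troubleshooting
    list warns about (the value has to end in .0/24).
    """
    try:
        return ipaddress.ip_network(value, strict=True)
    except ValueError:
        return None


def check_openvpn_networks(tunnel, local, remote_lans=COMMON_REMOTE_LANS):
    """Sanity-check the Tunnel Network and Local Network wizard fields.

    Returns {"errors": [...], "warnings": [...]}. Errors must be fixed
    before the server will work. Warnings mean a client sitting on one of
    the common LANs may not reach the tunnel or the home LAN, because its
    own, more specific LAN route wins over the routes OpenVPN pushes.
    """
    errors, warnings = [], []
    tun = parse_network(tunnel)
    loc = parse_network(local)
    if tun is None:
        errors.append(f"tunnel network {tunnel!r} is not a network address (use x.x.x.0/24)")
    if loc is None:
        errors.append(f"local network {local!r} is not a network address (use x.x.x.0/24)")
    if errors:
        return {"errors": errors, "warnings": warnings}

    # The tunnel must be a separate subnet from the LAN behind pfSense.
    if tun.overlaps(loc):
        errors.append(f"tunnel network {tun} overlaps local network {loc}")

    for lan in remote_lans:
        remote = ipaddress.ip_network(lan)
        if tun.overlaps(remote):
            warnings.append(f"tunnel network {tun} collides with common client LAN {remote}")
        if loc.overlaps(remote):
            warnings.append(f"local network {loc} collides with common client LAN {remote}; "
                            "a client on such a LAN cannot reach it through the VPN")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # The guide's example, a host-address typo, and a collision-free choice.
    for tunnel, local in (("192.168.2.0/24", "192.168.1.0/24"),
                          ("192.168.2.1/24", "192.168.1.0/24"),
                          ("10.8.0.0/24", "172.16.50.0/24")):
        result = check_openvpn_networks(tunnel, local)
        print(f"tunnel={tunnel} local={local}")
        for line in result["errors"]:
            print("  error:", line)
        for line in result["warnings"]:
            print("  warning:", line)
```

The warning list is deliberately short; extend COMMON_REMOTE_LANS with whatever networks your own clients actually roam through.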
Puh, this bit was tough, eh? But click on Next and you are golden! Well, almost.
Firewall Rule Configuration
On the last step of the Wizard tick both checkboxes to create firewall rules for both OpenVPN and the clients. The first adds a WAN rule that allows the OpenVPN port (UDP 1194 by default) to reach pfSense, the second adds a pass rule on the OpenVPN interface so connected clients can reach the Local Network. That second rule passes all traffic; tighten it later if your clients should only reach specific hosts.
Finally, click Next and Finish. Now we are almost done.
Step 7 – Exporting and Installing the Client
Navigate to VPN / OpenVPN / Client Export. At the top, under Client Connection Behaviour, make sure to choose your DynDNS hostname for Host Name Resolution; otherwise the exported configuration points at your current WAN IP and stops working when that IP changes. After this scroll down a little bit and hit Save as Default.
Check Use Random Local Port in case you want to connect more than 1 client simultaneously.
Now scroll down until you find OpenVPN Clients and you should see your VPNUser and a couple of Client Export Options next to it. If you are on Windows, you want to download the Current Windows Installer.
Once downloaded, right-click the installer and select Run as administrator. If a Windows SmartScreen warning pops up, click on More Info and Run Anyway. Install OpenVPN leaving everything on default. When prompted whether you would like to install the TAP-Windows Provider V9 network adapters, click on Install.
Once installed double-click the OpenVPN GUI Icon from your Desktop to start it. When you restart your computer, OpenVPN will be started automatically in the future. You will see a little Screen+Lock Icon in your Taskbar now.
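Before you carry the exported profile around, it is worth checking what the export actually wrote. The checker below is an added example for this guide, not part of the pfSense Client Export package, and it runs on a constructed .ovpn sample that only imitates the shape of an export (the real file additionally carries inline <ca>, <cert> and <key> blocks, which the parser skips). It confirms that the remote line uses the DynDNS hostname rather than an IP, that remote-cert-tls server is set so the client refuses to talk to another VPN user presenting a user certificate from the same CA, and that auth-user-pass is present so the VPN user's password is actually asked for.

```python
import shlex

# Constructed sample profile for this example. It imitates the layout of an
# exported .ovpn but is not the file the Client Export package produces.
SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote ceos3c.hopto.org 1194 udp
lport 0
verify-x509-name "ceos3c.hopto.org" name
auth-user-pass
remote-cert-tls server
"""


def parse_ovpn(text):
    """Return [(directive, [args]), ...] for the plain directive lines.

    Comment lines and the contents of inline <ca>/<cert>/<key> blocks are
    skipped; the certificate material is not needed for these checks.
    """
    directives = []
    in_inline = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):
            in_inline = False
            continue
        if line.startswith("<"):
            in_inline = True
            continue
        if in_inline:
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def check_client_profile(text, expected_host):
    """Check an exported client profile against the choices made in the guide.

    expected_host is the DynDNS hostname chosen for Host Name Resolution.
    Returns a list of problems; an empty list means the profile looks right.
    """
    directives = parse_ovpn(text)
    problems = []

    remotes = [args for name, args in directives if name == "remote"]
    if not remotes:
        problems.append("no remote line: the client does not know where to connect")
    for args in remotes:
        host = args[0] if args else ""
        if host != expected_host:
            problems.append(f"remote points at {host!r}, not the DynDNS hostname "
                            f"{expected_host!r}; fix Host Name Resolution and export again")

    # Without this, any certificate signed by OpenVPN-CA (including another
    # user's certificate) would be accepted as the server.
    if not any(name == "remote-cert-tls" and args == ["server"] for name, args in directives):
        problems.append("remote-cert-tls server is missing: the client cannot tell "
                        "the server certificate from a user certificate")

    if not any(name == "auth-user-pass" for name, _ in directives):
        problems.append("auth-user-pass is missing: the VPN user's password is never asked for")
    return problems


if __name__ == "__main__":
    print(check_client_profile(SAMPLE_OVPN, "ceos3c.hopto.org"))
    # Same profile exported with the WAN IP instead of the hostname
    # (203.0.113.10 is a documentation address used here as a placeholder).
    broken = SAMPLE_OVPN.replace("remote ceos3c.hopto.org 1194 udp", "remote 203.0.113.10 1194 udp")
    print(check_client_profile(broken, "ceos3c.hopto.org"))
```

Run it against the .ovpn you actually exported, with your own hostname as the second argument, before copying the profile to a laptop.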
Step 8 – Connecting to OpenVPN with pfSense 2.4
Right-click the lock icon and select Connect. Enter your VPNUser Username and Password.
Allow connection through your Windows Firewall when prompted for it for both, Private & Public Networks. You should now see that you are connected to your VPN indicated by the green light showing in the small Screen+Lock Symbol in your Taskbar.
Congratulations, you successfully setup OpenVPN for pfSense 2.4!
In case you run into any problems these are the first things to check:
- Is the OpenVPN service running? Navigate to Status / Services. If it will not start, check the OpenVPN log under Status / System Logs / OpenVPN and, if that gives no hint, reboot your pfSense.
- Check that all firewall rules were created, both the WAN rule for the OpenVPN port and the pass rule on the OpenVPN interface.
- Check that you entered proper network addresses (for example 192.168.1.0/24) for the Tunnel Network and Local Network in your OpenVPN config. They have to end in .0/24, not .1/24 or anything else with host bits set, and the two must not overlap.
- Check the System Logs under Status / System Logs to get hints