By popular demand, I created this complete beginner guide on how to install OpenVPN on pfSense 2.5. This was one of the most requested tutorials. As always, my guide is accompanied by a video, and I walk you through each and every step so you can easily follow along!
This guide was completely updated in May 2021 for pfSense version 2.5.1.
Table of Contents
- Step 1 – Creating a NO-IP Account
- Step 2 – Setting up DynDNS in pfSense
- Step 3 – Installing the Client Export Package
- Step 4 – Configure OpenVPN on pfSense using the OpenVPN Wizard
- Step 5 – Creating a VPN User
- Step 6 – pfSense OpenVPN Client Export
- Step 7 – Installing OpenVPN on Windows and Connecting
Step 1 – Creating a NO-IP Account
If you have a Static IP Address or already have a different DynDNS Service in place, you can continue with Step 2. For everyone else, we first set up a NO-IP Account because we will need it later on. Head over to NO-IP and create yourself a hostname. I recommend choosing a generic hostname so nobody can guess it.
After clicking on Sign Up, fill out the required fields and create your account. The free account requires you to confirm your hostname every 30 days. Activate your account via email. Log in to NO-IP with your account once confirmed and create a Username as prompted.
In your NO-IP Dashboard, navigate to Dynamic DNS -> No-IP Hostnames and you should already see your IP Address and your DynDNS Name. In case you use another IP, adjust the entry accordingly. If you want to confirm that the IP is correct, head to this website.
Good, now that we have a DynDNS account, we can set this up in pfSense next.
Step 2 – Setting up DynDNS in pfSense
In pfSense, navigate to Services / Dynamic DNS and click on +Add. Now fill out the required fields as in the screenshot below. Choose your service from the list of services. In case you opted for NO-IP Free like me, choose No-IP (free).
Interface to Monitor is WAN. The hostname is the hostname you set up for yourself on No-IP, in my case ceos3c.hopto.org. Scroll down and enter your No-IP Username and Password. Give the service a description and click Save.
Once this is done, you should see the Cached IP in green, which means the IP is up to date.
We are done setting up DynDNS and we can go ahead and continue with installing the OpenVPN Client Export Package on pfSense.
Step 3 – Installing the Client Export Package
To be able to later download our OpenVPN installer package, we need to install the Client Export Package first. Navigate to System / Package Manager / Available Packages and then search for OpenVPN. Click on +Install next to the openvpn-client-export package.
Step 4 – Configure OpenVPN on pfSense using the OpenVPN Wizard
We are lucky since this got a whole lot easier than it used to be. We can use the pfSense OpenVPN Wizard to help us with the setup process. Navigate to VPN / OpenVPN and click on Wizards to start the process.
As Type of Server choose Local User Access.
Creating a Certificate Authority
Create a new Certificate Authority and give it a descriptive name. Click on Add new CA to continue.
Creating a Server Certificate
Basically the same as above: give it a descriptive name and fill it in as in the screenshot below.
Now we need to set up the Server for OpenVPN on pfSense. Make sure to select everything as in the screenshots below. This part does not fit into one screenshot, so it is split across several.
General OpenVPN Server Information
This is an important step. Choose an IP range that is not yet in use as your Tunnel Network. So in case your regular home network has the address range of 192.168.10.0/24, choose something like 192.168.11.0/24 as your tunnel network. This is basically the IP range that will be used for your VPN clients. So if you connect to your VPN later, your client will have an IP of 192.168.11.2.
pfSense will scream at you if you use a subnet that is already in use.
The Local Network address is the address of, you’ve guessed it, your local network.
If you do not want to be able to access your local network when connecting to your VPN, leave this field empty. Otherwise, if you would like to access resources in your local network through your VPN, like a NAS or something, fill in the Local Network IP range here.
The only thing I’ve changed here is the DNS Server. If you want, you can push your local pfSense as a DNS server to your connected clients, so you can resolve internal network names. This is optional, although I recommend doing it.
Make sure to check both checkmarks to create the appropriate firewall rules.
Finishing the Setup
Finally, click on Finish to install the pfSense OpenVPN Server.
Step 5 – Creating a VPN User
This is the last step we need to do to configure OpenVPN on pfSense on the pfSense side. Navigate to System / User Manager and click on +Add to add a new user.
Give your user a Username and Password, then make sure to check “Click to create a user certificate”. Fill in everything as in the screenshot below. Make sure to select the correct Certificate Authority that we created earlier. When you are ready, click on Create User.
Magnificent, we are as good as done.
Step 6 – pfSense OpenVPN Client Export
Now the Client Export tool that we installed earlier comes into play. Navigate to VPN / OpenVPN / Client Export. Make sure to choose your VPN Server, and for Host Name Resolution choose the DynDNS Name that you set up earlier, or select Other in case you use a different Dynamic DNS / IP method.
OpenVPN Server & Client Connection Behaviour
Then scroll down a bit to find your VPN User that we just created in the previous step and select the appropriate package to download. For Windows 10 that would be the Current Windows Installer 64-bit.
Step 7 – Installing OpenVPN on Windows and Connecting
The package you have just downloaded is the package you want to install on your remote computer.
Simply transfer it to your remote computer and run through the installer, leaving everything as default and agreeing to everything with “Yes”. You might need to install a TAP network driver; do that if you are asked.
Now a great way of testing your setup is by using your mobile phone as a hotspot. If you are connected to your internal network via WiFi and you try to connect to your VPN, it won’t work.
To connect, make sure to start the OpenVPN GUI from your start menu or from your desktop. A small monitor icon with a lock on it appears in your taskbar.
Right-click on it and select Connect. Enter your VPN Username and Password. Click on OK to connect. The little monitor icon should turn green if the connection was successful.
That’s it. If you have followed through each step correctly, you should be connected and able to use your internal network’s resources.
In case you want to install OpenVPN on Linux, here is the guide for you!
In case you run into any problems these are the first things to check:
- Is the OpenVPN Service running? Navigate to Status / Services. If necessary, restart your pfSense if you’re not able to start it.
- Check your Firewall Rules to see if all rules were created, both the WAN and the OpenVPN Rule.
- Check if you entered the correct network and subnet mask (192.168.1.0/24) for your Tunnel and Local Network in your OpenVPN Config. It has to be .0/24 at the end, not .1/24 or something like that.
- Check the System Logs under Status / System Logs to get hints
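The subnet rules from Step 4 and the troubleshooting list above can be checked before you type the values into the wizard. The following is an added example, not part of the original guide: a small Python script (function names are hypothetical) that flags a Tunnel Network or Local Network entered with host bits set and a Tunnel Network that overlaps the Local Network. The sample values are constructed from the guide's example ranges.

```python
import ipaddress


def parse_network(label, cidr, problems):
    """Parse a CIDR string, recording a problem if it is not a clean network address."""
    try:
        # strict=True rejects host bits: 192.168.11.1/24 fails, 192.168.11.0/24 passes.
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        pass
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        problems.append(f"{label} {cidr!r} is not a valid CIDR network")
        return None
    problems.append(f"{label} {cidr} has host bits set; enter {net} instead")
    return net


def check_vpn_networks(tunnel, local_networks=()):
    """Return a list of problems with the wizard's Tunnel/Local Network values."""
    problems = []
    tunnel_net = parse_network("Tunnel Network", tunnel, problems)
    for cidr in local_networks:  # empty when the LAN should not be reachable
        local_net = parse_network("Local Network", cidr, problems)
        if tunnel_net is None or local_net is None:
            continue
        if tunnel_net.overlaps(local_net):
            problems.append(
                f"Tunnel Network {tunnel_net} overlaps Local Network {local_net}"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample inputs based on the guide's example ranges.
    samples = [
        ("192.168.11.0/24", ["192.168.10.0/24"]),  # the guide's example: valid
        ("192.168.11.1/24", ["192.168.10.0/24"]),  # .1/24 instead of .0/24
        ("192.168.10.0/24", ["192.168.10.0/24"]),  # tunnel reuses the LAN range
    ]
    for tunnel, local in samples:
        issues = check_vpn_networks(tunnel, local)
        print(tunnel, local, "->", issues or "OK")
```

An empty result means the two values are safe to enter as they are; each message otherwise names the field to correct.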
It can be a bit confusing if you go through this process for the first time, but once you have it set up, it’s a gift that keeps on giving. You have successfully learned how to install OpenVPN on pfSense 2.5! If you want to dive deeper, my pfSense Fundamentals Bootcamp covers everything you need to know to operate a pfSense firewall with confidence, including a complete OpenVPN setup from scratch.