Configure OpenVPN on Pfsense 2.3.1 - Jacob Gardiner-Moon https://jacob.gardiner-moon.co.uk/2016/06/02/configure-openvpn-pfsense-...
CONFIGURE OPENVPN ON PFSENSE 2.3.1
I recently set up Pfsense and, when having a look at the features, I noticed that
OpenVPN was a supported type of VPN. I had this set up on a VM, so I thought I might as
well set this up on my router so it could be combined into one VM. I had multiple
problems trying to set this up correctly (networking isn’t my strong point!), but I have
managed to successfully configure it now, so I thought I would create a comprehensive
guide on setting up this functionality.
You will initially need a Pfsense router/firewall configured. If you don’t know how to
do this you can find my previous guide here. We will first need to configure a
Certificate Authority on the Pfsense box. This is relatively simple: navigate
to System –> Cert Manager.
Method – Create an Internal Certificate Authority
Key Length – 2048
Digest Algorithm – sha256
Lifetime – 3650
Country Code – GB (Change this to your relevant country code)
State or Province – Type in the relevant information.
City – Type in the relevant information.
Organization – Type in the relevant information.
Email Address – Type in the relevant information.
Common Name – This can be left as the default or changed if required. Default is
Internal-CA.
You now need to create a Server Certificate that will be used for OpenVPN.
You need to make sure that the certificate type is changed to a server certificate. You
also need to fill out the common name to be the external DNS name of your VPN
server, for example openvpn.vmware.com – You can also add an IP address if required.
Key Length – 2048
Country Code – GB (Change this to your relevant country code)
State or Province – Type in the relevant information.
City – Type in the relevant information.
Organization – Type in the relevant information.
Email address – Type in the relevant information.
You will now need to create a user that will be connecting to the VPN. This can be
completed in System –> User Manager.
Configure the Username and the Full Name for the user that will be connecting.
Click to Create a User Certificate
Key Length – 2048
Descriptive Name – You can set this to anything you require, this will not change the
configuration.
You will also need to create NAT Rules for the relevant Subnets that you will be
creating as part of the VPN. For example I have used 10.0.0.0/24 for the network pool
for the VPN so I needed to add the relevant rules for this network so that it would be
able to communicate with the LAN and the WAN. You can configure these by clicking
the buttons next to the existing rules that have been created and changing the
network configuration. You will just need to create the rules below that are for the
10.0.0.0/24 network. This may be different in your scenario depending on what IP
Address scheme you will be using.
You need to navigate to VPN –> OpenVPN –> Wizards
Select Local User Access and Continue.
Select your CA Server and select Next.
Select the Server Certificate that was created earlier.
Select the Interface as WAN, Protocol as UDP and Local Port as 1194 – You can change
this port if you require, this is the default port. Often this port is blocked inside
Organizations so you may need to use SSL (443).
Select Enable authentication of TLS packets.
Select Automatically generate a shared TLS authentication key.
DH Parameters Length should be 2048 bit.
You will need to set up the Tunnel Settings. This will depend on your network, but I
set up the example below –
Select Force all client generated traffic through the tunnel.
Concurrent Connections – Set this to the maximum number of connections you want
to allow at once. This will be dependent on the resources you assigned to the VM.
Enable Allow multiple concurrent connections from clients using the same Common
Name.
Select Allow connected clients to retain their connections if their IP address changes.
Select Provide a virtual adapter IP address to clients (see Tunnel Network).
Configure any DNS Settings that you want to provide to the VPN clients.
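The wizard choices above end up as directives in the OpenVPN server configuration. The following Python audit is an added example, not part of the original guide and not Pfsense's own code: it reads such a configuration and reports which of this guide's settings are present, including a tunnel network that overlaps the LAN. The mapping of wizard options to directives, the sample configuration, its file names, the max-clients value and the LAN subnets are assumptions.

```python
import ipaddress
import shlex

# Constructed sample: directives a server config would carry for the wizard
# choices in this guide. File names and the max-clients value are placeholders.
SAMPLE_CONF = """\
dev tun
proto udp
port 1194
server 10.0.0.0 255.255.255.0
dh dh2048.pem
tls-auth ta.key 0
max-clients 10
duplicate-cn
float
push "redirect-gateway def1"
"""

def parse(conf_text):
    """Return {directive: [argument lists]} for an OpenVPN config."""
    directives = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comments
        if tokens and not tokens[0].startswith(";"):
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives

def audit(conf_text, lan_cidr):
    """Return sorted finding codes for the settings this guide touches."""
    d = parse(conf_text)
    findings = []
    if "tls-auth" not in d:
        findings.append("NO_TLS_AUTH")          # TLS packets not HMAC-authenticated
    if "duplicate-cn" in d:
        findings.append("SHARED_CERT_ALLOWED")  # one user cert, many sessions
    if "max-clients" not in d:
        findings.append("NO_CLIENT_LIMIT")
    pushes = [args[0] for args in d.get("push", []) if args]
    if not any(p.startswith("redirect-gateway") for p in pushes):
        findings.append("SPLIT_TUNNEL")         # client traffic not forced via VPN
    for args in d.get("server", []):
        if len(args) < 2:
            continue
        tunnel = ipaddress.ip_network(f"{args[0]}/{args[1]}")
        if tunnel.overlaps(ipaddress.ip_network(lan_cidr)):
            findings.append("TUNNEL_OVERLAPS_LAN")
    return sorted(findings)
```

SHARED_CERT_ALLOWED is expected for a server built exactly as in this guide, because it enables connections that share a Common Name; issuing one certificate per device and leaving that option off keeps each session attributable and individually revocable.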
You will need to select Save on this page and it will ask if you want Pfsense to
automatically configure the firewall rules. Select both of these tick boxes and it will
automatically set these up for you. Make sure you still add the NAT rules mentioned
earlier.
You will now need to export the client configuration by navigating to Client Export. If
you do not have this option you will need to install the openvpn-client-export package,
this can be installed in the same way as the VMware Tools package.
You need to download the correct client as per the below screenshot. If you are
installing on iOS you do not need to enable anything on this page. If you are installing
this on Windows you should select "Use Microsoft Certificate Storage instead of local
files" and enable "Use a password to protect the pkcs12 file contents or key in Viscosity
bundle". Once you have installed the relevant bundle this should be working correctly.
Copyright © 2017 Jacob Gardiner-Moon Consulting Ltd. All rights reserved.