Alright, guys, let's dive into setting up OpenVPN on pfSense! If you're looking to create a secure tunnel for remote access to your home or office network, or just want to browse the internet with an extra layer of privacy, you've come to the right place. pfSense is an awesome open-source firewall/router software, and OpenVPN is a rock-solid VPN solution. Combining the two gives you a powerful and flexible setup. So, grab your coffee, and let’s get started!

Why Use OpenVPN with pfSense?

Before we jump into the nitty-gritty, let's quickly cover why you might want to use OpenVPN with pfSense in the first place. Setting up OpenVPN on pfSense offers several compelling advantages, making it a popular choice for both home users and businesses. First off, security. OpenVPN uses strong encryption protocols to protect your data as it travels across the internet. This is super important if you're connecting to public Wi-Fi hotspots or accessing sensitive information remotely. Secondly, it provides remote Access. It allows you to securely access your home or office network from anywhere in the world. Imagine accessing your files, printers, and other resources as if you were sitting right there in the office. This is incredibly useful for remote workers or anyone who needs to access their network while on the go.

Another key benefit is privacy. By routing your internet traffic through an OpenVPN server, you can mask your IP address and location, making it harder for websites and advertisers to track you. This is especially useful if you're concerned about online privacy and want to protect your browsing activity. Furthermore, OpenVPN is highly configurable. It supports a wide range of encryption algorithms, authentication methods, and network configurations, allowing you to tailor the VPN to your specific needs. pfSense provides a user-friendly interface for managing OpenVPN, making it easier to set up and maintain. Finally, integrating OpenVPN with pfSense enhances your network security. pfSense acts as a firewall, protecting your network from unauthorized access and malicious attacks. By adding OpenVPN, you create an additional layer of security, ensuring that your data is protected both inside and outside your network.

Prerequisites

Before we start, make sure you have the following:

• A pfSense firewall/router already set up and running.
• Internet access for your pfSense box.
• A computer to connect to the VPN.
• Basic networking knowledge (IP addresses, subnets, etc.).

Step 1: Install the OpenVPN Client Export Package

First, we need to install the OpenVPN Client Export package. This package makes it easy to generate configuration files for your OpenVPN clients. Here’s how:

1. Log in to your pfSense web interface.
2. Go to System > Package Manager > Available Packages.
3. Search for openvpn-client-export.
4. Click the Install button next to the package.
5. Confirm the installation.

Once the installation is complete, you’ll see a success message. This package will be crucial later when we need to create configuration files for our devices.

Step 2: Create a Certificate Authority (CA)

Next, we need to create a Certificate Authority (CA). The CA is responsible for signing the certificates that will be used to authenticate our OpenVPN clients and server. Here’s how to create one:

1. Go to System > Cert. Manager.
2. Click on the CAs tab.
3. Click the Add button.
4. Fill in the following information:
   • Descriptive name: Something like MyOpenVPNCA
   • Method: Create an internal Certificate Authority
   • Key length: 2048 or 4096 (4096 is more secure but may be slower)
   • Lifetime (days): 3650 (10 years)
   • Country Code: Your country code (e.g., US)
   • State or Province: Your state or province (e.g., California)
   • City: Your city (e.g., Los Angeles)
   • Organization: Your organization (e.g., My Company)
   • Email Address: Your email address
   • Common Name: Something like MyOpenVPNCA
5. Click Save.

Step 3: Create a Server Certificate

Now, we need to create a server certificate. This certificate will be used by the OpenVPN server to identify itself to clients. Here’s how:

1. Go to System > Cert. Manager.
2. Click on the Certificates tab.
3. Click the Add button.
4. Fill in the following information:
   • Method: Create an internal Certificate
   • Descriptive name: Something like OpenVPNServerCert
   • Certificate authority: Select the CA you created in the previous step (MyOpenVPNCA)
   • Key length: 2048 or 4096 (same as the CA)
   • Lifetime (days): 3650 (10 years)
   • Country Code: Your country code
   • State or Province: Your state or province
   • City: Your city
   • Organization: Your organization
   • Email Address: Your email address
   • Common Name: This is important! Use the fully qualified domain name (FQDN) or the public IP address of your pfSense firewall. If you don't have a domain name, you can use your public IP address. For example, my.dynamic.dns.example.com or 203.0.113.1.
5. Click Save.

Step 4: Configure the OpenVPN Server

With the CA and server certificate in place, we can now configure the OpenVPN server. Here’s how:

1. Go to VPN > OpenVPN > Servers.
2. Click the Add button.
3. Configure the following settings:
   • Disable this server: Uncheck this box.
   • Server mode: Remote Access (SSL/TLS)
   • Protocol: UDP or TCP (UDP is generally faster, but TCP may be more reliable in some network environments)
   • Device mode: tun
   • Interface: WAN (or the interface that connects to the internet)
   • Local port: 1194 (the default OpenVPN port)
   • Description: Something like MyOpenVPNServer
   • Certificate authority: Select the CA you created earlier (MyOpenVPNCA)
   • Server certificate: Select the server certificate you created earlier (OpenVPNServerCert)
   • Encryption algorithm: AES-256-CBC (or another strong encryption algorithm)
   • Hash algorithm: SHA256 (or another strong hash algorithm)
   • DH Parameter Length: 2048
   • IPv4 Tunnel Network: This is the IP address range that will be used for the VPN tunnel. Choose a private IP range that doesn't conflict with your existing network. For example, 10.0.8.0/24.
   • IPv4 Local Network(s): This is the IP address range of your local network that you want to allow VPN clients to access. For example, 192.168.1.0/24.
   • IPv4 Remote Network(s): Leave blank
   • Concurrent connections: Set the maximum number of simultaneous VPN connections.
   • Compression: Adaptive LZO Compression (or No Compression if you prefer)
   • Type-of-Service: Uncheck this box.
   • Inter-client communication: Check this box if you want VPN clients to be able to communicate with each other.
   • Duplicate Connection: Uncheck this box to prevent multiple connections from the same client.
   • Custom options: Leave blank for now.
4. Click Save.

A deeper look at key configurations:

• Server Mode: Set to Remote Access (SSL/TLS) for typical client-to-server VPN setups.
• Protocol: UDP is usually faster, but TCP can be more reliable if you face connectivity issues. Experiment to see what works best for your network.
• Device Mode: tun creates a virtual network interface.
• Interface: Choose your WAN interface, the one that connects to the internet.
• IPv4 Tunnel Network: This is a virtual network for your VPN clients. Pick a range that doesn't overlap with your existing networks. For example, if your local network is 192.168.1.0/24, use something like 10.0.8.0/24.
• IPv4 Local Network(s): This is your internal network that VPN clients will access. If your LAN is 192.168.1.0/24, enter that here.

Step 5: Configure Firewall Rules

Now, we need to create firewall rules to allow traffic to pass through the VPN. Here’s how:

1. Go to Firewall > Rules.
2. Click on the OpenVPN tab.
3. Click the Add button to add a new rule.
4. Configure the following settings:
   • Action: Pass
   • Interface: OpenVPN
   • Protocol: any
   • Source: OpenVPN net
   • Destination: any
   • Description: Something like Allow OpenVPN Traffic
5. Click Save.
6. Click Apply Changes.

Next, we need to create a rule on the WAN interface to allow UDP or TCP traffic on port 1194 (or whichever port you chose for OpenVPN). Here’s how:

1. Go to Firewall > Rules.
2. Click on the WAN tab.
3. Click the Add button to add a new rule at the top.
4. Configure the following settings:
   • Action: Pass
   • Interface: WAN
   • Protocol: UDP or TCP (depending on what you chose for OpenVPN)
   • Source: any
   • Destination: WAN address
   • Destination port range: 1194 (or your chosen port)
   • Description: Something like Allow OpenVPN Access
5. Click Save.
6. Click Apply Changes.

Why These Firewall Rules Are Important

These firewall rules are crucial for ensuring that your OpenVPN server functions correctly and that your VPN clients can communicate with your internal network. The first rule, on the OpenVPN tab, allows all traffic originating from the OpenVPN network to pass through the firewall without restriction. This is essential for enabling VPN clients to access resources on your internal network and to communicate with each other if you have enabled inter-client communication.

The second rule, on the WAN tab, allows incoming OpenVPN connections from the internet to reach your pfSense firewall. This rule specifies that traffic using the UDP or TCP protocol (depending on your OpenVPN configuration) and destined for port 1194 (or the custom port you have configured for OpenVPN) should be allowed. This rule is what makes it possible for remote clients to establish a connection to your OpenVPN server and gain access to your network.

Step 6: Create OpenVPN Client Configuration

Now, we need to create a configuration file for our OpenVPN client. This file contains all the settings needed to connect to the OpenVPN server. This is where the openvpn-client-export package comes in handy. Here’s how to create the configuration file:

1. Go to VPN > OpenVPN > Client Export.
2. Scroll down to the Client Export section.
3. Configure the following settings:
   • Mode: Remote Access (SSL/TLS)
   • Host Name Resolution: Select Interface IP Address or interface hostname. If you have a dynamic DNS service set up, you can select that here. If you are using a dynamic DNS service, make sure the hostname resolves correctly to your public IP address.
   • Client Configuration: Select the options that best suit your needs. The defaults are usually fine.
   • Export Type: Choose the export type that matches your client’s operating system. For example, Inline Configurations for Viscosity or Tunnelblick, or File Only for OpenVPN Connect.
4. Scroll down and find the client configuration for your user. You may need to create a user in System > User Manager if you haven’t already.
5. Download the configuration file or copy the inline configuration, depending on the export type you chose.

Step 7: Connect with Your OpenVPN Client

Finally, it’s time to connect with your OpenVPN client. Here’s how:

1. Install an OpenVPN client on your computer or mobile device. Some popular options include OpenVPN Connect, Tunnelblick (for macOS), and Viscosity (for macOS and Windows).
2. Import the configuration file you downloaded in the previous step into your OpenVPN client.
3. Enter your username and password if prompted.
4. Connect to the VPN.
5. Verify that you can access resources on your local network. For example, try pinging a device on your LAN.

Troubleshooting

If you run into problems, here are a few things to check:

• Firewall rules: Make sure your firewall rules are configured correctly.
• DNS: Make sure your DNS settings are configured correctly. VPN clients need to resolve names on your LAN.
• Routing: Ensure that your routing is set up correctly, especially if you have multiple subnets.
• Logs: Check the OpenVPN logs on your pfSense firewall for errors.

Conclusion

And there you have it! You’ve successfully configured OpenVPN on pfSense. You now have a secure tunnel for remote access to your network. Enjoy the freedom and security that OpenVPN provides! Remember to keep your pfSense and OpenVPN software up to date to ensure you have the latest security patches. If you followed these steps, you should have a working VPN setup. Happy networking!