OpenVPN in pfSense 2.3.4

Published by admin, 25 June 2019

I will describe the steps I took to get the OpenVPN server on pfSense to run. This is the basic structure of the network I am assuming:

As you can see, our network uses two subnets: 192.168.2.0/24, which contains our router and the pfSense firewall, and 10.0.0.0/24, which again contains the firewall and the rest of the network. That means our firewall has two network interfaces. Our WLAN router is connected to the internet and works as the modem. pfSense works as the firewall for the local network, connecting the rest of the network to the WLAN router. OpenVPN will use port 1194. We could choose any other port, but let’s stick to the convention to keep things simple. By default, each firewall blocks all incoming connections. In order to be able to reach our VPN server, running on the pfSense firewall, we need to set up two firewall rules (one on the router and one on pfSense) and two port forwards (one from the router to the firewall, and one from one interface to the other within the firewall).

This is how we want to modify our network:

As mentioned previously, the pfSense firewall has two network interfaces. Let’s call the interface with the address 192.168.2.50 the WAN interface and the interface with the address 10.0.0.50 the LAN interface, which happens to be what these interfaces are called in the pfSense configuration.

  • Since pfSense is running on the LAN address 10.0.0.50, we can open the configuration page by typing that address in our web browser.

After logging in, in order to get authentication working, we first need to generate a certificate:

  • To create the certificate authority, navigate to System -> Cert. Manager -> CAs and click on Add
  • choose a descriptive name
    • Method: Create an internal Certificate Authority
    • Key length: 2048
    • Digest algorithm: sha256
    • Lifetime: 3650
    • and the rest is up to you
  • To create the actual certificate, which clients will use to verify the server’s identity, navigate to System -> Cert. Manager -> Certificates
  • click on Add
    • Method: Create an internal certificate
    • Certificate authority: [The authority you just created]
    • Key length: 2048
    • Digest Algorithm: sha256
    • Certificate type: Server Certificate
    • Lifetime: 3650
    • the rest is up to you
  • Now, you can switch to the VPN section and choose OpenVPN.
  • Now, you can click on Add, in the bottom right corner of the screen
  • Here are the settings I used:
    • Server mode: Remote Access (User Auth)
    • Backend for authentication: Local Database
    • Protocol: TCP
    • Device mode: tun
    • Interface: LAN
    • Local Port: 1194 (OpenVPN)
    • TLS authentication: Yes
    • Peer Certificate Authority: [The authority you created]
    • Server certificate: [The certificate you created]
    • DH Parameter length: 2048
    • Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
    • Auth digest algorithm: SHA1 (160-bit)
    • Hardware Crypto: No Hardware Crypto Acceleration
    • Certificate Depth: One (Client+Server)
    • IPv4 Tunnel Network: 10.0.0.8/24. This creates an additional subnet which is reserved for devices accessing the network through the VPN
    • Redirect Gateway: No
    • IPv4 Local network(s): 10.0.0.0/24. With this setting, I allow incoming VPN connections to access other devices within the local network
    • DNS Server 1: 208.67.222.222

Now the OpenVPN Server is running. The next step is to check the firewall rules and the port forwarding:

  • Navigate to Firewall->Rules
  • In the WAN section, check/add the following rule:
    • Action: Pass
    • Interface: WAN
    • Address Family: IPv4
    • Protocol: TCP/UDP
    • Source: any
    • Destination Port Range: From 1194 (OpenVPN) To 1194 (OpenVPN)
  • Use the exact same settings for the LAN interface

Our pfSense firewall is set up. Now add a port forwarding rule:

  • Navigate to Firewall -> NAT -> Port Forward and check/add the rule:
    • Interface: OpenVPN
    • Protocol: TCP/UDP
    • Destination Port: From 1194 (OpenVPN) To 1194 (OpenVPN)
    • Redirect target IP: 10.0.0.50
    • Redirect target port: 1194 (OpenVPN)
  • Use the exact same settings for the WAN interface

On the router, I added a rule to forward any incoming connections to the WAN address of my firewall (192.168.2.50).
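Before clicking through the GUI it is worth checking that the server settings, the pass rules and the port forward agree with each other. The script below is an added example (not part of the original post and not pfSense’s own code): it loads the values from the steps above into plain dictionaries, flags inconsistencies, and renders the OpenVPN directives those GUI fields correspond to. The dictionary keys, the check messages and the rendered directives are my own approximation of what pfSense generates, not its exact output. One thing the check catches with the values as written above: 10.0.0.8/24 has host bits set and denotes the network 10.0.0.0/24, so the tunnel network is the same subnet as the local network, which OpenVPN cannot route cleanly; the tunnel should be a separate, unused subnet (the `10.8.0.0/24` used in the `__main__` block is a constructed replacement, not a value from the post).

```python
"""Consistency check for the OpenVPN/pfSense settings from the tutorial.
Added example, standard library only; assumptions are marked inline."""
import ipaddress

# Values copied from the OpenVPN server settings above.
SERVER = {
    "protocol": "TCP",
    "port": 1194,
    "interface": "LAN",
    "lan_address": "10.0.0.50",
    "tunnel_network": "10.0.0.8/24",      # as written in the post
    "local_networks": ["10.0.0.0/24"],
    "redirect_gateway": False,
    "cipher": "AES-256-CBC",
    "auth_digest": "SHA1",
    "dns": ["208.67.222.222"],
}

# Pass rules (Firewall -> Rules) and port forward (Firewall -> NAT), copied from above.
FIREWALL_RULES = [
    {"interface": "WAN", "protocols": {"TCP", "UDP"}, "port": 1194},
    {"interface": "LAN", "protocols": {"TCP", "UDP"}, "port": 1194},
]
PORT_FORWARD = {"protocols": {"TCP", "UDP"}, "port": 1194,
                "target_ip": "10.0.0.50", "target_port": 1194}


def check_settings(server, rules, forward):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []

    # The tunnel network must be a proper network address and must not
    # overlap any local network that is pushed to the clients.
    try:
        tunnel = ipaddress.ip_network(server["tunnel_network"])
    except ValueError:
        tunnel = ipaddress.ip_network(server["tunnel_network"], strict=False)
        findings.append(f"tunnel network {server['tunnel_network']} has host bits set; "
                        f"it denotes {tunnel}")
    for net in server["local_networks"]:
        local = ipaddress.ip_network(net)
        if tunnel.overlaps(local):
            findings.append(f"tunnel network {tunnel} overlaps local network {local}; "
                            f"VPN clients and LAN hosts would share one route")

    # Both the WAN side and the listening interface need a pass rule that
    # allows the server protocol on the server port.
    for iface in ("WAN", server["interface"]):
        allowed = any(r["interface"] == iface and server["protocol"] in r["protocols"]
                      and r["port"] == server["port"] for r in rules)
        if not allowed:
            findings.append(f"no pass rule on {iface} for {server['protocol']}/{server['port']}")

    # The port forward must deliver the server protocol/port to the LAN address.
    if (server["protocol"] not in forward["protocols"] or forward["port"] != server["port"]
            or forward["target_port"] != server["port"]
            or forward["target_ip"] != server["lan_address"]):
        findings.append("port forward does not deliver the server protocol/port to the LAN address")
    return findings


def render_server_conf(server):
    """Render the OpenVPN directives that the GUI fields map to (an approximation,
    assumed here; pfSense's generated file contains more directives)."""
    tunnel = ipaddress.ip_network(server["tunnel_network"], strict=False)
    lines = [
        "dev tun",                                                    # Device mode: tun
        "proto " + ("tcp-server" if server["protocol"] == "TCP" else "udp"),
        f"port {server['port']}",                                     # Local Port
        f"local {server['lan_address']}",                             # Interface: LAN
        f"server {tunnel.network_address} {tunnel.netmask}",          # IPv4 Tunnel Network
        f"cipher {server['cipher']}",                                 # Encryption Algorithm
        f"auth {server['auth_digest']}",                              # Auth digest algorithm
        "tls-auth ta.key 0",                                          # TLS authentication: Yes
    ]
    for net in server["local_networks"]:                              # IPv4 Local network(s)
        n = ipaddress.ip_network(net)
        lines.append(f'push "route {n.network_address} {n.netmask}"')
    if server["redirect_gateway"]:                                    # Redirect Gateway
        lines.append('push "redirect-gateway def1"')
    for dns in server["dns"]:                                         # DNS Server 1
        lines.append(f'push "dhcp-option DNS {dns}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in check_settings(SERVER, FIREWALL_RULES, PORT_FORWARD):
        print("finding:", finding)
    # Constructed replacement tunnel network that does not collide with the LAN.
    fixed = dict(SERVER, tunnel_network="10.8.0.0/24")
    print("findings after fix:", check_settings(fixed, FIREWALL_RULES, PORT_FORWARD))
    print(render_server_conf(fixed))
```

Run it as-is to see the overlap finding for the values in the post; change `tunnel_network` to a free subnet and the findings list becomes empty. The firewall and NAT checks only verify that the pass rules and the forward cover the server’s protocol and port, they do not replace a look at the rule order in the pfSense GUI.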
