A company must be able to offer remote access to its travelling or teleworking users.
That access must be secure and reliable.

Good news: pfSense and OpenVPN are the ideal solution for this need! 🙂

OpenVPN = the perfect solution for home-office users

OpenVPN is easy to implement and is compatible with all types of platforms (Windows, Mac, Android, iOS, …).

Please note:
This article does not cover site-to-site mode configuration of OpenVPN (shared key or X.509).
If you are looking for a site-to-site OpenVPN tutorial, please see [pfSense] Configuring a Site-to-Site OpenVPN Instance.

How it works

The goal is to offer a VPN solution for travelling or teleworking users allowing them to have secure access to the company’s LAN.
These users can use a computer or a smartphone to connect.
In all cases, they will use an OpenVPN client.

In our implementation example, we will use the following infrastructure:

  • LAN subnet: 192.168.1.0/24
  • OpenVPN subnet: 192.168.200.0/24

[pfSense] Remote OpenVPN access diagram

Configuring the OpenVPN server

On the OpenVPN server side, we have to follow these steps:

  1. create a Certificate Authority (C.A.)
  2. create a server certificate
  3. create the user accounts
  4. configure the OpenVPN server itself
  5. configure the appropriate firewall rules
  6. export configuration for each user

Let’s go!

1. Certificate Authority

Go to System > Cert Manager:

[pfSense] menu System > Cert Manager

In the “CAs” tab (the default tab), click on the “+ Add” button at the bottom right of the list of existing CAs.

The fields to be filled in are the following:

  • Descriptive name: the name we wish to give to our Certificate Authority
  • Method: 3 methods are available
    1. Import an existing Certificate Authority: imports the certificate (public key + private key) of an existing certificate authority;
    2. Create an internal Certificate Authority: creates a new Certificate Authority;
    3. Create an intermediate Certificate Authority: creates an intermediate Certificate Authority, which must be attached to an existing Certificate Authority.

In our case, we choose Create an internal Certificate Authority.

  • Key length: the length of the CA’s key. The longer it is, the more secure it will be (but the CPU load will be higher too…). We keep the default value: 2048.
  • Digest Algorithm: the hash function that will be used. We keep the default value: SHA256.
  • Lifetime: the lifetime of the Certificate Authority. We keep the default value (3650 days, i.e. 10 years).
  • Country Code: your ISO country code. US, UK, FR, …

The last important field is the “Common name”: it must be unique.

The other fields are mainly cosmetic and should identify the organization.

[pfSense] Creation of a Certificate Authority

We click on the “Save” button. The C.A. is created.

2. Server Certificate

Go to the “Certificates” tab, then click on the “+ Add/Sign” button at the bottom right of the list of existing certificates.

The fields to be filled in are the following:

  • Method: as previously, there are 3 available methods. We choose Create an internal Certificate.
  • Descriptive name: the name we want to give to our server certificate.
  • Certificate Authority: the CA that will sign the certificate we are creating. We choose the CA we just created, “CA Provya”.
  • Key length: the length of the certificate’s key. The longer it is, the more secure it will be (but the CPU load will be higher too…). We keep the default value: 2048.
  • Digest Algorithm: the hash function that will be used. We keep the default value: SHA256.
  • Certificate Type: user or server certificate. We choose server certificate.
  • Lifetime: the lifetime of the Certificate. We keep the default value (3650 days, i.e. 10 years).

The last important field is the “Common name”: it must be unique.

The other fields are mainly cosmetic.

[pfSense] Creation of a Server Certificate

We click on the “Save” button. The server certificate is created.

3. User accounts

Go to System > User Manager:

[pfSense] menu System > User Manager

First, we create a new group.

Go to the “Groups” tab, then click on the “+ Add” button at the bottom right.

Give the name you want to the group. In our case we choose “OpenVPN-users”. Then click on the “Save” button.

Once done, go back to the “Users” tab, then click on the “+ Add” button.

The fields to be filled in are the following:

  • Disabled: check this box if you want to disable the user account.
  • Username: no spaces or special characters.
  • Password: a strong one!
  • Full name: administrative information only.
  • Expiration date: leave blank if the account shouldn’t expire, otherwise enter the expiration date as MM/DD/YYYY.
  • Group Memberships: choose your group. In our case, “OpenVPN-users”.
  • Certificate: check this box to create a user certificate along with the account.
  • Descriptive name: a descriptive name for the certificate.
  • Lifetime: the lifetime of the certificate. We keep the default value (825 days).

[pfSense] Creation of a user account

We click on the “Save” button. The user and client certificate are created.

4. Configure the OpenVPN server

Go to VPN > OpenVPN:

[pfSense] menu VPN > OpenVPN

In the “Servers” tab (the default tab), click on the “+ Add” button at the bottom right of the page.

The fields to be filled in are the following:

  • Server Mode: choose Remote Access (SSL/TLS + User Auth).
  • Protocol: UDP on IPv4.
  • Device Mode: tun.
  • Interface: normally WAN; more generally, the interface on which the OpenVPN server must be reachable.
  • Local port: we keep the default value (1194).
  • TLS Configuration: keep the boxes “Use a TLS Key” and “Automatically generate a TLS Key” checked.
  • Peer Certificate Authority: the CA previously created (CA Provya).
  • Server certificate: the server certificate previously created (provya-cert-server).
  • Encryption Algorithm: keep the default or choose a stronger one.
  • Enable NCP: check this box to enable Negotiable Cryptographic Parameters.
  • NCP Algorithms: choose at least AES-128-CBC and AES-128-GCM (or stronger).
  • IPv4 Tunnel Network: the VPN network. In our case, 192.168.200.0/24.
  • IPv4 Local network(s): your local network(s). In our case, 192.168.1.0/24.

The other settings can keep their default configuration.

[pfSense] Configuring the OpenVPN server for teleworking

We click on the “Save” button. The OpenVPN server is created.

5. Configure the firewall rules

Go to Firewall > Rules:

[pfSense] menu Firewall > Rules

Add a firewall rule on the WAN interface (or on the interface on which your OpenVPN is reachable) with the following settings:

  • Protocol: UDP
  • Source: any
  • Destination: this firewall
  • Destination port: 1194 (or the port you chose previously)

Firewall rule for OpenVPN access

Then, add a firewall rule on the OpenVPN interface with the following settings:

  • Protocol: *
  • Source: network – 192.168.200.0/24
  • Destination: LAN net
  • Destination port: any

Firewall rule for OpenVPN user access

Obviously, your firewall rules could be more restrictive or permissive.

6. Export configuration for each user

The most convenient way is to use the pfSense package “openvpn-client-export”.

Go to System > Package Manager.

On the “Available Packages” tab, search for and install openvpn-client-export.

Then, go to VPN > OpenVPN.

You will find a new tab: Client Export.

Verify the option Host Name Resolution. If your WAN interface is configured with your public IP address, just keep the default value (i.e. Interface IP Address). Otherwise choose Other and enter your public IP address.

That’s it, that’s all! You just have to download the right package for the right platform. All the different packages are available at the bottom of the page Client Export.
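Before handing a downloaded profile to a user, it is worth checking that it actually carries the settings chosen in step 4 (user authentication, TLS key, server-certificate type check, AES cipher floor). The following Python script is an added example, not code from this article or from the openvpn-client-export package; SAMPLE_OVPN is a constructed profile with placeholder certificate material, and parse_profile/check_profile are hypothetical helper names.

```python
# Added example (not from the article or pfSense): check an exported client profile.
SAMPLE_OVPN = """\
remote 203.0.113.10 1194 udp4
auth-user-pass
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC
<ca>
PLACEHOLDER-CA-CERT
</ca>
<cert>
PLACEHOLDER-USER-CERT
</cert>
<tls-auth>
PLACEHOLDER-TLS-KEY
</tls-auth>
"""
# Cipher floor from step 4: AES-128-CBC / AES-128-GCM or stronger.
STRONG_CIPHERS = {"AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC", "CHACHA20-POLY1305"}

def parse_profile(text):
    # Returns ({directive: [arg lists]}, {inline block names}); block bodies are skipped.
    directives, blocks, block = {}, set(), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):          # </name> closes the current inline block
            block = None
        elif line.startswith("<"):         # <name> opens one (ca, cert, key, tls-auth, ...)
            block = line.strip("<>")
            blocks.add(block)
        elif block is None:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks

def check_profile(text):
    # Returns findings; an empty list means the profile matches the article's settings.
    d, blocks = parse_profile(text)
    findings = []
    if "auth-user-pass" not in d:
        findings.append("missing auth-user-pass (server mode is SSL/TLS + User Auth)")
    if d.get("remote-cert-tls") != [["server"]]:
        findings.append("missing 'remote-cert-tls server' (client must demand a server-type cert)")
    if not {"tls-auth", "tls-crypt"} & blocks:
        findings.append("missing inline TLS key ('Use a TLS Key' is enabled on the server)")
    offered = {c for a in d.get("data-ciphers", []) + d.get("cipher", []) for c in a[0].split(":")}
    findings += ["cipher below the AES-128 floor: " + c for c in sorted(offered - STRONG_CIPHERS)]
    findings += ["missing inline <%s> block" % n for n in ("ca", "cert") if n not in blocks]
    return findings
```

Run check_profile on each .ovpn file downloaded from the Client Export tab; a non-empty list means the profile does not match the server settings above.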
