Setting up a Virtual Private Network (VPN) can seem daunting, but with pfSense and OpenVPN, it's totally achievable! This guide walks you through configuring OpenVPN on your pfSense firewall, providing secure remote access to your home or business network. Let's dive in and get you connected!

Why Use OpenVPN with pfSense?

Before we jump into the how-to, let's quickly cover why this setup is so beneficial. OpenVPN is a robust and highly configurable VPN protocol. When combined with the power of pfSense, an open-source firewall, you get a secure, flexible, and reliable VPN solution.

• Security: OpenVPN uses strong encryption to protect your data from prying eyes, especially important when using public Wi-Fi.
• Remote Access: Access your home or office network remotely as if you were physically there. This is great for accessing files, printers, or other resources.
• Flexibility: OpenVPN is highly customizable, allowing you to tailor the configuration to your specific needs.
• Cost-Effective: Both pfSense and OpenVPN are open-source, meaning they are free to use, saving you money on expensive VPN solutions.

Prerequisites

Before starting, make sure you have the following:

• A pfSense Firewall: You should have pfSense installed and configured on a dedicated device or virtual machine.
• A Public IP Address: Your pfSense firewall needs a public IP address to be accessible from the internet. This is usually provided by your internet service provider (ISP).
• Basic Networking Knowledge: A basic understanding of networking concepts like IP addresses, subnets, and DNS will be helpful.

Step-by-Step Configuration

Okay, guys, let's get down to business! Here's a detailed walkthrough of configuring OpenVPN on your pfSense firewall:

Step 1: Install the OpenVPN Client Export Package

First, we need to install a package that will help us easily create OpenVPN client configurations. This package simplifies the process of generating configuration files for your devices.

1. Log in to your pfSense web interface.
2. Navigate to System > Package Manager > Available Packages.
3. Search for openvpn-client-export.
4. Click Install and confirm the installation.

Step 2: Create a Certificate Authority (CA)

A Certificate Authority (CA) is essential for OpenVPN to ensure secure communication. The CA will issue certificates to both the server and the clients.

1. Go to System > Cert. Manager.
2. Click on the CAs tab.
3. Click the Add button.
4. Fill in the following details:
   • Descriptive name: Give your CA a meaningful name, such as MyOpenVPNCA.
   • Method: Choose Create an internal Certificate Authority.
   • Key length: Select 2048 or higher for better security.
   • Lifetime (days): Choose a reasonable lifetime, such as 3650 (10 years).
   • Country Code: Select your country code.
   • State or Province: Enter your state or province.
   • City: Enter your city.
   • Organization: Enter your organization name (or your name if it's for personal use).
   • Email Address: Enter your email address.
   • Common Name: This is the most important field. Enter a name for your CA, such as MyOpenVPNCA.
5. Click Save.

Step 3: Create a Server Certificate

Now, we need to create a certificate for the OpenVPN server itself. This certificate will identify the server to the clients.

1. Go to System > Cert. Manager.
2. Click on the Certificates tab.
3. Click the Add button.
4. Fill in the following details:
   • Method: Choose Create an internal Certificate.
   • Descriptive name: Give your certificate a meaningful name, such as OpenVPNDemoServer.
   • Certificate Authority: Select the CA you created in the previous step (MyOpenVPNCA).
   • Key length: Select 2048 or higher.
   • Lifetime (days): Choose a reasonable lifetime, such as 3650.
   • Country Code: Select your country code.
   • State or Province: Enter your state or province.
   • City: Enter your city.
   • Organization: Enter your organization name.
   • Email Address: Enter your email address.
   • Common Name: Enter the public IP address or hostname of your pfSense firewall.
5. Click Save.

Step 4: Configure the OpenVPN Server

This is where we actually configure the OpenVPN server settings.

1. Go to VPN > OpenVPN > Servers.
2. Click the Add button.
3. Configure the following settings:
   • Server Mode: Choose Remote Access (SSL/TLS).
   • Protocol: Choose UDP or TCP. UDP is generally faster, but TCP can be more reliable in some network environments.
   • Device Mode: Choose tun.
   • Interface: Choose WAN (or the interface connected to the internet).
   • Local Port: Choose a port for OpenVPN to listen on. The default is 1194, but you can choose another port if needed.
   • Description: Enter a description for your OpenVPN server, such as OpenVPN Server.
   • Certificate Authority: Select the CA you created (MyOpenVPNCA).
   • Server Certificate: Select the server certificate you created (OpenVPNDemoServer).
   • Encryption Algorithm: Choose an encryption algorithm, such as AES-256-CBC for strong encryption.
   • Hash Algorithm: Choose a hash algorithm, such as SHA256.
   • Tunnel Network: This is the IP address range that will be used for the VPN tunnel. Choose a private IP address range that does not conflict with your existing network. For example, 10.0.8.0/24.
   • Local Network(s): Enter the IP address range(s) of your local network(s) that you want the VPN clients to be able to access. For example, 192.168.1.0/24.
   • Concurrent Connections: Set the maximum number of concurrent VPN connections.
   • Compression: You can enable compression to improve performance, but it may also slightly reduce security. Compress with LZO is a common choice.
   • Custom Options: Add the following custom option push "redirect-gateway def1"; to redirect all client traffic through the VPN tunnel. Add push "dhcp-option DNS 192.168.1.1"; to push your local dns server to client.
4. Click Save.

Step 5: Configure Firewall Rules

We need to create firewall rules to allow OpenVPN traffic to pass through the firewall.

1. Go to Firewall > Rules.
2. Click on the WAN tab.
3. Click the Add button to add a new rule at the top.
4. Configure the following settings:
   • Action: Choose Pass.
   • Interface: Choose WAN.
   • Protocol: Choose UDP or TCP (depending on what you chose in Step 4).
   • Source: Choose Any.
   • Destination: Choose WAN address.
   • Destination port range: Choose Single port and enter the port you chose in Step 4 (e.g., 1194).
   • Description: Enter a description for the rule, such as Allow OpenVPN traffic.
5. Click Save.
6. Click Apply Changes.
7. Go to Firewall > Rules.
8. Click on the OpenVPN tab. If the tab doesn't exist, it will automatically be created.
9. Click the Add button to add a new rule at the top.
10. Configure the following settings:
    • Action: Choose Pass.
    • Interface: Choose OpenVPN.
    • Protocol: Choose Any.
    • Source: Choose OpenVPN net.
    • Destination: Choose Any.
    • Description: Enter a description for the rule, such as Allow OpenVPN to LAN.
11. Click Save.
12. Click Apply Changes.

Step 6: Configure Outbound NAT

If you want your OpenVPN clients to be able to access the internet through the VPN tunnel, you need to configure outbound NAT.

1. Go to Firewall > NAT > Outbound.
2. If the mode is set to Automatic, change it to Manual Outbound NAT rule generation and Save.
3. Click the Add button.
4. Configure the following settings:
   • Interface: Choose WAN.
   • Address Family: Choose IPv4.
   • Protocol: Choose Any.
   • Source: Choose OpenVPN net.
   • Destination: Choose Any.
   • Translation / target: Choose Interface address.
   • Description: Enter a description for the rule, such as OpenVPN Outbound NAT.
5. Click Save.
6. Click Apply Changes.

Step 7: Export OpenVPN Client Configuration

Now that the server is configured, we need to create configuration files for our clients.

1. Go to VPN > OpenVPN > Client Export.
2. Configure the following settings:
   • Remote Host(s): This should automatically be populated with the public IP address or hostname of your pfSense firewall. Verify it is correct.
   • Client Export Mode: Choose Inline Configurations.
3. Scroll down and find the user you want to create a configuration for. If no users exist, you can create one in System > User Manager.
4. Click the download icon next to the user to download the OpenVPN configuration file.

Step 8: Install and Configure the OpenVPN Client

Finally, install the OpenVPN client on your device and import the configuration file.

1. Download and install the OpenVPN client for your operating system (Windows, macOS, Linux, Android, iOS).
2. Import the configuration file you downloaded in Step 7 into the OpenVPN client.
3. Connect to the VPN.

Troubleshooting

If you encounter any issues, here are some things to check:

• Firewall Rules: Make sure your firewall rules are correctly configured to allow OpenVPN traffic.
• NAT Settings: Verify that your outbound NAT is configured correctly.
• DNS Settings: Ensure that your DNS settings are configured correctly on both the server and the client.
• Client Configuration: Double-check the client configuration file for any errors.
• Logs: Check the OpenVPN logs on both the server and the client for any error messages.

Conclusion

Congrats, guys! You've successfully configured OpenVPN on your pfSense firewall. You can now securely access your network remotely. Remember to keep your pfSense firewall and OpenVPN client software up to date to ensure the best security. Have fun and stay secure!