Hey guys! Today, we're diving deep into setting up OpenVPN on pfSense. Whether you're a seasoned network admin or just getting your feet wet, this guide will walk you through each step to ensure you have a secure and functional VPN server. Let's get started!

    Why Use OpenVPN with pfSense?

    Before we jump into the nitty-gritty, let's quickly cover why you might want to use OpenVPN with pfSense. OpenVPN is a robust and highly configurable VPN solution that allows you to create secure point-to-point or site-to-site connections. When integrated with pfSense, a powerful open-source firewall and routing platform, you get an unbeatable combination for network security.

    • Security: OpenVPN uses strong encryption to protect your data from eavesdropping and tampering.
    • Flexibility: It supports a wide range of configurations, allowing you to tailor it to your specific needs.
    • Remote Access: Enables secure access to your home or office network from anywhere in the world.
    • Site-to-Site Connectivity: Connect multiple networks securely as if they were on the same local network.

    Prerequisites

    Before we begin, make sure you have the following:

    • A running pfSense installation. If you don't have one, you'll need to install pfSense first. Ensure it has a public IP address on its WAN interface, or that the router in front of it forwards the OpenVPN port (UDP 1194 by default) to pfSense.
    • Basic networking knowledge.
    • A computer to act as the OpenVPN client.

    Step 1: Install the OpenVPN Client Export Package

    First, we need to install the OpenVPN Client Export package on your pfSense firewall. This package simplifies the process of creating and managing OpenVPN client configurations.

    1. Log in to your pfSense web interface.
    2. Navigate to System > Package Manager > Available Packages.
    3. Search for openvpn-client-export.
    4. Click the Install button next to the openvpn-client-export package.
    5. Confirm the installation.

    Step 2: Create a Certificate Authority (CA)

    Next, we need to create a Certificate Authority (CA). The CA signs the server and client certificates, and each side trusts a peer only if its certificate chains to this CA. The CA's private key is therefore the root of trust for the whole VPN: it stays on the firewall, it is never handed to clients (the client export package ships only the CA certificate), and anyone who obtains it can mint certificates for arbitrary clients or servers.

    1. Go to System > Cert. Manager.
    2. Click on the CAs tab.
    3. Click the Add button.
    4. Fill in the following information:
      • Descriptive name: Enter a name for your CA (e.g., MyOpenVPNCA).
      • Method: Select Create an internal Certificate Authority.
      • Lifetime (days): Enter the validity period for the CA certificate (e.g., 3650 for 10 years).
      • Country Code: Select your country.
      • State or Province: Enter your state or province.
      • City: Enter your city.
      • Organization: Enter your organization name (or your name if it's a personal setup).
      • Email Address: Enter your email address.
      • Common Name: Enter a common name for the CA (e.g., MyOpenVPNCA). This is only a label identifying the CA; it does not have to be a hostname.
    5. Click Save.

    Step 3: Create a Server Certificate

    Now that we have a CA, we need to create a server certificate. This certificate will be used by the OpenVPN server to identify itself to clients.

    1. Go to System > Cert. Manager.
    2. Click on the Certificates tab.
    3. Click the Add button.
    4. Fill in the following information:
      • Method: Select Create an internal Certificate.
      • Descriptive name: Enter a name for your server certificate (e.g., OpenVPNServerCert).
      • Certificate Authority: Select the CA you created in the previous step.
      • Lifetime (days): Enter the validity period for the certificate (e.g., 3650).
      • Certificate Type: Select Server Certificate. This sets the server extended key usage on the certificate, which is what lets exported clients verify that they are talking to the server (the `remote-cert-tls server` check) rather than to another client holding a certificate from the same CA.
      • Country Code: Select your country.
      • State or Province: Enter your state or province.
      • City: Enter your city.
      • Organization: Enter your organization name.
      • Email Address: Enter your email address.
      • Common Name: Enter the hostname or IP address that clients will use to connect to the VPN server (e.g., vpn.example.com or your public IP address).
    5. Click Save.

    Step 4: Configure the OpenVPN Server

    With the CA and server certificate in place, we can now configure the OpenVPN server itself. This involves setting up the server's listening interface, protocol, encryption settings, and more.

    1. Go to VPN > OpenVPN > Servers.
    2. Click the Add button.
    3. Configure the following settings:
      • Disable this server: Uncheck this box to enable the server.
      • Server mode: Select Remote Access (SSL/TLS).
      • Protocol: Choose between UDP and TCP. UDP is the right default: the traffic inside the tunnel handles its own retransmission, so the tunnel does not need to. Running OpenVPN over TCP stacks the tunnelled TCP sessions' retransmits on top of the tunnel's own and degrades badly on lossy links; use TCP only when a network in front of the client blocks UDP.
      • Device mode: Select tun.
      • Interface: Select the interface that has your public IP address (usually WAN).
      • Local port: The port that the OpenVPN server will listen on (default is 1194). pfSense does not open this port on its own when you configure the server by hand; a firewall rule on the WAN interface allowing the chosen protocol and port to the WAN address is required before clients can reach the server.
      • Description: Enter a description for the server (e.g., MyOpenVPNServer).
      • TLS Configuration section:
        • Use a TLS Key: Check this box and let pfSense generate the key. With TLS Key Usage Mode set to TLS Encryption and Authentication (tls-crypt), the server ignores handshake packets that are not signed with this shared key, so port scanners and unauthenticated peers cannot even start a TLS handshake. The client export package includes the key in the exported profiles.
        • Certificate Authority: Select the CA you created earlier.
        • Server Certificate: Select the server certificate you created.
      • Encryption Settings section:
        • Encryption algorithm: Choose AES-256-GCM (AES-128-GCM is also fine). AES-256-CBC is a legacy choice that needs a separate HMAC for integrity; the GCM modes are authenticated encryption. Newer pfSense releases present this as a list of Data Encryption Algorithms, and the GCM entries should be at the top of it.
        • Auth digest algorithm: Choose SHA256 or stronger. With a GCM cipher this digest is only used for the control channel and the TLS key, but SHA1 and MD5 should still be avoided.
      • Tunnel Settings section:
        • IPv4 Tunnel Network: Enter a private IP network for the VPN tunnel (e.g., 10.0.8.0/24). This network must not overlap with any other network in your infrastructure, and it should also avoid the ranges your remote clients are likely to be using at home or in hotels.
        • IPv4 Local Network(s): Enter the local networks that clients should be able to access through the VPN. These are the networks behind your pfSense firewall (e.g., 192.168.1.0/24). Be aware that 192.168.1.0/24 and 192.168.0.0/24 are the default ranges on most consumer routers; a client sitting on the same range as your LAN will route that traffic locally instead of through the tunnel, so a less common range on your LAN side saves headaches.
      • Client Settings section:
        • Concurrent connections: Set the maximum number of concurrent VPN connections.
      • Advanced Configuration section:
        • Custom options: Add any custom OpenVPN options you need. A common option is `push
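
    The security-relevant choices in Step 4 (UDP versus TCP, GCM versus CBC, the digest, a TLS key, and a tunnel network that does not collide with the local networks) are easy to get wrong in a web form. The script below is an added example, not code from the original post or from pfSense: it parses a plain-text OpenVPN server configuration, the same directives pfSense generates from the settings on this page, and reports the weak choices. Both configurations in it are constructed samples, and the tls-crypt key path is an assumption.

```python
"""Audit an OpenVPN server configuration for the pitfalls discussed in Step 4.

Added example, not from pfSense or the original post. pfSense writes the choices
from its OpenVPN server page into a plain openvpn config file; the two samples
below are constructed by hand to look like that output, not taken from a real
firewall.
"""
import ipaddress
import shlex

# Constructed sample: the weak choices (TCP, AES-256-CBC, SHA1, no TLS key,
# tunnel network identical to the pushed local network).
WEAK_CONFIG = """\
dev tun
proto tcp4
port 1194
server 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
cipher AES-256-CBC
auth SHA1
max-clients 10
"""

# Constructed sample: the same server with the hardened choices.
# The tls-crypt key path is an assumption for the example.
HARDENED_CONFIG = """\
dev tun
proto udp4
port 1194
server 10.0.8.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-crypt /var/etc/openvpn/server1/tls-crypt.key
tls-version-min 1.2
max-clients 10
"""

WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}


def parse_config(text):
    """Return a list of (directive, [args]) pairs; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "route a b" as one argument
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def to_network(addr, mask):
    """Build a network from OpenVPN's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit(text):
    """Return a sorted list of finding strings; an empty list means nothing flagged."""
    findings = []
    by_name = {}
    for name, args in parse_config(text):
        by_name.setdefault(name, []).append(args)

    # Transport: TCP stacks the tunnelled sessions' retransmits on the tunnel's own.
    for args in by_name.get("proto", []):
        if args and args[0].lower().startswith("tcp"):
            findings.append("proto: TCP transport, prefer UDP unless UDP is blocked")

    # Data channel: CBC is legacy, the GCM modes are authenticated encryption.
    for args in by_name.get("cipher", []):
        if args and args[0].upper().endswith("-CBC"):
            findings.append(f"cipher: legacy CBC mode {args[0]}, use AES-256-GCM")
    for args in by_name.get("data-ciphers", []):
        for name in (args[0].split(":") if args else []):
            if name.upper().endswith("-CBC"):
                findings.append(f"data-ciphers: legacy CBC mode {name}")

    # Control-channel HMAC: SHA1 and MD5 are weak choices.
    for args in by_name.get("auth", []):
        if args and args[0].upper() in WEAK_DIGESTS:
            findings.append(f"auth: weak digest {args[0]}, use SHA256 or better")

    # Without tls-crypt/tls-auth any host on the internet can start a TLS handshake.
    if "tls-crypt" not in by_name and "tls-auth" not in by_name:
        findings.append("tls: no tls-crypt/tls-auth key, handshakes are not gated")
    if "tls-version-min" not in by_name:
        findings.append("tls: tls-version-min not set, old TLS versions may be accepted")

    # The tunnel network must not overlap any network pushed to clients.
    tunnel = None
    for args in by_name.get("server", []):
        if len(args) >= 2:
            tunnel = to_network(args[0], args[1])
    if tunnel is not None:
        for args in by_name.get("push", []):
            opt = args[0].split() if args else []
            if len(opt) >= 3 and opt[0] == "route":
                local = to_network(opt[1], opt[2])
                if tunnel.overlaps(local):
                    findings.append(f"server: tunnel {tunnel} overlaps local {local}")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

    Run it against the server configuration pfSense writes for your instance to see which of the choices above still need attention; the hardened sample produces no findings, the weak one produces six.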