Netgate Discussion Forum

connecting pfsense as a client to external openvpn server- instructions?

    lvsund
    last edited by Nov 17, 2022, 6:41 PM

    Hi

    Are there step by step instructions for linking up pfsense as a client to an external openvpn server?

    Here is my goal:

    - I have pfsense as my router
    - I have openvpn server on linux set up in the cloud and the normal mac and windows client software work with it without any issues.
    - But instead of having each machine log into that cloud server for vpn, I would like my pfsense router to connect as an openvpn client to that cloud openvpn server. The intent would be to do the same as linking up pfsense to nordvpn, so that all traffic through pfsense goes through the openvpn server, i.e. that I don't have to sign on with openvpn clients on each individual computer but rather have all computers/devices behind the pfsense router enjoy vpn through pfsense.

    I used to have pfsense set up with nordvpn that way, so I suspect there is a way to achieve the same thing with my own openvpn server in the cloud.

    Sorry if this has been asked before and there is a link somewhere on how to do this step by step, but google searches haven't come up with instructions similar to something like nordvpn level of detail for a private openvpn server in the cloud.

      Bob.Dig LAYER 8 @lvsund
      last edited by Nov 17, 2022, 6:46 PM

      @lvsund It is not different than connecting to nord. So what is your exact problem? Also look in the logs on both sides to get a clue.

        lvsund @Bob.Dig
        last edited by Nov 19, 2022, 11:40 PM

        @bob-dig In setting up the openvpn client edit following the equivalent of the nordvpn instructions, I am getting
        The field 'TLS Key' does not appear to be valid

        I have extracted a client openvpn .ovpn file from my openvpn server to get CA, cert, and key information. From that ovpn file it doesn't seem to accept the content of either the private key field or the
        tls-crypt-v2 client key

        as contents for the tls key in the pfsense client setup.

        I am of course assuming the ovpn file from my openvpn server is the place to look for the above details to add to the pfsense openvpn client setup page.

        Or maybe I'm not understanding where to get the info from.
        Thanks :)

          viragomann @lvsund
          last edited by Nov 20, 2022, 10:02 AM

          @lvsund
          pfSense doesn't provide an option to import all the client settings, certificates and keys in a single step.
          But certificates and keys can be imported via copy and paste.

          On server and client go to System > Certificate Manager > CAs to import the CA.
          On the server edit the respective CA. On the client click Add and select "import an existing CA" as method. Then copy the content of "Certificate data" from the server, state a proper name and save it.

          Next go to the certificates tab and do the same with the client cert, but here also copy the "Private key data" to the client.

          Then set up the client by using this CA and client cert.
          The TLS key can be copied from the server in the same way as the certs. Check "Use a TLS Key" and remove the check from "Automatically generate a TLS Key" to get the key box. Then copy the TLS key from the server config into this field.

          Set the other parameters according to the server settings or take them from the exported .ovpn file.

          If you're using multiple OpenVPN instances on the client it might be useful to assign an interface to the client instance. But in normal circumstances this isn't necessary.

          Last step is to add an Outbound NAT rule. Set the outbound into hybrid mode, save and add a rule:
          interface: OpenVPN or the one you've manually assigned to the client
          source: LAN net (or an alias for your internal networks or even any)
          destination: any
          translation: interface address

            Bob.Dig LAYER 8 @viragomann
            last edited by Bob.Dig Nov 20, 2022, 11:07 AM Nov 20, 2022, 11:06 AM

            @viragomann said in connecting pfsense as a client to external openvpn server- instructions?:

            pfSense doesn't provide an option to import all the client settings, certificates and keys in a single step.

            I think it does now, at least on the plus-version with the openvpn-client-import package. But I ditched OpenVPN completely for WireGuard.

              lvsund @viragomann
              last edited by Nov 20, 2022, 11:42 PM

              @viragomann Hi,

              Thanks much,
              that's pretty much what I did. I am taking the TLS key from the
              <tls-crypt-v2> section, i.e. everything in between that header and footer, straight copy and paste (including the -----BEGIN OpenVPN tls-crypt-v2 client key----- and -----END OpenVPN tls-crypt-v2 client key-----) and it still comes up with the "The field 'TLS Key' does not appear to be valid" message.

              and therefore prevents saving the client setup info

              1 Reply Last reply Reply Quote 0
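Added example (not part of the original posts, and not pfSense or OpenVPN project code): a small Python helper that splits an exported .ovpn profile into the inline blocks the posts above copy into the CA, certificate, private key and TLS key fields, and reports which TLS key type the profile carries. The profile, host name and key bodies are constructed placeholders; the helper only surfaces that a `tls-crypt-v2` client key is a different format from the "OpenVPN Static key V1" key used by `tls-auth` and `tls-crypt`, which is worth knowing before pasting it into a field.

```python
import re

# Constructed sample profile: host name and key bodies are placeholders.
SAMPLE_OVPN = """client
dev tun
remote vpn.example.com 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0E=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0VSVA==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZ
-----END PRIVATE KEY-----
</key>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
Q09OU1RSVUNURUQgVjI=
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
"""

INLINE = re.compile(r"^<([a-z0-9-]+)>[ \t]*\n(.*?)\n</\1>[ \t]*$", re.M | re.S)
V1 = "-----BEGIN OpenVPN Static key V1-----"  # header of tls-auth/tls-crypt keys
HEADERS = {"tls-auth": V1, "tls-crypt": V1,
           "tls-crypt-v2": "-----BEGIN OpenVPN tls-crypt-v2 client key-----"}

def split_profile(text):
    """Return ({tag: inline block body}, [plain directive lines])."""
    blocks = {m.group(1): m.group(2).strip() for m in INLINE.finditer(text)}
    rest = [ln.strip() for ln in INLINE.sub("", text).splitlines() if ln.strip()]
    return blocks, rest

def tls_key_kind(blocks):
    """Return (tag, header_matches_tag) for the TLS key block, or (None, False)."""
    for tag, header in HEADERS.items():
        if tag in blocks:
            return tag, header in blocks[tag]
    return None, False

if __name__ == "__main__":
    blocks, directives = split_profile(SAMPLE_OVPN)
    print(directives, sorted(blocks), tls_key_kind(blocks))
```
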
                lvsund @Bob.Dig
                last edited by Nov 20, 2022, 11:58 PM

                @bob-dig might try wireguard for same scenario if openvpn approach not able to work

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.