Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Pfsense OpenVPN Road Warrior Setup Via HTTPS

    Scheduled Pinned Locked Moved OpenVPN
    1 Posts 1 Posters 4.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      computerkiller
      last edited by

      I made this Post to help people with OpenVPN road Warrior setup that were not working and to help people with the previous post that were left unanswered
      This a guide I modified with fixes for the issue I had which was routing all network Traffic Via the VPN I wanted everything to go thru the VPN for security purposes. Also I modified the guide to make this work Via HTTPS because most hotspots and schools now block VPN ports this will fully bypass there block.

      For Pfsense Version 1.2.3-RELEASE

      Setting Up An OpenVPN Client On Windows XP/Vista/Win7

      This Guide is on, how to connect a PC on the internet, to LAN behind a pfSense firewall using OpenVPN to work over HTTPS because most remote sites now block standard VPN ports(This is also known as a Road-Warrior setup). Also this will make your client fully route thru the VPN meaning you can get thru block site or hide network traffic from being seen  on unsecured public networks. Windows Vista/Windows 7 requires administrative priviledges to run and properly configure OpenVPN.

      1. Download and install the most recent software from OpenVPN Downloads. If you plan to connect from a PC with Windows Vista or 7 you should get version 2.2 or newer. Windows XP works well with 2.1 as well. Use the default options when installing.

      2. Start a command prompt with administrator-rights!
      This is done in Vista by clicking on START and then type CMD -> CMD.EXE should appear, and you RIGHT-Click on it and select ‘Run as Administrator’.
      If your account has administrative-rights, XP’s command prompt automatically runs with them.

      3. Change directory to c:\programfiles\openvpn\easy-rsa

      4. Run the “init-config.bat” file

      5. Edit ‘vars.bat’ file. ‘Worpad’ is suggested but Notepad will be fine. For Vista, you need to start Wordpad/Notepad with administrative-rights. (Click on START and then type CMD -> CMD.EXE should appear, and you RIGHT-Click on it and select ‘Run as Administrator’.) The following things need to be edited:
      "set KEY_COUNTRY=US"
      Your 2 Letter country ID Goes Here

      "set KEY_PROVINCE=NA"
      2 Letters Province ID - Or use NA as in 'Not Applicable'

      "set KEY_CITY=Copenhagen"
      Name of Your City

      "set KEY_ORG=pfSense"
      Name of your company

      "set KEY_EMAIL=youremail@address.com"
      Put a email-address here. Dont use your private address. since this is the common address for the Certificate Authority
      Save the file

      6. Run “vars.bat”

      7. Run “clean-all.bat”

      8. Run “build-ca.bat”. Then you are prompted for some different things; Leave them at default, except “Common Name” – put something like “pfSense-CA”

      9. Run “build-key-server.bat server”. Again you are prompted; leave them on default except “Common Name” – use “server”

      10. Run build-dh.bat
      Now its time to generate keys and certificates for the client(s)

      11. Run “build-key.bat ovpn_client1″. Again you are prompted; leave them on default except “Common Name” – here you should put in “ovpn_client1″ (or whatever you have called it). The ovpn_client1 will be the name of the keys, certificate and the name you identify the connection on later. You can use whatever name you like, and generate as many as you want (with different names).

      12. The following files should now be copied from c:\programfiles\openvpn\easy-rsa\keys to c:\programfiles\openvpn\config
      ca.crt
      ovpn_client1.key
      ovpn_client1.crt (if you don’t see a .crt file but only a .csr file, chances are that you don’t have admin privileges. Worst case generate the keys and certificates on a NON-Vista machine)

      13. Make a file in the “C:\programfiles\openvpn\config” called “ovpn_client1.ovpn” and the file should contain (leave out the hashes):
      client
      dev tun
      persist-tun
      persist-key
      proto tcp
      cipher AES-128-CBC
      remote xxx.xxx.xxx.xxx 443
      ping 10
      resolv-retry infinite
      nobind persist-key NOT persist-tun
      ca C:\keys\ca.crt
      cert C:\keys\client1.crt
      key C:\keys\client1.key
      ns-cert-type servercomp-lzo
      Replace the XXX’s in the “remote” line with the public IP address of your pfSense-box. If you don’t know what that is, check ithere. If you have chosen another name than ‘ovpn_client1′ then change it in the lines beginning with ‘cert’ and ‘key’ If you have more than one VPN client, you make one .ovpn-file per client (with the corresponding .key and .crt name) Also make sure you put your keys in the right directory in the client or the config file will not find them these keys are in C:\keys\ as shown in the example above
      Now its time to configure pfSense

      14. Log into the web-gui of pfSense

      15. Select VPN/OpenVPN and add an entry in the ‘server’ page. Use the following settings:
      Protocol: TCP
      Local port: 443
      Address pool: 192.168.200.0/24 (It should be an address range that you ''DONT'' currently use.)
      Local Network: 192.168.1.0/24 (Whatever the network is that you want the VPN client to connect to)
      Remote Network: blank
      Cryptography: AES-128 (128 bit) - or use what you want
      Authentication Method: PKI

      16. Now you need to have access to some of the files created in c:\programfiles\openvpn\easy-rsa\keys (mentioned in 12.)
      Copy the WHOLE content of ca.crt into the “CA certificate” window
      Copy the WHOLE content of server.crt into the “Server Certificate” window
      Copy the WHOLE content of server.key into the “Server Key” window
      Copy the WHOLE content of dh1024.pem into the “DH parameters” window

      17. DHCP-Opt.: WINS-Server: Put your DNS server Ip address

      18. Tick DHCP-Opt: Disable NetBIOS (I dont use it anyway)

      19. Tick LZO Compression

      20. In Custom Options  add the following with quotes. Also type your router ip address in the X’s if you want to use your router to be the DNS server if you have your own DNS server type the ip where the X’s are.
      push “redirect-gateway def1″;push “dhcp-option DNS xxx.xxx.xxx.xxx”;verb 1;mute-replay-warnings
      Now we need a few simple rules in the firewall

      21. On the WAN interface you should make a rule that;
      PASS
      WAN
      Protocol: TCP
      source: any
      OS type: any
      Destination: any
      Destination port range from: HTTPS
      Destination port range to: HTTPS
      Tick in the LOG
      Leave the rest at default.
      Remember to apply the new rules.

      22. Add another rule on the LAN interface (or whatever the name of the net defined in 15. ‘address pool’ is);
      PASS
      Any protocol
      Source: LAN (or whatever the name of the net defined in 15. 'address pool' is)
      Any destination
      Remember to apply the new rules.
      Now you should be able to connect from OpenVPN (right click on the icon in the try and select Connect). But remember to start OpenVPN with ADMIN RIGHTS!

      This Guide was original from http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN I have modified it with some more up to date knowledge.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.