Netgate Discussion Forum

    Migrating OpenVPN from DD-WRT to PFSense

      Guest

      I am configuring a newly built PFSense router, having migrated from DD-WRT. Now, it's time to figure out OpenVPN.

      On DD-WRT I had a connection that worked reliably and perfectly. It was tun on port 443 tcp. DNS was overridden. The purpose was to be able to travel and use my home router as a pass-through to surf safely on public wifi. It was tested and worked perfectly, but needed iptables to function properly.

      On PFSense, things look both similar and different. My questions:

      1. It looks like certificate management is different. Should I just import my existing files into pfsense? If so, the entire file or just the parts between beginning … end? Do all certificates migrate or must some be generated new?
      2. Are iptables entries needed to successfully use the home network as a pass through?
      3. Would it be easier to just build a new config and use the openvpn download package to migrate the config?
      4. For others who have done this migration, is there a procedure written somewhere?

      Thanks much. Hope to pay it back later with advice for other newbies when I get more experience.

        divsys

        1. It looks like certificate management is different. Should I just import my existing files into pfsense? If so, the entire file or just the parts between beginning … end? Do all certificates migrate or must some be generated new?
        2. Are iptables entries needed to successfully use the home network as a pass through?
        3. Would it be easier to just build a new config and use the openvpn download package to migrate the config?

        IMHO #3 is the easiest to answer: Yes - and forget the migration, just build it  ;)

        What you've learned from dd-wrt (an excellent package BTW) will serve you well in setting this up under pfSense.
        pfSense will give you far better tools for managing the job.

        Iptable entries are handled automatically under Firewall->Rules and the OpenVPN tab.
        Certificates (you don't mention how many and what type(s) of clients you have) are handled very easily under Certificate Management.
        Create a new "Certificate of Authority" for yourself and the individual certificates for the OpenVPN server and each client.
        It sounds daunting (especially knowing what you had to do under dd-wrt) but try it in pfSense - it's a breeze.

        Add the "OpenVPN Client Export Utility" package and it's a snap to load the relevant client info.

        My advice is to try the OpenVPN install yourself (the "?" in the upper right of the OpenVPN page is useful) and let us know where you get stuck - we'll help.

        Welcome to pfSense  :)

        -jfp

          Guest

          Got it. Much easier than DD-WRT. Wizards did all the work. Even accounting for learning the PFSense way of doing it, the entire config took a little over an hour, and would take about 5 minutes to do it again.

          I had a little issue with the certificate manager, as I am used to making my own certs with openssl. I had a hard time accepting it was so easy in PFSense. Then my AV wouldn't run the installer version of the download config. The inline .ovpn wouldn't run but the un-zipped files moved into OpenVpn/config worked great. The latter config is like my DD-WRT config. I even have user/password protection now. I didn't before.

            divsys

            I had a little issue with the certificate manager, as I am used to making my own certs with openssl. I had a hard time accepting it was so easy in PFSense.

            I know what you mean about wondering why it's so easy?
            I started a ways back with an alternate firewall install - IPCop.
            It was good in its day and I managed to get it working with a number of OpenVPN installs, but the certificate side had to be done "by hand" with openssl and it was a royal pain.
            I moved to pfSense (ver 1.2.x) and haven't looked back, especially with Certificate Manager in Ver 2.

            The only issue I've run into with the client export is some android browsers don't want to allow an import from the WebGUI.  I usually can get Firefox to work in the end.  It's a once off problem since the client works fine once I get the import to work.

            One small side note with certificates you may or may not be aware of.
            Recent best practices suggest you use a key length of no less than 2048 for their creation.
            I've been using 2K keys since I started all those years ago, but it may be time to move up to 4K.

            Good to hear you've moved to the light side w/pfSense  ;)
            Dd-wrt is still a good package and I use it as an OpenVPN client for a number of tiny install sites that I need connectivity to maintain, but nothing beats a proper pfSense router (IMHO).

            -jfp
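
A check one could run on existing certificate files before deciding whether to import them or create new ones, given the 2048-bit key length advice above. This is an added example, not part of the thread: the function names and the throwaway sample certificates are constructed for illustration, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: flag certificates whose RSA key is shorter than 2048 bits.
MIN_BITS=2048   # threshold quoted in the post above

# Print the public key algorithm named in a PEM certificate (empty if unreadable).
cert_algo() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

# Print the public key size in bits of a PEM certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Classify one file: OK, WEAK, NON-RSA (threshold does not apply) or UNREADABLE.
check_cert() {
    algo=$(cert_algo "$1")
    bits=$(cert_bits "$1")
    case "$algo" in
        "")   echo UNREADABLE ;;
        rsa*) if [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]; then
                  echo OK
              else
                  echo WEAK
              fi ;;
        *)    echo NON-RSA ;;   # e.g. EC keys are sized on a different scale
    esac
}

# Constructed sample input: a throwaway self-signed certificate.
make_sample_cert() {   # usage: make_sample_cert BITS OUTFILE
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=sample-$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Report every *.crt file in a directory.
audit_dir() {
    for f in "$1"/*.crt; do
        [ -e "$f" ] || continue
        printf '%s: %s bits, %s\n' "$(basename "$f")" "$(cert_bits "$f")" "$(check_cert "$f")"
    done
}

tmp=$(mktemp -d)
make_sample_cert 1024 "$tmp/old-client.crt"
make_sample_cert 2048 "$tmp/new-client.crt"
audit_dir "$tmp"
rm -rf "$tmp"
```

Pointing `audit_dir` at a directory of exported `.crt` files gives one line per certificate.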

              Guest

              @divsys:

              I had a little issue with the certificate manager, as I am used to making my own certs with openssl. I had a hard time accepting it was so easy in PFSense.

              I know what you mean about wondering why it's so easy?
              I started a ways back with an alternate firewall install - IPCop.
              It was good in its day and I managed to get it working with a number of OpenVPN installs, but the certificate side had to be done "by hand" with openssl and it was a royal pain.
              I moved to pfSense (ver 1.2.x) and haven't looked back, especially with Certificate Manager in Ver 2.

              It was really slick with PfSense / OpenVPN.

              It was a major project to figure out DD-WRT. Then I had to go back and research iptables to get the pass through right. Then securing a DNS server in addl config. Altogether, there was over a week's work in it. The connection was reliable, but on a Netgear router.

              The PFSense wizard just rocked. The PFSense router could handle multiple connections if needed, easily.

                divsys

                The PFSense wizard just rocked. The PFSense router could handle multiple connections if needed, easily.

                Definitely, I run many routers with 3-6 Server/Client connections each (Site2Site and RoadWarrior).
                My main router is currently hosting 6 Servers and 35+ client connections.

                The hardware is only a 64bit AMD Athlon dual core 4800 w/ 3GB RAM
                It typically runs at ~ 15% RAM and 12% CPU.

                Not much bandwidth requirement 50/5, but still a very capable setup.

                -jfp
