OpenVPN tutorial for simple setup?



  • I'm looking for a simple tutorial that will guide me in setting up OpenVPN for client access into my home.  While encryption is good, I don't need anything fancy in regards to distributing client certificates.  In fact, I'd prefer not to have any.  A simple Server cert would be fine so that it works similar to Cisco's AnyConnect client.  Ideally it would be easy enough to setup without a client export so that in a pinch, I could download the OpenVPN client anywhere, set it up and log into my home.

    I DO like the idea of using a browser recognizable cert through ACME/LetsEncrypt though.  Anything that makes the client setup as easy and smooth as possible.  I have a DNS name through DYNDNS.org.

    Do such instructions exist?


  • Netgate

    The guide exists that way for a reason - because it is reasonably secure.

    You would do better to figure out a way to always have the client export file on you in a secure manner.

    You really don't want to be setting up your OpenVPN connection willy-nilly on strange systems.

    No, you want to use your own CA, not something like Let's Encrypt.

    Just do this:

    https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server



  • None of the tutorials explain why there ends up being two OpenVPN tabs (interfaces?) on the firewall tab, nor that I have to add and enable the new OPT1 (OpenVPN) interface first…even though no traffic and no counters flow through it.

    So it seems either they are outdated, or incomplete.  Is there a better tutorial around for 2.40RC?


  • Rebel Alliance Global Moderator

    Not sure what your doing but sorry 2 openvpn tabs do not show up.. Setting up openvpn server takes all of 30 seconds… You click the wizard answer the bouncing ball and your done.. If your having some issues with with that simple wizard that my 80 year old grandma could follow then your going to have to give some insight to what your seeing if you want help..

    What tutorials are you following?  Some idiots blog post from version 1.2?

    Did you look at the link that Derelict provide.. What part of that documentation do you feel is wrong and be happy to update it.



  • Well, I had to add/assign the new OPT1 interface that popped up (which I renamed OVPN), enable it, add a "push route" option for my LAN under the custom options in OpenVPN and then it started working.  This was after the Wizard, and I had to source that info from a few different places.  If all you need to do is the Wizard, then it doesn't work in 2.41.  Although admittedly I do need to go back to 2.40RC and try again.







  • Netgate

    For normal access into a server you don't need assigned interfaces or anything like that. Not sure what you did.



  • OK that's what I thought.  I don't know how to fix it.  I'll just start over from scratch and re-do it all.



  • I installed 2.40 release from scratch, did the OpenVPN Wizard and the same thing happened.  How does this not happen to everyone??!

    There was an OPT1 interface created in the Wizard and I cannot route a client to the inside of my home without first activating this interface.  Doing so also provides me with an OpenVPN firewall interface (already there from the Wizard) as well as this OPT1 interface.

    Is this normal?  If so, it should be added to the documentation as an extra step.  If not, then what I am I doing differently?



  • Netgate

    Since you decided to obfuscate your interfaces it's pretty much impossible to see what you have there for OPT1. It looks completely unrelated to the OpenVPN server process though since it is sitting there unassigned.



  • Not OPT1, I apologize.  I meant that ovpns1 available network port that popped up.  That is not in any various guide.


  • Netgate

    It is going to be there after the OpenVPN server or client is created. It is always there. You have to assign an interface to do things like outbound NAT to an OpenVPN server.

    When running a server you don't have to assign it at all for basic functionality.

    The guides would all be 1000 pages if they covered all the things you don't need to do.



  • @Derelict:

    No, you want to use your own CA, not something like Let's Encrypt.

    https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

    Derelict,

    Why not use Let's Encrypt? I don't want to have to export the server certificate to those needing it in order to bypass the warning for invalid certificate.

    ~Doug


  • Netgate

    What warning?

    The client is told what CA to use in the export file.

    It's not like an SSL connection to a web site. It is a VPN.

    If you could use a public CA for your OpenVPN server, then ANY certificate issued by that public CA would pass. And you wouldn't be in control of revocations, etc.

    Export the configuration for the client. That's how it works.