connecting pfsense as a client to external openvpn server- instructions?
-
Hi
Are there step by step instructions for linking up pfsense as a client to an external openvpn server?
Here is my goal:
- I have pfsense as my router
- I have an openvpn server on linux set up in the cloud, and the normal mac and windows client software works with it without any issues.
- But instead of having each machine log into that cloud server for vpn, I would like my pfsense router to connect as an openvpn client to that cloud openvpn server. The intent would be to do the same as linking up pfsense to nordvpn, so that all traffic through pfsense goes through the openvpn server, i.e. that I don't have to sign on with openvpn clients on each individual computer but rather have all computers/devices behind the pfsense router enjoy vpn through pfsense. I used to have pfsense set up with nordvpn that way, so I suspect there is a way to achieve the same thing with my own openvpn server in the cloud.
Sorry if this has been asked before and there is a link somewhere on how to do this step by step, but google searches haven't come up with instructions similar to something like nordvpn level of detail for a private openvpn server in the cloud.
-
@lvsund It is not different than connecting to nord. So what is your exact problem? Also look in the logs on both sides to get a clue.
-
@bob-dig In setting up the openvpn client edit following the equivalent of the nordvpn instructions, I am getting
"The field 'TLS Key' does not appear to be valid"
I have extracted a client openvpn .ovpn file from my openvpn server to get CA, cert, and key information. From that .ovpn file it doesn't seem to accept the content of either the private key field or the tls-crypt-v2 client key as contents for the TLS key in the pfsense client setup.
I am of course assuming the .ovpn file from my openvpn server is the place to look for the above details to add to the pfsense openvpn client setup page.
Or maybe I'm not understanding where to get the info from.
Thanks :)
-
@lvsund
pfSense doesn't provide an option to import all the client settings, certificates and keys in a single step.
But certificates and keys can be imported via copy and paste.
On server and client go to System > Certificate Manager > CAs to import the CA.
On the server edit the respective CA. On the client click Add and select "import an existing CA" as method. Then copy the content of "Certificate data" from the server, state a proper name and save it.
Next go to the certificates tab and do the same with the client cert, but here also copy the "Private key data" to the client.
Then set up the client by using this CA and client cert.
The TLS key can be copied from the server in the same way as the certs. Check "Use a TLS Key" and remove the check from "Automatically generate a TLS Key" to get the key box. Then copy the TLS key from the server config into this field.
Set the other parameters according to the server settings or take them from the exported .ovpn file.
If you're using multiple OpenVPN instances on the client it might be useful to assign an interface to the client instance. But in normal circumstances this isn't necessary.
Last step is to add an Outbound NAT rule. Set the outbound into hybrid mode, save and add a rule:
interface: OpenVPN or this one you've manually assigned to the client
source: LAN net (or an alias for your internal networks or even any)
destination: any
translation: interface address
-
@viragomann said in connecting pfsense as a client to external openvpn server- instructions?:
pfSense doesn't provide an option to import all the client settings, certificates and keys in a single step.
I think it does now, at least on the plus-version with the openvpn-client-import package. But I ditched OpenVPN completely for WireGuard.
-
@viragomann Hi,
Thanks much -
that's pretty much what I did. I am taking the TLS key from the <tls-crypt-v2> section, i.e. everything in between that header and footer, straight copy and paste (including the -----BEGIN OpenVPN tls-crypt-v2 client key----- and -----END OpenVPN tls-crypt-v2 client key-----), and it still comes up with the "The field 'TLS Key' does not appear to be valid" message, and therefore prevents saving the client setup info.
-
@bob-dig might try wireguard for same scenario if openvpn approach not able to work
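
An added example, not part of the thread and not pfSense or OpenVPN project code: a small Python parser that splits an exported .ovpn profile into its directives and inline blocks and reports the label on each block's BEGIN line, so it is clear which kind of material (a certificate, a private key, an OpenVPN Static key V1, a tls-crypt-v2 client key) is about to be pasted into a given field. The profile in SAMPLE is constructed with the key material left out, and the function names are illustrative.

```python
import re

SAMPLE = """\
# constructed example profile, key material omitted
client
remote vpn.example.net 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
"""

def split_ovpn(text):
    """Split a profile into (directives, {tag: inline block body})."""
    directives, blocks, tag, buf = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        opened = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if tag is None and opened:
            tag, buf = opened[1], []          # start of an inline block
        elif tag is None:
            if line and not line.startswith(("#", ";")):
                directives.append(line.split())
        elif line == f"</{tag}>":
            blocks[tag], tag = "\n".join(buf), None   # block closed
        else:
            buf.append(line)
    if tag is not None:
        raise ValueError(f"unterminated <{tag}> block")
    return directives, blocks

def block_kinds(text):
    """Label each inline block by the text on its BEGIN line."""
    kinds = {}
    for tag, body in split_ovpn(text)[1].items():
        found = re.search(r"-----BEGIN (.+?)-----", body)
        kinds[tag] = found[1] if found else None
    return kinds

if __name__ == "__main__":
    for tag, kind in block_kinds(SAMPLE).items():
        print(f"<{tag}>: {kind}")
```
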