OpenVPN for Remote User : A How to



  • would like to give a How to Create a remote user VPN Tunnel on Pfsense 2.0 Beta

    1. Install pfsense2.0 Beta.I think getting into the detail is out of the scope of this tutorial

    2. First lets generate certificates.
    Section (A)
    Go to
    System-> Cert Manager ->on ca Tab  Click add

    Descriptive Name  ca
            Method =  Create an internal Certificate Authority
            Key Length = 2048 bits
    lifetime = 3650 days
    Distinguished Name 
    Country Code  US
    State or province Austin
    City Texas
    Organisation My Company
    email Address admin@mycompany.com
    common name internal-ca
    Click Save
    You can see a down arrow on the right side. click it and download the certificate

    Section (B)
    Now move to Certificate tab

    Descriptive name server
    Method Create an internal certificate
    Certificate authority select ca (which we created in step 2 Section (A))
    keylength 2048 bits
    lifetime 3650 Days
    Distinguished name
    Country Code  US
    State or province Austin
    City Texas
    Organisation My Company
    email Address admin@mycompany.com
    common name internal-ca (or whatever)

    Click Save
    You can see two down arrows one is the certificate and other is the key. download them both.

    3. Now lets create a VPN tunnel.
    On the VPN tab select OpenVPN.Click add botton on the right hand side.

    Server Mode Remote Access SSL/TSL
    Protocol UDP
    Interface WAN
    Local Port 1194 (THis is a default port for OpenVPN)
    Description Whatever u want

    TLS Authentication remove the check box
    Peer Certification authority ca(this is the same we created in step2 section (A))
    Server Certificate Server(Which we created in Step2 Section (B))
    DH Parameters 1024 Bits
    Enryption Algorithm BF-CBC (128 Bits) (Choosing this does not require it to mention in ovpn config file we create later on client)
    Tunnel Network 10.0.8.0/24 (These ip adddresses will be given to client connection this tunnel)
    Local Network the one you are using on LAN.
    Compression  Check ON Compress tunnelpackets using LZO algorithm
    Address Pool check on Provide a virtual adapter IP address to clients
    Rest unchecked

    click Save
    4. Now we need to add a rule on the WAN interface. So go to
    Firewall-> Rules->WAN tab
    Click the add button on the righthand side.
    Action Pass
    Interface WAN
    Protocol UDP
    Source any
    Destination any
    Destination Port Range Select From OpenVPN to OpenVPN(if you are using any other port than 1194 mention here)
    Description whatever you like

    Click Save
    5. Now we need to add a rule on the LAN interface. So go to
    Firewall-> Rules-> Lan tab
    Click the add button on the righthand side.
    Action Pass
    Interface LAN
    Protocol any
    Source any
    Destination any
    Destination Port Range
    Description whatever you like

    Click save
    Our Server is up now and ready to accept connections

    6. We are on the remote client machine now
    Download OpenVPN CLient(for windows ) from here http://openvpn.net/release/openvpn-2.1.1-install.exe
    Install it whatever default option

    Now Go to C:\Program Files\OpenVPN\config\

    Paste here all the certifcates and keys  we created in step 2 i.e. (ca.cert, server.cert, server.key)

    Now, (We are still in C:\Program Files\OpenVPN\config)

    create a file server.ovpn
    Open it in Notepad
    Paste the following from #### to ##### into it

    client
    dev tun
    proto udp
    remote x.x.x.x 1194  #(Where X.x.x.x is the public we configured on the WAN interface of Pfsense2.0)
    ping 10
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert server.crt
    key server.key
    comp-lzo
    pull
    verb 3

    7. Right Click the file Select Start OpenVPN on this config file.

    Now you should be able to connect to your Clients behind pfsense from anywhere in the world.(If you have an internet connection available)

    8. In case if you would like to add more users to connect to this tunnel.

    In Pfsense.Go to System->User Manager->Click on Add Button (remember we have logged in an admin right now)
    On User Tab

    Username rakesh(whatever you like)
    password whatever
    full name rakesh veduvar
    expiration date leave it blank
    group membership select admin move it to the right
    click save

    Again edit the same user settings, you will find two new options effective priviledges and User Certificates
    (Effective priviledges is used to restrict particular user to see or edit everything on pfsense)

    In User Certificates Click Add on the right hand side

    Descriptive Name rakesh
    Certificate Authority ca (The same we have created in Step 2)
    keylength 2048 Bits
    Lifetime 3650 Days

    Click Save
    Scroll Down to User Certificates. download the certificate and key.
    LOg out

    On donalf system install the same OpenVPN Client
    repeat the same steps
    but thsi time copy ca.crt, rakesh.cert, rakesh.key to C:\Program Files\OpenVPN\config
    Right Click the file Select Start OpenVPN on this config file.

    You are on.

    IN the same manner you came have many more remote user connecting to network behind pfsense.

    I think this will come handy to users new to OpenVPmN and PFsense. and Also those who has shifted from previous versions to Pfsense 2.0 beta

    Enjoy

    I am using pfsense is India from quite sometime now. I am big fan of it for all it is giving us for free.What I could do in return is help users by doing

    this.

    THanks PFsense Love you .



  • Thanks, I made this a sticky for the time being (though in the near future this is going to be streamlined, which is why I haven't put up a howto yet, it's going to change).

    You can skip the download, create config, etc. steps by installing the OpenVPN Client Export package, which adds an export tab to VPN > OpenVPN screen where you can download an installer with the config and certs built-in.



  • It was just because I was finding it difficult and then you need to add some lines in the advance section.
    I just tried to kept it as simple as possible.



  • Thanks for writing this Rudraansh! I was having difficulty figuring out what the steps were. Until the process has changed, I'll try this for now.



  • This didn't work for me as I was having many TLS authentication issues until I added a user in the System:User Manager on an embedded snapshot of the 2.0 beta. Then my OpenVPN: Client Export Utility became populated with the user I added and I was able to very easily export a Viscosity bundle that was plug-n-play.

    Very nicely done, it's getting a lot easier than it used to be!

    Much of what is mentioned here is not necessary as the OpenVPN:Wizard gets much of it accomplished.

    Separately, I am finding that the "Provide a virtual adapter IP address to clients" checkbox does not stay checked through a save on the OpenVPN:Server edit page.



  • @arriflex:

    Much of what is mentioned here is not necessary as the OpenVPN:Wizard gets much of it accomplished.

    Yeah this was written before that wizard existed.


Log in to reply