    OpenVPN for Remote User : A How to

      rudraansh

      I would like to give a how-to on creating a remote user VPN tunnel on pfSense 2.0 Beta.

      1. Install pfSense 2.0 Beta. I think getting into the details is out of the scope of this tutorial.

      2. First let's generate certificates.
      Section (A)
      Go to
      System -> Cert Manager -> on the CA tab click Add

      Descriptive Name  ca
      Method = Create an internal Certificate Authority
      Key Length = 2048 bits
      Lifetime = 3650 days
      Distinguished Name 
      Country Code  US
      State or province Austin
      City Texas
      Organisation My Company
      email Address admin@mycompany.com
      common name internal-ca
      Click Save
      You can see a down arrow on the right side. Click it and download the certificate.

      Section (B)
      Now move to the Certificate tab

      Descriptive name server
      Method Create an internal certificate
      Certificate authority: select ca (which we created in step 2 Section (A))
      keylength 2048 bits
      lifetime 3650 Days
      Distinguished name
      Country Code  US
      State or province Austin
      City Texas
      Organisation My Company
      email Address admin@mycompany.com
      common name internal-ca (or whatever)

      Click Save
      You can see two down arrows; one is the certificate and the other is the key. Download them both.

      3. Now let's create a VPN tunnel.
      On the VPN tab select OpenVPN. Click the Add button on the right-hand side.

      Server Mode Remote Access SSL/TLS
      Protocol UDP
      Interface WAN
      Local Port 1194 (This is the default port for OpenVPN)
      Description Whatever you want

      TLS Authentication: uncheck the box
      Peer Certificate Authority ca (this is the same one we created in step 2 section (A))
      Server Certificate server (which we created in step 2 section (B))
      DH Parameters 1024 bits
      Encryption Algorithm BF-CBC (128 bits) (Choosing this means it does not need to be mentioned in the .ovpn config file we create later on the client)
      Tunnel Network 10.0.8.0/24 (These IP addresses will be given to clients connecting to this tunnel)
      Local Network the one you are using on LAN.
      Compression: check on Compress tunnel packets using LZO algorithm
      Address Pool: check on Provide a virtual adapter IP address to clients
      Rest unchecked

      Click Save
      4. Now we need to add a rule on the WAN interface. So go to
      Firewall -> Rules -> WAN tab
      Click the Add button on the right-hand side.
      Action Pass
      Interface WAN
      Protocol UDP
      Source any
      Destination any
      Destination Port Range: select from OpenVPN to OpenVPN (if you are using any port other than 1194, mention it here)
      Description whatever you like

      Click Save
      5. Now we need to add a rule on the LAN interface. So go to
      Firewall -> Rules -> LAN tab
      Click the Add button on the right-hand side.
      Action Pass
      Interface LAN
      Protocol any
      Source any
      Destination any
      Destination Port Range
      Description whatever you like

      Click Save
      Our server is up now and ready to accept connections.

      6. We are on the remote client machine now.
      Download the OpenVPN client (for Windows) from here http://openvpn.net/release/openvpn-2.1.1-install.exe
      Install it with the default options.

      Now Go to C:\Program Files\OpenVPN\config\

      Paste here all the certificates and keys we created in step 2, i.e. (ca.cert, server.cert, server.key)

      Now, (We are still in C:\Program Files\OpenVPN\config)

      Create a file server.ovpn
      Open it in Notepad
      Paste the following from #### to ##### into it

      client
      dev tun
      proto udp
      remote x.x.x.x 1194  # (where x.x.x.x is the public IP we configured on the WAN interface of pfSense 2.0)
      ping 10
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca ca.crt
      cert server.crt
      key server.key
      comp-lzo
      pull
      verb 3

      7. Right-click the file and select Start OpenVPN on this config file.

      Now you should be able to connect to your clients behind pfSense from anywhere in the world (if you have an internet connection available).

      8. In case you would like to add more users to connect to this tunnel:

      In pfSense, go to System -> User Manager -> click on the Add button (remember we are logged in as admin right now)
      On User Tab

      Username rakesh (whatever you like)
      Password whatever
      Full name rakesh veduvar
      Expiration date leave it blank
      Group membership select admin and move it to the right
      Click Save

      Again edit the same user's settings; you will find two new options, Effective Privileges and User Certificates.
      (Effective Privileges is used to restrict whether a particular user can see or edit everything on pfSense.)

      In User Certificates Click Add on the right hand side

      Descriptive Name rakesh
      Certificate Authority ca (The same we have created in Step 2)
      keylength 2048 Bits
      Lifetime 3650 Days

      Click Save
      Scroll down to User Certificates. Download the certificate and key.
      Log out

      On donalf system install the same OpenVPN client
      and repeat the same steps,
      but this time copy ca.crt, rakesh.cert, rakesh.key to C:\Program Files\OpenVPN\config
      Right-click the file and select Start OpenVPN on this config file.

      You are on.

      In the same manner you can have many more remote users connecting to the network behind pfSense.

      I think this will come in handy for users new to OpenVPN and pfSense, and also for those who have shifted from previous versions to pfSense 2.0 beta.

      Enjoy

      I have been using pfSense in India for quite some time now. I am a big fan of it for all it is giving us for free. What I could do in return is help users by doing this.

      Thanks pfSense, love you.

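As an added example (not from the post, pfSense or OpenVPN), here is a small Python linter for a client .ovpn profile like the one in the how-to above: it parses the directives and flags the settings a defender would want to revisit before rolling the profile out (LZO compression, the BF-CBC default cipher, no tls-auth, no remote-cert-tls). The sample profile, the 203.0.113.10 address and the ta.key filename are constructed for the example.

```python
import re

REQUIRED = ("client", "dev", "proto", "remote", "ca", "cert", "key")

# Constructed sample mirroring the post's client profile; 203.0.113.10 is a documentation address
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 203.0.113.10 1194  # public address of the pfSense WAN interface
ca ca.crt
cert server.crt
key server.key
comp-lzo
pull
verb 3
"""

def parse_ovpn(text):
    """Return [(directive, [args])]; '#' or ';' starts a comment at line start or after whitespace."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)[#;].*$", "", raw).strip()
        if line:
            tok = line.split()
            entries.append((tok[0], tok[1:]))
    return entries

def lint_ovpn(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_ovpn(text)
    seen = {d for d, _ in entries}
    findings = [f"missing required directive: {d}" for d in REQUIRED if d not in seen]
    for d, args in entries:
        if d == "remote" and (len(args) < 2 or not args[1].isdigit() or not 0 < int(args[1]) < 65536):
            findings.append("remote: needs a host and a valid port number")
        if d == "comp-lzo":
            findings.append("comp-lzo: compression exposes plaintext to size-oracle attacks (VORACLE); remove it")
    cipher = next((a[0].upper() for d, a in entries if d == "cipher" and a), "BF-CBC")
    if cipher == "BF-CBC":  # BF-CBC is also OpenVPN 2.1's default when no cipher line is given
        findings.append("cipher BF-CBC: 64-bit block cipher (SWEET32); set an AES-GCM cipher explicitly")
    if not seen & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel accepts packets from anyone")
    if "remote-cert-tls" not in seen:
        findings.append("no 'remote-cert-tls server': any certificate from the CA could pose as the server")
    return findings

# The same profile with the weak settings corrected (ta.key is an assumed shared-secret file)
HARDENED_OVPN = SAMPLE_OVPN.replace("comp-lzo\n", "") + (
    "cipher AES-256-GCM\ntls-auth ta.key 1\nremote-cert-tls server\n")
```

Running lint_ovpn(SAMPLE_OVPN) returns four findings for the post's profile, while lint_ovpn(HARDENED_OVPN) returns an empty list.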
        cmb

        Thanks, I made this a sticky for the time being (though in the near future this is going to be streamlined, which is why I haven't put up a howto yet, it's going to change).

        You can skip the download, create config, etc. steps by installing the OpenVPN Client Export package, which adds an export tab to VPN > OpenVPN screen where you can download an installer with the config and certs built-in.

          rudraansh

          It was just because I was finding it difficult, and then you need to add some lines in the advanced section.
          I just tried to keep it as simple as possible.

            focalguy

            Thanks for writing this Rudraansh! I was having difficulty figuring out what the steps were. Until the process has changed, I'll try this for now.

              arriflex

              This didn't work for me as I was having many TLS authentication issues until I added a user in the System:User Manager on an embedded snapshot of the 2.0 beta. Then my OpenVPN: Client Export Utility became populated with the user I added and I was able to very easily export a Viscosity bundle that was plug-n-play.

              Very nicely done, it's getting a lot easier than it used to be!

              Much of what is mentioned here is not necessary as the OpenVPN:Wizard gets much of it accomplished.

              Separately, I am finding that the "Provide a virtual adapter IP address to clients" checkbox does not stay checked through a save on the OpenVPN:Server edit page.

                cmb

                @arriflex:

                Much of what is mentioned here is not necessary as the OpenVPN:Wizard gets much of it accomplished.

                Yeah, this was written before that wizard existed.
