• I'm trying to get a VPN working on my Android device. Apparently, Google dropped the ball badly on this, as it seems many people (Myself included) cannot get PPTP or encrypted L2TP working. The other two options I see are OpenVPN (Looks like a NIGHTMARE to configure), and SSH. SSH looks like the better choice for me, and I've found a tutorial to set it up on Android. On the pfSense side, all I've been able to find for 2.0RC is a discussion a year ago that pfSense SHOULD have a GUI to configure. Does anyone know if this happened? If not, is the information for 1.2.3 applicable to 2.0RC2?

  • LAYER 8 Global Moderator

    Are you talking openvpn is a nightmare to configure on your device because from the pfsense side its a walk in the park, couple of clicks and up and running.

    As to ssh, are you wanting the endpoint to be your pfsense box.  I personally forward ssh traffic to an inside server which I normally just use for my shell access while away from my network, but now and then use as poormans vpn into my my network when can't use openvpn, ie don't want to install to box at or can not - all you need for ssh is putty and your key.

  • I've always heard OpenVPN was a nightmare, and the examples I've found seemed to support it. Do you know if there's a tutorial on setting up OpenVPN with pfSense and Android? I saw the one for Windows, but it seemed Windows generated the keys, and wasn't sure how that would work on Android.

    I came another tutorial for setting up SSH on Android, using a Windows or Linux SSH server. I thought it might be more elegant to use pfSense. Whatever works :)

  • Just FYI, CyanogenMod has the encryption for PPTP/L2TP and it works great.

  • Actually, I use CM 7.03 on my Nook. Since 7.00, PPTP would never connect to anything. I tried pfSense 1.2.3, pfSense 2.0, and a router running the latest DD-WRT. It wouldn't even connect. It seems to be hit or miss. Some people report it works, but there are a LOT of people reporting major problems since the past 2 years.

  • LAYER 8 Global Moderator

    How is it a nightmare - you follow a freaking wizard ;)

    You then export both the client already setup to connect to your pfsense box.  Nothing to do on the client side at all but click a button and put in your password ;)

    To be honest is very easy even with version 1 of pfsense without the wizard, for that matter its pretty freaking easy on its own.  How many clients you need at any one time?  There is vmware that you click go on if you want.

    I have been using openvpn for many years, are there a few steps to get it working - sure. But its not a nightmare, I wouldn't call it a wet dream either - but its not all that complicated.  I would be surprised if you spent more than 5 minutes on it with the wizard.

    I would think someone has put together a walk through using the wizard?  There is this - but like says in the thread, no longer needed since wizard.,22115.0.html

    btw if your looking for VM of openvpn here you go - click click and that is running to be honest.

    But might as well just let your pfsense box be your endpoint - try the wizard!!

  • Netgate Administrator

    If you are referring to using an SSH tunnel instead of a VPN it's very easy.
    Open a firewall hole to expose the ssh service on WAN (obviously some security implications). That's it!  ;D
    All the rest of the setup is done on Android but there's a handy app for that:


    Here are some instructions if you don't want to use the app.
    I don't have an android phone so I've never done this personally but I have using a Windows laptop and putty.

  • I got a quarter the way through the OpenVPN setup, and gave up. I figured that, even if I did go through all the steps, the odds of getting it working with the Android client in a reasonable time was slim, and there's a few hours I'll never get back. Since OpenVPN works for you, and you're obviously well-versed in it's usage, I suspect you'll have a different perspective than me. I'll stand by my assessment that OpenVPN is a nightmare, this time with more experience to back up that claim. As for the wizard, same thing. I'm not one to just randomly play with settings for hours until something works. I'd rather read some documentation and get things working quickly. If there's a walkthrough for the Wizard, I might give it another try.

    With SSH, what's the login credentials? Is it the username and password for the router? Other than using a weak password, are there any other security issues?

    Thanks again for the help!

  • Netgate Administrator


    With SSH, what's the login credentials? Is it the username and password for the router? Other than using a weak password, are there any other security issues?

    You are logging into the router directly. You can create a new user to do so.
    If you simply expose port 22 to the internet you'll find you get random login attempts all the time.
    You can change the port ssh is on to something non standard e.g. 20202 and switch to using keys for login instead of paswords.


  • LAYER 8 Global Moderator


    If there's a walkthrough for the Wizard, I might give it another try.

    Someone should prob put it in pfsense docs, maybe it is already - but found this on a quick search,34714.msg180818.html#msg180818

    Its a step by step walkthru.

    I personally use tcp 443 instead of the default udp 1194 port, since 443 is most likely always open anywhere you have internet while 1194 might not be.

  • Rebel Alliance Developer Netgate

    If your Android phone has or is getting a Gingerbread update, you can use IPsec+PSK+xauth. :-)

  • Thanks for the L2TP tip! I got SSH working easily enough, but doesn't actually do anything beyond being able to configure pfSense. The tunnel doesn't work, apparently because my version of Android (CM7.03) doesn't have iptables.

  • I wish I had better results. The new info in the docs (Wasn't there a day or so ago) didn't look anything like either my pfSense l2TP config, or my Android config. I tried to wing it, but it won't connect. Maybe I'll have to fight with OpenVPN some more.

  • Rebel Alliance Developer Netgate

    I just wrote the IPsec+PSK+xauth bits on that doc yesterday. My phone just pulled down the Gingerbread OTA update the day before last so I didn't know it was even possible before then.

    I haven't rooted my phone so I was working within what the base OS allows. If you have rooted your phone, OpenVPN is an option. I haven't heard of it being difficult before, but I also haven't heard any real details on what it takes to get going. I imagine the hard part would just be getting the certs onto the phone, but there are ways around that I'm sure (e-mail, ssh, etc)

  • Well, I tried the instructions at:,34714.msg180818.html#msg180818

    I'm stuck at the point of trying to download the certs. There doesn't seem to be the option to download them. Earlier, I downloaded them manually, so I'm not sure what extra the cert download plugin does. Brain needs a rest…

  • Rebel Alliance Developer Netgate

    There isn't much in that "guide" there really. That's just the basic OpenVPN setup. Some things are overcomplicated there.

    If you install the OpenVPN client export package, you can get a .zip with all of the files you need.

  • LAYER 8 Global Moderator

    You don't see these links?

    He was not looking at the guide in the stickies - he was looking at a step by step walk through that razzor put up back in march that I linked to on his question about a step by step.  He even reposted the link to the walk thru, so I have to believe that is what he is looking at, not the sticky.

  • That's correct. I don't see the option to download the certs. I'm guessing maybe it was because I skipped the first few steps, because I had already made the certs from a previous attempt. I actually downloaded those certs, before I even installed the export plugin. Is the plugin required?

  • Rebel Alliance Developer Netgate

    If you read the notes on the client export page, the clients will only show up there if things are setup properly.

    The most common error is to have one CA selected in the OpenVPN server and then the certificates you made are actually from another CA entirely. If the certificate CA doesn't match the server CA, they won't show up.

  • LAYER 8 Global Moderator

    "I'm guessing maybe it was because I skipped the first few steps"
    "Is the plugin required?"

    So you ask for a step by step – and then you just skip steps, yeah not following instructions then sure its a nightmare to setup ;)

Log in to reply