OpenVPN pfSense 2 - Installation guide for (Windows) Dummies :-) (road-warrior)

  • Hello, Here I’m trying to update OpenVPN on pfSense - Installation guide for (Windows) Dummies 🙂 (road-warrior)  to work with pfSense 2 Release

    I give no warranty that this will work for you or that it will not ruin your setup. So please BACKUP FIRST. Note that I tried to mark my updates in Green. I hope I didn’t break that guide. I think a wiki would be the best place to but it, if I had access to pfsense wiki


    A guide of how to connect a PC on the internet, to LAN behind a pfSense firewall using OpenVPN also known as a Road-Warrior setup

    This guide is NOT detailed regarding different configurations, and may not be the best security practices - so use it at your own risk…

    First of all you need to have keys and certificates generated in order to configure the pfSense OpenVPN service;

    1. Download and install the most recent software from
      If you plan to connect from a PC with Windows Vista you should get version 2.1 or newer.

    Use the default options

    1. Start a command prompt with administrator-rights!
      This is done in Vista & Seven by clicking on START and then type CMD -> CMD.EXE should appear, and you RIGHT-Click on it and select ‘Run as Administrator’

    2. Change directory to c:\programfiles\openvpn\easy-rsa

    3. run the “init-config.bat” file

    4. Edit ‘vars.bat’ file.
      I suggest using ‘Wordpad’ and to be able to save the file again, you need to start Wordpad in the same manner as the command-prompt (see #2)
      The following things need to be edited:

    "set KEY_COUNTRY=DK"
    2 Letters country ID - I use DK for Denmark

    "set KEY_PROVINCE=na"
    2 Letters Province ID - I use na as in ‘Not Applicable’

    "set KEY_CITY=Copenhagen"
    Name of city

    set KEY_ORG=Frewald
    Name of your company

    Put an email-address here. Dont use you private address, since this is the common address for the Certificate Authority (or something…)

    Save the file

    1. Run “vars.bat”

    2. Run “clean-all.bat”

    Cool Run "build-ca.bat"
    Then you are prompted for some different things; Leave them at default, except “Common Name” - put something like “pfSense-CA”

    1. Run "build-key-server.bat server"
      Again you are prompted; leave them on default except “Common Name” - use “server”  ,(Two other queries require positive responses, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”. you might also see that while creating client keys)

    2. Run build-dh.bat not required, see Importing OpenVPN DH Parameters - PFSenseDocs

    Now its time to generate keys and certificates for the client(s)

    1. Run "build-key.bat ovpn_client1"
      Again you are prompted; leave them on default except “Common Name” - here you should put in “ovpn_client1” (or whatever you have called it)
      The ovpn_client1 will be the name of the keys, certificate and the name you identify the connection on later. You can use whatever name you like, and generate as many as you want (with different names).

    2. The following files should now be copied from c:\programfiles\openvpn
      easy-rsa\keys to c:\programfiles\openvpn\config
      ovpn_client1.crt (if you dont see a .crt file but only a .csr file, chances are that you dont have admin priviligies. Worst case generate the keys and certificates on a NON-Vista machine)

    3. Make a file in the c:\programfiles\openvpn\config
      called “ovpn_client1.ovpn” and the file should contain (leave out the hashes):

    dev tun
    proto udp
    remote 1194
    ping 10
    resolv-retry infinite
    ca ca.crt
    cert ovpn_client1.crt
    key ovpn_client1.key
    ns-cert-type server
    verb 3

    Please put in your own public IP address of you pfSense-box in the ‘remote’ line
    If you have chosen another name than ‘ovpn_client1’ then change it in the lines beginning with ‘cert’ and 'key’
    If you have more than one VPN client, you make one .ovpn-file per client (with the corresponding .key and .crt name)

    Now its time to configure pfSense

    1. Log into the web-gui of pfSense

    2. Now you need to have access to some of the files created in c:\programfiles\openvpn\easy-rsa\keys (mentioned in #12) ,

    3. Log into the web-gui of pfSense then system >> cert manager

    4. add new certificate in CAs tab, name it (ex, CA), and Copy the WHOLE content of ca.crt into the “Certificate data” field

    5. add new certificate in Certificates tab, name it (ex, servercrt), and Copy the WHOLE content of server.crt into the “Certificate data” field and the WHOLE content of server.key into the “Private key data” field

    6. Copy the WHOLE content of dh1024.pem into the “DH parameters” window not required, see Importing OpenVPN DH Parameters - PFSenseDocs

    7. Select VPN/OpenVPN and add an entry in the ‘server’ page, Use the following settings:

    Server Mode: Peer to Peer (SSL/TLS)
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local port: 1194
    TLS Authentication: unchecked (maybe that is unsafe)
    Peer Certificate Authority: CA (or what ever you named it in step 23)
    Peer Certificate Revocation List: (not required)
    Server Certificate: servercrt (or what ever you named it in step 24)
    DH Parameters Length: 1024
    Encryption algorithm: BF-CBC (128-bit)
    Hardware Crypto: (I didn’t set any - No hardware crypto acceleration)
    Tunnel Network: the client will be on that subnet
    Redirect Gateway: unchecked
    Local Network: the network which the client should reach
    Remote Network: blank
    Concurrent connections: blank
    Compression: checked
    Type-of-Service: unchecked
    Duplicate Connections: unchecked
    Advanced: nothing

    Now we need a few simple rules in the firewall

    1. On the WAN interface you should make a rule that;
      Protocol: UDP
      source: any
      OS type: any
      Destination: any
      Destination port range from: OpenVPN
      Destination port range to: OpenVPN
      Tick in the LOG
      Leave the rest at default.

    2. and another rule on the interface called openvpn

    Any protocol
    Source: Any
    Any destination

    Remember to apply the new rules.

    Now you should be able to connect from OpenVPN (rightlick on the icon in the try and select Connect).
    But remember to start OpenVPN with ADMIN RIGHTS!

    A small trick; If you want a specific client to be able to access more than one subnet, you can add a ‘Client Specific Configuration’ in pfSense;
    Find it in the “WebGui/VPN/OpenVPN/Client-Specific configuration”, use the Common Name given in #11 (ovpn_client1) and in custom options add the following line
    push "route"
    if thats the subnet that you want to have connection to.

    Hope this small guide provides some help to those of us who isn’t much into *nix and OpenVPN.

    There is problably a bunch of typ’O’s - please write a comment when you see one that needs to be corrected…

    This setup is working on my current setup:
    pfSense 2 Release

    Please visit for much more indepth info Smiley

    Best regards,

    Small update:
    If you later would like to add new clients, run point 2,3,6, and continue from point 11! - dont run point 7-8-9-10!!!
    Also note you need to do this on the machine that was orignally used to issue the certificates.
    ![pfsense.localdomain - OpenVPN: Server_1324456085300.png](/public/imported_attachments/1/pfsense.localdomain - OpenVPN: Server_1324456085300.png)
    ![pfsense.localdomain - OpenVPN: Server_1324456085300.png_thumb](/public/imported_attachments/1/pfsense.localdomain - OpenVPN: Server_1324456085300.png_thumb)

  • Here is some additional infos:

    in CAs tab it will look like:

    Name 	Internal 	Issuer 		Certificates 	Distinguished Name 	
    CA	NO  		self-signed  	1  		name=ovpnca,, ST=RY, OU=Internet, O=Organization, L=Riyadh, CN=pfSense-CA, C=SA

    in Certificates page:

    Name 			Issuer 		Distinguished Name 																	In Use 	
    webConfigurator default	self-signed  	emailAddress=Email Address, ST=Somewhere, OU=Organizational Unit Name (eg, section), O=CompanyName, L=Somecity, CN=Common Name (eg, YOUR name), C=US	webConfigurator
    servercrt		CA  		name=ovpnserver,, ST=RY, OU=Internet, O=Organization, L=Riyadh, CN=server, C=SA  						OpenVPN Server

  • I followed these instructions, but the client wouldn’t connect.  Deleted the comp-lzo line in the .ovpn file and now the client connects.  I get an IP address of, and a DHCP server address of  No gateway is specified on my XP client machine when I do an ipconfig.

    I also cannot ping servers inside the protected subnet.

    I have re-checked the firewall rules and they are implemented as you specified.

    Can someone help with additional suggestions?  I am trying to allow an external client to run applications from both a Windows and a Linux server on my protected subnet.  If additional info or logs are required, please let me know.


  • Hi, I’m just a beginner here, but I’ll try to help.

    I’ve had similar problem that I was unable to ping inside. My problem was that ping can reach the target machine inside LAN behind pfSense but it was not able to respond because it needed to specify the route to the VPN gateway. I confirmed the ping reaching the target by using Wireshark on the target.

    the following link contain helpful information about fixing the issue:

    if your problem is different, it would be much helpful if you provided logs from client and openvpn server.

    Best wishes

  • I have finally been able to make XP clients connect and run an application from my Windows server.  I can also ping both the Windows and Linux servers from XP client machine.  I still have the following problem:

    I can’t map a network drive to a samba share from my Linux server.

    I installed the OpenVPN client on a Win 7 machine.  This client won’t ping anything.  I thought perhaps it was a Windows firewall issue, but turning the firewall off didn’t solve the problem.  Just for grins, I added the following route to my Windows server:  route -p MASK, but it appeared to make no difference.

    Again, can anyone provide suggestions on the next steps to solve both my samba issue and my Windows 7 connection problem?



  • Thank you for this guide; with your help I got things working on pfSense 2.0.1 with a few minor alterations, some of which are cryptodev/security/regulatory requirements based, some of which are specifically to require all OPT1 (wifi) traffic to flow over AES/SHA256 VPN (no exceptions), DNS included, and I deliberate use a ta_auth.key to increase security.

    Setting up your pfSense firewall - match the parms in the config files (*.ovpn)
      *** DO ENTER the interface for OpenVPN to LISTEN on
      *** DO NOT UNCHECK “Enable authentication of TLS packets.
      *** DO UNCHECK “Automatically generate a shared TLS authentication key” and instead paste in the contents of
            the file that build-ta.bat created
      *** DO CHECK “Redirect Gateway”
      *** DO LEAVE “Remote Network” blank - we’re not doing a site-to-site VPN
      *** DO ENTER the maximum number of Concurrent Connections, if known
      *** DO NOT CHECK “Compression” unless you know you’re going to be sending compressible data
              Note that remote desktop use is typically encrypted in and of itself, and is thus not compressible.
      *** ADD 'auth SHA256;push “redirect-gateway def1”;push “dhcp-option DNS <openvpn listening=”” ip="" addr="">"’ without the outer single quotes to the Advanced configuration, Advanced section at the bottom.
      ??? the redirect gateway may not be required if the checkbox is checked.

    Sample initial client1.ovpn (I’m still working on this - in particular, I’d like to get away from DHE entirely):

    dev tun
    proto udp
    remote YourListeningInterfaceIPAddr 1194
    #ns-cert-type is a pre-2.0 way of making sure we're not being spoofed by a client acting as a server
    keepalive 5 60
    resolv-retry infinite
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    # Verify server certificate by checking
    # that the certicate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ns-cert-type server
    ca ca.crt
    cert client1.crt
    key client1.key
    cipher AES-128-CBC
    auth SHA256
    tls-cipher DHE-RSA-AES128-SHA
    tls-auth ta_auth.key 1
    verb 3
    # run "client.up" to add necessary
    # DNS entries to resolv.conf
    #;up /home/user/openvpnclient/sample-config-files/client.up
    # run "client.down" to remove
    # resolv.conf entries when VPN
    # is disconnected
    #;plugin "/usr/lib/openvpn/" "/home/user/openvpnclient/sample-config-files/client.down"

    CopyClientConfigs.bat (select the files each client needs):

    md keys\client1
    del /q keys\client1\*
    copy keys\ca.crt keys\client1
    copy keys\EyeWearHausta.key keys\client1
    copy keys\client1.crt keys\client1
    copy keys\client1.key keys\client1
    copy OpenVPNConfigFiles\client1.ovpn keys\client1


    openvpn --genkey --secret keys\ta_auth.key


    @echo off
    cd %HOME%
    rem build a request for a cert that will be valid for ten years
    openssl req -days 9000 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
    rem sign the cert request with our ca, creating a cert/key pair
    openssl ca -days 9000 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
    rem delete any .old files created in this process, to avoid future file creation errors
    del /q %KEY_DIR%\*.old

    And the simple RunAll.bat

    call vars.bat
    call build-ca.bat
    call build-key-server.bat server
    call build-key-pass.bat client1
    call build-ta.bat
    call CopyClientConfigs.bat


© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy