Things that work for me (a noob) when setting up OpenVPN on PFSense



  • After setting up a basic PFSense config for my home network, I decided to use OpenVPN to allow access while traveling. I began by watching this video: http://youtu.be/VdAHVSTl1ys?list=PL6AEB0CCC302736BA  It got me 95% of where I wanted to be.
    When I started, my LAN was using the 192.168.0.0 subnet. If you are, change it now to something more obscure like 172.16.50.0. You have many choices. This is VERY important, especially for people like me who are using a Verizon MiFi device to connect. Verizon will assign you an IP from 192.168.0.0, which will conflict with your LAN.
    As you watch the video (and pause many times if you are like me), don't miss a step. If you do and you are 'new', it might be better to start all over, rather than try to figure out what you screwed up. That said, there are some really good guys on here that are very willing to help.
    In setting up your VPN SERVER, you must choose a different subnet for the tunnel to come into your LAN on. I used something from the 10.0.0.0 scheme, then provided the base range of my actual LAN. When you do, make the last octet a "0". (172.16.1.0; not: 172.16.1.1)
    Using the "Wizards" tab under VPN/OpenVPN/Wizards will make the creation of the client piece easypeeze. (See video.) It will also create the proper Firewall rules for UDP access.
    When you have completed everything the video shows you how to do, go to "Services/DNS Forwarder" and click the box to "Enable DNS forwarder". I also selected "Register DHCP leases in DNS forwarder", left everything else default, and clicked save.

    Next, I enabled my MiFi device, logged on and verified I had an internet connection. (If you do an ipconfig you'll see what I was referring to earlier re the scheme Verizon uses.)  Fire off the OpenVPN GUI; right-click the icon in your system tray and select: "Edit Config".  Look for a line that reads like this: remote xxx.xxx.xxx.xxx 1194 udp.  That's assuming you are using the default 1194 udp port. The IP you see is one from the range you chose earlier to use as your 'tunnel IP'. Now, on your LAN, if you don't have a static IP, open up a browser and do a search for something like "What's my public IP". Take THAT IP, insert it in the config, save the file. Or if you have a static (public) IP, enter it in the same place.

    Now, you might, or might not, be able to connect to your LAN. For my setup, I have a Comcast router facing the Internet. As such, I had to go into the admin GUI and set up 'Port Forwarding' for 1194. It was easy; Google is your friend if you need to know how. Just type in your model number for directions. (Note, I used to have a static public IP, but got sick of paying Comcast for it. So, I put all of my network gear, and all of my servers, on UPSs. Now if the power goes out, I am much less likely to get a 'new' public IP address from Comcast. Their DHCP lease appears to renew perpetually. If it does change, just change your OpenVPN config file and you're back in business. It's so simple, you can walk non-techie family members through it if you are traveling.)

    NOW, you should be able to successfully connect to your LAN. And depending upon many factors, you may or may not be able to connect to the very servers you started this whole process for! :(    You can have Windows firewall issues (or other firewalls); LANs filled with broadcast storms; the list goes on. I had/have issues on my LAN that to date I have not been able to resolve. For instance, from my laptop, after I've connected successfully over the VPN, I can only ping certain devices successfully; BUT NOT ALL. :(  ugh!  THAT issue has driven me nuts! I had to find a workaround…

    I managed to get around my issues by using a product called: Advanced IP Scanner. It's freeware, and once installed on my laptop, I found it quickly discovered my LAN devices. For devices with shared folders, it found those also. For devices with no shares, all you must do is right-click the device; select "Explore"; and you'll receive a typical logon screen. (Like you are mapping a drive.) Enter your credentials, and you're in! (Note, if you are using Windows Workgroups, in the user field, type:  the machine name\user name  or else it will default to the domain your remote machine is in.)

    I hope this helps someone.
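
The addressing advice in the post (a LAN subnet that does not collide with the network you connect from, a separate tunnel subnet, and network addresses ending in "0") can be checked before anything is typed into the OpenVPN server page. The following is an added example, not part of the original post: the /24 prefix lengths and the 10.0.8.0 tunnel value are assumptions, since the post gives no masks and only says "something from the 10.0.0.0 scheme".

```python
import ipaddress


def parse_network(text):
    """Parse 'a.b.c.d/len' and reject host bits (172.16.1.1/24 is a host, not a network)."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError as exc:
        raise ValueError(f"{text}: not a network address ({exc})") from None


def check_plan(lan, tunnel, client_side):
    """Return a list of problems with the address plan; an empty list means it is usable.

    lan         -- the home LAN behind the firewall
    tunnel      -- the OpenVPN tunnel network
    client_side -- the network the travelling laptop sits on (e.g. a MiFi hotspot)
    """
    problems = []
    nets = {}
    for name, text in (("LAN", lan), ("tunnel", tunnel), ("client-side", client_side)):
        try:
            nets[name] = parse_network(text)
        except ValueError as exc:
            problems.append(str(exc))

    # Any two overlapping networks make routing ambiguous on the client:
    # traffic meant for the home LAN stays on the local hotspot instead.
    names = list(nets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if nets[first].overlaps(nets[second]):
                problems.append(
                    f"{first} {nets[first]} overlaps {second} {nets[second]}"
                )
    return problems


if __name__ == "__main__":
    # Constructed sample plans; prefix lengths are assumptions.
    plans = {
        "original LAN": ("192.168.0.0/24", "10.0.8.0/24", "192.168.0.0/24"),
        "renumbered LAN": ("172.16.50.0/24", "10.0.8.0/24", "192.168.0.0/24"),
        "host address typed": ("172.16.1.1/24", "10.0.8.0/24", "192.168.0.0/24"),
    }
    for label, plan in plans.items():
        print(label, "->", check_plan(*plan) or "OK")
```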