Thursday, November 21, 2013

pfsense - how to config OpenVPN server and client

In this guide, I will show you how to config/create OpenVPN server and generate client certificates. The version of pfsense I use is "2.1-RELEASE (i386)".

Install OpenVPN Client Export Utility

This package allows a pre-configured OpenVPN Windows Client or Mac OSX's Viscosity configuration bundle to be exported directly from pfSense.

In pfsense webconfigurator, go to "System" -> "Packages":

If you don't see "OpenVPN Client Export Utility" under "Installed Packages", go to "Available Packages" and install it from there.

Remove Legacy OpenVPN Server And Certificates:

Go to "System" -> "Cert Manager", remove any existing OpenVPN configurations under "CAs" and "Certificates". Do not remove the 'Webconfigurator default' certificate
Finally navigate to VPN > OpenVPN and remove your existing server configuration.

Create a new OpenVPN certificates:

Navigate to System > Cert Manager.  On the ‘CAs’ pane choose to create a new certificate. Make sure you choose "Create an internal Certificate Authority" in "Method"


Fill in all the infomation and choose a custom common name (Write down this common name and you will use it later when you create certificates). Once completed, click ‘Save’ to create the CA.

Go to the ‘Certificates’ tab and create a new certificate

Again, choose "Create an internal Certificate" in "Method" dropdown menu. Ensure you fill in any remaining details and ensure you specify the same common name as inputted in previous step. Once completed click ‘Save’ to create the certificate.

Create New OpenVPN User And Client Certificate:

First we create a new user. Go to "System" -> "User Manager".

The "Username" nad "Password" will be the username and password you type when you restart your OpenVPN client.

Once completed, click ‘Save’ to create the CA.

Once completed, go to "Systems" -> "User Manager" -> "Users" tab, edit the user you just created (little icon with e):

Go to "User Certificates", click the "+" icon and add a certificate for this user. Choose "Create an internal Certificate" as Method. Some information will be filled automatically. Save when complete.

Create New OpenVPN Server & Configure:

Finally we create our OpenVPN server. Go to "VPN" -> "OpenVPN" -> "Server". The navigate to the ‘Wizard’ pane to launch the configuration process.  Under ‘Type of Server’, choose ‘Local user access’ and click ‘Next’.






You have to give value for Tunnel Network. I use 10.8.5.0/24 for example.

Once completed ensure the automatic firewall and NAT rules are created before clicking ‘Finish’ (both boxes are should be checked).

Export Client Configuration:

Now we can export our OpenVPN client configuration. Go to VPN > OpenVPN. Click on the ‘Client Export’ tab and scroll down to "Client Install Packages".  You should see the user we created earlier. (If you don’t, this is usually down to a certificate mismatch somewhere along the line)

Download the configurations. For example, to setup openvpn client in CentOS, I download the Archive Standard Configurations, which contains tony.ovpn, tony-tls.key and tony.p12 three files.

Copy all three files into your OpenVPN folder (/etc/openvpn), rename tony.ovpn to tony.conf, restart openvpn process:
# service openvpn restart

You need to type username and password you set up earlier.

Once openvpn service is running, you can see your tun interface and you now you are connected!

# ifconfig tun2
tun2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.8.5.6  P-t-P:10.8.5.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

3 comments:

Anonymous said...

Wow, thanks for this helpful Post. Works like a charm.

icocghsingles said...

thanks for the wonderfull tutotial but after i finish , client can ping pfsense lan ip but cannot access other resouces or anyother pc in the network. Kindly help please. Thanks

Tony Li Xu said...

Is the tun interface up and running? You might need to play with your NAT rules and iptables on the pfsense server. Also, if ipv4_forwarding enabled?