In this article I will go through the configuration of OpenVPN on the pfSense platform. I have talked about the initial configuration of pfSense in this previous article and if you are not familiar with the platform then you can check that out to get you up and running. Let’s go ahead and start by talking about VPNs first and then we will move to the configuration.

A VPN (virtual private network) lets us connect to our home private network over the internet. If we are in a remote location and want to reach services hosted inside our private network, a VPN gives us that access. VPNs are needed because the private address ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are not routed on the public internet, as they are reserved for private use. A VPN extends the private network by creating a tunnel between a client in a remote location and the server in your private network, so once the session is up the remote client can reach all the resources inside your private home network.

VPNs come in many flavors. pfSense supports L2TP, PPTP, IPsec, and OpenVPN. You might wonder why use OpenVPN rather than the others. OpenVPN is open source and well maintained by the community, so you can be reasonably confident that a discovered vulnerability will be patched quickly. On the performance side OpenVPN works well on high-latency connections and supports compression should you be limited on bandwidth at the client or the server. For authentication OpenVPN supports LDAP, RADIUS, and a local user database, which makes it flexible to integrate into different environments, and you can pair the regular username and password with certificates for stronger authentication. Encryption is provided by OpenSSL, an open source implementation of the SSL/TLS protocols, which lets us use strong cryptographic algorithms that can be hardware accelerated for better performance. On the networking side it runs over TCP or UDP depending on whether you want reliable transport, though TCP will be slower. OpenVPN supports both IPv4 and IPv6 and can tunnel through a proxy, through NAT, and through firewalls. Overall OpenVPN is a very solid choice compared with the other options, which fall short in several of these areas.

Let’s get started by configuring a certificate authority in pfSense. The certificate authority or CA will sign the certificates that we will be creating for the server and client side when we configure OpenVPN. You can access the certificate configuration by going over to System–>Cert Manager.

CERT-1

Under the CAs tab you might already have a CA if you followed one of my previous articles, as we needed to create one in order to sign an internal certificate for securing the pfSense web interface.

CERT-2

If you do not have one here, then you should create a CA and secure your pfSense web interface ASAP to prevent snooping, especially if it is reachable from the internet. Creating a CA is simple and is done by hitting the plus symbol on the right-hand side. The form that you fill out should be self-explanatory.

CERT-3

After you have finished setting up the CA, the next step is to create the certificates that this CA will sign for us. Since these certificates are issued by our own CA rather than a publicly trusted one, most browsers will warn you when you visit a site that uses them, e.g. the pfSense web GUI if you are creating a certificate to secure it. As before, hit the plus sign to create a certificate and go through the form. See below for the settings I used for my OpenVPN server certificate.

CERT-4

Now that we have all the components in place we can configure OpenVPN. Head over to VPN–>OpenVPN.

OpenVPN-1

Go ahead and select “Wizards” from the tab at the top which will guide us step by step to configure OpenVPN.

OpenVPN-2

The wizard first asks which authentication backend you are using. In our case we select the local user database provided by pfSense. Of course, if you have an internal LDAP or RADIUS server that you want to use, you can select either of those options.

OpenVPN-3

In the next step we will be selecting the CA that we created at the beginning of this article.

OpenVPN-4

Next comes the server certificate, which is the certificate we just created.

OpenVPN-5

On the next page we select several configuration options. The first three concern the interface OpenVPN will listen on, the protocol, and the port number. Bind to the WAN interface if you want to reach your network from the outside. Use UDP unless you have a specific reason for TCP. You can keep the default OpenVPN port of 1194 or change it.

The next section deals with the cryptographic settings. Here we enable TLS authentication and have pfSense generate a shared TLS authentication key, which adds another layer of protection. Below is the explanation from the OpenVPN documentation.

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:

  • DoS attacks or port flooding on the OpenVPN UDP port.
  • Port scanning to determine which server UDP ports are in a listening state.
  • Buffer overflow vulnerabilities in the SSL/TLS implementation.
  • SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).

Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key.
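To make the tls-auth idea concrete, here is a small Python model of the check described above, added for this article and not taken from OpenVPN or pfSense: every handshake packet carries an HMAC tag computed with a shared static key, and anything without a valid tag is dropped before any TLS code sees it. The key, the payload label and the sample packets are all constructed; real OpenVPN derives directional keys from its key file and adds replay protection, which this model leaves out.

```python
import hashlib
import hmac

# Constructed 32-byte shared secret standing in for the static key that
# pfSense generates for "TLS authentication". The real key file is longer
# and OpenVPN derives separate send/receive keys from it; one key is used
# here to show the principle, not OpenVPN's exact wire format.
SHARED_KEY = bytes(range(32))
DIGEST = hashlib.sha1  # OpenVPN's default "auth" digest


def sign_packet(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Prefix a handshake payload with its HMAC tag, as a legitimate client would."""
    return hmac.new(key, payload, DIGEST).digest() + payload


def verify_packet(packet: bytes, key: bytes = SHARED_KEY):
    """Return the payload if the tag verifies, or None if the packet must be dropped.

    This is the cheap check that runs before any SSL/TLS code touches the packet.
    """
    tag_len = DIGEST().digest_size
    if len(packet) <= tag_len:
        return None
    tag, payload = packet[:tag_len], packet[tag_len:]
    expected = hmac.new(key, payload, DIGEST).digest()
    # constant-time comparison so timing does not leak how many tag bytes matched
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def filter_handshakes(packets, key: bytes = SHARED_KEY):
    """Apply verify_packet to each incoming packet; return (accepted payloads, dropped count)."""
    accepted, dropped = [], 0
    for pkt in packets:
        payload = verify_packet(pkt, key)
        if payload is None:
            dropped += 1
        else:
            accepted.append(payload)
    return accepted, dropped


def demo():
    """Constructed traffic mix: one genuine handshake plus three that tls-auth should reject."""
    handshake = b"P_CONTROL_HARD_RESET_CLIENT_V2"  # a label only, not a real opcode encoding
    genuine = sign_packet(handshake)
    wrong_key = sign_packet(handshake, key=bytes(32))  # peer that lacks the shared secret
    probe = b"\x00" * 40  # scanner or flood packet carrying no valid tag
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])  # last byte flipped in transit
    return filter_handshakes([genuine, wrong_key, probe, tampered])


if __name__ == "__main__":
    accepted, dropped = demo()
    print(f"accepted {len(accepted)} handshake(s), dropped {dropped} packet(s)")
```

The point of the model is the ordering: the HMAC check is the first thing done with a packet, so junk from a port scan, a flood, or a peer that never received the key costs the server one HMAC computation and nothing else.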

The DH parameter length used for public key cryptography should NOT be set to 1024 bits or lower. There is a lot of research showing that 1024-bit keys can be brute-forced relatively quickly, and RSA is recommending that all websites upgrade to 2048-bit keys by the end of this year.

At the bottom you have the option of selecting an encryption algorithm and whether your hardware can do crypto acceleration.

OpenVPN-6

Moving on to the tunnel settings, we can specify the tunnel network, which is the network that clients connecting to the VPN are assigned an address from. You can specify whether all client traffic should be redirected through the tunnel and which local network the connecting clients can access. Near the middle we can set the maximum number of concurrent sessions and whether to compress the data traversing the tunnel. At the bottom are the TOS field used for QoS (quality of service), whether clients tunneling in may communicate with each other, and whether duplicate connections should be allowed.

OpenVPN-7

In the client settings we can specify if we want to allow clients to retain their connection should their IP address change. The second option will assign the clients an IP address from the tunnel network we configured at the top. You can configure the other options below if you want to assign certain other parameters to connecting clients.

OpenVPN-8

After hitting next, we are presented with adding firewall rules. The rules are needed so that a connection can be established. Go ahead and check both boxes before finalizing.

OpenVPN-9

Once you are done you should see an entry under the server tab of OpenVPN.

OpenVPN-10

I actually did an edit on the previous entry above and configured the DNS server to point to my default gateway which is my pfSense box since it is configured as a DNS forwarder.

OpenVPN-11

The next step is to start creating user accounts that we will use during the authentication process. Creating user accounts is done over at System–>User Manager under the users tab.

USER-1

Go ahead and hit the plus sign to create a new user and fill out the form. Everything here should be self-explanatory.

USER-2

Once the account has been created, we need to create a user certificate for the account. We will be going back to System–>Cert Manager and under the certificates tab create a new certificate.

CERT-5

Hit the plus sign to start the creation process. Make sure to select “User Certificate” from the dropdown as you are creating the certificate.

CERT-6

Once the certificate is created, we will go back to the user account that we made and modify it.

USER-3

We will assign the certificate that we just created to the user account.

USER-4

From the drop down list select the user certificate that we recently created.

CERT-7

We are almost done with the configuration and there are only a couple of small things left to do. Before we move onto the client configuration we need to export the keys and certificates from pfSense so that our clients can use them. This process is made easy by installing the OpenVPN Client Export Utility from System–>Packages.

CERT-8

We will use this tool shortly, but first we must set up Dynamic DNS. If you are familiar with IP addressing, you know that your ISP assigns you a public IP address via DHCP on your WAN port. This address is dynamic, meaning it can change, unless you pay your ISP extra for a static address. When a client connects to the OpenVPN server it tries to reach us at the public WAN address on port 1194. If the address changes, the client cannot reach us unless we somehow learn the new address and edit the configuration file. This quickly becomes a pain to manage, and Dynamic DNS solves the problem for us.

Dynamic DNS maps a hostname that we choose to the current WAN IP address. pfSense checks the WAN IP at a set interval and keeps the hostname-to-IP mapping current, so that when we reach the hostname over the internet it points at the correct WAN address of our router. To get a hostname we must register with a third-party provider and pick a unique name that has not been taken. Here are a few dynamic DNS providers where you can register a hostname. Note that some of these are free.

http://dyn.com/

http://www.noip.com/

http://www.opendns.com/

Once you have registered a hostname, head over to Services–>Dynamic DNS. Under the DynDNS tab add a new entry. From the service type menu select the provider you registered with and make sure that you are monitoring the WAN interface. Under hostname type the fully qualified domain name that you registered (I blacked mine out for privacy reasons). The last thing to do is enter your account information so that pfSense can reach your dynamic DNS provider and update the hostname with your current WAN IP address.

DYNDNS-1

Here is the list of service types pfSense supports.

DYNDNS-2

We will now go over to the VPN–>OpenVPN Section and go to the Client Export Tab.

OpenVPN-12

In the client export tab we export the certificates, keys, and configuration files that our VPN client needs. There are several options to select from. The remote access server entry should show the port number you chose for OpenVPN and the protocol, TCP or UDP. For hostname resolution we use Dynamic DNS, which means selecting the hostname you configured above. Everything else can be left at its default unless you have a reason to choose otherwise.

OpenVPN-13

At the bottom are options to export the configuration and files. The standard configuration is what you need, and it is a good idea to get the archive, as it includes the certificates and keys. Note that you can also download the Windows installer from here, depending on which platform you are using.

OpenVPN-14

Alternatively you can also get the installer directly from the website:

http://openvpn.net/index.php/open-source/downloads.html

The official website might have a more up to date version.

OpenVPN-15

The installation process should be simple and you can leave the options at their default settings.

OpenVPN-16

Make sure to install the network adapter when prompted to do so.

OpenVPN-17

The next thing to do is transfer the archive downloaded from pfSense to the client securely (SFTP, FTPS, SCP, an encrypted archive, or any other secure transfer method), as it contains your keys. The files have to be extracted and placed under the config directory of OpenVPN.
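Because the exported archive carries the client's private key and the tls-auth key, it is worth verifying it after the transfer and before dropping it into the config directory. The following Python helper is an added example (not part of pfSense or the Client Export Utility): it checks the archive's SHA-256 against a value you computed on the pfSense side before the transfer (the assumption being that you have a trusted way to carry that short hash, such as reading it off the console) and refuses any archive member that would be written outside the config directory. The archive contents and file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import zipfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so a large archive need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def safe_extract(archive_path, config_dir, expected_sha256):
    """Verify the archive against the hash noted on the pfSense side, then extract it
    into config_dir, refusing any member that would land outside that directory."""
    actual = sha256_of(archive_path)
    if actual != expected_sha256.lower():
        raise ValueError(f"checksum mismatch: expected {expected_sha256}, got {actual}")
    dest = os.path.realpath(config_dir)
    os.makedirs(dest, exist_ok=True)
    with zipfile.ZipFile(archive_path) as zf:
        members = zf.infolist()
        # check every path first so a bad member leaves nothing half-extracted
        for m in members:
            target = os.path.realpath(os.path.join(dest, m.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"archive member escapes config dir: {m.filename}")
        for m in members:
            zf.extract(m, dest)
    return [m.filename for m in members]


def build_archive(path, members):
    """Write a zip with the given {name: bytes} members (constructed stand-in for the export)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)


def demo():
    """Run the three cases: good archive, wrong hash, and a member with a '..' path."""
    work = tempfile.mkdtemp()
    archive = os.path.join(work, "pfsense-client-export.zip")
    config_dir = os.path.join(work, "config")
    # constructed contents; a real export holds the .ovpn plus CA, client cert/key and ta.key
    build_archive(archive, {
        "pfsense-udp-1194-client.ovpn": b"client\ndev tun\nproto udp\n",
        "pfsense-udp-1194-client-tls.key": b"# placeholder for the tls-auth static key\n",
    })
    extracted = safe_extract(archive, config_dir, sha256_of(archive))

    wrong_hash_rejected = False
    try:
        safe_extract(archive, config_dir, "0" * 64)
    except ValueError:
        wrong_hash_rejected = True

    evil = os.path.join(work, "evil.zip")
    build_archive(evil, {"../outside.txt": b"must never be written"})
    traversal_rejected = False
    try:
        safe_extract(evil, config_dir, sha256_of(evil))
    except ValueError:
        traversal_rejected = True

    nothing_escaped = not os.path.exists(os.path.join(work, "outside.txt"))
    return sorted(extracted), wrong_hash_rejected, traversal_rejected, nothing_escaped


if __name__ == "__main__":
    print(demo())
```

On a real client, point `config_dir` at the OpenVPN config directory and pass the hash you recorded on the pfSense side; if either check fails, nothing is written.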

OpenVPN-18

After placing the files in the config directory you can open the application.

OpenVPN-19

Note: If you experience any issues then try right clicking the OpenVPN GUI and running it as an administrator.

Then right-click the OpenVPN icon at the bottom right and hit connect.

OpenVPN-20

You will be prompted for your username and password.

OpenVPN-21

In my case it failed with a cipher algorithm not found error.

OpenVPN-22

I opened a command prompt and ran "openvpn --show-ciphers" to see which ciphers the client supported, and noticed that the cipher I had chosen was not listed.

OpenVPN-23

I went back into pfSense and changed the cipher to something supported by the client. This time it worked fine.
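The check in the previous paragraphs can be automated. The following Python snippet is an added example (not the author's script or OpenVPN's): it parses the output of `openvpn --show-ciphers` and reports whether the cipher configured on the pfSense server appears in the client's list, falling back to the next acceptable choice if it does not. The client output embedded below is a constructed excerpt in the 2.3-era format, and AES-256-GCM is used only as a stand-in for a cipher this client lacks; feed in your own client's real output to check your setup.

```python
import re

# Constructed excerpt in the shape of `openvpn --show-ciphers` output from an
# OpenVPN 2.3-era Windows client. The list is shortened and the exact wording
# varies between versions, so the parser keys only on "<NAME> ... <n> bit".
CLIENT_SHOW_CIPHERS = """\
The following ciphers and cipher modes are available
for use with OpenVPN.  Each cipher shown below may be
used as a parameter to the --cipher option.  The default
key size is shown as well as whether or not it can be
changed with the --keysize directive.  Using a CBC mode
is recommended.

DES-CBC 64 bit default key (fixed)
BF-CBC 128 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
"""

# Matches both "AES-256-CBC 256 bit default key (fixed)" and the newer
# "AES-256-CBC  (256 bit key, 128 bit block)" layout.
CIPHER_LINE = re.compile(r"^([A-Z][A-Z0-9-]+)\s+\(?(\d+) bit")


def parse_show_ciphers(text):
    """Map cipher name -> key length in bits for every cipher the client lists."""
    ciphers = {}
    for line in text.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if m:
            ciphers[m.group(1)] = int(m.group(2))
    return ciphers


def client_supports(server_cipher, client_ciphers):
    """True if the cipher configured on the pfSense side appears in the client's list."""
    return server_cipher.upper() in client_ciphers


def pick_cipher(server_candidates, client_ciphers, min_key_bits=128):
    """First candidate (in server preference order) the client supports with an adequate key size."""
    for name in server_candidates:
        bits = client_ciphers.get(name.upper())
        if bits is not None and bits >= min_key_bits:
            return name.upper()
    return None


def demo():
    """Reproduce the mismatch from the walkthrough and find a cipher both sides accept."""
    client = parse_show_ciphers(CLIENT_SHOW_CIPHERS)
    chosen = "AES-256-GCM"  # constructed: a cipher this older client does not list
    supported = client_supports(chosen, client)
    fallback = pick_cipher([chosen, "AES-256-CBC", "AES-128-CBC", "BF-CBC"], client)
    return supported, fallback


if __name__ == "__main__":
    supported, fallback = demo()
    print(f"client supports configured cipher: {supported}; use instead: {fallback}")
```

Run it against the real client with `openvpn --show-ciphers > ciphers.txt` and `parse_show_ciphers(open("ciphers.txt").read())`; the preference list you pass to `pick_cipher` should be the ciphers you are willing to enable on the server, strongest first, so the fallback never lands on something weaker than you intended.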

OpenVPN-24

Going back into pfSense and selecting Status–>OpenVPN we can see that there is currently an active connection.

OpenVPN-25

This concludes the OpenVPN server configuration on pfSense. I hope that this was useful for those out there trying to figure out how to configure OpenVPN. Thank you for taking your time to read this article. Happy new year and see you here next time.

101 Responses to “Configuring OpenVPN on pfSense”

  1. Your setup appears to lack keepalive options

    • I don’t think that you can set the keepalive server option via the pfSense GUI for OpenVPN as it does not appear to be there. I did look around the file system and found that pfSense keeps the configuration file for OpenVPN on “/var/etc/openvpn/server1.conf”. Upon looking at the configuration file it looks like pfSense uses the default value of “keepalive 10 60” for pinging every 10 seconds and assumes that the other side is dead if there is no response after 60 seconds. You should be able to modify that file to your needs although I haven’t tried it on my end yet.
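As an added example (not pfSense's own tooling), here is a Python audit that reads a server configuration in the format pfSense writes to /var/etc/openvpn/server1.conf, reports the keepalive values and the routes pushed to clients, and flags the points the article calls out: tls-auth enabled and DH parameters of 2048 bits or more. The configuration text is constructed for the example, with an undersized DH file on purpose; the DH size is read from pfSense's dh-parameters.<bits> file name, which is an assumption about the naming convention rather than an inspection of the file itself.

```python
import re

# Constructed server configuration in the format pfSense writes to
# /var/etc/openvpn/server1.conf. Directives and values are made up for
# the example; the 1024-bit DH file is deliberate so the audit has something to flag.
SAMPLE_SERVER_CONF = """\
dev ovpns1
dev-type tun
proto udp
cipher AES-256-CBC
auth SHA1
keepalive 10 60
tls-server
server 192.168.10.0 255.255.255.0
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
"""


def parse_conf(text):
    """Return (directive, argument-string) pairs, ignoring blank lines and # or ; comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, _, args = line.partition(" ")
        pairs.append((name, args.strip()))
    return pairs


def keepalive_values(pairs):
    """(ping interval, timeout) from the keepalive directive, or None if absent."""
    for name, args in pairs:
        if name == "keepalive":
            interval, timeout = args.split()
            return int(interval), int(timeout)
    return None


def pushed_routes(pairs):
    """Networks pushed to clients via push "route ...", as "network netmask" strings."""
    routes = []
    for name, args in pairs:
        inner = args.strip('"')
        if name == "push" and inner.startswith("route "):
            routes.append(inner[len("route "):])
    return routes


def audit(text):
    """Flag the settings the article calls out: keepalive, tls-auth and DH size."""
    pairs = parse_conf(text)
    names = {name for name, _ in pairs}
    findings = []
    if keepalive_values(pairs) is None:
        findings.append("no keepalive: dead peers are only noticed when traffic fails")
    if "tls-auth" not in names:
        findings.append("no tls-auth: handshake packets are not HMAC-protected")
    dh = next((args for name, args in pairs if name == "dh"), None)
    if dh is None:
        findings.append("no dh directive")
    else:
        # assumption: pfSense names the file after its size, e.g. /etc/dh-parameters.2048
        m = re.search(r"\.(\d+)$", dh)
        if m and int(m.group(1)) < 2048:
            findings.append(f"DH parameters are {m.group(1)} bits; use 2048 or more")
    return findings


if __name__ == "__main__":
    pairs = parse_conf(SAMPLE_SERVER_CONF)
    print("keepalive:", keepalive_values(pairs))
    print("pushed routes:", pushed_routes(pairs))
    for finding in audit(SAMPLE_SERVER_CONF):
        print("finding:", finding)
```

To run it against a live box, copy the file off pfSense and pass its contents to `audit`; the `pushed_routes` output is also a quick way to confirm that any extra local networks you added under the advanced configuration are actually being pushed to clients.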

  2. Matteo Cappelli says:

    Great post! I’m trying to restrict the access to only 1 internal IP address for 1 OpenVPN user, but I don’t know how… Do you have any idea?

    Many thanks in advance

    • Matteo,

      If you are trying to restrict access from the outside e.g. only OpenVPN clients from this IP address can connect to my OpenVPN server then you can go under Firewall–>Rules –>WAN and modify the existing OpenVPN rule here to set the source IP address to be the public IP address where your clients will be connecting from. If you want to restrict OpenVPN clients to only have access to certain internal resources on your network then you can go under Firewall–>Rules –>OpenVPN and create a rule here. Your action can be pass/block/reject and interface would be OpenVPN. Choose the TCP/IP version and protocol that you want it to apply to. The Source IP network in the rule will be your OpenVPN tunnel network which can be found by going over to VPN–>OpenVPN–>Server and the destination can be the resource that you want to block access to. E.g. assuming that your OpenVPN tunnel network is 192.168.10.0/24 and you want to block access to a host with IP address 192.168.1.31 then you would create a new rule with Block Action, interface OpenVPN, TCP/IP IPv4/IPv6, protocol any, source network 192.168.10.0/24, and destination host 192.168.1.31. Once you are done click save and make sure that the rule is at the top since pfSense evaluates on a first match basis. I hope this helps.

      Regards,

      Glenn

      • Hi Glenn and thanks a lot for your quick answer!
        As you said, I need to deny access to some IPs or better I have to allow access to only 1 IP.
        So, I have to create a new specific VPN user and a new OpenVPN server in order to have a dedicated tunnel network (e.g. 192.168.10.0/24). As the second step I have to define a rule in the OpenVPN tab:
        – pass
        – from source 192.168.10.0/24
        – to destination 192.168.10.10 (for example)

        and everything else has to be blocked.
        Therefore, that VPN user will able to only connect to that specific 192.168.10.10 IP.
        I will try this solution…
        Thanks again for your time!

        Matteo

  3. Pedro Sousa says:

    Outstanding article Glenn. Thank you for putting out your time and effort into it. I’ve just configured our pfsense’s OpenVPN service and everything went smooth at first.

    Keep up the good work.
    Pedro

  4. Really nice guide here… However after done with this – I am still not able to connect my internal servers? It creates nicely openvpn connection but no…

    Do I have to do something more f.e to allow my android phone to connect inside lan private address f.e 192.168.1.77:81 with mobile chrome?

    • My typo in conf… sorry….

      • Glad you got it working. Let me know if you have any problems and I can try to help.

• I’m actually stuck on the same problem. Strange thing is, before the weekend I got it to work, I could access my servers fine, but now after the weekend I can’t access the internal side. It connects to the OpenVPN network fine but then when I try to connect to, say, the pfSense it doesn’t make any connection. Can’t ping the internet side either.

          • When you connect with a client from the outside do you get an IP address from the OpenVPN tunnel network? If you check the status–>openvpn do you see an active session? I would look at the firewall–>rules and go to the openvpn tab and make sure that you have a rule in place that allows clients from the openvpn network to communicate with your other internal subnets.

          • Yes there is an active session and I do get an IP Adress. In the firewall rules there is the standard rule the wizard made allowing all traffic.

          • That’s very odd that it was working fine and not anymore. When you connect via VPN are you able to ping the pfSense internal IP address? Are you sure that it isn’t a firewall setting on your internal servers that could be causing you to not be able to reach them? Lastly, I have seen some weird behavior with pfSense every now and again when I make changes and things not applying properly unless I reboot the box. You might want to give it a shot to see if it does anything.

• No, I’m not able to ping the pfSense internal address. All the internal firewalls are turned off.
            I’m currently clueless haha. I’ve even tried completely reinstalling the pfSense server because it did work before. Even that didn’t fix the problem. Exact same thing.

          • So… I feel really stupid right now!
            I’ve found the solution to the problem…
            It wasn’t anything in the firewall or in the servers..
It was actually the problem that OpenVPN on my workstation needed more rights, therefore I needed to run OpenVPN GUI as administrator… You’ve put that in your guide and I’ve read over that…
            Kinda wasted your time sorry.

          • Lol, that’s great. It is always the small things that get you. No need to apologize, I will emphasize it in the guide.

  5. a more direct example of setting openvpn with pfsense , visit http://blogrenz.weebly.com

    • Nice, good to see that this guide helped with the configuration. You should consider upgrading from Windows XP as it went EOL on April 8th 2014.

  6. Superb, thanks for a great guide!

7. Thanks a lot for your guide… very very useful.

  8. Hi Glenn,

    Thank you for this great tuto. I have a question regarding internal network access. Let’s say I want to be able to reach both the LAN(192.168.1.0/24) and the DMZ (192.168.2.0/24) from the tunnel (192.168.10.0/24). Is that possible ? What should I need to modify ?

    Thanks a lot. Kind regards.

    Jean-Marc

    • Jean-Marc,

Yup, this is possible as I have multiple VLANs that my pfSense firewall is routing for and I can reach them all from the tunnel. All you have to do is modify the firewall–>rules and go under each interface to add a rule for the tunnel network. You are looking to do something along the lines of
      Action: pass
      TCP/IP: IPv4
      Protocol: any
      Source: type-Network Address-192.168.10.0/24

      Additionally, don’t forget to create a rule under firewall–>rules–>OpenVPN to allow communications from the other networks in your pfSense box to the openVPN tunnel network.

  9. Dude! This is the bomb… Thanks for such a thorough and complete article. Just used it and it saved me lots of time 😉

  10. Awesome! glad it helped you out.

  11. I have OpenVPN up and working on pfsense. I created a server that allows client access to the LAN subnet. That is working fine. However, I am using the OPT1 interface for a second network. So far, I have not found a way to allow OpenVPN traffic to access both networks. I can create a second server that is allowed to OPT1, but I want the first one to have access. I have tried setting firewall rules and routes, but it seems I am missing something. Any suggestions?

  12. Ben,

    So you have multiple networks in your pfSense firewall and you want to be able to access them from the VPN network? Are you creating rules in both directions? i.e. Are you creating a firewall rule in your OpenVPN network that allows those networks and another firewall rule in the other networks that allow the OpenVPN network? Additionally, when you connect using OpenVPN can you ping the pfSense address on the other networks? e.g. if your networks are 192.168.1.1/24 and 192.168.2.1/24 and your VPN subnet is 10.7.1.0/24 can you ping 192.168.1.1 or 192.168.2.1?

    • I am not creating a rule that *specifically* allows the networks. There is an allow all rule that should apply under both OVPN and OPT1. The OPT1 network has a block rule to the LAN that is prioritized above the allow all rule. I cannot ping the OPT1 network, only the LAN from the OpenVPN client. There is a setting in the OpenVPN server config that asks for the local network that the tunnel can access. There is only the option to put one network there. (e.g. 192.168.10.0/24–subnet on the LAN interface), but I also want access to 192.168.15.0/24 (subnet on the OPT1 interface) from the OpenVPN tunnel.
      If you think it should work just based on firewall rules, not OpenVPN config settings, then I will take a closer look at my firewall rules or set some specific allow rules in there.

      • The tunnel setting–>local network that you are referring to In the server config I think is initially asked to create the firewall rule when you go through the auto configuration process. With that said, from the OVPN network you should be able to access all the networks in your pfSense box as long as the firewall rules are in place. I can access all my networks which are different VLANs when I connect from the outside using OpenVPN due to the firewall rules in place.

        In your OPT1 network have you tried creating a catch all rule that grants access to the OVPN network? I think that the block rule that you have prioritized above all in that network might be the reason why you can’t hit the network from the OVPN. Also, don’t forget to create a rule in the OVPN network that allows communication from OPT1.

        • Thanks, Glenn. I will try those things and get back on my results.

        • I got it figured out. It wasn’t a firewall issue at all. I had to add push “route 192.168.15.0 255.255.255.0” to the adv config on the OpenVPN server. The issue was routing as implied by the “local network” explanation under tunnel settings on the openvpn server.
          I do, however, have another issue: DNS doesn’t appear to function across the tunnel to the OPT1 network, but it does to the LAN. Thoughts?
          Thanks for your help so far.

          • Ben,

            Did you have to go through the setup wizard again to modify the tunnel settings–>Local network? I am looking at my configuration for the server side and don’t see it there. I do remember the setting though since I took a screenshot of it. I am trying to figure out where it is located so that I can highlight it in the article should you wish to modify it after you have already configure the OpenVPN server portion. It is very odd though that I didn’t have to do modify that portion for it work when I created my other networks after I had done the initial setup.

            As to DNS, in the OpenVPN server config you can specify your DNS servers for your clients that connect via OpenVPN. Are you using the DNS forwarder with OpenVPN? If you are then you can have your DNS server for your clients that connect via OpenVPN be the IP address of the pfSense box either 192.168.15.1 or 192.168.10.1(assuming this is the ip address of your pfsense box in these two networks) since you can now reach either of these networks from the OVPN network. Don’t forget to head over to services–>DNS forwarder and enable it on both of those interfaces(OPT1 and LAN). Additionally you should add public DNS servers over at system–>general setup so that you can resolve outside hostnames.

          • Ben,

            I see where you added “push route” option under the advanced configuration settings of openVPN. I guess it is not allowed to be modified via the GUI. Thanks for pointing this out.

13. Hi Glenn, I wanted to say this is a very good article on creating a VPN through OpenVPN. I have a quick question. Once I set up the server side of OpenVPN, would I be able to access my LAN from the outside… say I would like to access another computer from outside of my home network.

    For example I would like to work on my media files away from home, or like transfer a file to my home network and vice versa. As I saw mentioned in the other comments, would a rule need to be created on the LAN side to where it can be accessed through the VPN tunnel?

    I’m not entirely new to VPN, but having tried with Windows Server 2012 R2 and having too many issues, I’d figure to roll my own and try to do one with openVPN since I have pfSense running as a VM on my ESXi host.

    • Chris,

      Absolutely, once you have setup the OpenVPN server to run on pfSense and you connect from the outside creating a VPN tunnel to your home network then assuming that you have allowed clients in the OpenVPN network to access clients in your LAN network then you can talk across those networks. When going through the OpenVPN setup you will get asked under the tunnel settings to type in the address of the LAN network that you want to be able to access from the OpenVPN tunnel.

• Thanks for the info. I was successfully able to log into my OpenVPN server, but can’t seem to access anything on the LAN. I wonder if I am missing a rule or something. I did a ping to my LAN’s IP and it gave a different address and said ‘Destination net unreachable’. Any idea what this means?

• When you originally went through the setup there should have been an option for “local network”, which is the network that you want to make accessible from the remote endpoint. This is normally set to be your LAN network so that you can access it when you connect via the OpenVPN server. You can add it by going to VPN–> OpenVPN–>Server–>edit and going to the bottom under advanced configuration and adding a line like the following:

push "route 192.168.1.0 255.255.255.0"

          where the route is your LAN subnet. Additionally, you might want to try to put a check on the “Inter-client communication” box which will “Allow communication between clients connected to this server”. See “http://openvpn.net/index.php/open-source/documentation/howto.html” for more information.

          • Thanks for the help! Some good news, after having rebooted pfSense I can now successfully ping the pfSense box and can connect to the webConfigurator. Only thing left is I still can’t access my other computers and servers that’s on the same subnet so once I have that figured out i’ll be golden.

• I’ve got the same problem as Chris. The client can connect to the VPN server and ping/access the pfSense host only. No access to the other hosts in the local network.

          • Fresco,

            Under the tunnel settings have you tried checking the “Inter-client communication” box which will “Allow communication between clients connected to this server”?

• Of course, simple thing 🙂 All my clients (servers, desktops) have a different gateway because I’m building the pfSense host next to my main UTM. Of course when I changed the gateway IP address I can now reach that server. And of course pinging is not working on some servers because the host interprets VPN clients as coming from a private network. Some firewall rules must be changed.

  14. Good Morning,
I have a problem that you’ve just discussed, but I can’t solve it…
    I have a cloud appliance of OpenVPN pfSense. I create the OpenVPN server and the client connects correctly and gets an IP, but I can’t ping or connect to any other client/server in the same LAN. I created a * to * rule in the firewall without success.
    Please could you help me?

    Another little question that in windows platform i solved but here no.
    2- How I can deploy only the IP from the 192.168.30.200 to 192.168.30.220 ?

    CONF:
    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 185.56.11.41
    tls-server
    server 192.168.30.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 5800
    management /var/etc/openvpn/server1.sock unix
    max-clients 15
push "dhcp-option DOMAIN PANZERI.local"
    push "dhcp-option DNS 192.168.30.10"
    push "redirect-gateway def1"
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    persist-remote-ip
    float

    MANY THANKS and congratulation for the guide!
    Marco

• Sorry, I’ve posted an old server config.
      The correct one is:

      dev ovpns1
      dev-type tap
      dev-node /dev/tap1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local xxx.xxx.xxx.xxx
      tls-server
      server-bridge 192.168.30.160 255.255.255.0 192.168.30.200 192.168.30.220
      client-config-dir /var/etc/openvpn-csc
      tls-verify /var/etc/openvpn/server1.tls-verify.php
      lport 5800
      management /var/etc/openvpn/server1.sock unix
      max-clients 20
      push "dhcp-option DOMAIN PANZERI.local"
      push "dhcp-option DNS 192.168.30.10"
      push "redirect-gateway def1"
      client-to-client
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      comp-lzo
      persist-remote-ip
      float

      • Marco,

        You might want to try to put a check on the “Inter-client communication” box which will “Allow communication between clients connected to this server”. See “http://openvpn.net/index.php/open-source/documentation/howto.html” for more information and look for the following section:

        # Uncomment this directive to allow different
        # clients to be able to “see” each other.
        # By default, clients will only see the server.
        # To force clients to only see the server, you
        # will also need to appropriately firewall the
        # server’s TUN/TAP interface.
        ;client-to-client
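
As an added example (my own code, not pfSense's or OpenVPN's), here is a small check for a bridged server config like the one posted above: it parses the directives, verifies that the server-bridge pool (192.168.30.200-220) lies inside the bridge subnet and excludes the gateway, compares the pool size against max-clients, and reports whether client-to-client is active or commented out with `;`. The sample config is constructed for the example.

```python
import ipaddress
import shlex

# Constructed sample, modelled on the bridged server config posted above.
SAMPLE_CONF = """\
dev-type tap
server-bridge 192.168.30.160 255.255.255.0 192.168.30.200 192.168.30.220
push "redirect-gateway def1"
;client-to-client
max-clients 20
"""

def parse_conf(text):
    """Return [(directive, [args...])], skipping blank, '#' and ';' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps quoted push arguments as one token
        entries.append((parts[0], parts[1:]))
    return entries

def first(entries, directive):
    """Arguments of the first occurrence of a directive, or None if absent."""
    return next((a for n, a in entries if n == directive), None)

def check_bridge_pool(entries):
    """(ok, pool_size): pool inside the bridge subnet, ordered, gateway excluded."""
    args = first(entries, "server-bridge")
    if args is None or len(args) != 4:
        return None
    gw, mask, start, end = args
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    gw_ip, s, e = (ipaddress.ip_address(x) for x in (gw, start, end))
    ok = s in net and e in net and s <= e and not (s <= gw_ip <= e)
    return ok, int(e) - int(s) + 1

def client_to_client_enabled(entries):
    """True only if the directive is present and not commented out."""
    return first(entries, "client-to-client") is not None

def max_clients_fits_pool(entries):
    """max-clients must not exceed the number of addresses in the pool."""
    pool = check_bridge_pool(entries)
    limit = first(entries, "max-clients")
    if pool is None or not limit:
        return None
    return int(limit[0]) <= pool[1]
```

Run it against a real server1.conf by reading the file into `parse_conf`; a commented-out `;client-to-client` is the case the reply above is pointing at.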

  15. Emil Dabrowski says:

    So I'm getting this error and I have no idea what's causing it...
    -----
    Tue Dec 30 09:35:32 2014 ERROR: Windows route add command failed: returned error code 1
    Tue Dec 30 09:35:32 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    -----

    I've tried running the OpenVPN GUI as administrator and added the following to the .ovpn file:
    -----
    route-method exe
    route-delay 2
    -----
    ... as the internet suggested that...

    Also, my OpenVPN GUI doesn't look like yours. When I right click the icon down the right, I can just choose settings.

    My config looks like this:
    -----
    route-method exe
    route-delay 2
    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote xxx.xxx.xxx.xxx 1194 udp
    lport 0
    verify-x509-name "pfsense-openvpn" name
    auth-user-pass
    pkcs12 hephaestus-udp-1194-openvpnusr.p12
    tls-auth hephaestus-udp-1194-openvpnusr-tls.key 1
    ns-cert-type server
    comp-lzo
    -----

    • What version of windows are you running? Are you on 32 bit or 64 bit. Additionally, what version of the OpenVPN client do you have?

      • Emil Dabrowski says:

        Hi Glenn. Thank you for your reply.

        OS: Windows 8.1 Professional N 64-bit

        I first tried the “openvpn-install-2.3.6-I601-x86_64.exe” installer. It didn’t work so I tried all the other versions as well, without any luck.

        For your notice, both my home network as well as the network that I’m trying to tunnel in to is on 192.168.1.0/24.

        • So the "openvpn-install-2.3.6-I601-x86_64.exe" installer didn't work for you? What errors did you get? Did you try running the installation as an administrator? I would start by removing what you have now and reinstalling the latest version. Before running the client try right clicking on it and going to Properties -> Compatibility -> check "Run as administrator". Additionally I would disable User Account Control to test if that is causing any issue. The errors that you posted seem to be related to permissions.

          • Emil Dabrowski says:

            The installation worked fine, but what I meant was that I was getting the same error (see screenshot) with all different versions of OpenVPN. I’ve tried installing it as an administrator and running the OpenVPN GUI as an administrator. UAC is disabled as well. By the way, I’ve tried running it inside two different Windows virtual machines and I have been getting the same error.

            Screenshot:
            http://i.imgur.com/lnM0xDC.png

          • Emil Dabrowski says:

            For your notice:
            My OpenVPN GUI looks nothing like yours. I start the OpenVPN GUI (“OpenVPN\bin\openvpn-gui.exe”) as an administrator. However, when I connect, I right click on my .ovpn file and choose “Start OpenVPN on this config file”. I am not 100% sure if it runs as an administrator when I do that.

          • Emil Dabrowski says:

            Crap. I did never place my config files under “OpenVPN\config”. I’m in great shame right now. Now my GUI looks like yours, too!

            My TAP-adapter shows “Unidentified Network” right now, but it’s working anyways. Thank you for your help!

          • OK, great! I was about to spin up an 8.1 VM as that was very strange behavior. Happy new year!

  16. Glenn,

    Our company just bought another space for one of our groups to move into, about 7 employees. We use VoIP phones that are assigned static IP addresses in pfSense and a Digium Switchvox PBX. Will OpenVPN through pfSense allow me to set up those users that are moving to be able to use their current extensions and configuration and use their phones as if they were in this building?

    Thank you for the very detailed post. Greatly appreciated!

  17. Thx a lot, the first and only guide that helped me out to configure an OpenVPN configuration. You're the one and thx again. (thumbs up)

  18. Hi, plz can anyone help with how to find a working host to make an OpenVPN config file for free internet. Thanks

  19. thank you for your help.
    The VPN worked the first time.

  20. Hi Glenn,
    Nice post and very detailed.
    But I have a problem when I connect with my Windows 7 64-bit client.
    I don't get a gateway. How can I solve it?
