In this article I will go through the configuration of OpenVPN on the pfSense platform. I have talked about the initial configuration of pfSense in this previous article and if you are not familiar with the platform then you can check that out to get you up and running. Let’s go ahead and start by talking about VPNs first and then we will move to the configuration.
A VPN (virtual private network) allows us to connect directly to our home private network over the internet. This means that if we are in a remote location and want to have access to services hosted within our private network, we can use a VPN to do so. VPNs are needed because private address ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are not routed on the public internet, as they are reserved for private use. A VPN gives us the ability to extend the private network by creating a tunnel between the client in a remote location and the server in your private network. This means that once the session is up, the remote client will be able to access all the resources located within your private home network.
VPNs come in many flavors and you have different types. pfSense supports L2TP, PPTP, IPsec, and OpenVPN. You might be wondering why use OpenVPN and not the others. OpenVPN is open source and well maintained by the community, which means you can be reasonably confident that if a vulnerability is found it will get patched quickly. When it comes to performance, OpenVPN works well on high latency connections and is capable of compression should you be limited on bandwidth on the client or server side. With regards to authentication, OpenVPN supports LDAP, RADIUS, and a local database, which makes it flexible to integrate with different types of environments. The authentication is solid because you can pair a regular username and password with certificates for higher security. Encryption in OpenVPN is provided via OpenSSL, which is an open source implementation of the SSL/TLS protocols and allows us to use some very strong cryptographic algorithms which can be hardware accelerated for better performance. On the networking side it can run over TCP or UDP depending on whether you want reliability or not, but it will be slower should you decide on TCP. OpenVPN supports both IPv4 and IPv6 and is capable of creating a tunnel through a proxy, through networks using NAT, and through firewalls. Overall OpenVPN is very solid compared to the other solutions, which lack in many areas.
Let’s get started by configuring a certificate authority in pfSense. The certificate authority or CA will sign the certificates that we will be creating for the server and client side when we configure OpenVPN. You can access the certificate configuration by going over to System–>Cert Manager.
Under the CAs tab you might already have a CA created if you followed one of my previous articles, as we needed to create one in order to sign an internal certificate used to secure the pfSense web interface.
If you do not have one here then you should create a CA and secure your pfSense web interface ASAP to prevent snooping, should you have it set to be accessible from the internet. Creating a CA is simple and is done by hitting the plus symbol on the right hand side. The form that you fill out should be self-explanatory.
After you have finished setting up the CA, the next step is to create some certificates that the newly created CA will sign for us. Since these certificates are self-signed (issued by our own private CA rather than a publicly trusted one), most browsers will give you a warning if you try accessing a web site that is using them, e.g. the pfSense web GUI if you are creating a certificate to secure it. In a similar manner, hit the plus sign to create a certificate and go through the form. See below for the settings that I used for my OpenVPN server certificate.
Now that we have all the components in place we can configure OpenVPN. Head over to VPN–>OpenVPN.
Go ahead and select “Wizards” from the tab at the top which will guide us step by step to configure OpenVPN.
The step by step guide will first ask you the type of authentication backend that you are using. In our case we will select the local user access database provided by pfSense. Of course, if you do have an internal LDAP or Radius server that you want to use then you can select either of those options.
In the next step we will be selecting the CA that we created at the beginning of this article.
Next is the Server Certificate that we will be using, which is the certificate that we recently created.
On the next page we will start selecting several different configuration options. The first three options are the interface on which we will be listening for connections, the protocol, and the port number. You should select the WAN interface for OpenVPN to bind to if you want to be able to access your network from the outside. The protocol should be UDP unless you have a specific reason for using TCP. The port can be changed, or you can leave it at the default OpenVPN port of 1194.
The next section deals with the cryptographic settings. Here we will specify to use TLS authentication and have it generate a shared TLS authentication key, which gives us another layer of security. See below for the explanation provided by the OpenVPN documentation.
The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:
- DoS attacks or port flooding on the OpenVPN UDP port.
- Port scanning to determine which server UDP ports are in a listening state.
- Buffer overflow vulnerabilities in the SSL/TLS implementation.
- SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).
Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key.
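To make the "dropped without further processing" behaviour described above concrete, here is a small added illustration (not code from the OpenVPN project or from pfSense) of the tls-auth pre-filter: each control packet carries an HMAC under the shared key, and anything that fails the check is discarded before any TLS handshake work happens. The key, packet layout and sample packets are constructed for the demo; real OpenVPN places the tag after the opcode and session id and also covers a replay-protection packet id.

```python
"""tls-auth style pre-filter: verify an HMAC on every control packet before
spending any effort on the SSL/TLS handshake (added illustration)."""
import hashlib
import hmac
import os

DIGEST = hashlib.sha1            # OpenVPN's default --auth digest
TAG_LEN = DIGEST().digest_size   # 20 bytes for SHA1

# Constructed stand-in for the shared key the pfSense wizard generates
# (a real ta.key is a 2048-bit static key; any secret bytes work here).
TLS_AUTH_KEY = hashlib.sha256(b"constructed demo tls-auth key").digest()


def sign_packet(payload: bytes, key: bytes = TLS_AUTH_KEY) -> bytes:
    """Client side: prepend an HMAC tag to a control-channel packet.
    Simplified layout: tag || payload."""
    return hmac.new(key, payload, DIGEST).digest() + payload


def accept_packet(packet: bytes, key: bytes = TLS_AUTH_KEY):
    """Server side: return the payload if the tag verifies, else None.
    None means the packet is dropped: no TLS state is allocated and no
    handshake code path is exercised for it."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, DIGEST).digest()
    # Constant-time compare so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def filter_packets(packets, key: bytes = TLS_AUTH_KEY):
    """Run received packets through the filter.
    Returns (accepted_payloads, dropped_count); only accepted payloads
    would ever be handed to the SSL/TLS layer."""
    accepted, dropped = [], 0
    for pkt in packets:
        payload = accept_packet(pkt, key)
        if payload is None:
            dropped += 1
        else:
            accepted.append(payload)
    return accepted, dropped


if __name__ == "__main__":
    legit = sign_packet(b"P_CONTROL_HARD_RESET_CLIENT_V2")
    noise = os.urandom(40)                      # scan/flood traffic, no key
    wrong = sign_packet(b"P_CONTROL_HARD_RESET_CLIENT_V2", b"other key")
    tampered = legit[:-1] + b"X"                # payload modified in flight
    ok, dropped = filter_packets([legit, noise, wrong, tampered])
    print(f"accepted={len(ok)} dropped={dropped}")  # accepted=1 dropped=3
```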
The DH parameter length used for public key cryptography should NOT be set to 1024 or lower. There is a lot of research showing that 1024 bit keys can be broken relatively quickly, and RSA is recommending that all websites upgrade to 2048 bit keys by the end of this year.
At the bottom you have the option of selecting an encryption algorithm and whether your hardware can do crypto acceleration.
Moving on to the Tunnel settings, we have the option of specifying the tunnel network, which is the network that clients connecting to the VPN will be assigned an address from. You can specify whether all traffic should be redirected through the tunnel and which local network clients connecting from the outside can access. Near the middle we can specify the maximum number of concurrent sessions and whether we want to use compression for the data traversing the tunnel. At the bottom we have TOS fields used for QoS (quality of service), whether we want to allow communication between the clients tunneling in, and whether duplicate connections should be allowed.
In the client settings we can specify whether to allow clients to retain their connection should their IP address change. The second option will assign the clients an IP address from the tunnel network we configured at the top. You can configure the other options below if you want to push certain other parameters to connecting clients.
After hitting next, we are presented with adding firewall rules. The rules are needed so that a connection can be established. Go ahead and check both boxes before finalizing.
Once you are done you should see an entry under the server tab of OpenVPN.
I actually did an edit on the previous entry above and configured the DNS server to point to my default gateway which is my pfSense box since it is configured as a DNS forwarder.
The next step is to start creating user accounts that we will use during the authentication process. Creating user accounts is done over at System–>User Manager under the users tab.
Go ahead and hit the plus sign to create a new user and fill out the form. Everything here should be self-explanatory.
Once the account has been created, we need to create a user certificate for the account. We will be going back to System–>Cert Manager and under the certificates tab create a new certificate.
Hit the plus sign to start the creation process. Make sure to select “User Certificate” from the dropdown as you are creating the certificate.
Once the certificate is created, we will go back to the user account that we made and modify it.
We will assign the certificate that we just created to the user account.
From the drop down list select the user certificate that we recently created.
We are almost done with the configuration and there are only a couple of small things left to do. Before we move onto the client configuration we need to export the keys and certificates from pfSense so that our clients can use them. This process is made easy by installing the OpenVPN Client Export Utility from System–>Packages.
We will be using this tool soon, but before doing so we must set up Dynamic DNS. If you are familiar with IP addressing then you know that your ISP will assign you a public IP address via DHCP on your WAN port. This IP address is dynamic, which means that it can change unless you have paid your ISP extra for a static address. When our clients connect to the OpenVPN server they will try to reach us on the public WAN address on port 1194. If the address changes then they won't be able to reach us unless we somehow learn the new address and modify the configuration file. This becomes a huge pain to manage, and Dynamic DNS will solve this problem for us.
The way dynamic DNS works is that it maps a hostname that we specify to the current WAN IP address. The Dynamic DNS client checks the WAN IP at a certain interval and keeps the hostname to IP address mapping current, so that when we try to reach the hostname over the internet it points to the correct WAN IP address of our router. In order to get a hostname we must register with a third party and come up with a unique name that has not been taken yet. Here are a couple of different dynamic DNS providers where you can register a hostname. Note that some of these are free.
Once you have registered a hostname, head over to Services–>Dynamic DNS. Under the DynDNS tab go ahead and add a new entry. From the service type menu select the provider that you registered with and make sure that you are monitoring the WAN interface. Under hostname type in the fully qualified domain name that you registered (I blacked mine out for privacy reasons). The last thing you want to do is type in your account information so that pfSense is capable of reaching your dynamic DNS provider and updating the hostname with your current WAN IP address.
Here is the list of Service Type from pfSense.
We will now go over to the VPN–>OpenVPN Section and go to the Client Export Tab.
In the client export tab we will be exporting the certificates, keys, and configuration files that we will need for our VPN client. Here you will have different options to select from. The remote access server should show the port number that you specified for OpenVPN as well as the protocol, whether it's TCP or UDP. For hostname resolution we will be using Dynamic DNS, which means that you will select the hostname that you configured above. Everything else can be left at the default settings unless you have a reason for selecting the other options.
At the bottom you will have options to export the configuration and files. The standard configuration is what you will need, and it is a good idea to get the archive as this will include the certificates and keys needed. Note that you can also download the Windows installer from here, depending on which platform you are using.
Alternatively you can also get the installer directly from the website:
The official website might have a more up to date version.
The installation process should be simple and you can leave the options at their default settings.
Make sure to install the network adapter when prompted to do so.
The next thing you want to do is to transfer the archive downloaded from pfSense to the client securely (SFTP, FTPS, SCP, an encrypted archive, or any other secure transfer method). The files will have to be extracted and placed under the config directory of OpenVPN.
After placing the files in the config directory you can open the application.
Note: If you experience any issues then try right clicking the OpenVPN GUI and running it as an administrator.
Then right-click the OpenVPN icon on the bottom right and hit connect.
You will be prompted for your username and password.
In my case it failed with a cipher algorithm not found error.
I opened a command prompt and did an “openvpn --show-ciphers” to see what ciphers the client supported and noted that the cipher that I had chosen was not listed.
I went back into pfSense and changed the cipher to something supported by the client. This time it worked fine.
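The mismatch above can be caught before rolling a config out to clients. The following is an added helper (not part of the article or of pfSense) that parses the output of "openvpn --show-ciphers" from the client and checks whether the cipher chosen in the pfSense server settings is listed; the sample output below is constructed to match the OpenVPN 2.4 format, and the check also flags ciphers with a 64-bit block size, which OpenVPN itself warns against.

```python
"""Check a pfSense OpenVPN server cipher against what the client build
reports in `openvpn --show-ciphers` (added helper, not pfSense code)."""
import re

# Constructed sample of `openvpn --show-ciphers` output (OpenVPN 2.4 format).
SHOW_CIPHERS_OUTPUT = """\
The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be use as a
parameter to the --cipher option.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode)
BF-CBC  (128 bit key by default, 64 bit block)
"""

# One cipher line: NAME  (<n> bit key[ by default], <m> bit block ...)
CIPHER_LINE = re.compile(
    r"^([A-Za-z0-9-]+)\s+\((\d+) bit key(?: by default)?, (\d+) bit block")


def parse_show_ciphers(output: str) -> dict:
    """Map upper-cased cipher name -> (key_bits, block_bits), skipping the
    preamble and blank lines."""
    ciphers = {}
    for line in output.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if m:
            ciphers[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ciphers


def check_server_cipher(server_cipher: str, client_output: str):
    """Return (supported, message) for the cipher set on the pfSense server.
    Cipher names are compared case-insensitively, as OpenSSL resolves them."""
    supported = parse_show_ciphers(client_output)
    name = server_cipher.upper()
    if name not in supported:
        return False, (f"{name} is not offered by this client; choose one of: "
                       + ", ".join(sorted(supported)))
    key_bits, block_bits = supported[name]
    msg = f"{name} is supported by the client ({key_bits}-bit key)"
    if block_bits < 128:
        msg += (f", but it has a {block_bits}-bit block; prefer a 128-bit "
                "block cipher such as AES-256-GCM")
    return True, msg
```

On the real client, pipe the command output in with `openvpn --show-ciphers` and pass it as client_output instead of the constructed sample.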
Going back into pfSense and selecting Status–>OpenVPN we can see that there is currently an active connection.
This concludes the OpenVPN server configuration on pfSense. I hope that this was useful for those out there trying to figure out how to configure OpenVPN. Thank you for taking your time to read this article. Happy new year and see you here next time.