How to Set up Remote VPN Access Using pfSense and OpenVPN
Secure Remote Network Access Using OpenVPN
In this article you will learn how to set up remote access to your network using OpenVPN on pfSense.
Using a VPN, or virtual private network, is the most secure way to remotely access your home or business network. VPNs provide strong security by encrypting all of the traffic sent between the network and the remote client.
Since pfSense is open source and available for free this project won't cost you anything to complete.
This guide assumes you already have a functional pfSense firewall running. If you don't have one yet you can easily build one using an old computer, or even run a virtual one using VirtualBox.
OpenVPN Configuration Wizard
The simplest way to configure OpenVPN on pfSense is to use the the built in VPN configuration wizard. The wizard will guide you through the process of creating a certificate authority, issuing a server certificate, and configuring the OpenVPN server settings.
To start the configuration open the VPN menu in the web interface and select OpenVPN, then click on the wizards tab.
For the first step of the configuration wizard you will need to choose the authentication backend type. OpenVPN provides three different authentication methods.
Local user access is the simplest method since it does not require an external authentication server.
OpenVPN Authentication Backends
Local User Access
Manage VPN users using the pfSense local user manager.
Manage user access using Windows active directory services.
Manage users on an external RADIUS authentication server.
Creating a Certificate Autority
The next configuration step is to create a certificate authority for issuing certificates. If there is already an existing CA configured in pfSense you can choose to use it for OpenVPN instead of creating a new one.
If you are creating a new CA then you will need to fill out all of the fields in the wizard in order to continue.
The default key length of 2048 bits is sufficient but you can use a longer length key if more security is required. Larger key sizes are more secure but they will require more CPU resources.
Creating a Server Certificate
After creating the certificate authority a server certificate must be issued for OpenVPN. Again you will need to select a key size that meets your security needs and CPU resources.
The default certificate lifetime is 3650 days (10 years). For higher security environments you should consider reducing the certificate lifetime. For home users the default lifetime is fine.
OpenVPN General Settings
In the general settings you will need to select the interface OpenVPN will listen for connection on. In most cases this will be the external facing interface (WAN) which is connected to the internet.
The recommended protocol for most users is UDP on IPV4. UDP is faster than TCP but can be less reliable since packet delivery is not guaranteed. TCP will provide higher reliability but can be slower since there is more protocol overhead.
Use the default listening port of 1194 unless you have a specific need to use a different port.
The cryptographic settings can all be left on default, advanced users may want to tweak these settings as needed for their specific security needs.
If you are using a hardware cryptographic accelerator be sure to select it in this section.
OpenVPN Tunnel Settings
The two most important settings in the tunnel settings section are the tunnel network and the local network.
The tunnel network should be a new network that does not currently exist on the network or the pfSense firewall routing table. When clients connect to the VPN they will receive an address in this network. For example you could enter 10.0.0.0/24 as long as this does not already exist on your network.
Enter the address of the network that clients will connect to in the local network box. By default pfSense uses 192.168.1.0/24 as the local network so most users will enter that as the network address unless they specified a different network.
The rest of the settings in the tunnel section can be left on their default settings.
OpenVPN Client Settings
The settings in the client settings section will be assigned to OpenVPN clients when they connect to the network.
Most users will only need to worry about entering a DNS server in the client settings section. If you are also using pfSense as your local DNS server you would enter the local address of the pfSense firewall (usually 192.168.1.254). If you are using separate DNS servers you can enter them here as well.
Optionally a default DNS domain and NTP servers can be provided to clients as well.
Once nice feature of the OpenVPN wizard is its ability to automatically generate the necessary firewall rules in pfSense to permit connections to the VPN server. In most basic setups you should enable both of these options. If you do not use the automatic rules then you must manually create rules to allow clients to connect to the VPN.
Traffic from Clients to Server
Enabling this option will automatically generate firewall rules to permit incoming connections to the OpenVPN server from clients anywhere on the internet.
Traffic from Clients Through VPN
This option will create an automatic firewall rule which allows traffic from clients connected to the VPN to anywhere on the local network.
After entering all of the required settings the setup wizard is complete. Click finish to apply all of the settings to pfSense.
Creating VPN Users With Certificates
After the OpenVPN configuration has been completed you are ready to start adding VPN users. If selected the local user access option during the configuration wizard then users can be added using the pfSense user manager (System Menu \ User Manager).
Enter a username, password, and click the certificate checkbox to generate a user certificate. Click the save button to complete the process of adding the user.
Installing the OpenVPN Client Export Package
I recommend installing the OpenVPN client export package available in pfSense to make the process of setting up clients much easier.
Install the package using the pfSense package manager found under the system menu. Enter openvpn-client-export in the search term box of the package manager and click on install.
After the package has been installed there will be a new tab called client export in the OpenVPN menu.
Client Connection Behavior
In the client export settings you can adjust several settings that will effect client connection behavior. The main setting you may want to modify here is the host name resolution field. By default this field is set to the IP address of the interface running OpenVPN. You can select the option 'other' if you want to enter a DNS name such as a dynamic DNS hostname.
After making any changes click the save as default button to store the settings.
Downloading OpenVPN Client Packages
After the client export settings have been configured you can export client configuration files and bundled clients using the utility.
The client export tool supports several different operating systems and clients including Windows, Mac, Android, and iOS.
Testing VPN Connectivity
After you've exported a client package you are ready to begin testing connectivity. To test connectivity from Windows simpy install the client package and run through the installation wizard.
The best part of using the OpenVPN client export utility is that the client will automatically be configured to connect to your VPN. You will only need to enter your username and password in order to connect.
OpenVPN Connect Mobile Client
Android or iOS users can easily connect by installing the OpenVPN connect package through the app store. After installing the app generate a client export settings file and transfer it to your mobile device. Opening the settings file will automatically open the OpenVPN app and import the profile.
Two Factor Authentication
For additional security I strongly recommend implementing two factor authentication. Two factor authentication (2fa) requires logging in using a password and a second code which usually expires after a short period of time or is a one time use password.
Setting up 2fa is a complicated topic that is outside the scope of this article but I will offer a couple of suggestions below.
Which platform do you normally run your VPN client on?
Questions & Answers
© 2018 Sam Kear