How to Setup your own OpenVPN Server in pfSense (2024)

pfSense is a powerful, open-source firewall/router based on FreeBSD. Using pfSense instead of a typical consumer router has many benefits. Frequent OS updates that patch vulnerabilities are a big one: most consumer routers never get firmware updates, and most people use their router for more than five years. Beyond better security, pfSense includes many tools and a comprehensive GUI that make it easy to set up pretty much any network configuration.

One thing that’s easy to set up on pfSense is your own OpenVPN server. When you have a VPN server running on your router, you can connect to your home network securely and, from anywhere, access your local machine, and even use your home internet connection from your remote device. And that’s what we’re going to look at in this article. We’re going to guide you through all of the steps you need to go through to configure your own OpenVPN server on pfSense.

To learn how to configure an OpenVPN client connection to a commercial VPN provider in pfSense, you can read our dedicated guide.

Why should I install OpenVPN on pfSense?

Installing OpenVPN on pfSense provides several advantages. It allows secure remote access to your home network from anywhere, enabling you to use your home internet connection remotely. It also supports multiple connections, meaning you can connect several devices to a VPN service using a single session, which is more efficient than running individual VPN clients on each machine.

Managing firewall rules within pfSense becomes easier when running multiple tunnels with different policies. You can also configure content filtering on your pfSense box to block ads and malicious sites, benefiting all OpenVPN clients.

OpenVPN is compatible with many devices and operating systems, and supports various features and options, enhancing its flexibility. It’s also privacy-friendly and widely supported by many VPNs.

Having the VPN server on your router keeps your physical setup neat, without the need for additional boxes for different tasks. However, running more services on your pfSense router can increase the load and potential exposure to vulnerabilities, so keeping your software up-to-date is essential.

This guide assumes you’ve already got pfSense set up with working WAN and LAN interfaces.

Settings that are ignored in the instructions should be left at their default values (i.e., untouched).

Thinking about authentication

Before we configure our OpenVPN server, we need to choose an authentication method. Both OpenVPN and pfSense support password-based authentication, certificate-based authentication, or both. In this guide, we’ll be using both so that we cover all the bases. But you’re free to select one or the other. If you choose to use password-based authentication only, you can skip the steps of generating user certificates. But you still need to generate a Certificate Authority as well as a server certificate.

Generating the Certificate Authority (CA)

The first thing we need to do is generate our Certificate Authority (CA), which will validate the OpenVPN server’s identity and authenticate user certificates (if enabled).

  1. From the menus at the top of the screen, select System > Cert. Manager.
  2. Click the Add button at the bottom right.
  3. Enter a name for your CA.
  4. Make sure Method is set to Create an internal Certificate Authority.
  5. Select your Key type. I will be using RSA for this example, but you can also use ECDSA.
  6. Set your Key length to at least 2048. I will be using 4096 for this example.
  7. Set your Digest Algorithm to at least sha256. I will be using sha512 for this example.
  8. Choose a Common Name for your certificate or leave the default of internal-ca.
  9. Click Save at the bottom. You’ve created your Certificate Authority.

Generating the server certificate

  1. If you’re not already there, from the menus at the top of the screen, select System > Cert. Manager.
  2. Select the Certificates sub-menu.
  3. From the Certificates sub-menu, click the Add/Sign button at the bottom right.
  4. Make sure Method is set to Create an internal Certificate.
  5. Enter a Descriptive name for your certificate.
  6. Use the same values you set for the Certificate Authority for the Key type and length, as well as for the Digest Algorithm.
  7. Set the Lifetime to 365 days.
  8. Select Server Certificate as the Certificate Type.
  9. Click Save. You’ve created your server certificate.

Create your OpenVPN user and your user certificate

We now need to create a user to access the OpenVPN server.

I will be creating a single user for this guide, but you can create as many users as you need. Simply repeat these steps.

  1. From the menus at the top of the screen, select System > User Manager. You are taken to the User Manager.
  2. Click the Add button at the bottom right.
  3. Enter a Username and Password for your user.
  4. Click Save. You’ve created your OpenVPN user and are taken back to the User Manager.
  5. If you chose to set up your server for certificate-based authentication or for certificate and password-based authentication, click the pencil icon to the right of your new user. You’re taken back to the Edit User window.
  6. Click the Add button under User Certificates. You’re taken to the Certificate Manager, and you’re prompted to input the parameters for your user certificate.
  7. Make sure Method is set to Create an internal Certificate.
  8. Enter a Descriptive name for your certificate.
  9. Set the same values you set for the Certificate Authority for the Key type and length, as well as for the Digest Algorithm.
  10. Set the Lifetime to 365 days.
  11. Make sure Certificate Type is set to User Certificate.
  12. Click Save. You’re taken back to the User Manager, and you can see that your newly created user certificate is now associated with your OpenVPN user.
  13. Click Save.

Creating the OpenVPN server

We’re now ready to create our OpenVPN server.

  1. From the menus at the top of the screen, select VPN > OpenVPN. You are taken to the OpenVPN Servers sub-menu.
  2. Click the Add button on the bottom right.

General Information

  1. Set the Server mode to either Remote Access (SSL/TLS), Remote Access (User Auth), or Remote Access (SSL/TLS + User Auth). As mentioned above, I will be using Remote Access (SSL/TLS + User Auth) for this example.
  2. Change the Local port to a different port if required by your network topology or leave it at the default (1194).
  3. Enter a name for your server in the Description field.

Cryptographic Settings

  1. Make sure Use a TLS Key and Automatically generate a TLS Key are enabled.
  2. Make sure your Peer Certificate Authority is set to the CA we created earlier.
  3. Set the Server certificate field to the server certificate we created earlier.
  4. Select 4096 for the DH Parameter Length setting.
  5. Set the Auth digest algorithm to RSA-SHA512 (512-bit).

Tunnel Settings

  1. In the IPv4 Tunnel Network field, enter a subnet that is not present on your network to be used as the OpenVPN network’s internal subnet. In my case, I’m using 192.168.2.0/24.
  2. If your network also supports IPv6 and you want your OpenVPN tunnel to support IPv6 as well, enter an unused IPv6 subnet in the IPv6 Tunnel Network field. In this example, I am configuring my server for IPv4 only.
  3. Enable Redirect IPv4 Gateway in order to route all IPv4 traffic over the VPN tunnel.
  4. Enable Redirect IPv6 Gateway in order to route all IPv6 traffic over the VPN tunnel, if needed.
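
The tunnel network must not collide with any network that is already routed, and with Redirect IPv4 Gateway enabled that includes the networks your clients connect from, not only the LAN behind pfSense. The following check is an added example, not part of the original guide or of pfSense; the function name and the inventory of networks are constructed for illustration.

```python
import ipaddress

def check_tunnel_network(tunnel, in_use):
    """Return a list of problems with a proposed OpenVPN tunnel network.

    tunnel -- CIDR string as typed into the IPv4/IPv6 Tunnel Network field
    in_use -- {label: CIDR} for every network already routed on either side
    """
    try:
        # strict=True rejects values with host bits set, e.g. 192.168.2.1/24
        net = ipaddress.ip_network(tunnel, strict=True)
    except ValueError as exc:
        return [f"{tunnel}: not a valid network ({exc})"]
    problems = []
    if not net.is_private:
        problems.append(f"{net} is not private address space")
    for label, cidr in in_use.items():
        other = ipaddress.ip_network(cidr, strict=False)
        # overlaps() raises TypeError across IP versions, so compare like with like
        if other.version == net.version and net.overlaps(other):
            problems.append(f"{net} overlaps {label} ({other})")
    return problems

# Constructed inventory: the LAN value is an assumption about the pfSense box,
# the other two stand for networks a roaming client might be connected to.
IN_USE = {
    "pfSense LAN": "192.168.1.0/24",
    "office Wi-Fi": "10.20.0.0/16",
    "hotel Wi-Fi": "192.168.2.0/23",
}

if __name__ == "__main__":
    for candidate in ("192.168.2.0/24", "10.99.7.0/24"):
        print(candidate, check_tunnel_network(candidate, IN_USE) or "OK")
```

In this constructed inventory the guide's 192.168.2.0/24 is free on the home LAN but overlaps one of the remote networks, while 10.99.7.0/24 overlaps none of them.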

Advanced Configuration

  1. Enable UDP Fast I/O.
  2. If you’re only using IPv4, select IPv4 only in the Gateway creation field. If you’re using both IPv4 and IPv6, leave it set to Both.
  3. Click Save. You’ve created your OpenVPN server.

Verifying the OpenVPN server configuration

  1. To make sure our server is set up correctly, select Status > System Logs from the top menus.
  2. Select the OpenVPN sub-menu. The OpenVPN logs are displayed.
  3. If everything is set up correctly, you should see Initialization Sequence Completed in the logs.

Create firewall rules

Now that our OpenVPN server is configured, we need to create firewall rules to allow traffic to and from our server.

OpenVPN rule

This rule will allow traffic from the OpenVPN subnet out to the internet.

  1. From the menus at the top of the screen, select Firewall > Rules.
  2. Select the OpenVPN sub-menu.
  3. Click the Add button to create a new rule at the top of the list.
  4. Set the Address Family to IPv4 + IPv6 if your system is using both IPv4 and IPv6. If not, leave it at the default value of IPv4.
  5. Set the Protocol field to Any.
  6. Set the Source to Network.
  7. Enter the OpenVPN subnet you specified earlier in the Source Address field but without the /24. For example: 192.168.2.0.
  8. Select 24 from the drop-down menu to the right of the Source Address field.
  9. Enter a description for this rule in the Description field.
  10. Click Save, then click Apply Changes. Traffic will now be allowed out through the firewall from the OpenVPN subnet.

WAN rule

In order to connect to your OpenVPN server from the outside world (i.e., the internet), you’re going to need to open the port your server runs on (1194, in this example) on your WAN interface. This rule will allow your client to connect to your OpenVPN server from the internet.

  1. From the menus at the top of the screen, select Firewall > Rules.
  2. Select the WAN sub-menu (the default).
  3. Click the Add button to create a new rule at the top of the list.
  4. Set the Address Family to IPv4 + IPv6 if your system is using both IPv4 and IPv6. If not, leave it at the default value of IPv4.
  5. Make sure Source is set to Any.
  6. Set the Protocol field to UDP.
  7. Set the Destination Port Range to 1194.
  8. Enter a description for this rule in the Description field.
  9. Click Save, then click Apply Changes. Traffic will now be allowed from the internet to the OpenVPN server.

Install the OpenVPN Client Export Utility

In order to easily configure our OpenVPN client, pfSense provides an automated configuration generator for OpenVPN. However, it’s not installed by default. We need to install the package from the pfSense Package Manager manually.

  1. From the menus at the top of the screen, select System > Package Manager. You are taken to the Package Manager.
  2. Select the Available Packages sub-menu.
  3. Scroll down until you see openvpn-client-export and click the Install button to its right. You’re taken to the Package Installer page.
  4. Click Confirm. The installation begins.
  5. Once the installation is finished, the progress bar turns green, and you should see Success displayed in the Package Installation window.

Export the OpenVPN client configuration

  1. From the menus at the top of the screen, select VPN > OpenVPN.
  2. Select the Client Export sub-menu.
  3. Make sure the correct OpenVPN server is selected next to Remote Access Server.
  4. If you’re using Dynamic DNS to access your pfSense WAN, select Other from the Host Name Resolution drop-down menu. Then enter the hostname in the Host Name box that appears below. This allows you to access your pfSense WAN by hostname rather than IP address, which means that you won’t lose access to your OpenVPN server if your ISP changes your WAN IP address. If you’re not using Dynamic DNS, leave Host Name Resolution set to Interface IP Address.
  5. Scroll down to the bottom of the page, and you’ll find generated configurations for various systems and apps. Click on the appropriate configuration for your device(s) to download it to your computer.

I’m going to be connecting a Linux laptop, so I downloaded the Most Clients inline configuration.
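
Before importing an exported profile, you can confirm that it matches the server settings chosen in this guide (UDP port 1194, SHA512 auth digest, certificate plus password authentication, a TLS key). The following audit is an added example, not part of the original guide or of the export package; it assumes the profile uses the standard OpenVPN directives remote, proto, port, auth, auth-user-pass, remote-cert-tls and verify-x509-name with inline <ca>, <cert>, <key> and <tls-auth> or <tls-crypt> blocks, and the sample profile and function names are constructed.

```python
import re

# Constructed sample profile: vpn.example.net is a made-up host and the
# inline blocks hold placeholders instead of real certificates and keys.
SAMPLE_OVPN = ("client\ndev tun\nremote vpn.example.net 1194 udp4\nauth SHA512\n"
               "auth-user-pass\nremote-cert-tls server\n" + "".join(
               f"<{n}>\n(placeholder)\n</{n}>\n" for n in ("ca", "cert", "key", "tls-auth")))

def parse_ovpn(text):
    """Return (directives, inline block names, name of an unclosed block or None)."""
    directives, inline, block = {}, set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if block:                            # skip the body of <name> ... </name>
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            block = tag.group(1)
            inline.add(block)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline, block

def audit(text, port="1194", digest="SHA512"):
    """List deviations from the settings chosen in this guide; empty means OK."""
    d, inline, unclosed = parse_ovpn(text)
    issues = [f"inline <{unclosed}> block is never closed"] if unclosed else []
    if "remote" not in d:
        issues.append("no remote directive")
    for r in d.get("remote", []):
        r_port = r[1] if len(r) > 1 else d.get("port", [["1194"]])[0][0]
        proto = r[2] if len(r) > 2 else d.get("proto", [["udp"]])[0][0]
        if r_port != port or not proto.startswith("udp"):
            issues.append(f"remote {' '.join(r)} is not UDP port {port}")
    auth = d.get("auth", [[]])[0]
    if not auth or auth[0].upper() != digest:
        issues.append(f"auth digest is not {digest}")
    if "auth-user-pass" not in d:
        issues.append("auth-user-pass missing: password authentication is off")
    issues += [f"inline <{n}> block missing" for n in ("ca", "cert", "key") if n not in inline]
    if not inline & {"tls-auth", "tls-crypt"}:
        issues.append("no inline TLS key (tls-auth or tls-crypt)")
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        issues.append("server certificate type or name is not verified")
    return issues
```

Calling audit() on the text of a downloaded .ovpn file returns an empty list when the profile matches; a truncated download shows up as an unclosed inline block.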

Upon importing my configuration in Linux’s Network Manager, I simply need to input my username and password (they’re not included in the configuration file), and I can connect to my OpenVPN server.

I can then check to make sure that my public IP address has been changed to the WAN address of my home internet, using Comparitech’s IP Address Check tool.

Wrap-Up

So that’s how you set up a basic OpenVPN server in pfSense for remote access. There are a lot of places to go from here to accommodate more complex setups. You could also configure content filtering on your pfSense box to block ads and malicious sites. Your OpenVPN clients would benefit from this as well. But for now, you have a fully functional OpenVPN server configured on your home router (pfSense), enabling you to use your home internet connection from any device, wherever you are.

VPN on, friends.

Article information

Author: Kerri Lueilwitz
