pfSense – OpenVPN

Last Updated: June 21st, 2023. Published On: February 19th, 2015.

How to set up OpenVPN on a pfSense firewall

Prerequisites

  • Upgrade to pfSense 23.x; there are much better OpenVPN options in this firmware than in older releases.

Setup using Active Directory

Setup without Active Directory

Security

Best – Require Unique Certificate and User Auth

  1. OpenVPN>Servers: set Server Mode to Remote Access (SSL/TLS + User Auth) rather than Remote Access (User Auth).  This is true two-factor authentication, since the client must present a valid certificate as well as AD credentials.
  2. Create a separate certificate for each user, with the certificate's Common Name matching the user's login name, and enable Strict User-CN Matching under OpenVPN>Servers so that a certificate is only accepted together with its own username.  This requires a unique certificate on the pfSense for each AD user, but it means that if an employee leaves and knows someone else's password, they still can't get in: their certificate only works with their own (now disabled) account.
  3. Also make sure that when you export (OpenVPN>Client Export) you set a password on the exported file, so the private key is unusable without it.
  4. On the client itself, edit the configuration and change the SUBJ: value (the cryptoapicert line in exports that use the Windows certificate store) to the certificate's common name, for example SUBJ:Superman.  This tells OpenVPN which certificate to pick and ensures the proper certificate is used.

Better – Use a non-unique Cert + User Auth

Same as above, except use one shared client certificate for all users and don't check Strict User-CN Matching.  Any valid certificate plus valid AD credentials is then accepted, so a leaver who knows another user's password and still holds the shared certificate can get in.

Good (ish)

Just choose Remote Access (User Auth) from the Server Mode drop-down.  This is only single-factor authentication, since it doesn't require a certificate as well as credentials.
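All three tiers leave a trace in the exported client profile: a server in SSL/TLS + User Auth mode produces a profile that carries both auth-user-pass and a client certificate (inline, or as a SUBJ: reference into the Windows certificate store), and the export password shows up as an encrypted private key.  The script below is an added example, not pfSense's or OpenVPN's own code: it parses an exported .ovpn, reports which factors it requires and flags the weaknesses a reviewer would look for.  The two sample profiles, the host vpn.example.com and the placeholder PEM bodies are constructed for the example.

```python
"""Sanity-check an exported OpenVPN client profile (.ovpn) against the
cert + user-auth recommendations. Added example, not pfSense/OpenVPN code."""
import re

# Placeholder PEM bodies (constructed; not real keys or certificates).
_PEM_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----"
_PEM_KEY_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIC...placeholder...\n"
                "-----END ENCRYPTED PRIVATE KEY-----")
_PEM_TLS = ("-----BEGIN OpenVPN Static key V1-----\n0011...placeholder...\n"
            "-----END OpenVPN Static key V1-----")

# Constructed sample of a "Most Clients" inline export from a
# Remote Access (SSL/TLS + User Auth) server, exported with a password.
BEST_PROFILE = f"""\
dev tun
client
tls-client
remote vpn.example.com 1194 udp4
auth-user-pass
remote-cert-tls server
<ca>
{_PEM_CERT}
</ca>
<cert>
{_PEM_CERT}
</cert>
<key>
{_PEM_KEY_ENC}
</key>
<tls-crypt>
{_PEM_TLS}
</tls-crypt>
"""

# Constructed sample from a Remote Access (User Auth) server: no client cert.
USER_AUTH_ONLY_PROFILE = f"""\
dev tun
client
tls-client
remote vpn.example.com 1194 udp4
auth-user-pass
<ca>
{_PEM_CERT}
</ca>
<tls-auth>
{_PEM_TLS}
</tls-auth>
key-direction 1
"""

# Inline blocks look like <cert> ... </cert>; tag names may contain '-'.
_BLOCK_RE = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.S)


def parse_profile(text):
    """Return (directives, inline_blocks) for an .ovpn file."""
    blocks = {name: body for name, body in _BLOCK_RE.findall(text)}
    directives = {}
    for line in _BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives, blocks


def assess_profile(text):
    """Classify the profile's auth factors and list the weaknesses to flag."""
    d, blocks = parse_profile(text)
    user_auth = "auth-user-pass" in d
    # Certificate auth is either an inline cert/key pair or a Windows
    # certificate-store reference of the form cryptoapicert "SUBJ:<CN>".
    subj = re.search(r'SUBJ:([^"]+)', " ".join(d.get("cryptoapicert", [])))
    cert_auth = ("cert" in blocks and "key" in blocks) or subj is not None
    key_pem = blocks.get("key", "")
    # An export password leaves the private key PEM in encrypted form.
    key_encrypted = ("ENCRYPTED PRIVATE KEY" in key_pem
                     or "Proc-Type: 4,ENCRYPTED" in key_pem)
    result = {
        "user_auth": user_auth,
        "cert_auth": cert_auth,
        "two_factor": user_auth and cert_auth,
        "key_password_protected": key_encrypted,
        "remote_cert_tls": "server" in d.get("remote-cert-tls", []),
        "tls_key": "tls-auth" in blocks or "tls-crypt" in blocks,
        "cert_subject": subj.group(1) if subj else None,
        "warnings": [],
    }
    if not result["two_factor"]:
        result["warnings"].append("single factor: server mode is not SSL/TLS + User Auth")
    if key_pem and not key_encrypted:
        result["warnings"].append("inline private key is not password protected")
    if not result["remote_cert_tls"]:
        result["warnings"].append("missing 'remote-cert-tls server'")
    if not result["tls_key"]:
        result["warnings"].append("no tls-auth/tls-crypt key")
    return result


if __name__ == "__main__":
    for name, prof in (("best", BEST_PROFILE), ("user-auth-only", USER_AUTH_ONLY_PROFILE)):
        r = assess_profile(prof)
        print(name, "two_factor=%s" % r["two_factor"], r["warnings"])
```

Run it on a real export with assess_profile(open(path).read()).  The Best versus Better distinction (one certificate per user plus Strict User-CN Matching, or one shared certificate) is enforced on the server, so it cannot be read from a single client profile; what the script can tell you is whether the profile demands both factors and whether the exported key is usable without its password.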

Client Setup

Windows

  • Make sure the client export package is installed. If not:
    • Install the OpenVPN Client Export Utility package as follows:
      • Navigate to System > Packages, Available Packages tab
      • Locate the OpenVPN Client Export package in the list
      • Click Install next to that package listing to install it
      • Click Confirm to confirm the installation
  • Using the Export Package:
    • Once installed, the package is located at VPN > OpenVPN, on the Client Export tab. That page presents several options which control the behavior of exported clients. The firewall can optionally save the selections on this page as new defaults for future use.
    • For clients without OpenVPN installed:
      • Export the current Windows installer package associated with the user and run it on their computer. This will automatically import the config files.
    • For clients with the OpenVPN client already installed:
      • Export the 'Most Clients' inline config file and import it into the client's OpenVPN software.

Mac

  • Download Tunnelblick and install the software
  • Navigate to the OpenVPN Client Export section
  • Download the inline configuration and drag it into the configurations folder for Tunnelblick.
  • Type in the Mac user's administrative password
  • Connect to the VPN and rejoice!

Alternatively you can use Viscosity, but it is paid software.  Just export the inline configuration and install it the same way as with Tunnelblick.

Troubleshooting

Firewall Rules

Having trouble communicating with remote resources over the VPN?  Make sure both of these rules are in the pfSense: a rule on the WAN interface passing traffic to the OpenVPN port (UDP 1194 by default), and a rule on the OpenVPN interface (Firewall>Rules>OpenVPN) passing traffic from the tunnel network to the resources the clients need to reach.

If using pfSense 2.3 or lower

  • You probably need to enable unencrypted authentication (PAP) in the NPS network policy, because these versions send RADIUS requests using PAP.
  • 2.4+ can use MS-CHAPv2 for RADIUS and doesn't require Unencrypted Authentication.

Testing RADIUS connection to server

Go to Diagnostics>Authentication, select the AD/RADIUS authentication server and enter a set of AD credentials to confirm that the pfSense can query AD correctly.


If the client is able to connect to the VPN but is not getting an IP address, try this: https://community.openvpn.net/openvpn/wiki/259-tap-win32-adapter-is-not-coming-up-initialization-sequence-completed-with-errors
