pfSense – OpenVPN
How to set up OpenVPN on a pfSense
Prerequisites
- Upgrade to 23.x; this firmware version offers much better options.
Setup using Active Directory
- Follow this: https://vorkbaard.nl/set-up-openvpn-on-pfsense-with-user-certificates-and-active-directory-authentication/
- For authentication, follow option B for LDAP unless you need something specific to RADIUS.
- Or use the OpenVPN Wizard, which sets up a better configuration.
Setup without Active Directory
Security
Best – Require Unique Certificate and User Auth
- OpenVPN>Servers: be sure to use Remote Access (SSL/TLS + User Auth) rather than Remote Access (User Auth). This is true two-factor authentication, since it requires a certificate as well as AD credentials.
- Create a separate certificate for each username and lock down OpenVPN>Servers with Strict User-CN Matching, so each certificate can only be used with its own username. This requires a unique certificate on the pfSense for each AD user; if an employee leaves but knows someone else’s password, they still can’t get in.
- Also make sure that when you export (OpenVPN>Client Export) you add a password to the file.
- On the client itself, edit the configuration and change the SUBJ: line to the certificate’s common name, for example SUBJ:Superman. This tells OpenVPN which certificate to grab and ensures the proper certificate is used.
Better – Use non-unique Cert + User Auth
Same as above, except don’t check Strict User-CN Matching.
Good (ish)
Just choose Remote Access (User Auth) from the drop-down. This is only single-factor authentication, since it doesn’t require a certificate as well.
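As an added example (not part of the original page), a small Python check that classifies an exported .ovpn into the tiers above: it looks for auth-user-pass (user auth) and a client certificate (an inline <cert> block, a cert file, or a cryptoapicert "SUBJ:..." line, which is assumed here to be the SUBJ: line referred to above for Windows certificate-store exports) and flags a SUBJ: value that does not match the expected common name. The sample configs are constructed placeholders, not real pfSense exports.

```python
import re

# Constructed sample exports (not real pfSense output), one per tier.
# Key material is replaced by placeholder text.
EXPORT_CERT_PLUS_USER = """client
dev tun
remote vpn.example.invalid 1194 udp
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
cryptoapicert "SUBJ:Superman"
"""

# Same export with the certificate selection removed: User Auth only.
EXPORT_USER_AUTH_ONLY = EXPORT_CERT_PLUS_USER.replace('cryptoapicert "SUBJ:Superman"\n', "")


def classify_export(config_text, expected_cn=None):
    """Return (tier, findings) for an exported .ovpn.

    tier is 'cert+user' (Best/Better), 'user-only' (Good-ish),
    'cert-only' or 'none'; findings lists anything worth fixing.
    """
    lines = [line.strip() for line in config_text.splitlines() if line.strip()]
    has_user_auth = any(line.split()[0] == "auth-user-pass" for line in lines)
    has_inline_cert = "<cert>" in lines
    has_cert_file = any(line.startswith("cert ") for line in lines)
    subj = None
    for line in lines:
        match = re.match(r'cryptoapicert\s+"?SUBJ:([^"]+)"?', line)
        if match:
            subj = match.group(1).strip()
    has_cert = has_inline_cert or has_cert_file or subj is not None
    findings = []
    if subj is not None and expected_cn is not None and subj != expected_cn:
        findings.append(f"SUBJ:{subj} does not match expected CN {expected_cn}")
    if has_user_auth and has_cert:
        tier = "cert+user"
    elif has_user_auth:
        tier = "user-only"
        findings.append("no client certificate: single-factor (User Auth only)")
    elif has_cert:
        tier = "cert-only"
    else:
        tier = "none"
    return tier, findings
```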
Client Setup
Windows
- Make sure the client export package is installed. If not, install the OpenVPN Client Export Utility package as follows:
- Navigate to System > Packages, Available Packages tab
- Locate the OpenVPN Client Export package in the list
- Click Install next to that package listing to install
- Click Confirm to confirm the installation
- Using the Export Package:
- Once installed, the package is located at VPN > OpenVPN, on the Client Export tab. That page presents several options which control the behavior of exported clients. The firewall can optionally save selections on this page as new defaults for future use.
- For clients without OpenVPN installed:
- Export the current Windows installer package associated with the user and run on their computer. This will automatically import the config files.
- For clients with the OpenVPN client already installed:
- Export the ‘Most Clients’ inline config file and import into the client’s OpenVPN software.
Mac
- Download Tunnelblick and install the software
- Navigate to the OpenVPN Client Export section
- Download the inline configuration and drag it into the configurations folder for Tunnelblick.
- Type in the Mac user’s administrative password
- Connect to the VPN and rejoice!
Alternatively you can use Viscosity, but it is a paid product. Just export the inline configuration and install it the same way as with Tunnelblick.
Troubleshooting
Firewall Rules
Having trouble communicating with remote resources over the VPN? Make sure both of the following rules are present on the pfSense:
If using pfSense 2.3 or lower
- You probably need to enable unencrypted authentication in the NPS policy.
- 2.4+ uses MS-CHAPv2 and doesn’t require Unencrypted Authentication.
Testing RADIUS connection to server
Go to Diagnostics>Authentication and enter AD credentials to test that the pfSense can query AD correctly.
If the client is able to connect to the VPN but is not getting an IP address, try this: https://community.openvpn.net/openvpn/wiki/259-tap-win32-adapter-is-not-coming-up-initialization-sequence-completed-with-errors