How to setup OpenVPN on a pfSense

Prerequistes

• Upgrade to 2.4.X, there are much better options with this firmware

Setup using Active Directory

• Follow this:  https://vorkbaard.nl/set-up-openvpn-on-pfsense-with-user-certificates-and-active-directory-authentication/
• Or use the OpenVPN Wizard (which sets up Better configuration)

Setup without Active Directory

• https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-remote-access-server.html

Security

Best – Require Unique Certificate and User Auth

1. OpenVPN>Servers: be sure to use Remote Access (SSL/TLS + User Auth) rather than User Auth.  This is true two factor authentication since it requires a certificate as well as AD credentials.
   1. 
2. Create a separate certificate for each username and lock down OpenVPN>Servers.  This requires a unique certificate setup on the pfSense for each AD user.  If an employee leaves but knows someone else’s password – they still couldn’t get in:
   1. 
3. Also make sure when you export (OpenVPN>Client Export) that you add a password to the file:
4. On the client itself, edit the configuration and add change the line SUBJ: to reflect the common name.  For example SUBJ:Superman – this helps OpenVPN know which certificate to grab and can ensure the proper certificate is used.

Better – User non-unique Cert + User Auth

Same as above, except don’t check Strict User-CN Matching

Good (ish)

Just choose Remote Access (User Auth) from the drop down.  This is just single factor authentication since it doesn’t require a cert as well

Client Setup

Mac

• Download TunnelBlick and install the software
• Navigate to the OpenVPN Client Export section
• Download the Archive under the Standard configuration
  • 
• Extract the archive to the users desktop
• Drag the .ovpn file to the Tunnelblick icon
• Choose to install configuration for all users (All Users or Only Me)
• Type in Mac user’s administrative password
• Connect to the VPN and rejoice!

Alternatively you can use Viscocity but this is a paid version.  Just export the and install the same way as Tunnelblick.

Troubleshooting

Firewall Rules

Having trouble communicating with remote resources over the VPN?  Make sure this rule is in the pfsense:

and

If using pfSense 2.3 or lower

• You probably need to need to enable unencrypted authentication in the NPS Policy:
• 
• 2.4+ uses MS-CHAPv2 and doesn’t require Unencrypted Authentication

Testing RADIUS connection to server

Go to Diagnostics>Authentication, enter AD credentials to test to make sure the pfSense can query AD correctly

 

If client is able to connect to the vpn but is not getting an ip address try this https://community.openvpn.net/openvpn/wiki/259-tap-win32-adapter-is-not-coming-up-initialization-sequence-completed-with-errors