How to set up OpenVPN on a pfSense
Prerequisites
- Upgrade to 2.4.x; this firmware offers much better options
Setup using Active Directory
- Follow this: https://vorkbaard.nl/set-up-openvpn-on-pfsense-with-user-certificates-and-active-directory-authentication/
- Or use the OpenVPN Wizard (which sets up a better configuration)
Setup without Active Directory
Security
Best – Require Unique Certificate and User Auth
- OpenVPN>Servers: be sure to use Remote Access (SSL/TLS + User Auth) rather than User Auth. This is true two factor authentication since it requires a certificate as well as AD credentials.
- Create a separate certificate for each username and lock down OpenVPN>Servers (check Strict User-CN Matching). This requires a unique certificate set up on the pfSense for each AD user. If an employee leaves but knows someone else’s password, they still couldn’t get in:
- Also make sure when you export (OpenVPN>Client Export) that you add a password to the file:
- On the client itself, edit the configuration and add or change the SUBJ: line to reflect the certificate’s common name, for example SUBJ:Superman. This tells OpenVPN which certificate to grab and ensures the proper certificate is used.
Better – Use non-unique Cert + User Auth
Same as above, except don’t check Strict User-CN Matching.
Good (ish)
Just choose Remote Access (User Auth) from the drop down. This is only single factor authentication since it doesn’t require a cert as well.
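As an added example (not part of the original guide), a small Python check that audits an exported .ovpn profile against the "Best" settings above: the auth-user-pass directive present (user auth), a per-user certificate and key embedded inline, and the key protected by the export password. The sample profile is constructed with placeholder PEM bodies; it assumes a password-protected export yields an ENCRYPTED PRIVATE KEY block (the legacy Proc-Type header is also accepted).

```python
import re

# Constructed sample of an exported client profile (placeholder PEM bodies, not real keys).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
placeholder
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""


def inline_block(profile, tag):
    """Return the body of an inline <tag>...</tag> block, or None if absent."""
    m = re.search(rf"<{tag}>\n(.*?)</{tag}>", profile, re.S)
    return m.group(1) if m else None


def audit_profile(profile):
    """Map the guide's 'Best' settings to yes/no findings for one profile."""
    directives = {l.split()[0] for l in profile.splitlines() if l.strip()}
    key = inline_block(profile, "key") or ""
    findings = {
        # Remote Access (... + User Auth) exports carry auth-user-pass
        "user_auth": "auth-user-pass" in directives,
        # SSL/TLS modes embed the user's own certificate and private key
        "per_user_cert": inline_block(profile, "cert") is not None and bool(key),
        # assumption: password-protected export => encrypted PEM key
        "key_encrypted": "BEGIN ENCRYPTED PRIVATE KEY" in key
        or "Proc-Type: 4,ENCRYPTED" in key,
    }
    # true two factor = something you have (cert) + something you know (AD password)
    findings["two_factor"] = findings["user_auth"] and findings["per_user_cert"]
    return findings
```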
Client Setup
Mac
- Download TunnelBlick and install the software
- Navigate to the OpenVPN Client Export section
- Download the Archive under the Standard configuration
- Extract the archive to the users desktop
- Drag the .ovpn file to the Tunnelblick icon
- Choose to install configuration for all users (All Users or Only Me)
- Type in Mac user’s administrative password
- Connect to the VPN and rejoice!
Alternatively you can use Viscosity, but this is a paid product. Just export the configuration and install it the same way as with Tunnelblick.
Troubleshooting
Firewall Rules
Having trouble communicating with remote resources over the VPN? Make sure this rule is in the pfSense:
and
If using pfSense 2.3 or lower
- You probably need to enable unencrypted authentication in the NPS Policy:
- 2.4+ uses MS-CHAPv2 and doesn’t require Unencrypted Authentication
Testing RADIUS connection to server
Go to Diagnostics>Authentication and enter AD credentials to test that the pfSense can query AD correctly.
If the client is able to connect to the VPN but is not getting an IP address, try this: https://community.openvpn.net/openvpn/wiki/259-tap-win32-adapter-is-not-coming-up-initialization-sequence-completed-with-errors