Packetwatch.net

OpenVPN Remote Access (TLS + User Auth) in pfSense



Last modified: Sept. 11, 2012

Contents
1 - Summary
2 - Dependencies
3 - Service configuration
4 - Client configuration


1 - Summary

This guide will show you how to enable OpenVPN Remote Access (TLS + User Auth)
in pfSense. OpenVPN is VPN software that connects remote networks utilizing
SSL/TLS. This has been tested in pfSense 2.0.1 i386.


2 - Dependencies

Log into the pfSense website. Navigate to the System menu, then click on
Packages. Click on Available Packages. Find the package named OpenVPN Client
Export Utility and install it by clicking on  the plus box on the right of it.
Click OK to install the package.

Available Packages
Navigate to the System menu, then click on Cert Manager. On the CA tab, click the plus box on the right side to add a new one. Change the Method to Create an internal Certificate Authority. Enter the details. The Descriptive name and the Common Name will be needed later. It's important not to have spaces in the Descriptive name and Common Name. Click on Save.
Creating Internal Certificate Authority
Navigate to the System menu, then click on User Manager. Click on the Groups tab. Click on the plus box to add a new group. Click on Save.
Create new user group
Click on the Users tab. Click on the plus box to add a new user. Type in the user information and put the user in the new group named users and also make sure to check the box next to Click to create a user certificate. Under the Certificate area, select the Certificate authority named Road_Warrior_CA that we created earlier. It's important not to have spaces in the Descriptive name. Click on Save.
Create new user
3 - Service configuration Navigate to the VPN menu, then click on OpenVPN. Click on the Wizards tab. Select Local User Access for the Type of Servers. Click on Next.
Authentication Backend Type
Select the Certificate Authority named Road_Warrior_CA that we created earlier. Click on Next.
Certificate Authority
For Server Certificate, click on Add new Certificate.
Server Certificate
Type in the information for the new Server Certificate. In this example, the Descriptive name will be Road_Warrior_Server_Certificate. It's important not to have spaces in the Descriptive name. Click on Create new Certificate.
New Server Certificate
Set the Cryptographic Settings.
Cryptographic Settings
Set the Tunnel Settings. In this example, the tunnel (VPN) network is set to use the 192.168.201.0 network, while the local network is set to use 10.1.1.0. It's set to have five concurrent connections using compression. Also, in this example the option for duplicate connections has been set.
Tunnel Settings
Set the Client Settings. For this example, the default settings are fine. Click on Next at the bottom.
Client Settings
Check each of the two boxes for the firewall rules. Click on Next.
Firewall Rule Configuration
The Wizard has completed. Click on Finish.
Configuration Complete
Click on the Client Export tab. Click on Configuration archive on the right hand side of the area for the user name vpnuser.
Client Export Utility
4 - Client configuration Download and install the OpenVPN software available at http://www.openvpn.net/ on the client machine. Copy the configuration archive that was generated to the client machine and extract the files to the config sub-directory under the main OpenVPN directory. When trying to connect to the OpenVPN server, you will be asked for the username and password. That's it, now you OpenVPN Remote Access (TLS + User Auth) configured in pfSense.

Last modified: Thu Jan 1 00:00:00 1970 UTC
Packetwatch Research 2002-2014.