====== PFSense - VPN - OpenVPN - Configure an OpenVPN Server - Using a Wizard ======

Navigate to **VPN -> OpenVPN -> Servers**.

Click on **Wizard**.

**NOTE:** This Wizard will easily create the CA (Certification Authority), the Server Certificate and the configuration of the VPN Server; these components can also be created manually if required.

  * Select **Local User Access**.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_wizard_-_local_user_access.png?800|}}

  * Click **Next**.

----

===== Create the CA =====

  * Descriptive Name: ****

**NOTE:** All the other parameters can be left at their defaults.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_wizard_-_ca.png?800|}}

  * Click **Add New CA**.

----

===== Create the Server Certificate =====

  * Descriptive Name: ****

**NOTE:** The Lifetime can only be set for a short timeframe; see the comment against that field. All other parameters can be left at their defaults.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_wizard_-_server_certificate.png?800|}}

  * Click **Next**.

----

===== Configure the VPN Server =====

In **General OpenVPN Server Information**:

  * Interface: **WAN**. Or select the interface on which the service should listen. If there is more than one WAN interface, choose the one to dedicate to the service; multiple interfaces can be selected later for greater redundancy.
  * Protocol: **UDP on IPv4 only**.
  * Local Port: **1194**. Remember that the port used for the VPN must be open on the listening interface, so the Firewall will need a rule allowing it.
  * Description: Choose the name to identify the server.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_wizard_-_server_setup_-_general_openvpn_server_information.png?800|}}

----

In **Cryptographic Settings**:

  * TLS Authentication: **Checked**.
  * Generate TLS Key: **Checked**.
  * DH Parameters Length: **2048**.
  * Encryption Algorithm: **AES-128-CBC (128 bit key, 128 bit block)**.
  * Auth Digest Algorithm: **SHA256 (256-bit)**.
  * Hardware Crypto: **Intel RDRAND engine - RAND**.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_wizard_-_server_setup_-_cryptographic_settings.png?800|}}

----

In **Tunnel Settings**:

  * Tunnel Network: **10.20.30.0/24**.
  * Redirect Gateway: **Not Checked**.
  * Local Network: **192.168.1.0/24**. If there are multiple LAN networks to which access should be given, enter them separated by commas.
  * Concurrent Connections: ****. Set this to the maximum number of clients allowed to connect.
  * Compression: **Omit Preferences (Use OpenVPN Default)**.
  * Type-of-Service: **Not Checked**.
  * Inter-Client-Communication: **Not Checked**.
  * Duplicate Connections: **Not Checked**.

**NOTE:** The Tunnel Network acts as an intermediary. Any private address range can be used here, i.e. one that is RFC1918 compliant.

  * **RFC1918 Compliant**: (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Take care not to choose 10.10.10.1 as this could conflict with pfBlockerNG.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_wizard_-_server_setup_-_tunnel_settings.png?800|}}

----

In **Client Settings**:

  * Dynamic IP: **Checked**.
  * Topology: **Subnet - One IP address per client in a common subnet**.
  * Netbios Node Type: **None**.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_wizard_-_server_setup_-_client_settings.png?800|}}

  * Click **Next**.

----

===== Firewall Rules =====

Wizard Firewall Rule Setup:

  * Firewall Rule: **Checked**.
  * OpenVPN Rule: **Checked**.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_wizard_-_firewall_rule_configuration.png?800|}}

  * Click **Next**.

----

===== Success =====

==== OpenVPN Server ====

Navigate to **VPN -> OpenVPN -> Servers**.
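The Tunnel Settings chosen in the wizard are easy to get subtly wrong: the Tunnel Network must be an RFC1918 range, must not overlap any Local Network it is supposed to route to, must leave room for clients under the Subnet topology, and must stay clear of 10.10.10.1, which the page warns collides with pfBlockerNG. The Python script below is an added example, not code from this wiki page or from pfSense; it encodes those checks so the values can be verified before the server is saved. The `avoid` parameter defaults to the address the page warns about; the size threshold of a /30 is an assumption based on the server taking one address out of the tunnel range.

```python
"""Sanity checks for the wizard's Tunnel Settings.

Added example: not code from the wiki page or from pfSense.  It takes the
Tunnel Network and the comma-separated Local Network field from the wizard and
reports anything that would bite later: a tunnel range that is not RFC1918,
one that overlaps a LAN it should route to, one too small for the "Subnet"
topology, or one that contains an address to avoid (the page warns about
10.10.10.1 because of pfBlockerNG; that is the default of `avoid` here).
"""
import ipaddress

# The three RFC1918 private ranges listed on the page.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_networks(field: str) -> list:
    """Parse a comma-separated network field; strict=True rejects host bits."""
    return [ipaddress.ip_network(part.strip(), strict=True)
            for part in field.split(",") if part.strip()]


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True when net lies entirely inside one of the RFC1918 ranges."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_tunnel_settings(tunnel: str, local_networks: str,
                          avoid: tuple = ("10.10.10.1/32",)) -> list:
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    try:
        tun = ipaddress.ip_network(tunnel, strict=True)
        lans = parse_networks(local_networks)
    except ValueError as err:
        return [f"invalid network: {err}"]
    if tun.version != 4:
        # The wizard on this page uses "UDP on IPv4 only".
        return [f"tunnel network {tun} is not IPv4"]

    if not is_rfc1918(tun):
        problems.append(f"tunnel network {tun} is not RFC1918")
    # Subnet topology hands one address per client out of the tunnel range and
    # the server itself takes one, so a /30 leaves a single client (assumption).
    if tun.prefixlen >= 30:
        problems.append(f"tunnel network {tun} leaves almost no client addresses")
    for lan in lans:
        if tun.overlaps(lan):
            problems.append(f"tunnel network {tun} overlaps local network {lan}")
    for a in avoid:
        if tun.overlaps(ipaddress.ip_network(a)):
            problems.append(
                f"tunnel network {tun} contains {a}, which the page warns to avoid")
    return problems


if __name__ == "__main__":
    # The values used on this page should come back clean.
    print(check_tunnel_settings("10.20.30.0/24", "192.168.1.0/24"))  # []
    # A tunnel range equal to the LAN range is the classic mistake.
    print(check_tunnel_settings("192.168.1.0/24", "192.168.1.0/24"))
```

Run it with the Tunnel Network and Local Network strings exactly as typed into the wizard; an empty list means nothing to fix.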
{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_servers.png?800|}}

----

==== Firewall Rules - WAN ====

Navigate to **Firewall -> Rules -> WAN**.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_firewall_-_rules_-_wan_-_openvpn.png?800|}}

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_firewall_-_rules_-_wan_-_openvpn_-_edit.png?800|}}

----

==== Firewall Rules - OpenVPN ====

Navigate to **Firewall -> Rules -> OpenVPN**.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_firewall_-_rules_-_openvpn.png?800|}}

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_firewall_-_rules_-_openvpn_-_edit.png?800|}}

----

==== Cert Manager - CAs ====

Navigate to **System -> Cert Manager -> CAs**.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_system_-_cert_manager_-_cas.png?600|}}

----

==== Cert Manager - Certificates ====

Navigate to **System -> Cert Manager -> Certificates**.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_system_-_cert_manager_-_certificates.png?800|}}

----

===== Create the OpenVPN Users =====

Create the users who will connect to the VPN.

Navigate to **System -> User Manager -> Users**.

  * Username: **Peter**.
  * Password: **Password**.
  * Certificate: **Checked**. Click to create a user certificate.
    * Descriptive name: **Peter-cert**.
    * Certificate authority: **Internal_CA**.
    * Key length: **2048 bits**.
    * Lifetime: **3650**.

**NOTE:** This creates both the user and the associated certificate in a single operation.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_system_-_user_manager_-_users_-_peter_roux.png?800|}}

----

**NOTE:** At this point we can export the configuration files and certificates for the individual users who will use the VPN clients to connect. In the **System -> Certificate Manager** section we will see the certificate associated with the VPN server and all those associated with the users created.
----

===== Install the package openvpn-client-export =====

Navigate to **System -> Package Manager -> Available Packages**.

Search for **openvpn-client-export**.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_system_-_package_manager_-_available_packages_-_openvpn_client_export.png?800|}}

Install the Package.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_system_-_package_manager_-_available_packages_-_openvpn_client_export_-_installed.png?800|}}

**NOTE:** Once installed we will see the option added under **VPN -> OpenVPN -> Client Export**.

----

===== Configure the Client Certificate =====

Navigate to **VPN -> OpenVPN -> Client Export**.

In **OpenVPN Server**:

  * Remote Access Server: **Select the VPN server created earlier**.

In **Client Connection Behavior**:

  * Host Name Resolution: **Other**.
  * Host Name: **Enter the Public IP address of the network**.
  * Verify Server CN: **Automatic - Use verify-x509-name where possible**. If there are problems set it to **Do not verify the CN server**.

**NOTE:** These parameters will be written to the .ovpn configuration file which will be generated for the user. There is no need to click on the **Save as default** button, but if you do it is easy to update and save as a new default.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_client_export_-_configuration.png?800|}}

----

===== Export the Client Certificate =====

Export the user configuration file which is to be installed on the clients. There are various export choices; the most recommended are listed below:

  * **Most Clients**: Generates an .ovpn file containing both the configuration and the certificates and keys, which is easily imported and compatible with clients such as OpenVPN for Windows and Tunnelblick for OS X.
  * **OpenVPN Connect**: Generates an .ovpn file compatible with the OpenVPN Connect apps for Android and iOS.
  * **Archive**: Compatible with Windows; generates an archive containing three separate files: the configuration (.ovpn), the certificates (.p12) and the key (.key).
  * **Current Windows Installer**: Generates a self-installing, pre-configured installer for Windows clients.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_vpn_-_openvpn_-_client_export_-_export_options.png?800|}}

----

===== Install the Client Certificate on an actual Client =====

Copy the Client Certificate (the .ovpn file) to the specific client.

Connect to the OpenVPN Server using this Client Certificate. For example, on an Android phone the OpenVPN app is used and shows a successful connection.

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:openvpn_-_android_-_connected.jpg?400|}}

----

===== Show OpenVPN Widget on the pfSense Dashboard =====

Navigate to the pfSense Dashboard.

Click on the **+** at the top of the dashboard and select **OpenVPN**.

When a client connects via the VPN this will show:

{{:pfsense:vpn:openvpn:configure_an_openvpn_server:pfsense_-_openvpn_-_connected_client.png?800|}}

----

===== References =====

https://www.firewallhardware.it/en/pfsense-and-openvpn-guide-to-creating-and-configuring-a-road-warrior-vpn-server/
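The **Configure the Client Certificate** and **Export the Client Certificate** sections above describe what the export writes into the .ovpn profile: the remote host and port, server CN verification, the TLS authentication key, and the cipher and digest chosen in the wizard. The Python script below is an added example, not code from this page, from pfSense or from the openvpn-client-export package. It parses a profile and reports anything that departs from the wizard settings, in particular a profile exported with **Do not verify the CN server**, which is worth catching before the file is handed to a user. The embedded profile is constructed for the example: it uses the documentation address 203.0.113.10 as the Host Name, placeholder PEM bodies, and an assumed server certificate name of `OpenVPN-Server-Cert`.

```python
"""Audit an exported .ovpn profile against the settings chosen in the wizard.

Added example; not code from the wiki page, from pfSense or from the
openvpn-client-export package.  SAMPLE_OVPN is constructed for the example and
mirrors the directives a "Most Clients" export writes for this page's settings.
"""
import re

# Settings from this page: Host Name (constructed), Local Port 1194,
# UDP on IPv4 only, AES-128-CBC and SHA256.
EXPECTED = {
    "remote": ("203.0.113.10", "1194", "udp4"),
    "cipher": "AES-128-CBC",
    "auth": "SHA256",
}

SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 203.0.113.10 1194 udp4
verify-x509-name "OpenVPN-Server-Cert" name
auth-user-pass
remote-cert-tls server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-USER-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-USER-KEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def parse_ovpn(text: str) -> tuple:
    """Split a profile into (directives, inline_blocks).

    directives maps a name to a list of argument tuples (a directive such as
    'remote' may repeat); inline_blocks maps an inline <tag> to its body.
    """
    directives, blocks = {}, {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:  # inline <tag> ... </tag> block: collect until the closing tag
            tag, body = m.group(1), []
            for inner in lines:
                if inner.strip() == f"</{tag}>":
                    break
                body.append(inner)
            blocks[tag] = "\n".join(body)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(tuple(a.strip('"') for a in args))
    return directives, blocks


def audit_profile(text: str, expected: dict = EXPECTED) -> list:
    """Return a list of findings; an empty list means the profile matches."""
    d, blocks = parse_ovpn(text)
    findings = []
    if "client" not in d:
        findings.append("missing 'client' directive")
    if expected["remote"] not in d.get("remote", []):
        findings.append(f"remote does not match {expected['remote']}")
    for name in ("cipher", "auth"):
        got = d.get(name, [()])[0]
        if got[:1] != (expected[name],):
            findings.append(f"{name} is {' '.join(got) or 'unset'}, expected {expected[name]}")
    # "Verify Server CN" set to "Do not verify" drops this directive entirely.
    if "verify-x509-name" not in d:
        findings.append("server CN is not verified (verify-x509-name absent)")
    if "remote-cert-tls" not in d:
        findings.append("remote-cert-tls server absent")
    # TLS Authentication was checked in the wizard, so a ta key must be present.
    if "tls-auth" not in blocks and "tls-auth" not in d:
        findings.append("TLS Authentication key absent")
    for tag in ("ca", "cert", "key"):
        if tag not in blocks:
            findings.append(f"inline <{tag}> block absent")
    return findings


if __name__ == "__main__":
    print(audit_profile(SAMPLE_OVPN))  # []
```

To audit a real export, read the .ovpn file into a string and pass it to `audit_profile` with `EXPECTED["remote"]` set to the Host Name entered in Client Export.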