OpenVPN in pfSense 2.1

This tutorial covers how to set up an OpenVPN server in pfSense 2.1.

In pfSense 2.1 go to VPN > OpenVPN. Click on the Wizards tab to set up a new OpenVPN server.

Choose your preferred method of user authentication. Choose LDAP or RADIUS if you want to use existing user accounts. Then click on Next and fill out the necessary information for your selected authentication method.

You will need to create a new certificate authority if you haven't created one already. At the following screen, click on Add new CA.

Fill in the appropriate information for your organization.

After creating a new CA, a new server certificate is needed. Click on Add new Certificate.

Next will be the settings for the VPN server. In the General OpenVPN Server Information section, choose the interface which will receive VPN connections (usually WAN), set the protocol to UDP, choose the port you want to run VPN on, and give a brief description for your VPN server.

In the Cryptographic Settings section, you can leave the default settings or configure them for your specific environment.

The Tunnel Settings are necessary for routing information. The Tunnel Network must be a private network that is not part of your existing network. You can specify the size of the tunnel network using CIDR notation. The Local Network is your local network in CIDR notation, assuming you want VPN clients to have access to your local network. You can leave this blank if you only want to use the VPN server for web browsing in public networks. The Concurrent Connections setting allows you to specify how many users (or connections) can connect to the server at the same time. To save bandwidth, check the box for Compression.

For the Client Settings section, check the boxes for Dynamic IP and Address Pool. You may opt to fill out additional information for your network settings. At the bottom, in the Advanced section, you will need to specify a route for the VPN clients if you want them to access your local network. To give VPN clients access to the local network, you need to push a route to the clients. The syntax is: push "route [local network address] [local network netmask] [tunnel gateway]". For example, if your Tunnel Network is set to 10.0.8.0/24 (so the tunnel gateway is 10.0.8.1) and your local network is 192.168.0.0/24, your push command will be: push "route 192.168.0.0 255.255.255.0 10.0.8.1"
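The following is an added example, not part of the original tutorial and not pfSense code: a small Python helper that turns the Tunnel Network and Local Network values from the Tunnel Settings step into the push "route ..." line for the Advanced box. It also enforces the two rules stated above (the tunnel network must be private and must not overlap your existing network) and converts CIDR to the address/netmask form that the push directive expects. The function names are hypothetical; the assumption that the tunnel gateway is the first host address of the tunnel network matches the 10.0.8.0/24 -> 10.0.8.1 example in the text.

```python
import ipaddress


def tunnel_gateway(tunnel_net: str) -> ipaddress.IPv4Address:
    """Return the server-side gateway of the tunnel network.

    Assumption (matches the tutorial's 10.0.8.0/24 -> 10.0.8.1 example):
    the OpenVPN server takes the first host address of the tunnel network.
    """
    tunnel = ipaddress.ip_network(tunnel_net)  # strict: host bits must be zero
    if tunnel.prefixlen > 30:
        raise ValueError(f"tunnel network {tunnel} is too small to hold a gateway")
    return tunnel.network_address + 1


def push_route(local_net: str, tunnel_net: str) -> str:
    """Build the push "route ..." line for one local network.

    Checks the constraints the tutorial states for the Tunnel Network:
    it must be a private (RFC 1918) range and must not overlap the local
    network, otherwise clients would get conflicting routes.
    """
    local = ipaddress.ip_network(local_net)
    tunnel = ipaddress.ip_network(tunnel_net)
    if not tunnel.is_private:
        raise ValueError(f"tunnel network {tunnel} is not a private range")
    if local.overlaps(tunnel):
        raise ValueError(f"tunnel network {tunnel} overlaps local network {local}")
    gw = tunnel_gateway(tunnel_net)
    # OpenVPN's route directive takes "network netmask gateway", not CIDR.
    return f'push "route {local.network_address} {local.netmask} {gw}"'


def advanced_options(tunnel_net: str, local_nets: list[str]) -> str:
    """Produce one push line per local network, ready to paste into the
    Advanced section of the OpenVPN server settings (one directive per line)."""
    return "\n".join(push_route(net, tunnel_net) for net in local_nets)


if __name__ == "__main__":
    # Constructed sample values: the tutorial's tunnel network plus two LANs.
    print(advanced_options("10.0.8.0/24", ["192.168.0.0/24", "172.16.10.0/23"]))
```

If the Local Network field is left blank because the VPN is only used for browsing from public networks, no push line is needed and this helper is simply not used.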

The firewall must allow for VPN connections. At the following screen, be sure to check both boxes to add the necessary firewall rules.

Before finishing the VPN server, the wizard tells you to install the OpenVPN Client Export package. This package allows you to quickly create VPN client configurations for various platforms. Install the package as instructed after clicking Finish.

After installing the Client Export package, go to VPN > OpenVPN and you will see a Client Export tab. Click on the Client Export tab to continue.

In the Client Install Packages section, choose the installer for your platform. Download the installer to your device and run the installer. For Windows VPN clients, be sure to always run the installer and the resulting OpenVPN GUI as administrator so that the appropriate routes can be created in Windows, if required. Upon running the OpenVPN GUI as administrator in a Windows system, a small, red OpenVPN GUI icon will appear near the clock. Right-click and choose Connect.