Packetwatch.net
Home Contact Research Papers Guides Pen-Testing Resources Site Map

OpenVPN Remote Access (TLS + User Auth) in pfSense



Last modified: Sept. 11, 2012

Contents
1 - Summary
2 - Dependencies
3 - Service configuration
4 - Client configuration


1 - Summary

This guide will show you how to enable OpenVPN Remote Access (TLS + User Auth)
in pfSense. OpenVPN is VPN software that connects remote networks utilizing
SSL/TLS. This has been tested in pfSense 2.0.1 i386.


2 - Dependencies

Log into the pfSense website. Navigate to the System menu, then click on
Packages. Click on Available Packages. Find the package named OpenVPN Client
Export Utility and install it by clicking on  the plus box on the right of it.
Click OK to install the package.


Available Packages


Navigate to the System menu, then click on Cert Manager. On the CA tab, click
the plus box on the right side to add a new one. Change the Method to Create an
internal Certificate Authority. Enter the details. The Descriptive name and the
Common Name will be needed later. It's important not to have spaces in the
Descriptive name and Common Name. Click on Save.


Creating Internal Certificate Authority


Navigate to the System menu, then click on User Manager. Click on the Groups
tab. Click on the plus box to add a new group. Click on Save.


Create new user group


Click on the Users tab. Click on the plus box to add a new user. Type in the
user information and put the user in the new group named users and also make
sure to check the box next to Click to create a user certificate. Under the
Certificate area, select the Certificate authority named Road_Warrior_CA that
we created earlier. It's important not to have spaces in the Descriptive name.
Click on Save.


Create new user



3 - Service configuration

Navigate to the VPN menu, then click on OpenVPN. Click on the Wizards tab.
Select Local User Access for the Type of Servers. Click on Next.


Authentication Backend Type


Select the Certificate Authority named Road_Warrior_CA that we created earlier.
Click on Next.


Certificate Authority


For Server Certificate, click on Add new Certificate.


Server Certificate


Type in the information for the new Server Certificate. In this example, the
Descriptive name will be Road_Warrior_Server_Certificate. It's important not to
have spaces in the Descriptive name. Click on Create new Certificate.


New Server Certificate


Set the Cryptographic Settings.


Cryptographic Settings


Set the Tunnel Settings. In this example, the tunnel (VPN) network is set to
use the 192.168.201.0 network, while the local network is set to use 10.1.1.0.
It's set to have five concurrent connections using compression. Also, in this
example the option for duplicate connections has been set.


Tunnel Settings


Set the Client Settings. For this example, the default settings are fine. Click
on Next at the bottom.


Client Settings


Check each of the two boxes for the firewall rules. Click on Next.


Firewall Rule Configuration


The Wizard has completed. Click on Finish.


Configuration Complete


Click on the Client Export tab. Click on Configuration archive on the right
hand side of the area for the user name vpnuser.


Client Export Utility



4 - Client configuration

Download and install the OpenVPN software available at http://www.openvpn.net/
on the client machine. Copy the configuration archive that was generated to the
client machine and extract the files to the config sub-directory under the
main OpenVPN directory. When trying to connect to the OpenVPN server, you will
be asked for the username and password. That's it, now you OpenVPN Remote
Access (TLS + User Auth) configured in pfSense.

Last modified: Thu Jan 1 00:00:00 1970 UTC
Packetwatch Research 2002-2024.