OpenVPN setup

The easiest VPN server to configure is the OpenVPN server included in pfSense. However, it does require an OpenVPN client to be installed on every client machine. The VPN will accept connections once the certificate and configuration have been transferred to the client.

Certificate setup

In order to create a VPN, a certificate chain must exist in pfSense. This is achieved by creating a CA and a server certificate in the pfSense GUI.

To create a CA go to System -> Cert. Manager -> CAs and select Add. Set a descriptive name and select 'Create an internal Certificate Authority'. From there fill in the remaining fields and create the CA.

To create the server certificate go to System -> Cert. Manager -> Certificates and select Add/Sign. Set a descriptive name, select 'Create an Internal Certificate' and make sure the CA is set to the CA previously created. Fill in the common name and alternate name fields, and set the certificate type to Server Certificate.

VPN wizard

Once the certificates are set up go to VPN -> OpenVPN -> Wizard, select 'Local User Access' and press Next.

  • Select the CA and certificate
  • Set interface to WAN and UDP on IPv4
  • Select a port and set a description
  • Disable TLS Authentication
  • Use a 2048-bit DH parameter and AES-256-CBC encryption
  • Set auth digest to SHA256
  • Configure the tunnel network for the subnet that the VPN clients will be given addresses from
  • Set the concurrent connections to the maximum number of parallel VPN connections
  • Configure the local networks for all the subnets that you wish to be pushed as routes to connecting clients
  • Enable Inter-Client Communications to allow VPN clients to connect to each other
  • Select Dynamic IP and topology Subnet to place all VPN clients into the common subnet set earlier
  • Set the DNS options

In the final tab enable auto-generation of both firewall rules.

Final steps

Next go to VPN -> OpenVPN -> Servers and select Edit on the created server. Set server mode to 'Remote Access (User Auth)'.

In order to simplify the process of downloading the certificate and configuration needed for the client go to System -> Package Manager -> Available Packages and install 'Client Exporter Plugin'.

Once the package is installed go to VPN -> OpenVPN -> Client Export. Select the Remote Access server, set Host Name Resolution to Other and enter the external hostname used to connect. Enable Use Random Source Port. Once the configuration is complete select Inline Configurations -> Most Clients to download a configuration file with an embedded certificate.
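To confirm that an exported profile really carries the settings chosen in the wizard (UDP on the chosen port, SHA256 digest, AES-256-CBC, user/password authentication, an embedded CA and no tls-auth block), here is an added Python checker; it is not part of pfSense or this guide, and the hostname, port and CA PEM in the sample profile are constructed placeholders.

```python
import re
# Constructed sample shaped like a pfSense inline export for a User Auth server; values are placeholders.
SAMPLE_PROFILE = """\
client
cipher AES-256-CBC
auth SHA256
remote vpn.example.invalid 1194 udp4
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-PEM
-----END CERTIFICATE-----
</ca>
"""

BLOCK_RE = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.S)

def parse_profile(text):
    """Split a profile into {directive: [values]} and {tag: pem} inline blocks."""
    blocks = {m.group(1): m.group(2) for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            key, _, value = line.partition(" ")
            directives.setdefault(key, []).append(value.strip())
    return directives, blocks

def check_profile(text, host, port):
    """Return findings where the profile deviates from the wizard settings; [] means clean."""
    d, blocks = parse_profile(text)
    findings = []
    if "ca" not in blocks:
        findings.append("no <ca> block: client cannot verify the server certificate")
    if d.get("cipher") != ["AES-256-CBC"]:
        findings.append("cipher is not AES-256-CBC")
    if d.get("auth") != ["SHA256"]:
        findings.append("auth digest is not SHA256")
    remote = d.get("remote", [""])[0].split()
    if remote[:2] != [host, str(port)] or remote[2:] not in ([], ["udp"], ["udp4"]):
        findings.append("remote does not match the expected host, port and UDP")
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass missing: server mode is Remote Access (User Auth)")
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server missing: server identity not enforced")
    if "tls-auth" in blocks or "tls-crypt" in blocks:
        findings.append("TLS key block present although TLS Authentication was disabled")
    return findings
```

Run `check_profile(open("client.ovpn").read(), "<your hostname>", <your port>)` against a real export; a non-empty list is a setting to revisit before handing the file out.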

LDAP integration

In order to use an LDAP server for authentication instead of pfSense's local users, go to System -> User Manager -> Authentication Servers and select Add.

  • Set a descriptive name and type to LDAP
  • Enter the LDAP server address and port 389 with transport TCP - Standard
  • Set the protocol version to 3

To use FreeIPA, a system account for pfSense needs to be created on the FreeIPA server. Then set:

  • Search scope One Level and base DN: dc=ipa,dc=willb,dc=tech
  • Authentication Container: cn=users,cn=accounts
  • Enable extended query
  • Query: memberOf=cn=vpn_users,cn=groups,cn=accounts,dc=ipa,dc=willb,dc=tech
  • Bind Credentials: uid=pfsense,cn=sysaccounts,cn=etc,dc=ipa,dc=willb,dc=tech
  • User naming attribute: uid
  • Group naming attribute: cn
  • Group member attribute: memberOf
  • Group Object Class: posixGroup