In this article, we will teach you how to configure pfSense to use OpenVPN. The goal of this VPN is to connect to our Clouding servers using their private IPs. This is useful because, for example, we can block access to our servers via SSH or RDP so that they can only be accessed from the private range 10.20.10.0/24. If you have trouble accessing pfSense, check that the pfSense firewall rules are correctly configured.
Configure Clouding Firewall
To connect to the OpenVPN server, we need to open UDP port 1194 in our firewall. It should look like the following image:
Add LAN Interface
We will go to the Interfaces > Assignments section and add the vtnet1 network by clicking the Add button:
After activating it, we edit it in Interfaces > LAN, activate it, and configure DHCP, as shown in the image:
OpenVPN Configuration Exporter
Now we will install the OpenVPN configuration exporter. To do this, we will go to the top menu in System > Package Manager > Available Packages, search for “openvpn-client-export” and install it.
OpenVPN Configuration Wizard
We are now ready to configure OpenVPN. To do this, we will go to the top menu in VPN > OpenVPN and enter Wizard. In server type, we will indicate “Local User Access” and click on “Next”. In this step, we will create a Certificate Authority. To do this, we will fill in all the required fields and click on “Add new CA” (at the end of the article, we will leave screenshots of the entire process). Now we will create a Certificate, filling in all the required fields and clicking on “Create a new Certificate”. We will now proceed to configure the OpenVPN service, leaving all values by default and filling in “Tunnel Network” with 10.0.8.0/24 and “Local Network” with 10.20.10.0/24, and click on “Next”. Now we will check the boxes for “Firewall Rule” and “OpenVPN rule” to automatically configure the firewall rules and finish the setup.
Certificate Configuration
Since we have used the wizard, our certificate and CA will already be configured. We will just need to configure Certificate Revocation. To do this, we will go to the top menu in System > Certificate Manager > Certificate Revocation and click on “Add or Import CRL”. We will leave all fields filled in as they appear; the important thing is that “Certificate Authority” shows the one we created in the wizard in the previous step. To save the changes, we will click on “Save”.
Create Users for OpenVPN
Now we will proceed to create users so that they can enter our VPN. To do this, we will go to the top menu in System > User Manager and click on the green button “+ add”. We will fill in all fields, activating the option “Click to create a user certificate”.
OpenVPN Configuration
Finally, we will configure our OpenVPN server to allow authentication via certificate and user. To do this, we will go to the top menu in VPN > OpenVPN and edit the server that appears. In the “Server mode” section, we will choose Remote Access (SSL/TLS + User Auth) and save the changes. We now have our OpenVPN server configured.
Export OpenVPN Users
Now we will go to the top menu in VPN > OpenVPN and then to Client Export. There we will be able to download the corresponding files to configure the OpenVPN client.
Configure OpenVPN Client
We will open our OpenVPN client and import the ovpn configuration file we downloaded in the previous step. Once imported, we can connect by specifying the username and password we set in previous steps.
By default, the "default" profile of the Clouding firewall allows traffic from the networks involved in this article and it is not necessary to modify it. If you have configured other networks or a different profile, check the rules.
Also, remember to add the VPN network route on the servers you want to access from it:
For Windows:
route add -p 10.0.8.0 mask 255.255.255.0 internal_ip_pfsense
For Linux:
ip route add 10.0.8.0/24 via internal_ip_pfsense
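Once the route is added, a quick check on a Linux server confirms it is in place and shows whether sshd is bound to addresses outside 10.20.10.0/24. This is an added example, not part of the original article; the gateway 10.20.10.1, the interface names and the sample `ip route` / `ss` output are constructed, and a listener flagged here may still be blocked by the firewall.

```sh
#!/bin/sh
# Added example: check a Linux server behind the pfSense VPN described above.
VPN_NET="10.0.8.0/24"     # "Tunnel Network" from the article
LAN_PREFIX="10.20.10."    # private range 10.20.10.0/24 from the article

# has_vpn_route ROUTES GATEWAY
# Succeeds if ROUTES (text of `ip route show`) has VPN_NET via GATEWAY.
has_vpn_route() {
    printf '%s\n' "$1" | awk -v net="$VPN_NET" -v gw="$2" '
        $1 == net && $2 == "via" && $3 == gw { found = 1 }
        END { exit !found }'
}

# exposed_ssh_listeners LISTENERS
# Prints port-22 listen addresses (text of `ss -Htln`) that are neither
# inside the private LAN nor loopback.
exposed_ssh_listeners() {
    printf '%s\n' "$1" | awk -v lan="$LAN_PREFIX" '
        $1 == "LISTEN" && $4 ~ /:22$/ {
            addr = $4; sub(/:22$/, "", addr)
            if (index(addr, lan) != 1 && addr != "127.0.0.1" && addr != "[::1]")
                print addr
        }'
}

# audit ROUTES LISTENERS GATEWAY: prints findings, returns their count.
audit() {
    problems=0
    if ! has_vpn_route "$1" "$3"; then
        echo "MISSING: route to $VPN_NET via $3"; problems=$((problems + 1))
    fi
    exposed=$(exposed_ssh_listeners "$2")
    if [ -n "$exposed" ]; then
        echo "REVIEW: sshd bound outside ${LAN_PREFIX}0/24 on: $exposed"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample data. On a real server pass "$(ip route show)" and
# "$(ss -Htln)"; 10.20.10.1 is an assumed stand-in for internal_ip_pfsense.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
10.0.8.0/24 via 10.20.10.1 dev eth1
10.20.10.0/24 dev eth1 proto kernel scope link src 10.20.10.5'
SAMPLE_LISTEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 10.20.10.5:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*'

audit "$SAMPLE_ROUTES" "$SAMPLE_LISTEN" "10.20.10.1" || true
```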
Have you tried it? Let us know your comments! If you have any questions, feel free to contact us via email at soporte@clouding.io or by phone at 932 80 12 06 🙂