- Step 1: For the first step, you need to create a Certificate Authority that will be used to sign future user certificates. So whenever you create a new user certificate, this Certificate Authority shall be in charge in signing those newly created certificates. To do this, you must login to pfSense webConfigurator or admin web page, by accessing its IP address using a browser. So type in
192.168.0.250
and pressEnter
key. Login by supplying the correct data for theadmin
user and user-password. Upon logging in, navigate to Main Menu ->System
->Cert Manager
. Make sure you’re on theCAs
tab, to add a new CA (Certificate Authority), click on plus+
button. A new page should open, now fill up the necessary fields.This is how I did:- Method – Create an internal Certificate
- Descriptive name – matrixCA
- Method – Create an internal Certificate Authority
- Key length – 2048 bits
- Digest Algorithm – SHA256
- Lifetime – 3650
- Common Name – Internal-CA
Those are the most important fields to fill up on this page. But don’t miss to fill up the Country Code, State or Province, City, Organization and Email Address. Enter what’s applicable to you. Save your settings by clicking the
Save
button.
Step 2: While still on the
Certificates
tab, add another certificate by clicking the plus button. This process is similar to the steps you took under Step 1. But this time, you’ll be creating a Server Certificate
for OpenVPN Server. Click the add button again and fill up the necessary fields like so:- Method – Create an internal Certificate
- Descriptive name – matrix-VPN-Server-Cert
- Certificate authority – MyCA
- Key length – 2048 bits
- Digest Algorithm – SHA256
- Certificate Type – Server Certificate
- Lifetime – 3650
- Common Name – vpn.matrix.com
Note: Substitute the values with your own data. Fill up the other fields; Country Code, State or Province, City, Organization and Email Address. Then to save your settings.
Step 3: The third step you should take is to create a new user account for the VPN client to use. While still on
Certificate Manager
page, do the next step below. Navigate to Main Menu -> System
-> User Manager
.
You should be now at the
User Manager
page. On this page, create a new user by clicking plus +
button, you should be taken to a new page where you should enter the details of the new user account. Fill up the Username
field, Password
fields twice, Full name, Expiration date (blank = no expiration). In my case, I named my first user account as username
.Note: Remember to create a corresponding certificate for this user.
Tick the check-box next to
Click to create a user certificate
dialog. It should expand and let’s you fill the necessary fields to create a new user certificate.
Fill up the
Descriptive Name
field. Make it similar with your user account name. In my case, I named my first VPN user account as username
, while I put username-cert
as my certificate Descriptive Name
. Fill up Certificate Authority
, but this should be automatically filled showing an entry that you’ve previously made from step 1, the Certificate Authority (CA). So in this case, matrixCA
should show up here. Select a Key Length
for the certificate, in my case I chose 2048
.
Finally, save your settings by clicking the
Save
button.
Step 4: Next you should install the
OpenVPN Client Export Utility
from the package manager page. Take the next steps below. Navigate to main menu -> System
-> Packages
-> Available Packages
. You should see a list of available packages. Now scroll further down below and look for the package name OpenVPN Client Export Utility
. To install the package, click the add +
button and you should be taken to a new sub-page. Click the Confirm
button to start the installation.
You’ll have a hint about the progress of the install process by watching your screen. Upon successful installation, you should see a message
Installation completed
.
Step 5: While still logged in, navigate to main menu then
VPN
-> OpenVPN
.
You should be now on the OpenVPN Server page, now click the
Wizards
tab, to start a wizard-assisted configuration. A new page should open, entitled OpenVPN Remote Access Server Setup Wizard
. On this page, select Local User Access
for Type of Server:
, then click Next
.
On the next page, choose a Certificate Authority (CA). Select the CA you’ve previously created from step 1 of this guide. In this case, it’s the
matrixCA
. Click Next to continue. The next page should ask you to choose a Server Certificate. You had created this already from step 2 above, and in this case it’s the matrix-VPN-Server-Cert
. In case you named it like you wished, then choose that entry as your server certificate. Then click Next when done.
The next page contains a long list of field set. The first field set that you should see is the
General OpenVPN Server Information
field set. This is how I filled those up. General OpenVPN Server Information:- Interface = WAN
- Protocol = UDP
- Local Port = 1194
- Description = matrix-VPN-Server-LAN
For a site-to-site implementation of OpenVPN, Interface should be set to WAN. Cryptographic Settings:
- Cryptographic Settings = Enable authentication of TLS packets – CHECKED
- Generate TLS Key = Automatically generate a shared TLS authentication key = CHECKED
- DH Parameters Length = 2048
- Encryption Algorithm = AES-256-CBC (256-bit)
- Hardware Crypto = No Hardware…
Tunnel Settings:
- Tunnel Network = 192.168.30.1/24
- Redirect Gateway = Force all client generated traffic through the tunnel = CHECKED
- Local Network = 192.168.1.0/24 > Note: Leave Local Network blank if you don’t want to add a route to your LAN, using this VPN tunnel.
- Concurrent Connections = 10
- Compression = CHECKED
Client Settings:
- Dynamic IP = CHECKED
- Address Pool = CHECKED
Note: Other fields that were not mentioned here, were left blank. After filling those necessary fields, click next to advance to the next page. The next page should be theFirewall Rule Configuration Page
. This is what I did to this page.
- Firewall Rule = CHECKED
- OpenVPN Rule = CHECKED
After doing the above step, click NEXT and then finally, click FINISH. You should be taken back to the Server` tab.
At this point, you’ve already configured a working OpenVPN Server in pfSense. Next step will be to export your user config files for your chosen VPN client. A client could be a Windows machines, Android Devices, Mac or Linux machines. You need to export the client configuration file by downloading the file from pfSense’s webConfigurator page, using OpenVPN Client Export utility.
No comments:
Post a Comment