Setting up a secure Virtual Private Network (VPN) is crucial for protecting your online activities, especially when using public Wi-Fi or accessing sensitive data remotely. pfSense, a powerful open-source firewall and router software, provides robust OpenVPN server capabilities. This article guides you through a step-by-step pfSense OpenVPN setup, ensuring a secure and encrypted connection for your devices. So, let's dive in and get your VPN up and running!

    Prerequisites

    Before we get started, make sure you have the following:

    • A running pfSense firewall. It should be properly installed and configured with a WAN (Wide Area Network) connection to the internet and a LAN (Local Area Network) for your internal network.
    • Administrative access to the pfSense web interface.
    • A basic understanding of networking concepts like IP addresses, subnets, and DNS.
    • A computer or device to act as the OpenVPN client. This could be your laptop, smartphone, or tablet.

    Step 1: Configure Certificate Authority (CA)

    The first step in setting up OpenVPN is to create a Certificate Authority (CA). The CA is responsible for issuing and managing certificates, which are used to authenticate both the server and the clients. Here’s how to configure it:

    1. Navigate to System > Cert. Manager: Log in to your pfSense web interface and go to System > Cert. Manager.
    2. Add a New CA: Click on the Add button to create a new Certificate Authority.
    3. Fill in the Details:
      • Descriptive name: Give your CA a descriptive name, like MyOpenVPN_CA. Make it something you’ll easily recognize.
      • Method: Choose Create an internal Certificate Authority.
      • Key length: Select 2048 or 4096. A higher key length provides stronger security but may slightly impact performance. 2048 is generally sufficient.
      • Lifetime: Set the lifetime for the CA certificate (e.g., 3650 days, which is 10 years). Consider the security implications of longer lifetimes.
      • Country Code: Select your country code.
      • State or Province: Enter your state or province.
      • City: Enter your city.
      • Organization: Enter your organization name (can be your name if it’s for personal use).
      • Email Address: Enter your email address.
      • Common Name: This is the most important field. Enter a name for your CA. This should be a descriptive name, like MyOpenVPN_CA.
    4. Save the CA: Click Save to create the Certificate Authority.

    The Certificate Authority (CA) you've just created acts as the root of trust for your OpenVPN setup. Think of it as the master key that validates all other keys (certificates) involved in the VPN connection: every server and client certificate will be signed by it, and a certificate signed by anything else is rejected. The descriptive name helps you identify this CA among others you might create in the future. The key length sets the strength of the CA's signing key; longer keys are harder to break but more resource-intensive to use. Setting a reasonable lifetime for the CA certificate balances security with the practicality of rolling it over. Accurate country, state, city, and organization information can be useful for auditing and identification purposes. The common name is essentially the CA's identity, and it should be unique and recognizable. Once you save the CA, pfSense generates the necessary key pair and stores it with the CA entry. This CA will now be used to sign the server and client certificates, ensuring that only devices holding a certificate it issued can connect to your VPN.

    Step 2: Create Server Certificate

    Next, you need to create a server certificate, which will be used by the pfSense OpenVPN server to identify itself to clients. Here’s how:

    1. Navigate to System > Cert. Manager: Go back to System > Cert. Manager in the pfSense web interface.
    2. Add a New Certificate: Click on the Add button to create a new certificate.
    3. Fill in the Details:
      • Method: Choose Create an internal Certificate.
      • Descriptive name: Give your server certificate a descriptive name, like OpenVPN_Server_Cert.
      • Certificate authority: Select the CA you created in Step 1.
      • Key length: Choose 2048 or 4096 (same as the CA).
      • Lifetime: Set the lifetime for the server certificate (e.g., 3650 days).
      • Certificate Type: Select Server Certificate.
      • Country Code: Select your country code.
      • State or Province: Enter your state or province.
      • City: Enter your city.
      • Organization: Enter your organization name.
      • Email Address: Enter your email address.
      • Common Name: Enter the hostname or IP address of your pfSense firewall. If you have a dynamic IP, you can use a dynamic DNS service and enter that hostname.
    4. Save the Certificate: Click Save to create the server certificate.

    Creating the server certificate is a critical step in setting up your pfSense OpenVPN server. This certificate acts as the server's digital identity, allowing clients to verify that they are connecting to the correct server and not an impostor. When filling in the details, the descriptive name should clearly indicate that this certificate is for the OpenVPN server. Selecting the CA you created earlier means the certificate is signed by, and therefore chains to, your CA. The key length should match the CA's key length for consistency and security. Choosing the "Server Certificate" type is essential, as it marks the certificate as intended for server authentication, which is what clients check to distinguish the real server from another certificate issued by the same CA. The common name is particularly important because it must match the hostname or IP address that clients will use to connect to the VPN server. If you have a dynamic IP address, using a dynamic DNS service ensures that the common name remains valid even if your IP address changes. Once you save the certificate, pfSense generates the necessary key pair and signs the certificate with your CA, creating a trusted server identity. This certificate will be used during the OpenVPN server configuration to secure the VPN connection.
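    To see what Steps 1 and 2 actually produce, the following added example (not from this article or from pfSense) rebuilds the same two-level PKI with openssl and then checks a certificate the way an OpenVPN client with `remote-cert-tls server` would: it must chain to the CA and carry the server-authentication usage that the "Server Certificate" type adds. The CA name MyOpenVPN_CA, the placeholder hostname vpn.example.com, and the constructed subject fields are assumptions.

```shell
# Added example, not from the article or pfSense: rebuilds the PKI of Steps 1
# and 2 with openssl so the result can be inspected outside the GUI, then checks
# it the way an OpenVPN client would. Assumed values: CA name MyOpenVPN_CA,
# server hostname vpn.example.com (placeholder), 2048-bit keys, 3650-day lifetimes.
set -eu

build_pki() {
    dir="$1"; mkdir -p "$dir"
    # Minimal req config so the result does not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n' > "$dir/req.cnf"
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >> "$dir/req.cnf"
    # Step 1: internal CA (self-signed, CA:TRUE, allowed to sign certificates)
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/req.cnf" -subj "/O=Home/CN=MyOpenVPN_CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Step 2: server key + request; CN is the hostname clients will connect to
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
        -subj "/O=Home/CN=vpn.example.com" -keyout "$dir/server.key" \
        -out "$dir/server.csr" 2>/dev/null
    # pfSense "Server Certificate" type = serverAuth extended key usage
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/server.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.com\n' >> "$dir/server.ext"
    sign_with_ca "$dir" server
    # Contrast case: same CA, same CN, but issued as a user/client certificate
    cp "$dir/server.csr" "$dir/wrong.csr"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/wrong.ext"
    sign_with_ca "$dir" wrong
}

# Sign $1/$2.csr with the CA in $1, applying the extensions listed in $1/$2.ext
sign_with_ca() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 3650 -sha256 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# Prints "ok" only if the cert chains to the CA *and* carries serverAuth,
# which is what an OpenVPN client configured with "remote-cert-tls server" requires.
verify_server_cert() {
    if openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1 &&
       openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo ok
    else
        echo fail
    fi
}
```

    Run `build_pki /tmp/pki` and then `verify_server_cert /tmp/pki /tmp/pki/server.crt`; the contrast certificate `wrong.crt` chains to the same CA yet is reported as `fail`, which is why the certificate type in Step 2 matters.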

    Step 3: Configure the OpenVPN Server

    Now that you have the CA and server certificate, you can configure the OpenVPN server itself. Follow these steps:

    1. Navigate to VPN > OpenVPN > Servers: Go to VPN > OpenVPN > Servers in the pfSense web interface.
    2. Add a New Server: Click on the Add button to create a new OpenVPN server.
    3. Configure the Server:
      • Server Mode: Select Remote Access (SSL/TLS).
      • Protocol: Choose either UDP or TCP. UDP is generally faster, but TCP may be more reliable in some network environments.
      • Interface: Select the WAN interface on your pfSense firewall.
      • Local Port: Choose a port for the OpenVPN server. The default is 1194, but you can use another port if needed. Make sure the port is not already in use.
      • Description: Add a description for your server, like My OpenVPN Server.
      • TLS Configuration Section:
        • Certificate authority: Select the CA you created in Step 1.
        • Server certificate: Select the server certificate you created in Step 2.
      • Cryptographic Settings:
        • Encryption Algorithm: Choose a strong cipher such as AES-256-CBC for the tunnel data.
        • Hash Algorithm: Select a hash algorithm like SHA256; it is used to authenticate each packet, protecting data integrity.
      • Tunnel Settings:
        • IPv4 Tunnel Network: Enter a private IP network for the VPN tunnel (e.g., 10.0.8.0/24). This should be a network that is not already in use on your LAN or any other network.
        • IPv4 Local Network(s): Enter the IP network(s) that you want clients to be able to access through the VPN (e.g., your LAN network, like 192.168.1.0/24).
      • Client Settings:
        • DNS Server(s): Enter the IP addresses of your DNS servers. You can use your LAN IP or public DNS servers like Google's (8.8.8.8 and 8.8.4.4).
        • Force all client generated traffic through the tunnel: Check this box if you want all client traffic to go through the VPN.
      • Advanced Configuration:
        • Custom options: Add `push