Training: OpenVPN
Training Module: OpenVPN (Section 6)
This page covers the fundamentals of OpenVPN in pfSense — intro, site-to-site, remote access, and the Client Export Utility.
Introduction
OpenVPN is an open source SSL/TLS VPN solution.
- Not a browser-based SSL VPN
- Supports site-to-site and remote access
- Uses client and server roles
- Runs over TCP or UDP (UDP is preferable)
- Built on a client/server relationship
Remote Access
The OpenVPN Wizard in pfSense takes all the guesswork out of configuration.
- Install the Client Export Utility
- Users will need a user certificate
- Simple status screen
- Log files for troubleshooting
Site-to-Site
Server-Side Requirements
- Must have a publicly-reachable TCP or UDP port
- Static IP is preferred (dynamic DNS is possible)
Client-Side Requirements
- Only needs outbound Internet access
- Works behind NAT or firewall with no issue
- Setup is initiated by Client → Server
- Remarkably simple configuration
Important Changes
- Peer-to-Peer (Shared Key) mode is deprecated
- Peer-to-Peer (SSL/TLS) is the only supported mode moving forward
- This opens the door to new capabilities like DCO (Data Channel Offload)
Configuration Checklist
| Server Information Needed | Notes |
|---|---|
| CA and Certificate Infrastructure | Required for trust |
| Server and Client Certificates | Authenticate both ends |
| Server Mode | Peer to Peer (SSL/TLS) |
| TLS Key | Automatically created |
| Tunnel Network | Subnet for the VPN tunnel |
| Local Network | Networks on the server side |
| Remote Network | Networks on the client side |
| Client-Specific Overrides | Tie client subnets to certificates |
| Firewall Rules | Don’t forget to allow traffic! |

| Client Information Needed | Notes |
|---|---|
| CA and Certificate/Keys from server | Import the server's CA |
| Server Mode | Peer to Peer (SSL/TLS) |
| TLS Key | Copy from the server side |
| Server IP Address | Public address of the server |
| Peer CA | Same CA as server |
| Client Certificate/Key | Generated for this client |
| Firewall Rules | Don’t forget to allow traffic! |
Section Summary
- Pay attention to crypto settings — they must agree on both sides
- Very simple setup
- Very tenacious — comes up and recovers quickly
- Routed VPN instead of policy-based
- Can co-exist with IPsec
- Cannot carry the same networks over both: policy-based IPsec matches traffic before the routed OpenVPN tunnel does (Policy > Routed)
- Still need firewall rules to allow traffic to pass
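As an added example (not from the Netgate material or pfSense itself), the script below turns the site-to-site checklist above into a matching OpenVPN server/client config pair in the form pfSense generates from those fields, writes the client-specific override that ties the client subnet to its certificate, and then checks the summary point that transport and crypto settings agree on both sides. All addresses, networks, file names and the client CN are constructed placeholders, and a tls-auth key is assumed for the "TLS Key" field.

```python
import ipaddress

# Constructed example values: addresses, networks, file names and the CN are placeholders.
SITE = {"proto": "udp", "port": 1194, "server_ip": "203.0.113.10",
        "cipher": "AES-256-GCM", "auth": "SHA256",   # crypto: must agree on both sides
        "tunnel": "10.8.0.0/24", "local": "192.168.1.0/24", "remote": "192.168.2.0/24",
        "client_cn": "site-b"}  # Tunnel Network, Local Network, Remote Network, client cert CN

def net_mask(cidr):
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"

def server_config(s):
    return "\n".join([
        "dev tun", "topology subnet", "tls-server",
        f"proto {s['proto']}", f"port {s['port']}",
        "ca ca.crt", "cert server.crt", "key server.key", "dh dh.pem",
        "tls-auth ta.key 0",                       # key direction 0 here, 1 on the client
        f"cipher {s['cipher']}", f"auth {s['auth']}",
        f"server {net_mask(s['tunnel'])}",
        f'push "route {net_mask(s["local"])}"',   # hand the client the server-side LAN
        f"route {net_mask(s['remote'])}",          # server's kernel route toward the client LAN
        "client-config-dir ccd",                   # directory holding the override below
    ])

def client_override(s):
    # Contents of ccd/<client CN>: ties the remote subnet to that client's certificate
    return f"iroute {net_mask(s['remote'])}"

def client_config(s):
    return "\n".join([
        "client", "dev tun", "tls-client",
        f"proto {s['proto']}", f"remote {s['server_ip']} {s['port']}",
        "ca ca.crt", f"cert {s['client_cn']}.crt", f"key {s['client_cn']}.key",
        "tls-auth ta.key 1", "remote-cert-tls server",
        f"cipher {s['cipher']}", f"auth {s['auth']}",
    ])

def mismatches(server_cfg, client_cfg):
    """Names of settings that do not agree between the two sides (empty list = consistent)."""
    def directives(text):
        return dict(line.partition(" ")[::2] for line in text.splitlines())
    last = lambda v: v.split()[-1] if v else None       # last word of a directive's value
    srv, cli = directives(server_cfg), directives(client_cfg)
    bad = [k for k in ("proto", "cipher", "auth") if srv.get(k) != cli.get(k)]
    if srv.get("port") != last(cli.get("remote")):      # client port lives in 'remote host port'
        bad.append("port")
    if {last(srv.get("tls-auth")), last(cli.get("tls-auth"))} != {"0", "1"}:
        bad.append("tls-auth direction")
    return bad
```

The override file name is the CN of the client certificate, which is how the server knows which peer owns the iroute.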
Next Module
→ Continue to Lab 6: OpenVPN
Source Attribution
Source: Netgate pfSense Training Material — FUND001-LIVE-SLIDE-SEG6-OVPN.pdf © 2017 Rubicon Communications dba Netgate