https://mediawiki.comfac.net/index.php?action=history&feed=atom&title=Training%3A_OpenVPN
Training: OpenVPN - Revision history
2026-06-05T11:00:17Z
Revision history for this page on the wiki
MediaWiki 1.45.1
https://mediawiki.comfac.net/index.php?title=Training:_OpenVPN&diff=239&oldid=prev
Justinaquino: Automated upload of Netgate pfSense training content
2026-04-23T07:08:32Z
<p>Automated upload of Netgate pfSense training content</p>
<p><b>New page</b></p><div>__NOTOC__<br />
<br />
<div style="background:#e7f3ff; border-left:6px solid #2196F3; padding:10px; margin-bottom:15px;"><br />
'''Training Module: OpenVPN (Section 6)'''<br/><br />
This page covers the fundamentals of OpenVPN in pfSense — intro, site-to-site, remote access, and the Client Export Utility.<br />
</div><br />
<br />
== Introduction ==<br />
<br />
OpenVPN is an SSL/TLS open source VPN solution.<br />
<br />
* '''Not''' a browser-based SSL VPN<br />
* Supports site-to-site and remote access<br />
* Uses client and server roles<br />
* Runs over TCP or UDP (UDP is preferable)<br />
* Built on a client/server relationship<br />
<br />
== Remote Access ==<br />
<br />
The OpenVPN Wizard in pfSense takes all the guess-work out of configuration.<br />
<br />
* Install the '''Client Export Utility'''<br />
* Users will need a '''user certificate'''<br />
* Simple status screen<br />
* Log files for troubleshooting<br />
<br />
== Site-to-Site ==<br />
<br />
=== Server-Side Requirements ===<br />
<br />
* Must have a publicly-reachable TCP or UDP port<br />
* Static IP is preferred (dynamic DNS is possible)<br />
<br />
=== Client-Side Requirements ===<br />
<br />
* Only needs outbound Internet access<br />
* Works behind NAT or firewall with no issue<br />
* Setup is initiated by Client → Server<br />
* Remarkably simple configuration<br />
<br />
=== Important Changes ===<br />
<br />
* Peer-to-Peer (Shared Key) mode is '''deprecated'''<br />
* Peer-to-Peer (SSL/TLS) is the only supported mode moving forward<br />
* This opens the door to new capabilities like '''DCO''' (Data Channel Offload)<br />
<br />
=== Configuration Checklist ===<br />
<br />
{| class="wikitable"<br />
! colspan="2" | Server Information Needed<br />
|-<br />
| CA and Certificate Infrastructure || Required for trust<br />
|-<br />
| Server and Client Certificates || Authenticate both ends<br />
|-<br />
| Server Mode || Peer to Peer (SSL/TLS)<br />
|-<br />
| TLS Key || Automatically created<br />
|-<br />
| Tunnel Network || Subnet for the VPN tunnel<br />
|-<br />
| Local Network || Networks on the server side<br />
|-<br />
| Remote Network || Networks on the client side<br />
|-<br />
| Client-Specific Overrides || Tie client subnets to certificates<br />
|-<br />
| Firewall Rules || Don’t forget to allow traffic!<br />
|}<br />
<br />
{| class="wikitable"<br />
! colspan="2" | Client Information Needed<br />
|-<br />
| CA and Certificate/Keys from server || Import the server's CA<br />
|-<br />
| Server Mode || Peer to Peer (SSL/TLS)<br />
|-<br />
| TLS Key || Copy from the server side<br />
|-<br />
| Server IP Address || Public address of the server<br />
|-<br />
| Peer CA || Same CA as server<br />
|-<br />
| Client Certificate/Key || Generated for this client<br />
|-<br />
| Firewall Rules || Don’t forget to allow traffic!<br />
|}<br />
<br />
== Section Summary ==<br />
<br />
* Pay attention to crypto settings — they '''must agree''' on both sides<br />
* Very simple setup<br />
* Very tenacious — comes up and recovers quickly<br />
* Routed VPN instead of policy-based<br />
* Can co-exist with IPsec<br />
* '''Cannot''' route the same networks! (Policy > Routed)<br />
* Still need firewall rules to allow traffic to pass<br />
<br />
== Next Module ==<br />
<br />
→ Continue to '''[[Training_Lab_6:_OpenVPN|Lab 6: OpenVPN]]'''<br />
<br />
== Source Attribution ==<br />
<br />
''Source: Netgate pfSense Training Material — FUND001-LIVE-SLIDE-SEG6-OVPN.pdf © 2017 Rubicon Communications dba Netgate''</div>
Justinaquino