Justinaquino: Automated upload of Netgate pfSense training content

2026-04-23T07:08:32Z

Automated upload of Netgate pfSense training content

New page

__NOTOC__

<div style="background:#e7f3ff; border-left:6px solid #2196F3; padding:10px; margin-bottom:15px;">
'''Training Lab 6: OpenVPN'''<br/>
Hands-on lab covering site-to-site SSL/TLS VPN, remote access VPN, certificate infrastructure, and testing in pfSense.
</div>

== Overview ==

This lab goes through example configurations of OpenVPN for site-to-site and remote access.

== OpenVPN SSL/TLS Site-to-Site VPN ==

We’re going to configure OpenVPN to connect the HQ and branch networks. HQ will run the server, and the branch will be the client.

There is no functional difference in whether HQ or branch runs the server side. Most often people put the server instances on the main location’s end. If one end has a dynamic IP and one static, run the server on the static IP side. If one end is behind NAT, that end should be the client. In this case, the server side will be on the fw1-hq firewall.

=== Delete IPsec ===

First, since we have an IPsec VPN configured here already, IPsec needs to be disabled. On both fw1-HQ and fw1-branch, browse to '''VPN > IPsec'''. Put a check mark by each IPsec tunnel and click '''Delete P1s'''. Click '''Save''', then '''Apply Changes'''.

=== Create the Certificate Infrastructure ===

OpenVPN makes use of a certificate infrastructure in authenticating the session as well as routing traffic to and from member sites. On the server we must create a new Certificate Authority (CA), as well as server and client certificate/key pairs. This will be done on fw1-hq.

==== Create the Certificate Authority (CA) ====

Navigate to '''System > Cert Manager''' and click the green '''+Add''' button to add a new CA.

{| class="wikitable"
! Field !! Value
|-
| Descriptive Name || S2SCA
|-
| Method || Create an Internal Certificate Authority
|-
| Randomize Serial || (checked)
|-
| Key Type || RSA 2048
|-
| Digest Algorithm || sha256
|-
| Lifetime || 3650
|-
| Common Name || S2SCA
|}

(Leave the rest blank and click '''Save'''.)

==== Create the Server Certificate ====

Next, click on the '''Certificates''' tab, and click the green '''+Add/Sign''' button near the bottom.

{| class="wikitable"
! Field !! Value
|-
| Method || Create an internal server certificate
|-
| Descriptive Name || VPNserver
|-
| Certificate Authority || S2SCA
|-
| Key Type || RSA 2048
|-
| Digest Algorithm || sha256
|-
| Lifetime || 398
|-
| Common Name || VPNserver
|-
| Certificate Type || Server Certificate
|}

Scroll down and click '''Save'''.

==== Create the Client Certificate ====

While still on the '''Certificates''' tab, click the green '''+Add/Sign''' button near the bottom to create the client certificate.

{| class="wikitable"
! Field !! Value
|-
| Method || Create an internal certificate
|-
| Descriptive Name || VPNclient
|-
| Certificate Authority || S2SCA
|-
| Key Type || RSA 2048
|-
| Digest Algorithm || sha256
|-
| Lifetime || 3650
|-
| Common Name || VPNclient
|-
| Certificate Type || User Certificate
|}

Scroll down and click '''Save'''.

==== Export Certificates and Keys ====

The next task is to export the certificates and keys which the client requires when connecting to the OpenVPN server.

# Navigate to '''System > Cert Manager > CAs''' and find the S2SCA. Click the export button to save the CA certificate to the downloads folder on HQ-Client.
# Next, click on the '''Certificates''' tab and scroll down until you see the VPNclient certificate entry. Click the export button to save the certificate data and the key data to the Downloads folder on HQ-Client.

=== Configure Server on fw1-HQ ===

Browse to '''VPN > OpenVPN''' on fw1-HQ. On the '''Server''' tab, click '''+Add''' to add a new server instance.

{| class="wikitable"
! Field !! Value
|-
| Server Mode || Peer to Peer (SSL/TLS)
|-
| Description || HQ to Branch VPN
|-
| TLS Configuration || (checked)
|-
| Automatically generate TLS key || (checked)
|-
| Peer Certificate Authority || S2SCA
|-
| Server Certificate || VPNserver
|-
| IPv4 Tunnel Network || 172.17.6.0/24
|-
| IPv4 Local Network(s) || 172.17.1.0/24, 172.17.2.0/24, 172.18.1.0/24
|-
| IPv4 Remote Network(s) || 172.18.1.0/24
|-
| Inactive || 0 (connections can stay up indefinitely)
|}

Click '''Save''' at the bottom, then click the edit icon to edit the server you just created. Highlight and copy the entire contents of the '''TLS Key''' box. Paste it into a file called '''TLS.key'''.

This TLS key will be needed on the client side of the connection.

=== Create Client-Specific Overrides ===

The purpose of the Client-Specific Override (CSO) is to tie a client’s subnet to their certificate. Navigate to '''VPN > OpenVPN''' and click the '''Client Specific Overrides''' tab. Click the green '''+Add''' button.

{| class="wikitable"
! Field !! Value
|-
| Server List || HQ to Branch VPN
|-
| Common Name || VPNclient
|-
| IPv4 Remote Network || 172.18.1.0/24
|}

Leave everything else blank or default, scroll down and click '''Save'''.

=== Permit Traffic to Server ===

Now we need to add a firewall rule to permit the outside portion of the VPN, from the client to the server. On fw1-HQ, browse to '''Firewall > Rules > WAN'''. Click '''Add'''.

{| class="wikitable"
! Field !! Value
|-
| Action || Pass
|-
| Interface || WAN
|-
| Protocol || UDP
|-
| Source || 203.0.113.10
|-
| Source port || any
|-
| Destination || WAN address
|-
| Destination port || 1194
|-
| Description || allow branch OpenVPN site to site
|}

Then click '''Save''' and '''Apply Changes'''.

=== Permit Traffic within VPN ===

Traffic within OpenVPN connections is filtered by the firewall rules on the OpenVPN tab. Browse to '''Firewall > Rules > OpenVPN'''. Click '''Add'''.

{| class="wikitable"
! Field !! Value
|-
| Interface || OpenVPN
|-
| Protocol || Any
|-
| Source || Network, 172.18.0.0/16
|-
| Destination || any
|-
| Description || allow branch network
|}

Click '''Save''' and '''Apply Changes'''.

The server-side configuration is now complete.

=== Configure Client on fw1-branch ===

Before we can create the client side of the VPN, we must first import the CA and Client Certificate and Keys into the fw1-branch firewall.

==== Import the CA Certificate ====

Click on '''System > Cert Manager''' and click the green '''+Add''' button.

{| class="wikitable"
! Field !! Value
|-
| Descriptive Name || S2SCA
|-
| Method || Import an existing Certificate Authority
|-
| Certificate Data || Paste contents of S2SCA.crt
|}

Highlight all the contents of the '''S2SCA.crt''' file, and paste it into the '''Certificate Data''' field on fw1-branch, and click '''Save'''.

==== Import the Client Certificate and Key ====

Click on the '''Certificates''' tab and click the green '''+Add/Sign''' button near the bottom to import your Client Certificate.

{| class="wikitable"
! Field !! Value
|-
| Method || Import an existing certificate
|-
| Descriptive Name || VPNclient
|-
| Certificate Data || Paste contents of VPNclient.crt
|-
| Certificate Key || Paste contents of VPNclient.key
|}

Click '''Save'''.

==== Create the OpenVPN Client ====

Navigate to '''VPN > OpenVPN''' and click on the '''Clients''' tab. Click the green '''+Add''' button.

{| class="wikitable"
! Field !! Value
|-
| Server Mode || Peer to Peer (SSL/TLS)
|-
| Device Mode || tun
|-
| Server host or address || 192.0.2.2
|-
| Description || Branch to HQ VPN
|-
| Automatically generate a TLS key || UNCHECKED
|-
| Peer Certificate Authority || S2SCA
|-
| Client Certificate || VPNclient
|}

(Here, you will edit the OpenVPN server configuration on fw1-hq, and copy the TLS key data from that server configuration into this client’s TLS key box. You may have saved this file on your HQ-Client as '''TLS.key'''.)

Scroll down and click '''Save'''.

==== Permit Traffic within VPN ====

Add a firewall rule to permit traffic within the VPN, same as the other side but changing the source to HQ’s 172.17.0.0/16.

{| class="wikitable"
! Field !! Value
|-
| Action || Pass
|-
| Interface || OpenVPN
|-
| Protocol || Any
|-
| Source || 172.17.0.0/16
|-
| Destination || any
|-
| Description || Allow HQ
|}

'''Save''' and '''Apply Changes'''.

=== Check Status and Test ===

On fw1-branch, browse to '''Status > OpenVPN'''. There you should see the status as up. If not, skip to the troubleshooting section.

'''Testing:'''

From HQ-client, try to ping fw1-branch and branch-client:

<pre>
training@hq-client:~$ ping -c 3 172.18.1.1
PING 172.18.1.1 (172.18.1.1) 56(84) bytes of data.
64 bytes from 172.18.1.1: icmp_seq=1 ttl=63 time=2.40 ms
...
--- 172.18.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 2.406/3.841/4.843/1.043 ms

training@hq-client:~$ ping -c 3 172.18.1.100
PING 172.18.1.100 (172.18.1.100) 56(84) bytes of data.
64 bytes from 172.18.1.100: icmp_seq=1 ttl=62 time=4.26 ms
...
--- 172.18.1.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.783/4.309/4.877/0.447 ms
</pre>

Then from branch-client, try to ping HQ-client and server1:

<pre>
training@branch-client:~$ ping -c 3 172.17.1.100
PING 172.17.1.100 (172.17.1.100) 56(84) bytes of data.
64 bytes from 172.17.1.100: icmp_seq=1 ttl=62 time=3.73 ms
64 bytes from 172.17.1.100: icmp_seq=2 ttl=62 time=5.21 ms
64 bytes from 172.17.1.100: icmp_seq=3 ttl=62 time=5.14 ms
--- 172.17.1.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.730/4.698/5.219/0.685 ms

training@branch-client:~$ ping -c 3 172.17.2.10
PING 172.17.2.10 (172.17.2.10) 56(84) bytes of data.
64 bytes from 172.17.2.10: icmp_seq=1 ttl=62 time=4.02 ms
64 bytes from 172.17.2.10: icmp_seq=2 ttl=62 time=4.01 ms
64 bytes from 172.17.2.10: icmp_seq=3 ttl=62 time=5.19 ms
--- 172.17.2.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 4.011/4.408/5.192/0.554 ms
</pre>

You can also try browsing to server1 from branch-client: <code>http://172.17.2.10</code>

=== Troubleshooting ===

If the client side status doesn’t show as up, check the troubleshooting section of the OpenVPN chapter in the book for guidance. The most likely causes are an incorrect or missing firewall rule on the WAN of the server (port 1194 rule created above). Check fw1-HQ firewall logs for any blocks. If it’s not getting blocked, and connectivity between the sites works in general, something in the OpenVPN server or client configuration is the likely cause. Double check your configuration on both the client and server, and ensure the shared key was pasted over correctly.

== OpenVPN Remote Access VPN ==

In this section we’re going to set up an OpenVPN remote access server for remote mobile clients.

=== Server Setup Wizard ===

On fw1-HQ, browse to '''VPN > OpenVPN''', and click the '''Wizard''' tab.

=== Authentication Backend ===

Choose '''Local User Access''' and click '''Next'''.

=== Create New Certificate Authority ===

Fill in these values as desired. The locale information has no functional impact and generally isn’t visible anywhere unless you go looking for it.

=== Create New Server Certificate ===

Again, fill in these values as desired.

=== OpenVPN Server Configuration ===

Most things can be left at defaults here. The port must be changed, since we’re already using port 1194 for the site-to-site VPN server.

{| class="wikitable"
! Field !! Value
|-
| Local Port || 1195
|-
| Description || Remote Access VPN
|-
| Tunnel Network || 172.17.4.0/24
|-
| Local Network || 172.16.0.0/12
|-
| DNS Server 1 || 172.17.1.1
|}

Leave everything not listed above at defaults and click '''Next'''.

=== Firewall Rule Configuration ===

The last step of the wizard prompts whether you want to add a rule to allow traffic from clients to the OpenVPN server, and allow traffic inside the VPN from clients when connected. Check both boxes and click '''Next'''.

Click '''Finish''' on the last page.

=== Configuration Complete ===

The configuration is now complete. The last screen reminds you to install the OpenVPN Client Export package if you’d like to use it. It’s already pre-installed on this system to save time. Click '''Finish'''.

Browse to '''Firewall > Rules''' to see the rules added by the wizard. On the '''WAN''' tab, you’ll see the rule allowing traffic to reach the OpenVPN server instance. Then click the '''OpenVPN''' tab to see the rule added to permit traffic from the connected clients.

This may be overly-permissive for real world scenarios since it allows all traffic coming in via OpenVPN from any source to any destination. In a real world setup, you may need to restrict this rule.

=== Special Configuration for Older Clients ===

Although this is rarely necessary, some older OpenVPN clients, like the one installed on your remote-host, will require some extra configuration in the OpenVPN server. Click the '''Edit''' button under the Remote Access VPN, and scroll down to the bottom of the screen. Place this into the '''Custom Options''' box and Save:

<pre>
tls-version-min 1.0;
tls-cipher DEFAULT:@SECLEVEL=0
</pre>

=== User Setup ===

Users need a certificate from the RemoteVPNCA to connect. We’ll add a certificate to the '''vpntest''' account created during the IPsec lab. Browse to '''System > User Manager''', and edit the vpntest user. Then click the '''Add''' button next to '''User Certificate''' to create the certificate.

Choose method '''Create an internal certificate.''' Both '''Descriptive name''' and '''Common Name''' should be set to the username. The other fields can be left to defaults.

{| class="wikitable"
! Field !! Value
|-
| User || vpntest
|-
| Certificate Method || Create an internal certificate
|-
| Descriptive Name || vpntest
|-
| Common Name || vpntest
|}

Click '''Save'''. Back at the user edit screen, you’ll see the user’s certificate. Click '''Save''' to save the user changes.

=== Client Configuration ===

The OpenVPN Client Export utility eases the process of client configuration. It’s a package that comes pre-installed on the lab VMs, but will need to be installed under '''System > Packages''' on your other systems.

Browse to '''VPN > OpenVPN''', and click the '''Client Export''' tab.

For our lab purposes, all other settings can be left at their defaults. Scroll down to the bottom to find the vpntest user’s client export options.

For Windows systems, the Windows installer is what you’ll want. Choose x86 for 32 bit versions of Windows and x64 for 64 bit versions. The Viscosity bundle is for Windows or Mac OS X clients running the Viscosity client. The inline configuration options are most commonly used for iOS and Android clients.

The '''Standard Configuration''' Archive option downloads a zip containing the user’s certificate, TLS key for the server, and OpenVPN config file.

Here you will see the remote access server just created in the wizard. Because the RemoteHost’s VPN client is older, we need to scroll down the page and make sure to put a check mark on '''Legacy Client'''.

=== Testing ===

In this lab environment, the only machine that’s available in the circumstance of a typical client out on the Internet is the remote-host VM. First, add it to the '''RemoteAdmin''' alias on fw1-HQ so you can log into fw1-HQ from that host to ease getting the OpenVPN configuration onto the client. Browse to '''Firewall > Aliases''', and edit the RemoteAdmin alias. Add '''100.64.0.50/32''' to that alias, save, then apply changes.

Now connect with VNC to '''100.64.0.50''' (remote-host) to begin the client-side setup. Bring up its web browser and browse to '''https://192.0.2.2'''. Log in and browse to '''VPN > OpenVPN > Client Export''' tab. Export the '''Configuration Archive''' option for the vpntest user.

Make a folder called OpenVPN in your Documents folder, and save the zip file there. Right click the zip file and choose '''Extract Here'''.

Click the Network Manager icon → VPN Connections → Configure VPN.

Click '''Add''' and scroll down to '''Import a Saved Configuration'''.

Navigate to the folder where the OpenVPN configuration archive was extracted. Click on the '''.ovpn''' file and choose '''Open'''.

Fill in the username and password portions of the next screen, and click '''Save'''.

You may get prompted to choose a password for a new keyring. If so, just enter “password” in both blanks and click '''Continue''' and then '''Close'''.

Now connect to the OpenVPN server by clicking on the Network Manager → VPN Connections and choosing your VPN configuration.

Enter your password and click '''Ok'''.

Now you should verify you can reach things on the HQ LAN and DMZ networks. Try HQ-client at '''172.17.1.100''', server1 at '''172.17.2.10''' and server2 at '''172.17.2.20'''.

Once you have verified that the OpenVPN connection is functioning as expected, please disconnect the OpenVPN session on the remote host.

== Conclusion ==

This concludes Lab 6.

== Source Attribution ==

''Source: Netgate pfSense Training Material — FUND001-LIVE-Lab6-OpenVPN.pdf © 2021 Rubicon Communications, LLC (Netgate)''

Training Lab 6: OpenVPN - Revision history

Justinaquino: Automated upload of Netgate pfSense training content