This article describes how to build an OpenVPN server with
SSL/TLS + User Auth authentication on pfSense release 2.4.3.p1.
Create 3 certificates
CA certificate: System -> Cert. Manager, press the green “Add” button at the bottom to create the CA certificate and fill in the fields as shown in the figure:
Method: Create an Internal Certificate Authority
Key Length: 2048
Digest Algorithm: sha256
Country Code: IT
State or Province: <your data>
City: <your city>
Email Address: <email>
Common Name: <optional>
Click on Save.
Certificate for the server: System -> Cert. Manager -> Certificates, click the green Add button here; the screen is the same as the previous one, but follow the guidelines in this image:
User certificate: as above, but select Client certificate instead of Server certificate.
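As an added example (not part of the original article), the same three-certificate PKI built with openssl, using the key length and digest from the steps above. The check at the end shows why the Server/Client certificate type matters: the server certificate carries the serverAuth Extended Key Usage that OpenVPN clients enforce with remote-cert-tls server, so a user certificate cannot be passed off as the server. The subject names (ovpn-ca, vpn.example.invalid, alice) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: rebuild the same three-certificate
# PKI (CA, server, user) with openssl, using the article's parameters (RSA 2048,
# sha256, C=IT), then check what pfSense's Server/User certificate types give you:
# the right Extended Key Usage (EKU) and a valid chain to the CA.
# Subject names (ovpn-ca, vpn.example.invalid, alice) are constructed placeholders.
set -eu

build_pki() {                       # $1 = output directory
    ( cd "$1"
      # 1) Internal CA (System -> Cert. Manager -> CAs -> Add)
      openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
          -subj "/C=IT/ST=Lazio/L=Rome/CN=ovpn-ca" -keyout ca.key -out ca.crt 2>/dev/null
      # 2) Server certificate: serverAuth EKU, which OpenVPN clients check with
      #    "remote-cert-tls server" so a stolen user cert cannot pose as the server
      openssl req -new -newkey rsa:2048 -sha256 -nodes \
          -subj "/C=IT/CN=vpn.example.invalid" -keyout server.key -out server.csr 2>/dev/null
      printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 825 -sha256 -extfile server.ext -out server.crt 2>/dev/null
      # 3) User certificate: clientAuth EKU only
      openssl req -new -newkey rsa:2048 -sha256 -nodes \
          -subj "/C=IT/CN=alice" -keyout alice.key -out alice.csr 2>/dev/null
      printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > alice.ext
      openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 825 -sha256 -extfile alice.ext -out alice.crt 2>/dev/null
    )
}

# check_cert DIR CERT EKU_TEXT: exit 0 only if CERT chains to DIR/ca.crt and its
# EKU text (as printed by openssl x509 -text) matches, e.g.
# "TLS Web Server Authentication" or "TLS Web Client Authentication".
check_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/$2" -noout -text 2>/dev/null | grep -q "$3"
}

pki=$(mktemp -d)
build_pki "$pki"
check_cert "$pki" server.crt "TLS Web Server Authentication" && echo "server.crt: chain and serverAuth OK"
check_cert "$pki" alice.crt "TLS Web Client Authentication" && echo "alice.crt: chain and clientAuth OK"
# The user certificate must NOT pass as a server certificate:
if check_cert "$pki" alice.crt "TLS Web Server Authentication"; then
    echo "alice.crt wrongly usable as server"; else echo "alice.crt rejected as server (expected)"; fi
```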
VPN -> OpenVPN -> Wizard: in the first screen that appears, select Local User Access.
Click on “Next”.
Select the CA certificate you created and click “Next”; select the server certificate and click “Next”; select the WAN interface, the UDP protocol (or TCP) and port 1194 (the default, but you can choose the one you prefer), and finally enter a description of the server.
Click to proceed and continue: for the server configuration we refer you to the following images.
IPv4 Tunnel Network: the virtual network that OpenVPN will use. IPv4 Local Network: the LAN network behind the firewall, for example “192.168.0.0/24”. If you want, you can tick the option to force all client-generated traffic through the tunnel. Leave everything else at its default, as in the images below, and then save.
To export user certificates, we recommend installing openvpn-client-export from System -> Package Manager, under Available Packages.
To create the user: System -> User Manager; create the user by entering a username, a password and a full name, tick the checkbox to create a certificate for the user and, under Certificate Authority, select the CA certificate created earlier.
It is also possible to create a group called VpnUsers and put all VPN users in it.
To export the user: VPN -> OpenVPN -> Client Export.
In the Host Name field, enter the public IP of the WAN; further down, the list of users created with a valid certificate will appear. The blue buttons let you download the application most suitable for your device.
Do not forget to:
- Open the port on the WAN
- Enable traffic on the OpenVPN interface