With OpenVPN, you can access your company network from any Internet-connected computer using an OpenVPN client that can be pre-configured from the pfSense machine.
Note: in this tutorial, OpenVPN will be configured in "remote access" mode, which corresponds to the case explained above.
Additionally, OpenVPN will be secured with a TLS key and SSL certificates (internal to pfSense), as the use of a shared key is deprecated and will no longer be possible in future versions of pfSense.
If you have assigned a private (local) IP address to the pfSense WAN interface, you will need to modify its WAN interface configuration.
To do this, go to: Interfaces -> WAN.
At the bottom of the page, uncheck the "Block private networks and loopback addresses" box to allow network traffic coming from private (local) IP addresses on the pfSense WAN interface.
Otherwise, your OpenVPN server will not be accessible from the outside (WAN interface).
Then, click Save.
Then, at the top of the page, click: Apply Changes.
The configuration has been updated.
To configure OpenVPN in "remote access" mode, go to: VPN -> OpenVPN.
On the "VPN / OpenVPN / Servers" page that appears, click on: Wizards.
The "OpenVPN Remote Access Server Setup" wizard appears.
By default, the OpenVPN server will use the pfSense local user database as you can see by the "Type of Server: Local User Access" option.
Leave the "Local User Access" option selected and click Next.
Note: other possible choices are "LDAP" (for user authentication via Active Directory) or "RADIUS" (for authentication via a RADIUS server).
When you want to secure OpenVPN with SSL/TLS, you need:
Using this wizard, you will be able to configure these prerequisites step by step.
To begin, the wizard will ask you to select a pfSense internal Certificate Authority (CA) if there is one.
Otherwise, you will need to create a new internal certificate authority (CA) certificate using the "Create a New Certificate Authority (CA) Certificate" section:
Click on: Add new CA.
For more information on how a certification authority works, refer to our article: WS 2016 - AD CS - What is a CA and install an enterprise CA.
Next, you will be able to configure a certificate for your OpenVPN server.
The options offered are the same, but there are some differences in the values:
Now that the CA certificate and the "server" type certificate are created, the wizard allows you to configure your OpenVPN server using the "General OpenVPN Server Information" step:
In the "Cryptographic Settings" section:
The other security settings are available for compatibility reasons.
By default, the most secure values (which keep a good security/performance ratio) are selected, so leave them at their defaults unless you actually need to change them.
In the "Tunnel Settings" section, you can configure:
In the "Client Settings" section, you can configure these parameters:
Click Next.
Finally, for OpenVPN to work correctly, the pfSense firewall must be configured correctly:
Then, click Next.
Click Finish.
Note: as you can see, pfSense tells you that you can easily export the configuration for OpenVPN clients using the "OpenVPN Client Export" package.
However, you will see this a little later in this tutorial.
Source: OpenVPN Remote Access Configuration Example | pfSense Documentation.
In "VPN -> OpenVPN", you will see that an OpenVPN server "OpenVPN server for remote access" has been configured in "Remote Access (SSL/TLS + User Auth)" mode.
This means that OpenVPN clients will only be able to connect to the company network via this OpenVPN server if they have an account on your pfSense machine, as well as an associated personal SSL certificate.
In "System -> Cert. Manager" you will see that an internal Certificate Authority (CA) has been created.
In our case: OpenVPNRACA.
In the "Certificates" tab, you will see that an SSL certificate has been created for your OpenVPN server.
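As an added example (not part of the original tutorial or of pfSense): a small Python check that a client .ovpn profile carries everything the "Remote Access (SSL/TLS + User Auth)" mode implies, namely the CA, a personal certificate and key, user authentication and the TLS key. The directive names are standard OpenVPN client options; the function names and the sample profiles are constructed for illustration.

```python
import re

def directives(profile: str) -> set:
    """Names of the directives and inline <blocks> found in a client profile."""
    found, block = set(), None
    for line in map(str.strip, profile.splitlines()):
        if block:                       # skip inline key/certificate material
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:                           # start of an inline block such as <ca>
            block = m.group(1)
            found.add(block)
        else:
            found.add(line.split()[0])
    return found

def audit(profile: str) -> list:
    """Return what is missing for 'SSL/TLS + User Auth' remote access."""
    d = directives(profile)
    if "pkcs12" in d:                   # a PKCS#12 bundle carries CA, cert and key
        d |= {"ca", "cert", "key"}
    missing = []
    if "ca" not in d:
        missing.append("CA certificate")
    if not {"cert", "key"} <= d:
        missing.append("personal client certificate and key")
    if "auth-user-pass" not in d:
        missing.append("user authentication (auth-user-pass)")
    if not d & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        missing.append("TLS key")
    if not d & {"remote-cert-tls", "verify-x509-name"}:
        missing.append("server certificate check")
    return missing

# Constructed sample profiles (placeholder key material, example.com host).
def inline(name): return f"<{name}>\n(placeholder)\n</{name}>\n"
GOOD = ("client\ndev tun\nremote vpn.example.com 1194 udp\nauth-user-pass\n"
        "remote-cert-tls server\n" + "".join(map(inline, ["ca", "cert", "key", "tls-crypt"])))
CERT_ONLY = GOOD.replace("auth-user-pass\n", "").replace(inline("tls-crypt"), "")

if __name__ == "__main__":
    for name, p in (("GOOD", GOOD), ("CERT_ONLY", CERT_ONLY)):
        print(name, audit(p) or "ok")
```

A profile that reports missing items does not match the server mode shown above and should be re-exported rather than patched by hand.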
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.