-- For pfSense version 2.0 (beta & RC)
Once you have completed this tutorial, you will have a pfSense box that automatically connects to StrongVPN and routes all traffic from your LAN through the VPN gateway.
-------------------------------- Section 1 ---

Step 1:
Download the StrongVPN greeting file.
Once extracted, you are presented with these files:

Step 2:
From the pfSense interface, navigate to the dropdown menus: System ---> Cert Manager

Step 3:
Click the plus button, as seen here, to create a new certificate authority.

Step 4:
Enter a descriptive name for the new CA, and ensure that "Import an existing certificate authority" is selected.

Step 5:
Go to the directory containing the files, as seen in the first screenshot in this tutorial.
Open the file called "ca.crt" in Notepad, and copy and paste the EXACT contents of it into the first box.
Click SAVE. (The second box will remain empty; don't worry.)
Step 6:
Click on the "Certificates" tab, then click on the plus button:

Step 7:
Ensure that "Import an existing certificate" is selected, and enter a descriptive name.
Go to the directory containing the files, as seen in the first screenshot in this tutorial, and open the file called "ovpn059.crt".
NOTE: depending on the server you selected upon purchase, your client cert may have a number other than '059', so do not fret.
Open it in Notepad, and copy and paste the contents of it into the first box.
Open "ovpn059.key" (again, note that the number '059' will probably be different) and copy/paste the contents into the second box ('Private key data').
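Steps 5 and 7 hinge on pasting the exact contents of ca.crt, the ovpnNNN.crt/.key pair (whatever number your bundle carries) and ta.key into the right boxes. The Python helper below is an added example, not part of this tutorial and not something StrongVPN or pfSense ship: it locates those files in an extracted bundle, checks that each is one intact PEM block of the kind its box expects (so a truncated paste or a key dropped into the certificate box is caught before pfSense rejects it), and returns the exact text to paste. `make_sample_bundle` writes a constructed, non-functional stand-in bundle so the helper can be dry-run.

```python
import os
import re
import tempfile

PEM_RE = re.compile(r"^-----BEGIN ([A-Za-z0-9 ]+)-----$")
# PEM labels acceptable for each pfSense paste box (CA cert, client cert,
# client "Private key data", and OpenVPN "TLS Authentication").
ALLOWED = {"ca": {"CERTIFICATE"}, "cert": {"CERTIFICATE"},
           "key": {"PRIVATE KEY", "RSA PRIVATE KEY"},
           "ta": {"OpenVPN Static key V1"}}

def read_pem(path, role):
    """Return the exact block in `path`, or raise if it is not one intact PEM
    block with a label that fits `role` (wrong file or partial paste)."""
    with open(path) as fh:
        lines = [ln.rstrip("\r\n") for ln in fh if ln.strip()]
    m = PEM_RE.match(lines[0]) if lines else None
    if m is None or m.group(1) not in ALLOWED[role]:
        raise ValueError(f"{path}: not a {role} PEM block")
    if lines[-1] != f"-----END {m.group(1)}-----":
        raise ValueError(f"{path}: END marker missing, block is truncated")
    return "\n".join(lines)

def find_bundle(directory):
    """Locate ca.crt, ta.key and the ovpnNNN.crt/.key pair, whatever NNN is."""
    names = set(os.listdir(directory))
    certs = [n for n in names if re.fullmatch(r"ovpn\d+\.crt", n)]
    if len(certs) != 1:
        raise FileNotFoundError(f"expected exactly one ovpnNNN.crt, found {certs}")
    stem = certs[0][:-4]
    wanted = {"ca": "ca.crt", "cert": stem + ".crt", "key": stem + ".key", "ta": "ta.key"}
    missing = [n for n in wanted.values() if n not in names]
    if missing:
        raise FileNotFoundError(f"bundle is missing {missing}")
    return {role: os.path.join(directory, n) for role, n in wanted.items()}

def load_bundle(directory):
    """Map each paste box to the validated text that goes into it."""
    return {role: read_pem(p, role) for role, p in find_bundle(directory).items()}

def make_sample_bundle():
    """Write a constructed, non-functional stand-in bundle to a temp dir."""
    d = tempfile.mkdtemp()
    fake = {"ca.crt": "CERTIFICATE", "ovpn123.crt": "CERTIFICATE",
            "ovpn123.key": "RSA PRIVATE KEY", "ta.key": "OpenVPN Static key V1"}
    for name, label in fake.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nQ0FGRQ==\n-----END {label}-----\n")
    return d
```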
Step 8:
Navigate to the system dropdown menus: VPN ---> OpenVPN
Click the Client tab:

Step 9:
For this step, please just duplicate what you see in this screenshot on your box.
-Note: In the "Cryptographic Settings" section, copy and paste the contents of the "ta.key" file into "TLS Authentication".
-Note 2: For ease, here are the "Advanced configuration" options you can copy and paste (remember to keep the trailing ; in place):
verb 5;tun-mtu 1500;fragment 1300;keysize 128;redirect-gateway def1;persist-key;
Now click Save.

Step 10:
Navigate to the system dropdown menus Status ---> System Logs, and click on the OpenVPN tab.
If the last thing you see in this log is "Initialization Sequence Completed", you are connected to StrongVPN; but you are not done yet, as none of your traffic is traversing this line.
Move on to Section 2.
--------------------------------- Section 2 ---

Step 1:
Navigate to the system dropdown menus Interfaces ----> (assign)
Click the plus button:
-Note: in the previous screenshot you will notice a StrongVPN interface. You will NOT have that on your box yet, so don't worry.

Step 2:
After clicking on the plus button, pfSense will tell you it has successfully added a new interface. The network port name will most likely be "ovpnc1". Ensure that the new interface is selected as "ovpnc1" (it could be ovpnc2, ovpnc3, etc., depending on whether you have other OpenVPN interfaces).
Step 3:
Navigate to the system dropdown menus Interfaces ---> OPT1 (or whatever your new interface from the previous step is).
Enable the interface.
Enter a Description ---> "StrongVPN"
"Type" ---> none
Leave everything else alone.
Click Save.
Step 4:
Navigate to the system dropdown menus System ---> Routing
Click the plus button:
Ensure the Interface selected is the new one we have just assigned to the VPN client; it should be "OPT1".
Enter the gateway name.
For "Gateway", enter "dynamic".
Do NOT tick "Default gateway".
For monitor IP, enter 184.108.40.206 (or whatever will respond to ICMP). (220.127.116.11 is OpenDNS, FYI.)
Leave "Advanced" alone.
Enter a description for "Description".
Click Save.
Step 5:
Navigate to the system dropdown menus Firewall ---> Rules
Click on the LAN tab.

Step 6:
Create a new rule that looks like this:
Source: LAN Subnet
Description: LAN to Internet force through VPN
**IMPORTANT**: scroll down to "Gateway" under the "Advanced features" of the rule.
Set the gateway to your VPN interface.
It should look something like this:
The rule should look like this:
At this point, I would give the box a reboot (possibly an unnecessary step).
If this isn't an option, disable the VPN client, wait a minute and then re-enable it.
CHECK the OpenVPN syslog for errors!
Navigate to "http://www.whatismyip.com/" and your public-facing IP will be one of StrongVPN's IPs. You're done!
**edit - November 23 2010**
-- removed persist-tun from the additional configuration options
**edit - March 9 2011**
-- From now on, in order for traffic to be routed through the VPN gateway: from the pfSense interface, navigate to the dropdown menus Firewall ---> NAT ---> Outbound, enable "Manual Outbound NAT rule generation" and click Save.