Hello, Here I'm trying to update OpenVPN on pfSense - Installation guide for (Windows) Dummies :-) (road-warrior) to work with pfSense 2 Release
I give no warranty that this will work for you or that it will not ruin your setup. So please BACKUP FIRST. Note that I tried to mark my updates in Green. I hope I didn't break that guide. I think a wiki would be the best place to but it, if I had access to pfsense wiki
A guide of how to connect a PC on the internet, to LAN behind a pfSense firewall using OpenVPN also known as a Road-Warrior setup
This guide is NOT detailed regarding different configurations, and may not be the best security practices - so use it at your own risk...
First of all you need to have keys and certificates generated in order to configure the pfSense OpenVPN service;
1) Download and install the most recent software from http://openvpn.net/download.html
If you plan to connect from a PC with Windows Vista you should get version 2.1 or newer.
Use the default options
2) Start a command prompt with administrator-rights!
This is done in Vista & Seven by clicking on START and then type CMD -> CMD.EXE should appear, and you RIGHT-Click on it and select 'Run as Administrator'
3) Change directory to c:\programfiles\openvpn\easy-rsa
4) run the "init-config.bat" file
5) Edit 'vars.bat' file.
I suggest using 'Wordpad' and to be able to save the file again, you need to start Wordpad in the same manner as the command-prompt (see #2)
The following things need to be edited:
2 Letters country ID - I use DK for Denmark
2 Letters Province ID - I use na as in 'Not Applicable'
Name of city
Name of your company
Put an email-address here. Dont use you private address, since this is the common address for the Certificate Authority (or something...)
Save the file
6) Run "vars.bat"
7) Run "clean-all.bat"
Cool Run "build-ca.bat"
Then you are prompted for some different things; Leave them at default, except "Common Name" - put something like "pfSense-CA"
9) Run "build-key-server.bat server"
Again you are prompted; leave them on default except "Common Name" - use "server" ,(Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]". you might also see that while creating client keys)
Run build-dh.bat not required, see Importing OpenVPN DH Parameters - PFSenseDocs
Now its time to generate keys and certificates for the client(s)
11) Run "build-key.bat ovpn_client1"
Again you are prompted; leave them on default except "Common Name" - here you should put in "ovpn_client1" (or whatever you have called it)
The ovpn_client1 will be the name of the keys, certificate and the name you identify the connection on later. You can use whatever name you like, and generate as many as you want (with different names).
12) The following files should now be copied from c:\programfiles\openvpn\
easy-rsa\keys to c:\programfiles\openvpn\config
ovpn_client1.crt (if you dont see a .crt file but only a .csr file, chances are that you dont have admin priviligies. Worst case generate the keys and certificates on a NON-Vista machine)
13) Make a file in the c:\programfiles\openvpn\config
called "ovpn_client1.ovpn" and the file should contain (leave out the hashes):
remote 126.96.36.199 1194
Please put in your own public IP address of you pfSense-box in the 'remote' line
If you have chosen another name than 'ovpn_client1' then change it in the lines beginning with 'cert' and 'key'
If you have more than one VPN client, you make one .ovpn-file per client (with the corresponding .key and .crt name)
Now its time to configure pfSense
21) Log into the web-gui of pfSense
22) Now you need to have access to some of the files created in c:\programfiles\openvpn\easy-rsa\keys (mentioned in #12) ,22) Log into the web-gui of pfSense then system >> cert manager
23) add new certificate in CAs tab, name it (ex, CA), and Copy the WHOLE content of ca.crt into the "Certificate data" field
24) add new certificate in Certificates tab, name it (ex, servercrt), and Copy the WHOLE content of server.crt into the "Certificate data" field and the WHOLE content of server.key into the "Private key data" field
Copy the WHOLE content of dh1024.pem into the "DH parameters" window not required, see Importing OpenVPN DH Parameters - PFSenseDocs
26) Select VPN/OpenVPN and add an entry in the 'server' page, Use the following settings:Server Mode: Peer to Peer (SSL/TLS)
Device Mode: tun
Local port: 1194
TLS Authentication: unchecked (maybe that is unsafe)
Peer Certificate Authority: CA (or what ever you named it in step 23)
Peer Certificate Revocation List: (not required)
Server Certificate: servercrt (or what ever you named it in step 24)
DH Parameters Length: 1024
Encryption algorithm: BF-CBC (128-bit)
Hardware Crypto: (I didn't set any - No hardware crypto acceleration)
Tunnel Network: 192.168.200.0/24 the client will be on that subnet
Redirect Gateway: unchecked
Local Network: 192.168.1.0/24 the network which the client should reach
Remote Network: blank
Concurrent connections: blank
Duplicate Connections: unchecked
Now we need a few simple rules in the firewall
27) On the WAN interface you should make a rule that;
OS type: any
Destination port range from: OpenVPN
Destination port range to: OpenVPN
Tick in the LOG
Leave the rest at default.
28) and another rule on the interface called openvpn
Any protocolSource: Any
Remember to apply the new rules.
Now you should be able to connect from OpenVPN (rightlick on the icon in the try and select Connect).
But remember to start OpenVPN with ADMIN RIGHTS!
A small trick; If you want a specific client to be able to access more than one subnet, you can add a 'Client Specific Configuration' in pfSense;
Find it in the "WebGui/VPN/OpenVPN/Client-Specific configuration", use the Common Name given in #11 (ovpn_client1) and in custom options add the following line
push "route 192.168.2.0 255.255.255.0"
if thats the subnet that you want to have connection to.
Hope this small guide provides some help to those of us who isn't much into *nix and OpenVPN.
There is problably a bunch of typ'O's - please write a comment when you see one that needs to be corrected...
This setup is working on my current setup:
pfSense 2 Release
Please visit http://openvpn.net/howto.htm
for much more indepth info Smiley
If you later would like to add new clients, run point 2,3,6, and continue from point 11! - dont run point 7-8-9-10!!!!
Also note you need to do this on the machine that was orignally used to issue the certificates.