I recently posted about setting up a Raspberry Pi 3 as an OpenVPN server. It worked great, but I had some issues that I was still trying to fix (at least at the time of this writing). Basically, I could not get Internet access working properly: it works, but I can only reach some websites or IP addresses.
Therefore, I tried to find other alternatives that would let me VPN in from my laptops (macOS or Linux) and/or mobile devices (iPad/iPhone or Android). I found the pfSense and OPNsense firewalls. I already have a firewall, so this post is mainly about remote access VPN. Basically, the sole purpose of this OPNsense/pfSense virtual appliance is to be my SSL VPN concentrator.
I am running this VM on my HP N54L micro server just in case you are wondering.
Here is the network topology:
I am assuming that you have OPNsense/pfSense installed and are able to access its web UI. Also, since I am going to use this at home, I use DDNS instead of my dynamic public IP. There are DDNS providers that offer free accounts – I use no-ip.
Make sure that you have at least two interfaces – one for the WAN (em0) and the other (em1) for management.
This is optional – by default, OPNsense/pfSense will create firewall rules and outbound NAT. In this post, I will be disabling the outbound NAT, since I don’t want to NAT my VPN traffic from the OPNsense to my network. Also, I will create my own firewall rules.
If you do not want to do what I described in the paragraph above, then you are done once you finish everything from the beginning through the OpenVPN Server section, and there is no need to continue to the Firewall Rules and Network Address Translation part of this guide.
Make sure that you are forwarding (destination NAT) the port 1194/udp from the Internet inbound to your OPNsense/PFsense firewall. Otherwise, it is not going to work.
Let’s get started – log in to the OPNsense web UI.
Navigate to Services > DNS Tools > DynDNS > Add
When done click on Save. This will take a few seconds.
Enter all necessary information – see Figure 2
Navigate to System > Gateway > All > Add gateway
Select the WAN interface
Give it a Name
Enter the default gateway IP address in the Gateway field
Check the Default Gateway
Click Save and then Apply changes
Navigate to System > Settings > General
Make sure that you update the timezone
Scroll down and set the DNS servers and select Use gateway from the drop-down menu
Uncheck the Allow DNS server list to be overridden by DHCP/PPP on WAN
Click Save and Apply
Navigate to Interfaces > [WAN]
Then uncheck the Block private networks
Leave the Block bogon networks checked
Set the IPv4 Configuration Type to Static IPv4
Scroll down and give the WAN interface a static IP and select the IPv4 Upstream Gateway that was set up earlier.
Click Save when done.
Navigate to Interfaces > [LAN]
Set the IPv4 Configuration Type to Static IPv4
Scroll down and give the interface a static IP for management access
We need to download the OpenVPN package. Navigate to System > Firmware > Packages
Select openvpn23 > reinstall icon (the one that looks like a recycle icon)
We need to create the CA certificate and OpenVPN Server certificate. Navigate to System > Trust > Authorities > Add or import CA
Ensure you select ‘Create an internal Certificate Authority’ from the Method drop-down menu.
Enter the necessary information as shown in Figure 11 and 12 then click Save
To create the OpenVPN server certificate, navigate to System > Trust > Certificates > Add or import certificates
- Ensure you select ‘Create an internal Certificate Authority’ from the Method drop-down menu
- Under the Certificate authority’s drop-down menu, select the CA that was created earlier
- The Type should be Server Certificate
Now, we need to create the vpn users.
Navigate to System > Access > Users
Click the + symbol to add a user
Enter only the following:
- Expiration (optional)
- Make sure that you put a check mark on Certificate > Click to create a user certificate
Since you marked the Click to create a user certificate, after clicking Save, it will take you automatically to System > Trust > Certificates
From here, make sure that you change the Method to Create an internal certificate
It should auto-populate the rest of the fields for you. All you need to do is click Save
After clicking Save, it will bring you back to the user creation page (Figure 15 and Figure 16). From here, just click Save
Now we need to create the OpenVPN server. Navigate to VPN > OpenVPN > Servers > add server
Under General Information, set the Server Mode to Remote Access (SSL/TLS). The rest of the information should be automatically populated.
Under the Cryptographic Settings, make sure to select the OpenVPN server certificate that was created earlier from the Server Certificate drop-down menu.
The rest of the fields should already be auto-populated, but modify them if needed for better security, as shown below
Under the Tunnel Settings, do the following:
- IPv4 Tunnel Network – this is the IP pool from which the VPN users will get their IP address
- IPv4 Local Network – these are the resources that the VPN users will have access to. You can add multiple subnets separated by commas
- Redirect Gateway – enabling this will remove the IPv4 Local Network and will tunnel all traffic through the VPN
- You probably guessed it already: leaving ‘Redirect Gateway’ disabled leaves the VPN in split tunneling mode (this is the default)
- Concurrent connections – this is the number of connections allowed to the VPN server
- Compression – should be set to Enable with Adaptive Compression
Under Client Settings, mark the following: Dynamic IP, Address Pool, and Topology. Mark DNS Servers if you have preferred DNS servers, as shown in Figure 21
Under Advanced Configuration,
At this point, everything is good to go. What is missing is exporting the user profiles. Navigate to VPN > OpenVPN > Client Export
- Select the OpenVPN server you have created from the Remote Access Server drop-down menu. If you created just one server, then it should already be selected
- Select the DDNS that was created at the beginning of this post from the Host Name Resolution drop-down menu
- Leave everything as is. Scroll down at the bottom and you will see the users you have created
- Select the type of profile you will need for the user in the Export column
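As an added check (not part of the original post), the Python below reads an exported client profile and confirms it reflects the settings described in the Tunnel Settings and Client Export steps: the DDNS hostname as the remote, 1194/udp, an embedded CA, whether the profile is split tunnel or redirect-gateway, and whether compression is on. The sample profile is constructed and the hostname is a placeholder.

```python
import re

# Constructed sample of an exported client profile; not a real export,
# and the DDNS hostname is a placeholder.
SAMPLE_OVPN = """\
client
proto udp
remote myhome.example-ddns.invalid 1194
comp-lzo adaptive
<ca>
-----BEGIN CERTIFICATE-----
(ca omitted)
-----END CERTIFICATE-----
</ca>
"""

def parse_ovpn(text):
    """Map each directive to its argument lists; <ca>-style blocks are recorded by tag name."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if block:                      # inside <tag> ... </tag>, skip the body
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<(\w+)>", line)
        if m:
            block = m.group(1)
            directives.setdefault(block, []).append(["inline"])
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def check_profile(text, expected_host, expected_port="1194"):
    """Compare a profile with this guide's server settings; True means it matches."""
    d = parse_ovpn(text)
    remote = d.get("remote", [[]])[0]
    # proto may be the third argument of 'remote' or a separate directive
    proto = remote[2] if len(remote) > 2 else d.get("proto", [["udp"]])[0][0]
    return {
        "remote_is_ddns": bool(remote) and remote[0] == expected_host,
        "port_1194_udp": len(remote) > 1 and remote[1] == expected_port
                         and proto.startswith("udp"),
        "has_ca": "ca" in d,
        "split_tunnel": "redirect-gateway" not in d,
        "compression_on": "comp-lzo" in d or "compress" in d,
    }
```

The compression_on finding is reported because current OpenVPN documentation advises against enabling compression on VPN links (it exposes a compression oracle), so it is worth revisiting that setting when you review the exported profile.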
Firewall Rules and Network Address Translation
I am going to disable the outbound NAT and will create my own firewall rules. Now, before I disable my NAT, I had a static route for the OpenVPN subnet with the next-hop IP of the WAN interface of the OPNsense.
To disable source NAT (outbound NAT), navigate to Firewall > NAT > Outbound
Select the Disable outbound NAT rule generation then click Save
The firewall rule is very simple. It is just an inbound rule on the WAN interface. Basically, what you need is the second line. I have the third line because I created two OpenVPN servers for two different purposes.
These are the OpenVPN firewall rules. I disabled the default ‘allow all’ rule and created several rules for specific needs.
I believe this is it. Hope you will find this helpful. Cheers!!!