How to Configure OpenVPN Client Perfectly on pfSense

So, I started integrating the VPN category and its topics into my blog; you should find the section added to the main menu at the top. pfSense is the backbone for routing in my own homelab, which is why I have a lot of experience in this field.

Correspondingly, as an opening for the series, we started by explaining how to set up an OpenVPN server on Linux along with client configuration for different operating systems.

This time around, we will explain how to configure a pfSense firewall as a client for a server running OpenVPN. This lets every device connecting to the router be part of the VPN private network, and thus have the same public IP as the hosting server.

Advantages of OpenVPN Client on pfSense

In fact, you can configure any device as an OpenVPN client for a VPN server, but if you already have all of your devices connected to a central pfSense router, you can utilize that conveniently.

It makes sense to configure the firewall itself as the sole OpenVPN client and let it handle session management to the server. Here are a couple of advantages of that setup.

  1. You can assign a public static IP address to your pfSense router matching the VPN server.
  2. You can bypass the Carrier Grade NAT (CGN or CGNAT) restrictions which enables you to host your own services from home.
  3. You can connect multiple clients to an OpenVPN service and only use a single session, especially when the server has a limit on the number of sessions available.
  4. You don't need to bother with OpenVPN configuration for each client but only configure the router once.
  5. Some client devices may not have the ability to be configured as an OpenVPN client which is irrelevant in this case.

I don't even think the list ends here; many people will want to use a VPN to hide and protect their identity. There's no limit to the possibilities; you can always define your own and find a purpose.

Configure OpenVPN Certificates on pfSense

On one hand, if you have previously followed our tutorial to set up your own OpenVPN server then you should know by now that the end result for client configuration is an ".ovpn" file which contains all the certificates and authentication keys needed.

On the other hand, if you are using a public VPN provider that internally uses OpenVPN to provide users with the service, the result is the same: go ahead and refer to that ".ovpn" file, it doesn't matter.

There's a section called Certificate Manager on the pfSense panel, which you can find by navigating to System > Cert. Manager. You should have your browser pointing there by now to start.

Add CA Certificate

From the Certificate Manager, navigate to the CAs tab and press on the green Add button to add a new CA certificate.

Once clicked, you will find multiple input fields so just define your VPN service provider name in the "Descriptive name" field and change "Method" to Import an existing Certificate Authority so we can insert the certificate data.

Now, from the ".ovpn" file provided to you as a client, copy everything in between the opening <ca> and closing </ca> tags and paste that into the "Certificate data" field, then just press the blue Save button.

Add Client Certificate

The instructions are almost the same for this as well, but this time navigate to the Certificates tab and from there press on the green Add button to add a new certificate.

Then again, once clicked you will find multiple fields so just define your VPN service provider name in the "Descriptive name" field and change "Method" to Import an existing Certificate so we can insert the certificate data and its private key data as well for this particular case.

Now, from the ".ovpn" file provided to you as a client, copy everything in between the opening <cert> and closing </cert> tags and paste that into the "Certificate data" field.

Additionally, copy everything in between the opening <key> and closing </key> tags and paste that into the "Private key data" field. Now you can safely press the blue Save button to save the certificate.

Configure OpenVPN Client on pfSense

In order to successfully configure and authenticate an OpenVPN client on pfSense, you must have all certificates correctly added and configured in the Certificate Manager as explained above, so make sure everything is set before you proceed.

Add Client

Apparently, it's simple to add and configure pfSense as an OpenVPN client: from the main menu just navigate to VPN > OpenVPN > Clients, and once you arrive at the Clients tab, press the green Add button.

Configure Client

You should now be presented with a set of options to configure the OpenVPN client, and those should match the configuration on the server. If you have followed our tutorial, these will be pretty much standard options; otherwise you might have to slightly change some options to match the configuration given specifically by your VPN service provider.

NOTE:

You should keep all settings presented in their default values except for the ones that will be mentioned to be changed down below.

In fact, you don't have to worry much about it, because once you acquire the ".ovpn" file it should contain all the information needed to do so. Let's start.

  1. Server host or address: Change this to the IP address or the hostname for the VPN service provider.
  2. Description: You can change this to the name of the VPN service provider.
  3. Automatically generate a TLS Key: Untick this option, then find what's in between the opening <tls-crypt> and closing </tls-crypt> tags and insert that key into the TLS Key field.
  4. TLS Key Usage Mode: Change this to "TLS Encryption and Authentication" from the drop-down listed options.
  5. TLS keydir direction: Change this to "Both directions" from the drop-down listed options.
  6. Peer Certificate Authority: Select the CA certificate that we previously configured right from the drop-down listed options.
  7. Client Certificate: Select the Client certificate that we previously configured right from the drop-down listed options.
  8. Encryption Algorithm: Select "AES-256-CBC" right from the drop-down listed options unless for some reason configured differently by your VPN service provider.
  9. Enable Negotiable Cryptographic Parameters: Untick this option unless for some reason required by your VPN service provider.
  10. Auth digest algorithm: Select "SHA512" right from the drop-down listed options unless configured differently by your VPN service provider.
  11. Use fast I/O operations with UDP writes to tun/tap: I recommend ticking this option on.
  12. Gateway creation: I recommend ticking "Both" from the options available.

Normally, these steps are everything you need to follow in order to fully configure the OpenVPN client for pfSense, especially if you have used an installation script on the server.

You might need to do a little more or change a few options in some cases, when required specifically by your VPN service provider.
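Before pasting anything into the Certificate Manager or the client form, you can check an ".ovpn" profile offline. The script below is an added example, not part of the original tutorial: it pulls out the four inline blocks used above, reads the "remote", "cipher" and "auth" directives, and reports which values differ from the ones selected in this guide. The sample profile, its host name and the helper names are constructed for illustration.

```python
import re

def _block(tag, label, body):
    return f"<{tag}>\n-----BEGIN {label}-----\n{body}\n-----END {label}-----\n</{tag}>\n"

# Constructed sample profile: host name and PEM bodies are placeholders, not real material.
SAMPLE_OVPN = (
    "client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
    "cipher AES-256-GCM\nauth SHA512\n"
    + _block("ca", "CERTIFICATE", "Q09OU1RSVUNURUQtQ0E=")
    + _block("cert", "CERTIFICATE", "Q09OU1RSVUNURUQtQ0VSVA==")
    + _block("key", "PRIVATE KEY", "Q09OU1RSVUNURUQtS0VZ")
    + _block("tls-crypt", "OpenVPN Static key V1", "0123456789abcdef")
)

# Inline block -> pfSense field it is pasted into in this tutorial.
BLOCK_FIELDS = {
    "ca": "CAs: Certificate data",
    "cert": "Certificates: Certificate data",
    "key": "Certificates: Private key data",
    "tls-crypt": "OpenVPN client: TLS Key",
}
# Values this tutorial selects unless the provider's profile says otherwise.
TUTORIAL_DEFAULTS = {"cipher": "AES-256-CBC", "auth": "SHA512"}

def parse_ovpn(text):
    """Return (inline blocks by tag, first occurrence of each plain directive)."""
    blocks = {}
    for tag in BLOCK_FIELDS:
        m = re.search(rf"^<{re.escape(tag)}>\s*\n(.*?)\n</{re.escape(tag)}>", text, re.S | re.M)
        if m:
            blocks[tag] = m.group(1).strip()
    # Drop every inline block so PEM lines are not mistaken for directives.
    outside = re.sub(r"^<([\w-]+)>.*?^</\1>", "", text, flags=re.S | re.M)
    directives = {}
    for line in outside.splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "#;":
            directives.setdefault(parts[0], parts[1:])
    return blocks, directives

def review(text):
    """Summarise missing blocks, the server address, and settings that differ."""
    blocks, d = parse_ovpn(text)
    return {
        "missing": [f"<{t}> ({f})" for t, f in BLOCK_FIELDS.items() if t not in blocks],
        "server": d.get("remote", [])[:2],
        "differs": {k: d[k][0] for k, v in TUTORIAL_DEFAULTS.items()
                    if d.get(k) and d[k][0].upper() != v},
    }

if __name__ == "__main__":
    print(review(SAMPLE_OVPN))  # only the summary is printed, never key material
```

An entry under "missing" or "differs" marks a field where the provider's profile does not match the steps above and the corresponding option has to follow the provider instead.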

Configure VPN Interface on pfSense

Assuming you have correctly configured the OpenVPN client on pfSense, we can now proceed to adding the VPN interface.

Add VPN Interface

Now, if you navigate to Interfaces > Assignments you should see that there's a new interface called "ovpnc1" available to be added.

You have to go ahead and click "Add Interface" then just give it a name in the "Description" field, simply use "VPN" and save it.

Configure Outbound NAT

You have to allow mapping of the VPN interface through the firewall, so navigate to Firewall > NAT > Outbound and follow the instructions.

Once you arrive at the Outbound tab, change Mode to "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)" from the options available.

Now, if you look under "Mappings" you will find entries originally created for the WAN interface, you have to similarly re-create every entry but this time for the VPN interface we have just added.

The easiest way is to use the second option beside every entry from "Actions" column, this will duplicate any entry you want, the only thing you have to change is the interface from "WAN" to "VPN" when duplicated.

Verify Connectivity

There are two methods. You can refer to the "Interfaces" widget available on the pfSense dashboard: if you can see that the VPN interface is up and has acquired an IP address on the VPN private network, that means everything is well.

Alternatively, I think it's more convenient to navigate to Status > OpenVPN, then just check whether the service is alive with Virtual Address and Remote Host assigned correctly, as you would expect, matching the server.
