
How to Configure OpenVPN Server for Remote Access⚓︎

Summary⚓︎

The objective is to let remote clients reach the LAN through an OpenVPN tunnel terminated on the pfSense firewall. This guide covers the setup and configuration of that tunnel with the pfSense OpenVPN wizard, the creation of per-user certificates, and the export of client configurations.

Configuration⚓︎

To start, navigate to VPN > OpenVPN > Wizards and start the Wizard.

Authentication⚓︎

  • Choose Local User Access (users, passwords and certificates are managed in the pfSense User Manager), then click Next.
  • Certificate Authority (CA) Selection
    • Select Add a new CA
  • Descriptive Name
    • Used as the Common Name (CN) for the CA. Should not include any spaces, punctuation or special characters.
  • Key Length
    • Leave it at the default (2048-bit RSA).
  • Lifetime
    • Lifetime of the CA in days. Leave it at the default of 3650. Once the CA expires, every certificate it issued stops validating, so its lifetime should be at least as long as that of any server or user certificate it will issue.
  • Enter Country Code, State & City accordingly.
  • Select Add New CA

Server Certificate Selection⚓︎

  • Select Add New Certificate
  • The fields are the same as in the CA step, so populate them the same way; the Descriptive Name becomes the Common Name of the server certificate.
  • Select Create New Certificate

General OpenVPN Server Information⚓︎

  • Interface
    • The interface on which OpenVPN listens for incoming connections. Leave it as WAN.
  • Protocol
    • Select UDP on IPv4 only
  • Local Port
    • Default is 1194, the IANA-registered OpenVPN port. Change it only if another OpenVPN instance already listens there.
  • Description
    • Provide a name for the OpenVPN instance.

Cryptographic Settings⚓︎

  • TLS Authentication
    • Leave this checked. Every control-channel packet is then HMAC-signed with a shared key (tls-auth), so packets from anyone without that key are dropped before the TLS handshake starts.
  • Generate TLS Key
    • Leave this checked
  • TLS Shared Key
    • Leave blank; it is only used to paste an existing key instead of generating one.
  • DH Parameter Length
    • Leave at the default, which is 2048.
  • Encryption Algorithm
    • AES-256-GCM. This is an AEAD cipher, so data-channel integrity comes from GCM itself.
  • Auth Digest Algorithm
    • SHA256 (256-bit). With a GCM cipher this digest is used for the tls-auth HMAC, not for data-channel integrity.
  • Hardware Crypto
    • BSD cryptodev engine, if the firewall has an accelerator that the cryptodev framework supports; otherwise leave it at No Hardware Crypto Acceleration, since the engine gives no benefit without one.

Tunnel Settings⚓︎

  • Tunnel Network
    • This should be a new, unique network that doesn't exist in the current network or routing table. Also avoid ranges remote clients are likely to sit on at home (192.168.0.0/24, 192.168.1.0/24), because a client on such a LAN routes those addresses locally.
    • I've selected 192.168.40.0/24.
  • Redirect Gateway
    • Forces all client-generated traffic, including Internet traffic, through the tunnel. Checked here; leave it unchecked if remote users only need the Local Network (split tunnel).
  • Local Network
    • This is the network that will be accessible from the remote endpoint.
    • Should be expressed as a CIDR range.
    • I've used 192.168.1.0/24.
    • If a remote client's own LAN uses the same range, the client's local route wins and these hosts are unreachable over the VPN, so a less common range on the office side avoids that problem.
  • Concurrent Connections
    • Left blank
  • Compression
    • Select Omit Preference (Use OpenVPN Default). Do not enable compression: compressing plaintext before encryption leaks information about it (the VORACLE attack against OpenVPN, 2018).
  • Type-of-Service
    • Leave unchecked
  • Inter-Client Communication
    • Allows connected VPN clients to reach each other. It is not needed to reach the Local Network or to administer it remotely; leave it unchecked unless clients must talk to one another.
  • Duplicate Connections
    • Leave unchecked, so only one session per certificate is active; a new connection with the same certificate terminates the old one.
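As an added example that is not part of the original guide, the script below checks that a candidate Tunnel Network overlaps none of the routes already on the firewall. The routing table it parses is a constructed sample in the column layout of FreeBSD `netstat -rn` (WAN on em0, LAN on em1); on a real firewall, feed the function the live output of `netstat -rn` from Diagnostics > Command Prompt or an SSH session. The overlap test is the general prefix comparison, so it also flags a tunnel network nested inside a larger route (192.168.40.0/24 inside a 192.168.0.0/16 route, say), not only exact duplicates.

```shell
#!/bin/sh
# Added example: confirm a candidate OpenVPN Tunnel Network does not overlap
# any route already present on the firewall. Not part of the original guide.

# Constructed sample of `netstat -rn` output in FreeBSD/pfSense layout
# (WAN em0 on 203.0.113.0/24, LAN em1 on 192.168.1.0/24). Not real output.
ROUTES_SAMPLE='Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#2             U           em1
192.168.1.1        link#2             UHS         lo0
203.0.113.0/24     link#1             U           em0

Internet6:
Destination        Gateway            Flags     Netif Expire
::1                link#3             UHS         lo0'

# ip4_to_int DOTTED-QUAD -> prints the address as a 32-bit integer
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/LEN B/LEN -> exit 0 if the two prefixes share any address.
# Two prefixes overlap exactly when they agree on the shorter prefix length.
cidr_overlap() {
  local a_ip="${1%/*}" a_len="${1#*/}" b_ip="${2%/*}" b_len="${2#*/}"
  local a b min mask
  a=$(ip4_to_int "$a_ip")
  b=$(ip4_to_int "$b_ip")
  min=$(( a_len < b_len ? a_len : b_len ))
  mask=$(( min == 0 ? 0 : (4294967295 << (32 - min)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# tunnel_network_is_free CANDIDATE/LEN ROUTES -> exit 0 if no route overlaps.
# ROUTES is `netstat -rn` text; host routes (no /LEN) are treated as /32,
# and the header, default route and IPv6 entries are skipped.
tunnel_network_is_free() {
  local candidate="$1" routes="$2" dest rest conflicts=0
  while read -r dest rest; do
    case $dest in
      ''|Destination|default|*:*) continue ;;
    esac
    case $dest in
      */*) ;;
      *) dest="$dest/32" ;;
    esac
    if cidr_overlap "$candidate" "$dest"; then
      echo "conflict: $candidate overlaps existing route $dest" >&2
      conflicts=$(( conflicts + 1 ))
    fi
  done <<EOF
$routes
EOF
  [ "$conflicts" -eq 0 ]
}

# Stand-alone demonstration with the guide's choice of 192.168.40.0/24.
if tunnel_network_is_free 192.168.40.0/24 "$ROUTES_SAMPLE"; then
  echo "192.168.40.0/24 is free to use as the Tunnel Network"
fi
```

Run it before committing to a Tunnel Network; a non-zero exit with a `conflict:` line means pick another range, because OpenVPN would otherwise install a route that shadows, or is shadowed by, the existing one.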

Client Settings⚓︎

  • Dynamic IP
    • Checked, so clients keep their session when their source address changes (roaming between networks).
  • Topology
    • Select Subnet -- One IP address per client in a common subnet
  • DNS Default Domain
    • Leave blank
  • DNS Server
    • 185.228.168.9 & 185.228.169.9 (the resolvers used in this guide; substitute the ones your clients should use). Because Redirect Gateway is checked, DNS servers must be pushed here, otherwise clients keep using their local resolver and their DNS queries leave the tunnel.
  • Leave the rest as-is and select Next.

Firewall Rule Configuration⚓︎

The wizard can add the firewall rules needed for these connections:

  • Firewall Rules
    • Checked. Adds a WAN rule permitting inbound UDP to the Local Port (1194) on the firewall itself.
  • OpenVPN Rule
    • Checked. Adds a rule on the OpenVPN interface permitting traffic from connected clients. The rule the wizard creates passes any traffic; once connectivity is confirmed, narrow it to the Local Network and the ports remote users actually need.
  • Select Next and click Finish to complete.

Add User Certificates⚓︎

  • Navigate to System > User Manager
  • Click +Add to add a new user
  • Populate the Username, Password and Full Name fields
  • Check the Click to create a user certificate check box.
  • Enter the username in the Descriptive Name field.
  • Select the correct Certificate Authority (CA).
  • Key Length: 2048 bits
  • Lifetime: 3650 (days). A shorter lifetime limits how long a lost or copied certificate stays usable. Whatever the value, when a user leaves or a device is lost, revoke the certificate under System > Cert. Manager > Certificate Revocation and select that CRL on the OpenVPN server, so the certificate is rejected even if the password is also known.
  • Click Save

Install the OpenVPN Client Export Package⚓︎

  • Navigate to System > Packages > Available Packages
  • Find OpenVPN-Client-Export in the list and install.

Export the Configuration⚓︎

  • Navigate to VPN > OpenVPN > Client Export
  • Choose the VPN from the Remote Access Server dropdown.
  • Leave everything else as the defaults. Host Name Resolution defaults to the WAN interface address; if that address can change, select Other and enter a DNS name that resolves to the firewall.
  • Find the user in the list at the bottom of the page, and then select the appropriate configuration to export. The export bundles the CA certificate, the user's certificate and private key, and the TLS key, so treat the file as a credential and deliver it over a trusted channel.
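The exported profile is what every remote user ends up with, so it is worth checking that it reflects the Cryptographic Settings and Tunnel Settings chosen above (AES-256-GCM, SHA256, TLS Authentication, no compression) before handing it out. The script below is an added example, not the page's or the pfSense Client Export package's own code. The two profiles it lints are constructed to resemble an export, with placeholder PEM bodies, and are not real output; the directive names are OpenVPN's own.

```shell
#!/bin/sh
# Added example: lint an exported OpenVPN client profile against the settings
# chosen in this guide. Not part of the guide or of the Client Export package.

# Constructed profile resembling a Client Export of the server configured above.
# PEM bodies are placeholders, not real key material.
GOOD_PROFILE='dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote vpn.example.net 1194 udp4
auth-user-pass
remote-cert-tls server
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>'

# Constructed profile with the weak choices the guide steers away from.
WEAK_PROFILE='client
dev tun
remote 203.0.113.10 1194 udp4
cipher BF-CBC
auth SHA1
comp-lzo yes
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>'

# has_directive PROFILE REGEX -> exit 0 if some line of PROFILE matches REGEX
has_directive() {
  printf '%s\n' "$1" | grep -Eq "$2"
}

# require_directive PROFILE REGEX MESSAGE -> exit 0 if present, else report it
require_directive() {
  has_directive "$1" "$2" && return 0
  echo "missing: $3"
  return 1
}

# lint_profile PROFILE -> prints one line per finding; returns the finding count
lint_profile() {
  local cfg="$1" n=0
  # Without remote-cert-tls, any certificate issued by the CA (another user's) could pose as the server.
  require_directive "$cfg" '^remote-cert-tls server' 'remote-cert-tls server' || n=$(( n + 1 ))
  # Local User Access means certificate plus password.
  require_directive "$cfg" '^auth-user-pass' 'auth-user-pass' || n=$(( n + 1 ))
  require_directive "$cfg" '^(cipher AES-256-GCM|data-ciphers .*AES-256-GCM)' 'AES-256-GCM data-channel cipher' || n=$(( n + 1 ))
  require_directive "$cfg" '^auth SHA256' 'auth SHA256 for the tls-auth HMAC' || n=$(( n + 1 ))
  require_directive "$cfg" '^(<tls-auth>|<tls-crypt>|tls-auth |tls-crypt )' 'TLS Authentication key' || n=$(( n + 1 ))
  require_directive "$cfg" '^<ca>' 'inline CA certificate' || n=$(( n + 1 ))
  # Compression was deliberately left off (VORACLE); any compress directive is a finding.
  if has_directive "$cfg" '^(comp-lzo|compress)'; then
    echo "present: compression enabled"
    n=$(( n + 1 ))
  fi
  return "$n"
}

# Stand-alone demonstration: the good profile is clean, the weak one is not.
if lint_profile "$GOOD_PROFILE"; then
  echo "profile matches the guide's settings"
fi
lint_profile "$WEAK_PROFILE" || echo "weak profile: $? finding(s)"
```

Pass a real export as the argument (for example `lint_profile "$(cat user.ovpn)"`) to check the file the user will actually install; a non-zero return means the export does not match the server settings this guide chose.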

References⚓︎

https://www.samueldowling.com/2018/11/27/how-to-configure-an-openvpn-remote-access-server-in-pfsense/