How to use pfSense VPN

pfSense supports several VPN protocols, including OpenVPN, IPsec and WireGuard (the last as an add-on package), which can be used to create authenticated, encrypted connections into your network from remote locations.

This guide will focus on setting up an OpenVPN server on pfSense. OpenVPN is a widely used and supported VPN protocol that provides a good balance between security, speed, and compatibility with various clients.

Here are the steps to set up an OpenVPN server on pfSense:

  1. Access the pfSense web GUI: Open a web browser on a LAN host and navigate to the pfSense web interface, https://192.168.1.1 by default. Log in with your admin credentials. Keep the GUI reachable only from the LAN; there is no reason to expose it on the WAN.
  2. Create a Certificate Authority (CA): Before setting up the OpenVPN server, you need a CA that will sign the server certificate and every user certificate. Go to System > Cert Manager > CAs tab, then click +Add. Fill in the Descriptive name, Method (choose “Create an internal Certificate Authority”), Key length (2048-bit RSA is the minimum; 4096 or an ECDSA key is fine if all your clients support it), Digest Algorithm (SHA256, never SHA1), Lifetime, and Distinguished name information. Click Save. The CA’s private key is stored in the firewall’s configuration, so anyone who obtains a configuration backup can issue certificates your VPN will trust: protect backups accordingly.
  3. Create a Server Certificate: Now go to the Certificates tab under System > Cert Manager and click +Add/Sign. Choose Method “Create an internal Certificate”, select the CA created in the previous step, and set Certificate Type to “Server Certificate”. This adds the server extended key usage that clients check with remote-cert-tls server, so a user certificate signed by the same CA cannot be used to impersonate the server. Use the public host name or IP address that clients will connect to as the Common Name, fill in the rest of the form (descriptive name, lifetime, etc.), and click Save.
  4. Set Up the OpenVPN Server: Navigate to VPN > OpenVPN. On the Servers tab, click +Add. There are a lot of options on this page, but the important ones to fill out are:
    • Server Mode: Select ‘Remote Access (SSL/TLS + User Auth)’.
    • Backend for authentication: Select ‘Local Database’.
    • Protocol: Select ‘UDP on IPv4 only’ (or IPv6 if your network supports it).
    • Device Mode: Select ‘tun – Layer 3 Tunnel Mode’.
    • Interface: Select ‘WAN’.
    • Local port: Leave the default (1194) unless it is already in use on the WAN address.
    • TLS Configuration: Check “Use a TLS Key” and “Automatically generate a TLS Key”, and set TLS Key Usage Mode to “TLS Encryption and Authentication” (tls-crypt). This encrypts and authenticates the control channel, so a host without the key cannot even start a TLS handshake with the server; the older “TLS Authentication” mode (tls-auth) only authenticates it.
    • Peer Certificate Authority: Select the CA you created earlier.
    • Server Certificate: Select the server certificate you created earlier.
    • DH Parameter length: Select ‘2048 bit’.
    • Data Encryption Algorithms (labelled Encryption Algorithm on older releases): Select AES-256-GCM. On pfSense 2.5 and later you may also allow AES-128-GCM and CHACHA20-POLY1305 and set the Fallback Data Encryption Algorithm to AES-256-GCM. Do not allow CBC ciphers or “none”.
    • Auth Digest Algorithm: Select ‘SHA256 (256-bit)’ or stronger, never SHA1 or MD5. With an AEAD cipher such as AES-256-GCM this digest protects the TLS key and control channel rather than the data channel, but it still matters.
    • Tunnel Network: Specify a network for the VPN clients. This must not overlap your LAN or WAN, and should also avoid ranges clients are likely to sit behind at home or in hotels (192.168.0.0/24, 192.168.1.0/24, 10.0.0.0/24), since an overlap on the client side breaks routing. For example, ‘10.0.8.0/24’.
    • Redirect Gateway: If you want all traffic from the clients to be routed through the VPN, check ‘Force all client-generated IPv4 traffic through the tunnel’.
    • Concurrent connections: Specify the number of clients that can connect to the VPN at the same time.
    • Compression: Disable it. Compressing traffic before encryption lets an attacker who can inject known plaintext recover secrets from ciphertext lengths (the VORACLE class of attacks), and OpenVPN has deprecated compression for this reason. Choose the option that refuses or omits compression rather than leaving it to be negotiated with the client.
    • Type-of-Service: Leave this unchecked unless you have specific needs.
    • Duplicate Connections: Leave this unchecked unless you have a specific use case.
    • Disable IPv6: Check this if you’re not using IPv6.
  5. Save and Apply Changes: Click Save at the bottom of the page, and then Apply Changes.
  6. Set Up Firewall Rules: Two rules are needed. First, on the WAN tab under Firewall > Rules, add a rule that passes UDP from any source to the WAN address on port 1194 (the Local port from step 4); without it, the default deny on WAN silently drops every connection attempt. Second, on the ‘OpenVPN’ tab, add a rule that controls what connected clients may reach. A rule with ‘Protocol’ set to ‘Any’, ‘Source’ to ‘any’ and ‘Destination’ to ‘any’ gets you going, but it grants every VPN user the same access as a LAN host; once the tunnel works, tighten it to Source set to the tunnel network (10.0.8.0/24 in the example) and only the destinations and ports your users need. Click ‘Save’, and then ‘Apply Changes’.
  7. Create Users and Export Configuration: Because the server uses SSL/TLS + User Auth, every user needs both a password and a certificate signed by the VPN CA. Go to System > User Manager, click +Add, set the username and password, tick ‘Click to create a user certificate’, choose the CA from step 2, and save. Then install the ‘openvpn-client-export’ package via System > Package Manager > Available Packages. After installation, VPN > OpenVPN > Client Export lists each user certificate and lets you download ready-made configuration files for various types of clients. Treat each exported bundle as a secret: it contains the user’s private key and the TLS key.

That’s it! You’ve set up an OpenVPN server on pfSense. To connect, install an OpenVPN client on your device (such as Tunnelblick for macOS, OpenVPN GUI or OpenVPN Connect for Windows, or the OpenVPN Connect app for iOS and Android), and import the configuration file you exported.
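Before importing an exported profile, it is worth confirming that the settings chosen above actually made it into the file. The following is an added example, not part of pfSense or the openvpn-client-export package: a small Python checker that parses a .ovpn profile and flags a missing server-certificate check, weak or non-AEAD ciphers, a weak digest, compression, an unprotected control channel, and a missing credential prompt. The two profiles inside it are constructed for illustration (the host name vpn.example.com and the stubbed key blocks are placeholders); a real export also carries the CA, the user certificate and its private key inline.

```python
import ipaddress  # kept for the overlap check some readers add; unused by the audit itself

STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}

# Constructed sample profiles, not real exports: the PEM material a real
# export carries in <ca>, <cert>, <key> and <tls-crypt> blocks is stubbed.
HARDENED_PROFILE = """\
client
remote vpn.example.com 1194 udp4
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256
auth-user-pass
remote-cert-tls server
verify-x509-name "vpn.example.com" name
<tls-crypt>
(key material omitted)
</tls-crypt>
"""
WEAK_PROFILE = """\
client
remote vpn.example.com 1194 udp
cipher AES-256-CBC
auth SHA1
comp-lzo
<tls-auth>
(key material omitted)
</tls-auth>
"""


def parse_profile(text):
    """Return (directives, blocks): directive name -> list of argument lists
    ('remote' may repeat) and the set of <tag> sections present; the bodies
    of those sections (key material) are skipped."""
    directives, blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if current:                       # inside <tag> ... </tag>
            if line == f"</{current}>":
                current = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            current = line[1:-1]
            blocks.add(current)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, blocks


def audit_profile(text):
    """Return a list of findings; an empty list means every check passed."""
    d, blocks = parse_profile(text)
    findings = []
    # Insist on a *server* certificate at the far end (otherwise any cert the
    # CA signed, e.g. another user's, could pose as the server) and pin its name.
    if ["server"] not in d.get("remote-cert-tls", []):
        findings.append("missing 'remote-cert-tls server'")
    if "verify-x509-name" not in d:
        findings.append("missing 'verify-x509-name'")
    # Control channel: tls-crypt encrypts and authenticates the TLS handshake,
    # tls-auth only authenticates it, nothing leaves it open to anyone on the port.
    if not ("tls-crypt" in blocks or "tls-crypt" in d):
        if "tls-auth" in blocks or "tls-auth" in d:
            findings.append("tls-auth in use; prefer tls-crypt")
        else:
            findings.append("no tls-crypt/tls-auth key on the control channel")
    # Data channel: only AEAD ciphers should be negotiable.
    ciphers = []
    for args in d.get("data-ciphers", []):
        ciphers += args[0].split(":") if args else []
    for args in d.get("cipher", []) + d.get("data-ciphers-fallback", []):
        ciphers += args[:1]
    if not ciphers:
        findings.append("no cipher configured")
    findings += [f"weak or non-AEAD cipher allowed: {c}"
                 for c in ciphers if c.upper() not in STRONG_CIPHERS]
    # HMAC digest, used by tls-crypt/tls-auth and by any CBC cipher.
    auth = d.get("auth", [[]])[0]
    if not auth:
        findings.append("no 'auth' digest set (OpenVPN defaults to SHA1)")
    elif auth[0].upper() in WEAK_DIGESTS:
        findings.append(f"weak auth digest: {auth[0]}")
    # Compression leaks plaintext through ciphertext length (VORACLE-style
    # attacks); only the framing-only 'compress stub' variants are acceptable.
    if "comp-lzo" in d:
        findings.append("'comp-lzo' present; disable compression")
    for args in d.get("compress", []):
        if args and args[0].lower() not in ("stub", "stub-v2"):
            findings.append(f"compression enabled: compress {args[0]}")
    # 'SSL/TLS + User Auth' server mode also needs the credential prompt.
    if "auth-user-pass" not in d:
        findings.append("missing 'auth-user-pass'")
    return findings


if __name__ == "__main__":
    for label, profile in (("hardened", HARDENED_PROFILE), ("weak", WEAK_PROFILE)):
        print(label, audit_profile(profile) or ["OK"])
```

Run it against the file produced by the Client Export tab. Each finding maps back to a setting in step 4: the control-channel finding to TLS Key Usage Mode, the cipher and digest findings to the Data Encryption Algorithms and Auth Digest Algorithm fields, the compression finding to the Compression setting, and the certificate findings to the Server Certificate type chosen in step 3.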

Please note: This is a basic OpenVPN setup and it will need further tuning for your network environment and security needs, for example per-user firewall rules or an external authentication backend such as RADIUS or LDAP. A VPN also adds CPU load and latency, so test throughput before relying on it.