pfSense software is a free, open source firewall and router platform based on FreeBSD that turns old PCs into dedicated firewall appliances. Its modular architecture gives administrators wide flexibility in selecting packages that extend functionality from basic NAT and firewalling all the way up to commercial-grade VPN capabilities.
OpenVPN is one of the most widely trusted open source solutions for establishing encrypted tunnels that carry sensitive traffic securely across untrusted networks. Combined with the routing and firewall rule management capabilities of pfSense, it yields a high performance yet affordable site-to-site connectivity platform suited to SMBs as well as multi-location enterprises.
This guide examines configuring OpenVPN on pfSense in two major ways: first, OpenVPN's role in providing remote access for road-warrior clients; then, using OpenVPN to link entire private networks through pfSense's site-to-site VPN capabilities. Read on for a comprehensive discussion of OpenVPN server deployment within the pfSense firewall distribution.
Setting Up an OpenVPN Remote Access Server in pfSense
pfSense ships with built-in support for OpenVPN SSL/TLS encrypted tunnels, which makes rolling out Windows, Linux and macOS client endpoints straightforward:
- Navigate to VPN > OpenVPN > Wizards
- Select Remote Access Setup
- Check Enable and describe the purpose of the service
- Enter a tunnel network appropriate for your client base (10.8.0.0/24 suits most deployments)
- Define the DNS resolver and domain parameters
- Leave the other advanced options at their defaults unless needed
- Click Save on the final page
The wizard automatically generates the necessary certificates, signed by the built-in pfSense CA, along with a base configuration. Additional refinements help harden things further:
Lock Down Access Control
- Navigate to VPN > OpenVPN > Servers tab
- Select Remote server just created
- Under Client Settings, define an explicit list of Allowed Clients based on existing certificate IDs or trusted source IPs
This scope-down authorization restricts remote access to designated users and source locations rather than leaving the service globally open.
Isolate Virtual Address Pool
The Client Virtual IP assignment pool supplies the addresses clients use inside the tunnel, but it often overlaps private LAN space, which is not ideal for routing and permission segmentation. Allocating a dedicated range for the pool avoids conflicts.
- Navigate to VPN > OpenVPN > Servers tab
- Under Tunnel Settings, change the tunnel network to a separate subnet dedicated to VPN clients rather than one that conflicts with the existing LAN. A common pattern:
- LAN Network: 192.168.1.x
- VPN Pool: 10.6.x.x
With credentials and access controls defined, we can download the client installation files packaged by pfSense or use third-party VPN managers for added convenience.
Generate Client Config Files
pfSense includes the OpenVPN Client Export Utility, which automatically prepares files for configuration on Windows, macOS and *nix platforms:
- Navigate to VPN > OpenVPN > Client Export tab
- Authenticate with admin credentials
- Select the appropriate remote access server to base the files on, along with the target platform
- Transfer the downloaded configuration zip file from the browser to the endpoint device(s)
- Import the provided files into any standard OpenVPN tool such as Tunnelblick or Viscosity
This streamlines endpoint rollout and minimizes manual client-side adjustments. Consider standardizing profiles going forward.
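An exported profile is only as strong as the directives it carries, so it is worth checking a .ovpn file before handing it to users. The script below is an added example and is not part of pfSense, the Client Export Utility or OpenVPN; the two sample profiles are constructed, the hostname vpn.example.invalid is a placeholder, and the directive list reflects common OpenVPN client hardening guidance (peer certificate role check, control-channel key, server name pinning, SHA-256 HMAC, AEAD data ciphers, no legacy ciphers, no compression).

```shell
#!/bin/sh
# Added example (not pfSense or OpenVPN code): audit an exported OpenVPN
# client profile for the hardening directives a defender expects to see.
# Usage: sh audit_ovpn.sh /path/to/exported.ovpn
# Without an argument it runs against the two constructed samples below.

# Constructed sample resembling a hardened Client Export profile.
HARDENED_PROFILE='client
dev tun
proto udp4
remote vpn.example.invalid 1194
remote-cert-tls server
auth SHA256
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-CBC
verify-x509-name "vpn.example.invalid" name
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-crypt>'

# Constructed sample of a weak legacy profile.
WEAK_PROFILE='client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth SHA1
comp-lzo'

# require FILE PATTERN MESSAGE : report when a required directive is absent
require() {
    grep -Eq "$2" "$1" && return 0
    printf 'FINDING: %s\n' "$3"
    return 1
}

# forbid FILE PATTERN MESSAGE : report when an unwanted directive is present
forbid() {
    grep -Eq "$2" "$1" || return 0
    printf 'FINDING: %s\n' "$3"
    return 1
}

# audit_profile FILE : prints one line per finding; exit status = number of findings
audit_profile() {
    f="$1"; n=0
    require "$f" '^remote-cert-tls server' \
        'missing remote-cert-tls server (client would accept any valid cert as the server)' || n=$((n+1))
    require "$f" '^(<tls-(auth|crypt)>|tls-(auth|crypt) )' \
        'control channel not protected by tls-auth or tls-crypt' || n=$((n+1))
    require "$f" '^verify-x509-name ' \
        'missing verify-x509-name (server identity not pinned)' || n=$((n+1))
    require "$f" '^auth SHA(256|384|512)' \
        'HMAC auth not set to SHA-256 or stronger' || n=$((n+1))
    require "$f" '^data-ciphers .*GCM' \
        'no AEAD (GCM) data cipher offered via data-ciphers' || n=$((n+1))
    forbid "$f" '^(cipher|data-ciphers) .*(BF-CBC|DES|RC4)' \
        'legacy cipher present (BF-CBC, DES or RC4)' || n=$((n+1))
    forbid "$f" '^(comp-lzo|compress)' \
        'compression enabled (exposes tunnel traffic to compression side channels)' || n=$((n+1))
    return "$n"
}

# Stand-alone run: audit a given file, or demonstrate on the constructed samples.
if [ -n "${1:-}" ]; then
    audit_profile "$1"; echo "findings: $?"
else
    for name in HARDENED_PROFILE WEAK_PROFILE; do
        tmp=$(mktemp)
        eval "printf '%s\n' \"\$$name\"" > "$tmp"
        echo "== $name =="
        audit_profile "$tmp"; echo "findings: $?"
        rm -f "$tmp"
    done
fi
```

The hardened sample produces no findings; the legacy sample trips all seven checks. Adding a check is one more `require` or `forbid` line, which keeps the audit easy to align with whatever baseline your export profiles are meant to follow.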
Site-to-Site VPN with Viscosity
Moving beyond basic remote access, pfSense also supports site-to-site connections that join entire networks, using OpenVPN's TLS mode to secure traffic between peer firewalls rather than between individual remote client devices.
Viscosity is one of many endpoint VPN managers that can manage tunnels across Windows, macOS, iOS and Android clients and pfSense alike, and it also serves in site-to-site scenarios:
- Run the Client Export Utility from earlier, making sure the Viscosity bundle option is checked
- Import the profile into the Viscosity application on OS X or Windows and confirm it connects
- Repeat the export, this time selecting 'Make config bundle for another OpenVPN server'
- Enter parameters matching the destination site's WAN details
- Transfer the zipped configuration bundle to the peer pfSense firewall instance
- Import the profile there into Viscosity or any standard OpenVPN client
- Save and connect the bidirectional tunnel
This handshake establishes fully encrypted site-to-site communication channels secured by OpenVPN's TLS stack.
Manual OpenVPN Interface Configuration in pfSense
Beyond the point-and-click VPN Wizards, pfSense also allows OpenVPN deployment through manual configuration at the FreeBSD level for advanced users. A full walkthrough would exceed the scope of this piece, but the key steps involve:
- Creating the necessary Certificate Authority and cryptographic infrastructure
- Configuring the OpenVPN daemon itself under /usr/local/etc/openvpn
- Binding the tunnel interface into a bridge via /usr/local/etc/rc.d startup scripts
- Injecting rules that govern traffic handling within IPF on FreeBSD
Bridged configurations in particular allow VPN traffic to be decrypted on the firewall itself, which maximizes flexibility in managing remote and local access permissions in a unified rule set.
Study the pfSense documentation covering Hardening OpenVPN Security, including oe-Theft Protection assignment and TLS Cryptographies, to move to modern cipher suites beyond the dated defaults.
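The two pieces of planning that recur above, keeping the VPN pool out of the LAN's address space and writing the daemon's server directives by hand, both come down to a little CIDR arithmetic. The script below is an added example, not pfSense's own configuration generator: it checks that two CIDR blocks do not overlap, then renders the server-side OpenVPN directives for a non-overlapping pool, including the hardened cipher and TLS settings discussed above. The /usr/local/etc/openvpn directory comes from the text; the ta.key filename under it is an assumption, and the CIDRs used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not pfSense code): CIDR overlap check for the VPN pool
# plus rendering of hardened OpenVPN server directives.
# Assumes dotted-quad addresses without leading zeros and prefixes 1..32.

# ip_to_int DOTTED_QUAD : convert to a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INTEGER : convert back to dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_from_prefix N : netmask for /N as an integer (/24 -> 4294967040)
mask_from_prefix() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# network_of CIDR : print "<network-int> <mask-int>"
network_of() {
    ip=${1%/*}; prefix=${1#*/}
    m=$(mask_from_prefix "$prefix")
    echo "$(( $(ip_to_int "$ip") & m )) $m"
}

# cidr_overlap CIDR1 CIDR2 : exit 0 if the two blocks share any address
cidr_overlap() {
    set -- "$(network_of "$1")" "$(network_of "$2")"
    n1=${1% *}; m1=${1#* }; n2=${2% *}; m2=${2#* }
    # Two blocks overlap iff they agree under the shorter (numerically smaller) mask.
    if [ "$m1" -lt "$m2" ]; then m=$m1; else m=$m2; fi
    [ "$(( n1 & m ))" -eq "$(( n2 & m ))" ]
}

# render_server_directives LAN_CIDR VPN_CIDR : print server directives,
# or fail with a message if the pool collides with the LAN.
render_server_directives() {
    if cidr_overlap "$1" "$2"; then
        echo "error: VPN pool $2 overlaps LAN $1; choose a dedicated tunnel subnet" >&2
        return 1
    fi
    set -- "$1" "$2" $(network_of "$2") $(network_of "$1")
    # $3/$4 = VPN network/mask, $5/$6 = LAN network/mask (integers)
    cat <<EOF
# Tunnel subnet dedicated to VPN clients (kept separate from the LAN)
server $(int_to_ip "$3") $(int_to_ip "$4")
topology subnet
# Advertise the LAN to connecting clients
push "route $(int_to_ip "$5") $(int_to_ip "$6")"
# Only accept peers whose certificate carries the client role
remote-cert-tls client
# Control-channel key path is an assumption for this example
tls-crypt /usr/local/etc/openvpn/ta.key
auth SHA256
data-ciphers AES-256-GCM:AES-128-GCM
EOF
}

# Stand-alone demonstration with constructed networks from the text's pattern.
render_server_directives 192.168.1.0/24 10.6.0.0/24
render_server_directives 192.168.1.0/24 192.168.0.0/16
```

The second call in the demonstration fails on purpose: a /16 pool covering 192.168.0.0 swallows the 192.168.1.0/24 LAN, which is exactly the conflict the Isolate Virtual Address Pool section warns about. Run the check against every LAN and remote site subnet that the tunnel will route, not just the local one.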
Once OpenVPN connectivity between sites is established, properly governing route handling and permissions requires tight firewall policies that segment access.
Common patterns include:
- Leave the VPN zone largely unrestricted internally but limit the broader WAN through tight INPUT filtering
- Place the VPN Client Address Pool on an isolated interface lacking outward LAN visibility
- Introduce restrictive Source NAT preventing VPN clients from reaching private address space
- Implement Kill States to flush all site VPN connections if WAN links flap excessively
Ongoing refinement that balances remote access convenience against internal visibility makes VPN firewall rules some of the most critical to review as infrastructures evolve. Consider scheduling periodic audits.
With OpenVPN's open-source pedigree and its clean fit into both site-to-site and remote access modes, integrating it with pfSense unlocks enterprise-grade VPN versatility. This article explored the key options for getting started, but many additional tuning avenues around encryption, authentication and routing extend the possibilities further as needs grow from humble beginnings.
Examine the documentation covering OpenVPN and IPsec, as well as commercial options such as Netgate Global VPN, for expanded capabilities as complexity increases. Building administrator fluency in advanced VPN servicing unlocks tremendous value.