OpenVPN Client Export Package¶
The easiest way to configure an OpenVPN client on most platforms is to use the OpenVPN Client Export Package on the pfSense firewall.
Install the OpenVPN Client Export Utility package as follows:
Navigate to System > Packages
Locate the OpenVPN Client Export package in the list
Click Install next to that package listing to install
Once installed, it can be found at VPN > OpenVPN, on the Client Export tab.
The options for the package include:
- Remote Access Server
Pick the OpenVPN server instance for which a client will be exported. If there is only one OpenVPN remote access server there will only be one choice in the list. The list will be empty if there are no Remote Access mode OpenVPN servers.
- Host Name Resolution
Controls how the “remote” entry the client is formatted.
- Interface IP Address
When chosen, the interface IP address is used directly. This is typically the best choice for installations with a static IP address on WAN.
- Automagic Multi-WAN IPs
This option is useful when redirecting multiple ports using port forwards for deployments that utilize multi-WAN or multiple ports on the same WAN. It will seek out and make entries for all port forwards that target the server and use the destination IP address used on the port forward in the client configuration.
- Automagic Multi-WAN DDNS Hostnames
Similar to the previous option, but it uses the first Dynamic DNS entry it finds that matches the chosen destination.
- Installation Hostname
Places the firewall’s hostname, defined under System > General Setup, into the client configuration. The hostname must exist in public DNS so it can be resolved by clients.
- Dynamic DNS Hostname Entries
Each Dynamic DNS hostname configured on the firewall is listed here. These are typically the best choice for running a server on a single WAN with a dynamic IP address.
Presents a text box in which a hostname or IP address can be entered for the client to use.
- Verify Server CN
Specifies how the client will verify the identity of the server certificate. The CN of the server certificate is placed in the client configuration, so that if another valid certificate pretends to be the server with a different CN, it will not match and the client will refuse to connect.
- Automatic - Use verify-x509-name where possible
This is the best for current clients. Older methods have been deprecated since this method is more accurate and flexible.
- Use tls-remote
This can work on older clients (OpenVPN 2.2.x or earlier) but it will break newer clients as the option has been deprecated.
- Use tls-remote and quote the server CN
Works the same as tls-remote but adds quotes around the CN to help some clients cope with spaces in the CN.
- Do not verify the server CN
Disables client verification of the server certificate common name.
- Use Random Local Port
For current clients, the default (checked) is best, otherwise two OpenVPN connections cannot be run simultaneously on the client device. Some older clients do not support this, however.
- Use Microsoft Certificate Storage
Under Certificate Export Options, for exported installer clients this will place the CA and user certificate in Microsoft’s certificate storage rather than using the files directly.
- Use a password to protect the pkcs12 file contents
When checked, enter a Password and confirm it, then the certificates and keys supplied to the client will be protected with a password. If the OpenVPN server is configured for user authentication this will cause users to see two different password prompts when loading the client: One to decrypt the keys and certificates, and another for the server’s user authentication upon connecting.
- Use Proxy
If the client will be located behind a proxy, check Use proxy to communicate with the server and then supply a Proxy Type, IP Address, Port, and Proxy Authentication with credentials if needed.
When checked, this option will bundle the Windows installer with OpenVPNManager GUI in addition to the normal Windows client. This alternate GUI manages the OpenVPN service in such a way that it does not require administrator-level privileges once installed.
- Additional configuration options
Any extra configuration options needed for the client may be placed in this entry box. This is roughly equivalent to the Advanced options box on the OpenVPN configuration screens, but from the perspective of the client.
There is no mechanism to save these settings, so they must be checked and set each time the page is visited.
Client Install Packages List¶
Under Client Install Packages is a list of potential clients to export. The contents of the list depend on how the server is configured and which users and certificates are present on the firewall.
The following list describes how the server configuration style affects the list in the package:
- Remote Access (SSL/TLS)
User certificates are listed which are made from the same CA as the OpenVPN server
- Remote Access (SSL/TLS + User Auth – Local Users)
User entries are listed for local users which also have an associated certificate made from the same CA as the OpenVPN server.
- Remote Access (SSL/TLS + User Auth – Remote Authentication)
Because the users are remote, user certificates are listed which are made from the same CA as the OpenVPN server. It is assumed that the username is the same as the common name of the certificate.
- Remote Access (User Auth – Local Users or Remote Authentication)
A single configuration entry is shown for all users since there are no per-user certificates.
The example setup from the wizard made previously in this chapter was for SSL/TLS + User Auth with Local Users, so one entry is shown per user on the system which has a certificate created from the same CA as the OpenVPN server.
If no users are shown, or if a specific user is missing from the list, the user does not exist or the user does not have an appropriate certificate. See Local Users for the correct procedure to create a user and certificate.
Client Install Package Types¶
Numerous options are listed for each client that export the configuration and associated files in different ways. Each one accommodates a different potential client type.
Downloads a ZIP archive containing the configuration file, the server’s TLS key if defined, and a PKCS#12 file which contains the CA certificate, client key, and client certificate. This option is usable with Linux clients or Tunnelblick, among others.
- File Only
Downloads only the basic configuration file, no certificates or keys. This would mainly be used to see the configuration file itself without downloading the other information.
This choice downloads a single configuration file with the certificates and keys inline. This format is ideal for use on all platforms, especially Android and iOS clients or for manually copying a configuration to a system that already has a client installed. This option will work for any client type based on OpenVPN version 2.1 or newer.
Used with the Android OpenVPN client mentioned in Android 4.x and later.
- OpenVPN Connect (iOS/Android)
Used with the OpenVPN Connect client on iOS or Android described in iOS.
Usable by any standard OpenVPN client on platforms such as Windows, OS X, or BSD/Linux. It also works well with Tunnelblick on OS X, simply download the inline config and drag it into the configurations folder for Tunnelblick.
SIP Phone archives¶
If the OpenVPN server is configured as SSL/TLS only without authentication then options will appear to export client configurations for several models of SIP handsets that support OpenVPN. Notable examples are the Yealink T28 and T38G, and SNOM phones. Installing the client to the phone varies by model, check the manufacturer’s documentation for more information.
Ensure the phone has a proper clock setup and/or NTP server, otherwise the certificates will fail to validate and the VPN will not connect.
Typically these handsets only support the use of SHA1 as a certificate hash. Ensure the CA, server certificate, and client certificates are all generated using SHA1 or they may fail. They may also only support a limited set of encryption algorithms such as AES-128-CBC. Consult the phone documentation for details.
The Windows Installer options create a simple-to-use executable installer file which contains the OpenVPN client with the configuration data embedded. The installer runs like the normal Windows OpenVPN client installer, but it also copies all of the settings and certificates needed. See Windows Installation below for some notes on how to install and run the Windows client.
Currently, there are four options available:
32-bit installer usable on Windows XP and later
64-bit installer usable on Windows XP and later
32-bit installer usable on Windows Vista and later and includes a newer tap driver
64-bit installer usable on Windows Vista and later and includes a newer tap driver
Be sure to click next/finish all the way through the installation process. Do not click cancel or X out the install at any step, or the client system may be left with the client installed but no imported configuration.
On Windows Vista, 7, 8, 10 and later with UAC (User Account Control) enabled, the client must be run as Administrator. Right click the OpenVPN GUI icon and click Run as Administrator for it to work. It can connect without administrative rights, but it cannot add the route needed to direct traffic over the OpenVPN connection, leaving it unusable. The properties of the shortcut may be set to always launch the program as Administrator. This option is found on the Compatibility tab of the shortcut properties. One way around that requirement is to check OpenVPNManager before exporting to use an alternate OpenVPN management GUI on Windows.
The Viscosity client is also available for Windows and it does not require administrative privileges to run properly.