Netgate is offering COVID-19 aid for pfSense software users, learn more.
- OpenVPN and IPv6
- OpenVPN Configuration Options
- Using the OpenVPN Server Wizard for Remote Access
- Configuring Users
- OpenVPN Client Installation
- Site-to-Site Example (Shared Key)
- Site-to-Site Example Configuration (SSL/TLS)
- Checking the Status of OpenVPN Clients and Servers
- Permitting traffic to the OpenVPN server
- Allowing traffic over OpenVPN Tunnels
- OpenVPN clients and Internet Access
- Assigning OpenVPN Interfaces
- NAT with OpenVPN Connections
- OpenVPN and Multi-WAN
- OpenVPN and CARP
- Bridged OpenVPN Connections
- Custom configuration options
- Sharing a Port with OpenVPN and a Web Server
- Controlling Client Parameters via RADIUS
- Troubleshooting OpenVPN
OpenVPN is an open source SSL VPN solution that can be used for remote access clients and site-to-site connectivity. OpenVPN supports clients on a wide range of operating systems including all the BSDs, Linux, Android, Mac OS X, iOS, Solaris, Windows 2000 and newer, and even some VoIP handsets.
Every OpenVPN connection, whether remote access or site-to-site, consists of a server and a client. In the case of site-to-site VPNs, one firewall acts as the server and the other as the client. It does not matter which firewall possesses these roles. Typically the location of the primary firewall will provide server connectivity for all remote locations, whose firewalls are configured as clients. This is functionally equivalent to the opposite configuration the primary location configured as a client connecting to servers running on the firewalls at the remote locations. In practice, the servers are nearly always run on a central location.
There are several types of authentication methods that can be used with OpenVPN: shared key, X.509 (also known as SSL/TLS or PKI), user authentication via local, LDAP, and RADIUS, or a combination of X.509 and user authentication. For shared key, a single key is generated that will be used on both sides. SSL/TLS involves using a trusted set of certificates and keys. User authentication can be configured with or without SSL/TLS, but its use is preferable where possible due to the increased security is offers.
The settings for an OpenVPN instance are covered in this chapter as well as a run-through of the OpenVPN Remote Access Server wizard, client configurations, and examples of multiple site-to-site connection scenarios.
While OpenVPN is an SSL VPN, it is not a “clientless” SSL VPN in the sense that commercial firewall vendors commonly state. The OpenVPN client must be installed on all client devices. In reality no VPN solution is truly “clientless”, and this terminology is nothing more than a marketing ploy. For more in depth discussion on SSL VPNs, this post from Matthew Grooms, an IPsec tools and pfSense® developer, in the mailing list archives provides some excellent information.
For general discussion of the various types of VPNs available in pfSense and their pros and cons, see Virtual Private Networks.
OpenVPN and Certificates¶
Using certificates is the preferred means of running remote access VPNs, because it allows access to be revoked for individual machines. With shared keys, either a unique server and port for must be created for each client, or the same key must be distributed to all clients. The former gets to be a management nightmare, and the latter is problematic in the case of a compromised key. If a client machine is compromised, stolen, or lost, or otherwise needs revoked, the shared key must be re-issued to all clients. With a PKI deployment, if a client is compromised, or access needs to be revoked for any other reason, simply revoke that client’s certificate. No other clients are affected.
The pfSense GUI includes a certificate management interface that is fully integrated with OpenVPN. Certificate authorities (CAs) and server certificates are managed in the Certificate Manager in the web interface, located at System > Cert Manager. User certificates are also managed in the web interface, as a part of the built-in user manager found at System > User Manager. Certificates may be generated for any user account created locally on the firewall except for the default admin account. For further information on creating a certificate authority, certificates, and certificate revocation lists, see Certificate Management.