VPN SETUP FOR pfSense 2.3.3
We are going to setup pfSense 2.3.3 with openvpn in a simple LAN and WAN environment, where WAN is connected to the internet, and LAN will be the OpenVPN connection.
We are using our German VPN as an example.
The zip file contains various .conf files (which should NOT be used for pfSense) as well as a folder called “ssl”. Within that folder, there are two files we need:
ca.crt (Certification Authority certificate) and ta.key (Transport Layer Security key)
In pfSense, navigate to System > Cert Manager, and under the CAs tab, click the + Add button to add a new CA.
Descriptive name: blackVPN CA
Certificate data: open ssl/ca.crt in a text editor, select all the text in the file and copy it to your clipboard, paste it into the box for the Certificate Data.
Create OpenVPN Client
Go to VPN > OpenVPN, and click the Clients tab. Then click the “+ Add” button to add a new client.
Description: Descriptive name of the VPN (blackVPN Germany, for example)
Server host name resolution: check Infinitely resolve server
Server port: 443
Server host or address: Choose your server from the list below. (vpn.blackvpn.de, for example)
blackVPN server list:
Also remember to fill in your blackVPN username and password.
Uncheck “Automatically generate a shared TLS authentication key”, which will reveal a Key box where you should paste in the content of ta.key
Key: Go back to the files you downloaded from blackVPN, open ssl/ta.key in a text editor, and copy its contents to your clipboard, then paste it in the Key box.
Peer Certificate Authority: set to “blackVPN CA” that we created earlier
Client Certificate:None (Username / Password required)
The Encryption Algorithm: AES-256-CBC
Auth Digest message digest algorithm: SHA512.
Compression: Enabled with adaptive compression.
Disable IPv6: Checked
Don’t pull routes: Checked
In the custom options we can add a local verify-x509-name check (this is optional)
Custom options: Choose your server name from the list below. (‘verify-x509-name de name’, example for Germany)
Click save. This will start the VPN in the background.
To confirm that is happening in pfSense, go to Status > System Logs, and click the OpenVPN tab.
The word you’re looking for are “Initialization Sequence Completed”, and the full log should look something like this:
You should do this after the VPN connection has been successfully established.
Navigate to Interfaces -> (assign)
Available network ports: select “ovpnc1(blackVPN Germany)”. Click the “+ Add” button to add the interface.
The new interface will be named “OPT1”, Click on “Interfaces > OPT1” to edit the interface.
IPv4 Configuration Type: DHCP
Click Save and Apply Changes.
Network Interfaces: All
Outgoing Network Interfaces: BLACK
System Domains Local Zone Type: Transparent
DNS Query Forwarding: uncheck
DHCP Registration: check
Static DHCP: check
While in DNS Resolver, select Advanced Settings.
Hide Identity: check
Hide Version: check
Prefetch Support: check
Prefetch DNS Key Support: check
Harden DNSSEC Data: uncheck
Click Save and Apply Changes.
First we are going to automatically create a set of rules, which we can then edit.
Navigate to Firewall -> NAT -> Outbound and select “Manual Outbound NAT rule generation”.
Press Save and then Apply Changes in the top of screen.
4 rules is now created like below:
We now need to edit each of the rules and change the Interface to OpenVPN on all the 4 rules.
Press the “edit pen” button on the first entry in the list.
Repeat this process for each of the 3 rules.
In the end all the rules should have OpenVPN Address as NAT Address, and it should look similar like below:
Now click Apply changes at the top of the page
Go to Firewall -> Rules -> LAN
Add a new rule by clicking on the “Add”(add top of list) button:
Address Family: IPv4
Click on Display Advanced and only change:
Click Save and Apply Settings
The screen should look something like this:
Preventing Traffic Leaks
To prevent traffic leaks, we will make the VPN Gateway the default route.
Go to System -> Routing -> Gateways
Edit the VPN gateway BLACK_DHCP-, by clicking on the Pen button.
Default Gateway: checked
Save, and then click “Apply Changes.”
The Gateway list should look something like this:
Since BLACK_DHCP-… is the default gateway, me must specify a WAN DNS that is public.
We use 220.127.116.11 (censurfridns.dk) but you can off course use another reliable third-party DNS server.
172.31.0.1 is the DNS server on the VPN.
Go to System -> General Setup.
DNS Server Override: uncheck
Disable DNS Forwarder: check
Save and Apply Settings
If you use a DHCP Server on the LAN interface to share the openvpn connection, you must add DNS 172.31.0.1 to it. (Prevents DNSLeaks)
Go to Services -> DHCP Server -> Lan
DNS servers: 172.31.0.1
Save and we are done!
Go to Status -> OpenVPN and restart OpenVPN by pressing the restart button.
That should be it. Give it a minute and it should work.
If no site loads, open a terminal and ping a reliable site like 18.104.22.168. If you get no response.
If Status -> OpenVPN shows that the link is up, and you can ping Internet sites, it’s probably DNS resolution that is the problem.
Recheck the DNS server(s) specified in Services->DHCP Server and System -> General Setup.