pfSense as an OpenVPN client

pfSense as an OpenVPN client.md

pfSense as an OpenVPN client for specific devices

Introduction

One of the most powerful features of pfSense is it’s ability to direct your data requests through different end-points using NAT rules. pfSense is amazing as an OpenVPN client because it can selectively route any device on the network through the VPN service (i.e., my tablets and TV go through US servers, while my smartphone, VoIP, computers go my local ISP).

This setup becomes extremely handy for use with applications which are not aware of OpenVPN protocol, eg. download managers, torrent clients, etc. Expecting privacy you should be positive that traffic won't go through your ISP's gateway in case of failure on side of VPN provider. And obviously OpenVPN client should automatically reconnect as soon as service goes live again.

Note: This How-To is meant for pfSense 2.1.x. For those using 2.2 Beta, there is a bug that prevents this from working. Read about here in the pfSense forum thread, “cannot NAT trough OPT1 interface on multiwan”. The bug has been filed in redmine and at the time of this writing, it has been fixed for IPv4 traffic.

Note: By the time of editing, in 2.2.4-RELEASE version of pfSense the only way to route traffic through OpenVPN client seems to be "redirect-gateway def1" advanced option, which redirects absolutely all traffic and pfSense default gateway becomes the same thing with OpenVPN client's gateway and not the ISP's one. There is a way to still route traffic to ISP avoiding VPN tunnel. Basically, in such case pfSense becomes an OpenVPN client for it's whole LAN subnet. This fact makes it clunky to use this guide on a main router because for each firewall rule you need to change default gateway to the right one. This why I use a separate pfSense virtual machine on a Proxmox server to provide VPN access for specific virtual machines using dedicated virtual subnet. Needles to say that I could also assign a physical interface for such purpose for use on some physical machines.

Configuration

Configure certificates:

• Go to System > Cert Manager
• In the CAs tab, click the + icon to add a new Certificate Authority
• Fill in a Descriptive name like “[VPN PROVIDER] CA”
• Copy and paste Certificate data. It can be found in one of two .crt files, provided by VPN service. In some cases .ovpn file may include Certificate Authority information between <ca>...</ca> tags. Do not include this tags. All certificates going into pfSense should have similar format:

-----BEGIN CERTIFICATE-----
MIIEYTCCA0mgAwIBAgIJAOP9Uyx2LzzOMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNV
BAThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherEP
MAThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBother0B
CQThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherYw
MzThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBothercT
DEThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherUg
Q0ThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherZI
hvThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBothertL
o/ThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherLM
liThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherLB
xgThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherEP
2QThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBother/o
1lThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherCB
4DThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherAU
c8ThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherUE
CBThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherVN
RTThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherBo
aWThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherUA
A4ThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherog
lpThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBother2h
z1ThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBother7W
NpThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBother8Y
HmThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherUo
brc4OSiSKdeskaqGQgWaObJCdsnB
-----END CERTIFICATE-----

• Click Save.
• Go to the Certificates tab and click the + icon to add your VPN certificate and private key.
• Fill in a Descriptive name like “[VPN PROVIDER] CERT”
• Copy and paste Certificate data. It can be found in one of two .crt files, provided by VPN service. In some cases .ovpn file may include Certificate information between <cert>...</cert> tags. Do not include this tags.
• Copy and paste Private key data. It can be found in .key file, provided by VPN service. In some cases .ovpn file may include private key information between <key>...</key> tags. Do not include this tags. All private keys going into pfSense should have similar format:

-----BEGIN PRIVATE KEY-----
MIIEYTCCA0mgAwIBAgIJAOP9Uyx2LzzOMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNV
BAThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherEP
MAThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBother0B
CQThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherYw
MzThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBothercT
DEThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherUg
Q0ThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherZI
hvThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBothertL
o/ThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherLM
liThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherLB
xgThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherEP
2QThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBother/o
1lThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherCB
4DThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherAU
c8ThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherUE
CBThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherVN
RTThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherBo
aWThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherUA
A4ThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherog
lpThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBother2h
z1ThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBother7W
NpThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBother8Y
HmThisIsOnlyAnExampleDoNotBotherThisIsOnlyAnExampleDoNotBotherUo
brc4OSiSKdeskaqGQgWaObJCdsnB
-----END PRIVATE KEY-----

• Click Save

Configure OpenVPN client:

• Go to VPN > OpenVPN
• Click the Client tab.
• Click the + icon to add a new client.

Note: Most of the settings on this tab totally depend on VPN provider.

These are important for the how-to:

• Interface set to WAN interface.
• Server host name resolution needs to be checked in order for client to automatically reconnect.
• Peer Certificate Authority and Client Certificate set to previosly defined.
• redirect-gateway def1 should persist in Advanced options to actually route traffic through VPN. These are the rest for my VPN provider:
• Server Mode = Peer to Peer ( SSL/TLS )
• Protocol = UDP => Server port = 1194
• Protocol = TCP => Server port = 443
• Device mode = tap
• Description = "[VPN Provider name]"
• TLS Authentication: unchecked Enable authentication of TLS packets

Note: if your VPN provider uses TLS Authentication you should check it, uncheck Automatically generate a shared TLS authentication key. and paste your shared key. It usually can be found in .ovpn configuration file between <tls-auth> ... </tls-auth> tags. Do not include this tags. Paste should look like this:

-----BEGIN OpenVPN Static key V1-----
4ThisIsOnlyAnExampleDoNotBother5
dThisIsOnlyAnExampleDoNotBother8
fThisIsOnlyAnExampleDoNotBother1
fThisIsOnlyAnExampleDoNotBother2
dThisIsOnlyAnExampleDoNotBother6
8ThisIsOnlyAnExampleDoNotBother2
5ThisIsOnlyAnExampleDoNotBother5
fThisIsOnlyAnExampleDoNotBotherd
8ThisIsOnlyAnExampleDoNotBother3
0ThisIsOnlyAnExampleDoNotBother5
5ThisIsOnlyAnExampleDoNotBother0
bThisIsOnlyAnExampleDoNotBother6
dThisIsOnlyAnExampleDoNotBotherc
3ThisIsOnlyAnExampleDoNotBother1
fThisIsOnlyAnExampleDoNotBother5
eThisIsOnlyAnExampleDoNotBother9
-----END OpenVPN Static key V1-----

• Encryption algorithm = BF-CBC (128-bit)
• Auth Digest Algorithm = RSA-SHA1 (160-bit)
• Hardware Crypto = BSD cryptodev engine - RSA, DSA, DH (Depends on CPU)
• Compression = Enabled with Adaptive Compression
• Advanced = ns-cert-type server;redirect-gateway def1;persist-key;persist-tun;mute 20;explicit-exit-notify
• Verbosity level = 4
• Click Save

Validate connection status:

• Go to Status > System Logs
• Select the OpenVPN tab.
• Verify that you have successfully connected. Specifically look for Initialization Sequence Completed statement. It may be anywhere between other log entries but should be tagged with time when you clicked Save on client configuration tab. If you don’t see it, it means you are not connected. Check your configuration again. Use the log to look for errors. These are probably flags in your advance options or encryption settings. Double check that you pasted right certificates and keys.

####Configure OpenVPN gateway interface:

• Go to Interfaces > (assign)
• In Available network ports: select ovpnc# [VPN Provider name] according to the Description given on client configuration step.
• Click the + icon and add a new interface. It will be called OPT#
• Click the OPT# name of new interface to configure it.
• Change the name of OPT# into something more useful, eg. name of VPN server.
• IPv4 Configuration Type = None
• IPv6 Configuration Type = None
• You may want to decide on Block private networks for your setup. Mine is unchecked since this pfSense is a virtual machine in a private network.
• Click Save

Verify working gateways:

• Go to Status > Dashboard
• Look for [VPN Provider name] entry in Interfaces table (Alternatively Status > Interfaces)
• Verify that you have an IP Address for your VPN.
• If no, try going to Status > Services and restarting OpenVPN service by clicking the play button next to OpenVPN client: [VPN Provider name]

Note: you may want to have OpenVPN table on dashboard to see client connection status. Click + icon right under Status: Dashboard header at the top of page, select OpenVPN and click Save Settings button.

• Go to System > Routing
• Verify that your gateways are available: there should be green play icon before [VPN Provider name]_VPNV4

Note: In pfSense 2.1.x or below that entry should have IP address Gateway column. If no , try opening the entry, scrolling down and clicking Save. That seemed to restart it. Note: In pfSense 2.2-Beta or above there probably would be dynamic in Gateway column of VPN entry.

Configure NAT

• Go to Firewall > NAT
• Select the Outbound tab.
• Note rules in automatically generated table.
• Select the Manual Outbound NAT Rule Generation (AON - Advanced Outboud NAT) radio button.
• Click Save
• Now you should see all the same rules ungrouped and editable. Verify presence of all seing earlier rules.
• By clicking + icon next to the rule entry, copy every rule changing only the interface to the one you created for VPN client [VPN Server name]

Note: rules for VPN interface should follow the corresponding for WAN interface. Order is crucial here. That is the reason we are not able to use "convinient" Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below). As it stated on the bottom of the page: "If hybrid outbound NAT is selected, mappings you specify on this page will be used, followed by the automatically generated ones."

Note: Rule of thumb: final NAT mappings table should have 4 rules for each interface on the system except OpenVPN client's one (eg. 4x WAN + 4x LAN) (Theoretically, you may configure more then one OpenVPN client on single pfSense, but since “redirect-gateway def1” option redirects all the traffic, I don't believe in success of such setups).

Configure firewall:

From this moment you use Firewall rules to direct traffic from your IPs/networks/interfaces to either WAN gateway (for direct ISP connection) or VPN client gateway for VPN access. I especially do not define any steps for further configuration because some pfSense version behave little bit different here and everyone's setup would be different, so you should play a bit with rules, learn how they affect your network and you will be rewarded eventually with pretty good skills and understanding of the whole picture.

Source: Setup pfSense as an OpenVPN client for specific devices by Tai Toh

If you insert a space between the last pound sign and the heading text, the headings will work properly.

amazing guide helped me out a lot. My pfsense only has 2 outbound rules for each vlan interface though. I am still figuring out the outbound rules for my connection but you helped me get connected in the first place so thank you

if you have a serverside TLS static key (example .ovpn included tls-crypt) then you have to enable on pfSense under section Cryptographic Settings
TLS Key Usage Mode > TLS encryption And Authentication