6/3/22, 2:40 PM How to Setup your own OpenVPN Server in pfSense

We are funded by our readers and may receive a commission when you buy using links on our site.

How to set up your own OpenVPN server in pfSense

There's a lot you can do with pfSense. It's a very powerful firewall/router.
In this post, we look at how to set up your own OpenVPN server in
pfSense.

MARC DAHAN
- SPECIALIST IN ONLINE PRIVACY


February 18, 2022

https://www.comparitech.com/blog/vpn-privacy/openvpn-server-pfsense/

pfSense is a powerful, open-source firewall/router that’s based on FreeBSD. Using pfSense instead of a typical consumer router has many benefits. Frequent OS updates to patch vulnerabilities are a big one. Most consumer routers never get firmware updates, and most people use their router for more than five years. But beyond better security, pfSense includes many tools that make it easy to set up pretty much any network configuration thanks to its comprehensive GUI.

One thing that’s easy to set up on pfSense is your own OpenVPN server. When you have a VPN server running on your router, you can connect to your home network securely from anywhere, access your local machine, and even use your home internet connection from your remote device. And that’s what we’re going to look at in this article. We’re going to guide you through all of the steps you need to configure your own OpenVPN server on pfSense.

To learn how to configure an OpenVPN client connection to a commercial VPN provider in pfSense, you can read our dedicated guide.

See also: Best VPN for pfSense

This guide assumes you’ve already got pfSense set up with working WAN and LAN interfaces.

Settings that are not mentioned in the instructions should be left at their default values (i.e., untouched).

Thinking about authentication

Before we configure our OpenVPN server, we need to choose an authentication method. Both OpenVPN and pfSense support password-based authentication, certificate-based authentication, or both. In this guide, we’ll be using both so that we cover all the bases. But you’re free to select one or the other. If you choose to use password-based authentication only, you can skip the steps of generating user certificates. But you still need to generate a Certificate Authority as well as a server certificate.

Generating the Certificate Authority (CA)

The first thing we need to do is generate our Certificate Authority (CA), which will validate the OpenVPN server’s identity and authenticate user certificates (if enabled).

1. From the menus at the top of the screen, select System > Cert. Manager.
2. Click the Add button at the bottom right.
3. Enter a name for your CA.
4. Make sure Method is set to Create an internal Certificate Authority.
5. Select your Key type. I will be using RSA for this example, but you can also use ECDSA.
6. Set your Key length to at least 2048. I will be using 4096 for this example.
7. Set your Digest Algorithm to at least sha256. I will be using sha512 for this example.
8. Choose a Common Name for your certificate or leave the default of internal-ca.
9. Click Save at the bottom. You’ve created your Certificate Authority.

Generating the server certificate

1. If you’re not already there, from the menus at the top of the screen, select System > Cert. Manager.
2. Select the Certificates sub-menu.
3. From the Certificates sub-menu, click the Add/Sign button at the bottom right.
4. Make sure Method is set to Create an internal Certificate.
5. Enter a Descriptive name for your certificate.
6. Use the same values you set for the Certificate Authority for the Key type and length, as well as for the Digest Algorithm.
7. Set the Lifetime to 365 days.
8. Select Server Certificate as the Certificate Type.
9. Click Save. You’ve created your server certificate.

Create your OpenVPN user and your user certificate

We now need to create a user to access the OpenVPN server.

I will be creating a single user for this guide, but you can create as many users as you need. Simply repeat these steps.

1. From the menus at the top of the screen, select System > User Manager. You are taken to the User Manager.
2. Click the Add button at the bottom right.
3. Enter a Username and Password for your user.
4. Click Save. You’ve created your OpenVPN user and are taken back to the User Manager.
5. If you chose to set up your server for certificate-based authentication or for certificate and password-based authentication, click the pencil icon to the right of your new user. You’re taken back to the Edit User window.
6. Click the Add button under User Certificates. You’re taken to the Certificate Manager, and you’re prompted to input the parameters for your user certificate.
7. Make sure Method is set to Create an internal Certificate.
8. Enter a Descriptive name for your certificate.
9. Set the same values you set for the Certificate Authority for the Key type and length, as well as for the Digest Algorithm.
10. Set the Lifetime to 365 days.
11. Make sure Certificate Type is set to User Certificate.
12. Click Save. You’re taken back to the User Manager, and you can see that your newly created user certificate is now associated with your OpenVPN user.
13. Click Save.

Creating the OpenVPN server

We’re now ready to create our OpenVPN server.

1. From the menus at the top of the screen, select VPN > OpenVPN. You are taken to the OpenVPN Servers sub-menu.
2. Click the Add button on the bottom right.

General Information

1. Set the Server mode to either Remote Access (SSL/TLS), Remote Access (User Auth), or Remote Access (SSL/TLS + User Auth). As mentioned above, I will be using Remote Access (SSL/TLS + User Auth) for this example.
2. Change the Local port to a different port if required by your network topology or leave it at the default (1194).
3. Enter a name for your server in the Description field.

Cryptographic Settings

1. Make sure Use a TLS Key and Automatically generate a TLS Key are enabled.
2. Make sure your Peer Certificate Authority is set to the CA we created earlier.
3. Set the Server certificate field to the server certificate we created earlier.
4. Select 4096 for the DH Parameter Length setting.
5. Set the Auth digest algorithm to RSA-SHA512 (512-bit).

Tunnel Settings

1. In the IPv4 Tunnel Network field, enter a subnet that is not present on your network to be used as the OpenVPN network’s internal subnet. In my case, I’m using 192.168.2.0/24.
2. If your network also supports IPv6 and you want your OpenVPN tunnel to support IPv6 as well, enter an unused IPv6 subnet in the IPv6 Tunnel Network field. In this example, I am configuring my server for IPv4 only.
3. Enable Redirect IPv4 Gateway in order to route all IPv4 traffic over the VPN tunnel.
4. Enable Redirect IPv6 Gateway in order to route all IPv6 traffic over the VPN tunnel, if needed.

Advanced Configuration

1. Enable UDP Fast I/O.
2. If you’re only using IPv4, select IPv4 only in the Gateway creation field. If you’re using both IPv4 and IPv6, leave it set to Both.
3. Click Save. You’ve created your OpenVPN server.

Verifying the OpenVPN server configuration

1. To make sure our server is set up correctly, select Status > System Logs from the top menus.
2. Select the OpenVPN sub-menu. The OpenVPN logs are displayed.
3. If everything is set up correctly, you should see Initialization Sequence Completed in the logs.

Create firewall rules

Now that our OpenVPN server is configured, we need to create a firewall rule to allow traffic to and from our server.

OpenVPN rule

This rule will allow traffic from the OpenVPN subnet out
to the internet.

1. From the menus at the top of the screen, select Firewall > Rules.
2. Select the OpenVPN sub-menu.
3. Click the Add button to create a new rule at the top of the list.
4. Set the Address Family to IPv4 + IPv6 if your system is using both IPv4 and IPv6. If not, leave it at the default value of IPv4.
5. Set the Protocol field to Any.
6. Set the Source to Network.
7. Enter the OpenVPN subnet you specified earlier in the Source Address field but without the /24. For example: 192.168.2.0.
8. Select 24 from the drop-down menu to the right of the Source Address field.
9. Enter a description for this rule in the Description field.
10. Click Save, then click Apply Changes. Traffic will now be allowed out through the firewall from the OpenVPN subnet.

WAN rule

In order to connect to your OpenVPN server from the
outside world (i.e., the internet), you’re going to need to
open the port your server runs on (1194, in this example)
on your WAN interface. This rule will allow your client to
connect to your OpenVPN server from the internet.

1. From the menus at the top of the screen, select Firewall > Rules.
2. Select the WAN sub-menu (the default).
3. Click the Add button to create a new rule at the top of the list.
4. Set the Address Family to IPv4 + IPv6 if your system is using both IPv4 and IPv6. If not, leave it at the default value of IPv4.
5. Make sure Source is set to Any.
6. Set the Protocol field to UDP.
7. Set the Destination Port Range to 1194.
8. Enter a description for this rule in the Description field.
9. Click Save, then click Apply Changes. Traffic will now be allowed from the internet to the OpenVPN server.

Install the OpenVPN Client Export Utility

To make configuring our OpenVPN client easy, pfSense provides an automated configuration generator for OpenVPN. However, it’s not installed by default. We need to install the package from the pfSense Package Manager manually.

1. From the menus at the top of the screen, select System > Package Manager. You are taken to the Package Manager.
2. Select the Available Packages sub-menu.
3. Scroll down until you see openvpn-client-export and click the Install button to its right. You’re taken to the Package Installer page.
4. Click Confirm. The installation begins.
5. Once the installation is finished, the progress bar turns green, and you should see Success displayed in the Package Installation window.

Export the OpenVPN client configuration

1. From the menus at the top of the screen, select VPN > OpenVPN.
2. Select the Client Export sub-menu.
3. Make sure the correct OpenVPN server is selected next to Remote Access Server.
4. If you’re using Dynamic DNS to access your pfSense WAN, select Other from the Host Name Resolution drop-down menu. Then enter the hostname in the Host Name box that appears below. This allows you to access your pfSense WAN by hostname rather than IP address, which means that you won’t lose access to your OpenVPN server if your ISP changes your WAN IP address. If you’re not using Dynamic DNS, leave Host Name Resolution set to Interface IP Address.
5. Scroll down to the bottom of the page, and you’ll find generated configurations for various systems and apps. Click on the appropriate configuration for your device(s) to download it to your computer.

I’m going to be connecting a Linux laptop, so I downloaded the Most Clients inline configuration.

Upon importing my configuration in Linux’s Network Manager, I simply need to input my username and password (they’re not included in the configuration file), and I can connect to my OpenVPN server.

I can then check to make sure that my public IP address has been changed to the WAN address of my home internet, using Comparitech’s IP Address Check tool.
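
As an added example (not part of the original article, and not the export utility's own code), this Python script audits a downloaded client profile against the choices made in this guide: UDP port 1194, the SHA512 digest, a TLS key, and certificate plus password authentication with no stored password. The sample profile, its host name and the function names are constructed for illustration; the directive names are standard OpenVPN options.

```python
import re

# Constructed sample profile; the host name and block bodies are placeholders.
SAMPLE = """client
dev tun
proto udp
remote vpn.example.net 1194
auth SHA512
auth-user-pass
remote-cert-tls server
""" + "".join(f"<{b}>\n(placeholder)\n</{b}>\n" for b in ("ca", "cert", "key", "tls-auth"))

def parse_ovpn(text):
    """Return ({directive: [arg lists]}, {inline block names})."""
    directives, blocks, inside = {}, set(), None
    for line in map(str.strip, text.splitlines()):
        if inside:  # skip key/cert material until the closing tag
            inside = None if line == f"</{inside}>" else inside
        elif m := re.fullmatch(r"<([\w-]+)>", line):
            inside = m.group(1)
            blocks.add(inside)
        elif line and line[0] not in "#;":  # '#' and ';' start comments
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks

def audit(text, port="1194", digest="SHA512"):
    """List where a client profile departs from the server settings chosen in this guide."""
    d, blocks = parse_ovpn(text)
    has = lambda name: name in d or name in blocks
    # i-th argument of the first occurrence of a directive, or a default
    arg = lambda name, i, default: (d.get(name, [[]])[0][i:i + 1] or [default])[0]
    checks = [
        # OpenVPN defaults: port 1194, proto udp, auth SHA1
        (arg("remote", 1, arg("port", 0, "1194")) == port, f"remote port is not {port}"),
        (arg("remote", 2, arg("proto", 0, "udp")).startswith("udp"), "transport is not UDP"),
        (arg("auth", 0, "SHA1").upper() == digest, f"auth digest is not {digest}"),
        (has("ca"), "no CA to validate the server certificate"),
        (has("pkcs12") or (has("cert") and has("key")), "no user certificate and key"),
        (has("tls-auth") or has("tls-crypt"), "no TLS key"),
        (d.get("auth-user-pass") == [[]], "auth-user-pass missing or reads a stored password file"),
        (has("remote-cert-tls") or has("verify-x509-name"), "server certificate type is not verified"),
    ]
    return [msg for ok, msg in checks if not ok]
```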

Wrap-Up

So that’s how you set up a basic OpenVPN server in pfSense for remote access. There are a lot of places to go from here to accommodate more complex setups.

You could also configure content filtering on your pfSense box to block ads and malicious sites. Your OpenVPN clients would benefit from this as well. But for now, you have a fully functional OpenVPN server configured on your home router (pfSense), enabling you to use your home internet connection from any device, wherever you are.

VPN on, friends.
