Setting up OpenVPN on pfsense - Server Setup

Setting up OpenVPN on a pfSense firewall isn't one of those really obvious tasks, but it can be accomplished easily enough with the proper instructions. I set up the VPN to depend on a Public Key Infrastructure (PKI). It would be easier to just use a pre-shared key, but that is less secure. For a more exhaustive, but slightly out-of-date, tutorial, check out this PDF.

First, head over to your pfSense web interface and go to the VPN -> OpenVPN screen. On the Server tab, click the '+' symbol to add a new server. Fill in the address pool and the other settings. Beside "Authentication method", be sure to select PKI.

Before you can go any further, you'll need to download the OpenVPN software onto another computer and find inside it the directory called easy-rsa. If you are running Linux, this may be installed in the package's documentation directory when you install the package. Mine was at /usr/share/doc/openvpn/examples/easy-rsa/2.0/. I've also done this successfully from a Mac OS X Leopard machine by unzipping the OpenVPN tarball and digging out the easy-rsa directory.

I copy this directory into my root directory. At the bottom of the 'vars' file in that directory are some variables that must be changed (organization, country, key size and so on). After that you are ready to initialize your PKI environment like this. Note that 'source ./vars' only sets variables in the current shell, so run all of the following commands from that same shell session.

# source ./vars
# ./clean-all
# ./build-dh

After that, we create the Certificate Authority certificate and the server certificate using these commands.

# ./pkitool --initca
# ./pkitool --server pfsense

These commands write the certificates and keys to the ./keys/ directory unless you changed the KEY_DIR variable. If you did, you know where to look.

So cd to the ./keys directory and make sure that ca.crt, dh1024.pem, pfsense.crt and pfsense.key are all present. Now cut and paste the contents of:

  • ca.crt to pfSense's "CA certificate" field
  • pfsense.crt to the "Server certificate" field
  • pfsense.key to the "Server key" field
  • dh1024.pem to the "DH parameters" field
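Here is an added example, not from the original post and not easy-rsa's own scripts, that reproduces what the clean-all, build-dh, pkitool --initca and pkitool --server steps above produce, using openssl directly, and then performs the check the post leaves implicit: that all four files pfSense needs exist, that the server certificate actually chains to ca.crt, and that pfsense.key is the private key matching pfsense.crt. It assumes openssl is installed; KEY_DIR, the subject names and the lifetimes are placeholders I chose, not values from the post.

```shell
#!/bin/sh
# Added example: mimic easy-rsa 2.0's PKI build with plain openssl, then
# verify the four artifacts pfSense's OpenVPN server page asks for.
# Assumptions (not from the post): openssl on PATH, KEY_DIR is scratch space,
# CA/server subjects are placeholders.
set -e

KEY_DIR="${KEY_DIR:-$(mktemp -d)}"   # easy-rsa's KEY_DIR, here a temp dir
KEY_SIZE="${KEY_SIZE:-2048}"         # RSA size for CA and server keys
DH_BITS="${DH_BITS:-1024}"           # matches the post's dh1024.pem; prefer >=2048 in real deployments
DAYS="${DAYS:-3650}"                 # certificate lifetime in days

# clean-all: start from an empty keys directory that only the owner can read
clean_all() {
    rm -rf "${KEY_DIR:?}"
    mkdir -p "$KEY_DIR"
    chmod 700 "$KEY_DIR"
    : > "$KEY_DIR/index.txt"
}

# build-dh: Diffie-Hellman parameters -> dh<bits>.pem
build_dh() {
    openssl dhparam -out "$KEY_DIR/dh$DH_BITS.pem" "$DH_BITS" 2>/dev/null
}

# pkitool --initca: self-signed CA certificate and its private key
init_ca() {
    openssl req -x509 -newkey "rsa:$KEY_SIZE" -nodes -days "$DAYS" \
        -subj "/CN=example-openvpn-ca" \
        -keyout "$KEY_DIR/ca.key" -out "$KEY_DIR/ca.crt" 2>/dev/null
    chmod 600 "$KEY_DIR/ca.key"      # the CA key is the crown jewel; keep it unreadable
}

# pkitool --server NAME: server key + CSR, signed by the CA with a server EKU
build_server() {
    name="$1"
    openssl req -newkey "rsa:$KEY_SIZE" -nodes \
        -subj "/CN=$name" \
        -keyout "$KEY_DIR/$name.key" -out "$KEY_DIR/$name.csr" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$KEY_DIR/server.ext"
    openssl x509 -req -days "$DAYS" -in "$KEY_DIR/$name.csr" \
        -CA "$KEY_DIR/ca.crt" -CAkey "$KEY_DIR/ca.key" -CAcreateserial \
        -extfile "$KEY_DIR/server.ext" -out "$KEY_DIR/$name.crt" 2>/dev/null
    chmod 600 "$KEY_DIR/$name.key"
}

# The check before pasting into pfSense: files present, cert chains to the CA,
# and the key's modulus matches the certificate's modulus. Returns 0 on success.
verify_keys() {
    name="$1"
    for f in ca.crt "dh$DH_BITS.pem" "$name.crt" "$name.key"; do
        [ -s "$KEY_DIR/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    openssl verify -CAfile "$KEY_DIR/ca.crt" "$KEY_DIR/$name.crt" >/dev/null 2>&1 \
        || { echo "$name.crt is not signed by ca.crt" >&2; return 1; }
    cert_mod=$(openssl x509 -noout -modulus -in "$KEY_DIR/$name.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$KEY_DIR/$name.key" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || { echo "$name.key does not match $name.crt" >&2; return 1; }
    return 0
}

# Run the same sequence the post runs, then verify.
clean_all
build_dh
init_ca
build_server pfsense
verify_keys pfsense && echo "PKI in $KEY_DIR is ready to paste into pfSense"
```

If verify_keys fails, do not paste anything into pfSense yet; the usual causes are a server certificate signed by a different (older) CA after a re-run of clean-all, or a key and certificate from different runs. Only ca.crt, dh1024.pem, pfsense.crt and pfsense.key are pasted into the GUI; ca.key stays offline with your easy-rsa directory.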

Make sure the remainder of your fields are filled in as desired, and then be certain to save that easy-rsa directory somewhere safe. The keys directory (which also holds the CA private key, ca.key, needed to sign every client certificate) and the vars file are the most important.

Next, you'll want to set up your clients. I'll make that a separate blog post.