Setting up VPNs with pfSense

Welcome to Artiste1.com's Guide on setting up Virtual Private Networks (VPNs) using pfSense.
This guide will walk you through the process of configuring both OpenVPN and IPsec VPNs on your pfSense firewall.

1. Introduction to VPNs in pfSense

pfSense supports various VPN technologies, with OpenVPN and IPsec being the most popular. Each has its strengths and use cases:

• OpenVPN: Flexible, easy to set up, and works well through NAT.
• IPsec: Faster performance, widely supported by many devices and platforms.

2. Setting up OpenVPN

2.1 Certificate Authority and Server Certificate

1. Navigate to System > Cert. Manager
2. Create a new Certificate Authority (CA) if you haven't already
3. Create a new Server Certificate, ensuring it's signed by your CA

2.2 OpenVPN Server Configuration

1. Go to VPN > OpenVPN
2. Click Add to create a new server
3. Configure the following settings:
   • Server Mode: Remote Access (SSL/TLS + User Auth)
   • Protocol: UDP on IPv4 only
   • Device Mode: tun
   • Interface: WAN
   • Local Port: 1194 (or your preferred port)
   • TLS Configuration: Select your Server Certificate
   • DH Parameters Length: 2048 bits
   • Encryption Algorithm: AES-256-CBC (or your preferred algorithm)
   • Auth Digest Algorithm: SHA256
   • Tunnel Network: Choose a subnet (e.g., 10.0.8.0/24)
   • Local Network: Your LAN subnet (e.g., 192.168.1.0/24)
   • Concurrent Connections: Set as needed
   • Compression: Enable LZO compression
   • Push "redirect-gateway def1"
   • Push "dhcp-option DNS 192.168.1.1" (replace with your pfSense LAN IP)
4. Save the configuration

2.3 User Authentication

1. Go to System > User Manager
2. Add users for VPN access
3. Optionally, set up RADIUS for external authentication

2.4 Firewall Rules

1. Navigate to Firewall > Rules > WAN
2. Add a rule to allow OpenVPN traffic:
   • Protocol: UDP
   • Source: Any
   • Destination: WAN Address
   • Destination Port: OpenVPN port (1194 by default)
3. Go to Firewall > Rules > OpenVPN
4. Add rules to allow traffic from OpenVPN clients to desired destinations

2.5 Client Configuration

1. Go to VPN > OpenVPN > Client Export
2. Select the OpenVPN server you created
3. Choose the user and export type (e.g., viscosity, inline configurations)
4. Download and distribute the client configuration to users

3. Setting up IPsec VPN

3.1 IPsec Configuration

1. Navigate to VPN > IPsec
2. Click Add P1 to create a new Phase 1 entry
3. Configure Phase 1:
   • Remote Gateway: Dynamic IP
   • Description: Road Warrior IPsec
   • Authentication Method: Mutual PSK
   • My identifier: My IP address
   • Peer identifier: Any
   • Pre-Shared Key: Generate a strong key
   • Encryption Algorithm: AES 256
   • Hash Algorithm: SHA256
   • DH Group: 14 (2048 bit)
   • Lifetime: 28800
4. Save Phase 1 configuration
5. Click Show Phase 2 Entries, then Add P2
6. Configure Phase 2:
   • Mode: Tunnel IPv4
   • Local Network: LAN subnet
   • Remote Network: 0.0.0.0/0
   • Protocol: ESP
   • Encryption Algorithms: AES 256
   • Hash Algorithms: SHA256
   • PFS key group: 14 (2048 bit)
   • Lifetime: 3600
7. Save Phase 2 configuration

3.2 Mobile Clients Configuration

1. Go to VPN > IPsec > Mobile Clients
2. Enable IPsec Mobile Client Support
3. Configure the following:
   • User Authentication: Local Database
   • Virtual Address Pool: Choose a subnet (e.g., 10.0.9.0/24)
   • Virtual IPv4 Network: Your LAN subnet
   • Save Settings

3.3 User Authentication

1. Go to System > User Manager
2. Add users for IPsec VPN access
3. Ensure users have a username and password set

3.4 Firewall Rules

1. Navigate to Firewall > Rules > WAN
2. Add rules to allow IPsec traffic:
   • Protocol: UDP
   • Source: Any
   • Destination: WAN Address
   • Destination Port: 500, 4500
3. Go to Firewall > Rules > IPsec
4. Add rules to allow traffic from IPsec clients to desired destinations

4. Testing and Troubleshooting

4.1 Testing VPN Connections

• Connect using a client device (e.g., smartphone, laptop)
• Verify IP address assignment from VPN pool
• Test access to internal resources
• Check internet access through VPN (if configured)

4.2 Troubleshooting

• Review VPN logs: Status > System Logs > VPN
• Check firewall logs for blocked traffic
• Verify NAT configurations if needed
• Ensure client configurations match server settings

5. Advanced Configurations

5.1 Split Tunneling

For OpenVPN, modify the server configuration:

• Uncheck "Force all client-generated IPv4 traffic through the tunnel"
• Add specific routes under "Custom options"

5.2 Two-Factor Authentication

Implement 2FA for additional security:

1. Install the FreeRADIUS3 package
2. Configure TOTP or other 2FA methods
3. Modify VPN settings to use RADIUS authentication

Conclusion

You've now set up both OpenVPN and IPsec VPNs on your pfSense firewall. Remember to keep your pfSense and VPN configurations updated regularly for optimal security and performance. As VPN needs can vary greatly depending on specific use cases, always tailor these configurations to your particular requirements.

For more advanced pfSense topics, check out our other guides:

• Advanced Routing in pfSense
• pfSense High Availability Setup
• Common pfSense Issues and Solutions