
VPN SETUP FOR pfSense 2.3.3
We are going to set up pfSense 2.3.3 with OpenVPN in a simple LAN and WAN environment, where WAN is connected to the internet and all LAN traffic is sent through the OpenVPN connection.
We are using our German VPN as an example.
Create Certificate
Download our zip file with configs and certificates, blackvpn_linux.zip, and compare its MD5 or SHA1 checksum with the one published next to the download.
The zip file contains various .conf files (which should NOT be used for pfSense) as well as a folder called “ssl”. Within that folder there are two files we need:
ca.crt (the Certificate Authority certificate) and ta.key (the TLS authentication key)
In pfSense, navigate to System > Cert Manager, and under the CAs tab, click the + Add button to add a new CA.
Descriptive name: blackVPN CA
Certificate data: open ssl/ca.crt in a text editor, select all the text in the file, copy it to your clipboard, and paste it into the Certificate Data box.
Click Save
Create OpenVPN Client
Go to VPN > OpenVPN, and click the Clients tab. Then click the “+ Add” button to add a new client.
Description: Descriptive name of the VPN (blackVPN Germany, for example)
Server host name resolution: check Infinitely resolve server
Server port: 443
Server host or address: choose your server from the blackVPN server list below (vpn.blackvpn.de for Germany, for example).
blackVPN server list:
Also remember to fill in your blackVPN username and password.
Uncheck “Automatically generate a shared TLS authentication key”, which will reveal a Key box where you should paste in the content of ta.key
Key: Go back to the files you downloaded from blackVPN, open ssl/ta.key in a text editor, and copy its contents to your clipboard, then paste it in the Key box.
Peer Certificate Authority: set to “blackVPN CA” that we created earlier
Client Certificate: None (Username / Password required)
Encryption Algorithm: AES-256-CBC
Auth digest algorithm: SHA512
Compression: Enabled with adaptive compression.
Disable IPv6: Checked
Don’t pull routes: Checked
In the custom options we can add a local verify-x509-name check, which makes the client reject any server whose certificate name does not match the one you expect (this is optional).
Custom options: choose the name for your server from the list below (for Germany, for example: verify-x509-name de name)
Australia: au
Brazil: br
Canada: canada
Czech Republic: cz
Estonia: estonia
France: fr
Germany: de
Japan: jp
Lithuania: lt
Luxembourg: lux
Netherlands: nl
Norway: no
Romania: ro
Russia: ru
Spain: es
Switzerland: ch
Ukraine: ua
UK: uk
USA Central/East/West: usa
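As an added example that is not part of the blackVPN guide, the following Python shows what the optional custom option actually enforces: OpenVPN's three verify-x509-name match types (subject, name, name-prefix) applied to a server certificate's subject. The CN values are the ones from the list above; the peer subject strings and the helper names are constructed for this example.

```python
# Added example, not part of the blackVPN guide: the three match types behind
# OpenVPN's verify-x509-name option, showing what the optional custom option
# "verify-x509-name de name" enforces. CN values are the guide's; peer subjects
# are constructed. OpenVPN applies this check only after the server certificate
# has chained to the pinned blackVPN CA, so it narrows trust rather than replacing it.
import shlex

# country -> value used in the custom option (from the guide's list)
BLACKVPN_X509_NAMES = {
    "Australia": "au", "Brazil": "br", "Canada": "canada", "Czech Republic": "cz",
    "Estonia": "estonia", "France": "fr", "Germany": "de", "Japan": "jp",
    "Lithuania": "lt", "Luxembourg": "lux", "Netherlands": "nl", "Norway": "no",
    "Romania": "ro", "Russia": "ru", "Spain": "es", "Switzerland": "ch",
    "Ukraine": "ua", "UK": "uk", "USA Central/East/West": "usa",
}

def custom_option(country):
    """Build the pfSense custom-options line, e.g. 'verify-x509-name de name'."""
    return "verify-x509-name %s name" % BLACKVPN_X509_NAMES[country]

def parse_subject(subject):
    """Split 'C=DE, O=blackVPN, CN=de' into {'C': 'DE', 'O': 'blackVPN', 'CN': 'de'}."""
    fields = {}
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip()
    return fields

def verify_x509_name(option, peer_subject):
    """Apply OpenVPN's match types: subject (whole DN), name (exact CN), name-prefix."""
    words = shlex.split(option)
    if words[0] != "verify-x509-name" or len(words) not in (2, 3):
        raise ValueError("not a verify-x509-name option: %r" % option)
    expected = words[1]
    mode = words[2] if len(words) == 3 else "subject"  # OpenVPN's default type
    fields = parse_subject(peer_subject)
    if mode == "subject":
        # simplified: compare the parsed DN fields instead of OpenVPN's formatted string
        return parse_subject(expected) == fields
    cn = fields.get("CN", "")
    if mode == "name":
        return cn == expected
    if mode == "name-prefix":
        return cn.startswith(expected)
    raise ValueError("unknown match type: %r" % mode)
```

Note that leaving off the trailing "name" makes OpenVPN compare the whole subject, so "verify-x509-name de" on its own would reject every blackVPN server.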
Click Save. This starts the VPN client in the background.
To confirm that it is connecting, go to Status > System Logs and click the OpenVPN tab.
The line you are looking for is “Initialization Sequence Completed”; the full log should look something like this:
Create Interface
You should do this after the VPN connection has been successfully established.
Navigate to Interfaces -> (assign)
Available network ports: select “ovpnc1(blackVPN Germany)”. Click the “+ Add” button to add the interface.
The new interface will be named “OPT1”. Click Interfaces > OPT1 to edit it.
Enable: check
Description: BLACK
IPv4 Configuration Type: DHCP
Click Save and Apply Changes.
DNS Resolver
Navigate to Services -> DNS Resolver -> General Settings
Enable: check
Network Interfaces: All
Outgoing Network Interfaces: BLACK
System Domains Local Zone Type: Transparent
DNSSEC: uncheck
DNS Query Forwarding: uncheck
DHCP Registration: check
Static DHCP: check
Click Save.
While in DNS Resolver, select Advanced Settings.
Hide Identity: check
Hide Version: check
Prefetch Support: check
Prefetch DNS Key Support: check
Harden DNSSEC Data: uncheck
Click Save and Apply Changes.
Firewall
First we are going to automatically create a set of rules, which we can then edit.
Navigate to Firewall -> NAT -> Outbound and select “Manual Outbound NAT rule generation”.
Press Save and then Apply Changes in the top of screen.
Four rules are now created, as shown below:
We now need to edit each of the rules and change the Interface to OpenVPN on all four of them.
Press the “edit pen” button on the first entry in the list.
Interface: OpenVPN
Repeat this process for the remaining three rules.
In the end all the rules should have OpenVPN Address as the NAT Address, and the list should look similar to the one below:
Now click Apply changes at the top of the page
Go to Firewall -> Rules -> LAN
Add a new rule by clicking the “Add” button that adds to the top of the list:
Action: Pass
Interface: LAN
Address Family: IPv4
Protocol: any
Click on Display Advanced and only change:
Gateway: BLACK_DHCP-…
Click Save and Apply Settings
The screen should look something like this:
Preventing Traffic Leaks
To prevent traffic leaks, we will make the VPN Gateway the default route.
Go to System -> Routing -> Gateways
Edit the VPN gateway BLACK_DHCP-, by clicking on the Pen button.
Default Gateway: checked
Save, and then click “Apply Changes.”
The Gateway list should look something like this:
DNS Settings
Since BLACK_DHCP-… is the default gateway, we must specify a public DNS server that is reached via the WAN gateway.
We use 91.239.100.100 (censurfridns.dk), but you can of course use another reliable third-party DNS server.
172.31.0.1 is the DNS server on the VPN.
Go to System -> General Setup.
DNS Server 1: 91.239.100.100, gateway WAN_DHCP-…
DNS Server 2: 172.31.0.1, gateway BLACK_DHCP-…
DNS Server Override: uncheck
Disable DNS Forwarder: check
Save and Apply Settings
DHCP Settings
If you use a DHCP server on the LAN interface to share the OpenVPN connection, you must add 172.31.0.1 as its DNS server (this prevents DNS leaks).
Go to Services -> DHCP Server -> LAN
DNS servers: 172.31.0.1
Save and we are done!
Go to Status -> OpenVPN and restart OpenVPN by pressing the restart button.
That should be it. Give it a minute and it should work.
Troubleshooting
If no site loads, open a terminal and ping a reliable site like 8.8.8.8. If you get no response.
If Status -> OpenVPN shows that the link is up and you can ping Internet sites, the problem is probably DNS resolution.
Recheck the DNS server(s) specified in Services -> DHCP Server and System -> General Setup.
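As an added example that is not part of the blackVPN guide, the following Python turns the two things the Preventing Traffic Leaks and Troubleshooting sections tell you to verify, the OpenVPN log reaching “Initialization Sequence Completed” and the default route pointing at the VPN, into a check you can run against the firewall's own output. The interface name ovpnc1 comes from the guide; the WAN name em0, the function names and the sample log and route lines are constructed.

```python
# Added example, not part of the blackVPN guide: a leak sanity check over the two
# inputs the guide tells you to inspect (the OpenVPN log and the routing table).
# ovpnc1 is the OpenVPN client interface named in the guide; em0 is an assumed WAN
# name and the sample lines are constructed in the formats pfSense shows.
import re

INIT_DONE = "Initialization Sequence Completed"
RESTART = re.compile(r"SIG(USR1|HUP|TERM)\[.*?\] received, process (restarting|exiting)")

def tunnel_established(log_lines):
    """True if the most recent state change in the OpenVPN log is a completed handshake."""
    state = False
    for line in log_lines:
        if INIT_DONE in line:
            state = True
        elif RESTART.search(line):  # a restart or exit invalidates the earlier success
            state = False
    return state

def default_route_netif(netstat_output):
    """Return the Netif of the IPv4 default route from 'netstat -rn -f inet' (FreeBSD/pfSense)."""
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "default":
            return cols[3]
    return None

def leak_problems(log_lines, netstat_output, vpn_netif="ovpnc1"):
    """List the conditions under which LAN traffic would not be going through the VPN."""
    problems = []
    if not tunnel_established(log_lines):
        problems.append("OpenVPN has not reported '%s'" % INIT_DONE)
    netif = default_route_netif(netstat_output)
    if netif is None:
        problems.append("no IPv4 default route (nothing reaches the Internet)")
    elif netif != vpn_netif:
        problems.append("default route uses %s instead of %s" % (netif, vpn_netif))
    return problems

# Constructed sample inputs (documentation addresses, not real servers)
GOOD_LOG = ["openvpn[1234]: TLS: Initial packet from [AF_INET]203.0.113.10:443",
            "openvpn[1234]: Initialization Sequence Completed"]
DROPPED_LOG = GOOD_LOG + ["openvpn[1234]: SIGUSR1[soft,ping-restart] received, process restarting"]
HEADER = "Destination        Gateway            Flags     Netif Expire\n"
VPN_ROUTES = HEADER + "default            10.8.0.1           UGS      ovpnc1\n10.8.0.0/24        link#8             U        ovpnc1\n"
WAN_ROUTES = HEADER + "default            203.0.113.1        UGS         em0\n192.168.1.0/24     link#2             U           em1\n"

if __name__ == "__main__":
    for name, routes in (("vpn", VPN_ROUTES), ("leak", WAN_ROUTES)):
        print(name, leak_problems(GOOD_LOG, routes) or ["ok"])
```

On the firewall itself the inputs come from Status > System Logs > OpenVPN and from netstat -rn -f inet in a shell.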