Install OpenVPN on pfSense - The Complete Step-by-Step Guide

Captions
Hello my beautiful friends on the internet, uh, today I have a new video for you, and in today's video we will learn how to install OpenVPN on pfSense 2.5. Now, I have gotten a lot of requests from you guys lately, or not really lately but over the past year or so, to update my last pfSense guide. It was still working, but it got a bit dated because there were a couple of new steps that came into play for pfSense 2.5; the last guide I did was on pfSense 2.4. So with today's video I want to give you guys the long-anticipated update. We will go through how to install OpenVPN so that you will be able to connect from outside of your network to the inside of your network and access your devices inside of your internal network. So let's get right on with that.

Of course there is also a written article on cosec.com. I will leave the link to the article in the video description below so you can pull that up while we are going through the tutorial, if you feel more comfortable having that open on the side. Every step is described in here, it's all very well structured and there are pictures for every step. So I recommend to you, if the video is a little bit too fast for you, just pull up this article on the side so you can leave it open and follow through with it, because everything that I do, every single step, is documented right here, and I tell you exactly what to fill in in each and every field. This also can help you to go through your whole settings again once we are finished with the tutorial, to make sure you didn't make any mistakes.

So if you want to reach your network from the outside, from when you're on the road or something, you need to utilize something like DynDNS, unless you have a static IP. If you have a static IP address you can skip this step, or if you use any other method and you already know how to do that. For everybody else who doesn't know how to do that, we are going to use No-IP, which is a free service. On the free plan, all you have to do is every 30 days you need to click on a link in the email to reactivate your account. If you want to skip that you can obviously choose the paid version. But what this does is it allows you to create a host name here that is linked to this website address, and that host name will refer back from your pfSense firewall to your, uh, local... to your public IP address. So this will always automatically update. That means if you enter your host name, then you will be able to find your local network from anywhere in the internet, if that makes sense. I think this is the easiest way I can possibly explain that.

All right, so let's go through the sign-up process here real quick. You can just go to noip.com. This is no advertising, I don't get any money from them, obviously; it's a free service that you can utilize. Um, host name, you can choose whatever you want. I choose cosec for the sake of this tutorial, but you should choose something generic, like whatever random string of numbers and letters, just to make it harder for somebody to guess a name when they are, uh, surveying or scanning the internet for host names. So just something very generic; it can be as long as you like, or almost as long as you like. Again, for the sake of this tutorial we choose my name, cosec, and then you can choose one of those three, uh, basically top-level domains, so I choose cosec.hop. Then you click on sign up, and then you are required to enter an email address. Now I'm going to use a temporary email address that I just created, because I'm going to delete this account again after the tutorial is done. So I just quickly entered it here... oh my god, that's a hard account to type. There we go. I use temp-mail.org, temp minus mail.org, for creating a random email address, by the way, in case you're interested. We do a very insecure password; you should be more secure. And then again we have to confirm the hostname here, cosec.hop2.org. Then you can see that they have the paid plan here, which is very cheap, it's 24 a year, if you don't want to go ahead and click on this link in the email, uh, on a monthly basis. It doesn't bother me, to be honest, I don't care to click on that. All right, then check this box obviously and click on free sign up. We can save that for now.

We have to confirm the account, yep, so click on the link in your email, then your account is activated. Right now we are ready to roll. Click on sign in, and then I need to type this stupid email address again, just give me one second, I hope I didn't delete it yet. Okay, I found it again. You probably have to activate your account by entering your name and your address and stuff like this, so do that if you like, or don't; I think it also works without doing that. Once you are there, then click on Dynamic DNS and No-IP Hostnames, and then you can see your actual host name, and they already know, uh, which is your public IP address. So this is what we will verify again a little bit later, um, once we have set that up in pfSense. All right, when we have that all in place we can go ahead and continue with the next step.

Okay, now we need to go ahead and set up DynDNS in pfSense. So log into your pfSense firewall and click on Services and Dynamic DNS, then click on the Add button here. And you want to choose the service type, which is No-IP; that comes preconfigured with pfSense. All right, then the host name is obviously the name that you have set up, so it's cosec.hop2.org. I think it was org, right? Yeah, it is. Okay, so we have that in there, that's perfectly fine. Then you need to enter your username, and I was smart enough to copy that weird generic email address before, and you need to enter your password. And this is the username and password for No-IP, for your No-IP account. All right, then you can say description "No-IP DynDNS" or whatever you like. Click on save, and once you click on save, that goes ahead and fetches your data, that means that fetches your public IP address, and if that lights up green as a cached IP address, you are all good to go and we can continue with the next step.

Sorry guys, I had to switch my video off because I have problems running it alongside VirtualBox for some weird reason, but it doesn't matter, let's continue with the tutorial. The next thing we are going to do is we are going to install the client export package; that's going to help us a little bit later. So click on System and click on Package Manager, and I hope you can see that well enough, I'll make it a little bit bigger, everything here. And then go to Available Packages. Once you are there, type "openvpn" and then install the openvpn-client-export package by clicking on the install button, and click on the confirm button. This should just take a couple of seconds and then we can continue once that is finished.

All right, that is done. Now we can go ahead and actually install OpenVPN on pfSense, or install the OpenVPN server. So go to open... go to VPN up here, click on OpenVPN and then click on Wizards to start the wizard. Now we want local user access, that's fine, so we're going to click on next. Next, it's automatically going to set up a new certificate authority for us. You don't need to understand what that means, just follow along the steps. You can give it a descriptive name; I always like to name them specifically as what they are, and in this case it's our "pfSense certificate authority". There we go. Then the country code, in my case it's DE for Germany. Search your appropriate country code; for you, I guess it's US. You'll find that, I believe in you. Put your state or province where you're located, and put your city, and put your organization if you have one, or just leave that empty, you don't need to enter that at all. Then next click on add new certificate authority. That has been done, and next we need to create a server certificate or select a server certificate, which we don't have, so we need to create a new one. For that I do "pfSense OpenVPN server certificate". There we go. All right, we leave everything on the default, this is all fine; it automatically takes the stuff that you have entered in the step before. Then click on create new certificate to create the certificate.

All right, next we do the server setup. As your interface you obviously want to select WAN, that's fine. As a protocol I like to choose TCP IPv4 and IPv6 on all interfaces, for multihome. There are many different ways on how to set that up; the best thing you can do is to read that in the pfSense documentation. I like to do it that way, it works for me, so I'm going to leave it as it is. You can leave it on the default port 1194 as well, and then we are going to do a "pfSense OpenVPN server", we simply call it what it is. You can call it whatever you like, you can call it Dogecoin if you like to. Um, TLS authentication stays as it is, generate TLS key stays as it is, that's all fine. Data encryption negotiation can stay like this too, and for the digest algorithm we leave SHA256, perfectly fine. Hardware crypto: choose to enable that if you have it available or not, usually don't do that.

And now we come to the very important part, which is the tunnel setting. Now try to not mess this up, because this is a very important part and can mess up your whole configuration. I try to explain it to you as easy as possible. The tunnel network is a new subnet that you create specifically for your VPN clients. Now let's assume your local network is 192.168.1.1, as it is in our case; that means the subnet would be 192.168.1.0/24, and therefore we can go ahead and create a new one right here. You cannot take a subnet that is already in use, so in this case we just do 192.168.2.0/24. And if you don't know what that means, and if you just have one subnet like this, just do it as I do it, don't think about it anymore. Uh, this is just another network where your VPN clients will get an IP address when they connect. So if you connect to your VPN, to your tunnel, your client that connects from a remote location will have the IP address 192.168.2.2. All right, does that make sense? I hope so.

We don't need to... the redirect gateway thing, this is a design question. You can choose or not choose to do that. I by default don't do it, because I don't want to force all client-generated traffic through my tunnel. Um, if you just want a secure connection to your home and if you are just one user you can do that, but be aware that even traffic like YouTube and stuff like this will get routed over your, uh, VPN tunnel. So if you do this for a company and you have employees, you probably don't want to do that, because it generates a lot of traffic that goes through your tunnel.

All right, next up, local network. If you do not want to connect to devices on your local network, like a NAS or whatever file server you have, whatever other resources, if you want to print your documents from far away on your home printer, that's, uh... then you need to enter a local network address. So in our case the local network is 192.168.1.0/24, and this is a CIDR range. So as I said, if you don't understand what that means, just follow along with this tutorial or adjust it to your own IP range. So if your network is 192.168, uh, 10 point something, then just put 10.0/24, you get the idea.

Concurrent connections, uh, usually is only one in a single-user case, so I only want to connect with one device at the same time. Obviously if you want to connect more devices, you'll figure it out. Allow compression, this is fine, can stay as it is. Inter-client communication: now this means if you have multiple, uh, VPN... or multiple clients that connect to your VPN tunnel and you want that they are able to connect, uh, between each other, so if you have two laptops and you want to connect from laptop 1 to laptop 2 while they are connected to the tunnel, obviously do more concurrent connections in here and also enable inter-client communication. Now for our simple use case we don't need that, so we don't check the box. Dynamic IP is perfectly fine, topology we leave on default.

And then we have some options for the DNS servers. Now if you run your pfSense firewall... if you run a DNS resolver on your pfSense firewall for your local network, you could go ahead and you could put that in there, so in that case 192.168.1.1; this is the IP address of the pfSense firewall, which also is the DNS server in that case. So you could put that in if you want, and as a second server, just in case, you could put the Google public DNS server there to make sure your connected clients have internet. That's really all there is to it. Then click on next, and then absolutely make sure to check those two boxes to create firewall rules for both the server and the clients that come in through the VPN. If you don't do that, your clients will not be able to connect or communicate with your internal network.

Believe it or not guys, we are almost done. Now we need to create a user that is allowed to connect to our VPN. To do that, click on System, click on User Manager. And by the way, those are the exact same steps that I have described in the written article; again, if you are unsure, unsecure, pull up that article and follow through very slowly, step by step, look at all of the settings to make sure to not mess anything up. All right, so click on add once you are there, and then just give it a descriptive name, like, what can we name it, um, "my VPN user", or let's say, yeah, "my VPN user" sounds amazing. Password: very secure, you should choose a secure password obviously. Um, okay, we got that, we got my VPN user. Then you want to click here to create a user certificate, very important. Scroll down a little bit, and just, I like to call it as the user, so I'd say, um, "my VPN user user certificate". It gets really, um, confusing with all of those different kinds of certificates, so I really like to name them as exactly what they are; this is the "my VPN user user certificate", it doesn't get more descriptive than that. The certificate authority obviously is our pfSense certificate authority we have created earlier. The key type can stay at RSA, the digest algorithm is SHA256, perfectly fine, everything is nice. Click on save. All right, there we go.

Okay, now it depends. Um, probably most of you will want to use this VPN client on a Windows machine, so I'm going to show you how to do that on a Windows machine. I have an article on cosec.com that describes how to use OpenVPN on a Linux machine as well; maybe we'll cover it in this video, let me think about it while we are going through those steps. So to do the Windows way, you want to go to VPN, you want to go to OpenVPN and you want to go to Client Export, and this is the package we have installed in the beginning of this video. Uh, make sure the remote access server is in fact your pfSense OpenVPN server that we just have created, and then, very important, for host name resolution, not the interface IP address but your DynDNS address that you have set up, if you have set up... or if you do have a static IP address you can go to Other and set it up with that, and just put your public IP address in here or something like that. I actually didn't do it with a static IP address yet, so I always used some kind of DNS, so this is the way to do it. I think you can create an alias or something for a static IP address as well, you'll figure it out. I believe if you have a static IP address you can figure it out.

Okay, you have a couple of options here, something like block outside DNS, legacy client or silent installer, something like that; you can deploy it in a WSUS or like a package manager in Windows, that you can roll it out via GPO or something. But all of that is not interesting for us; for our use case we don't need any of this. So, um, what else do we have here? Oh yeah, this is important: in case you want to connect with more clients at the same time, you have to use a random local port, because it says here, without this set, two clients may not run concurrently. All right, so let's scroll down, scroll down, scroll down, and, uh, do we need to do something in here? Yes, we need to click on save as default, and now this is always set up as a default.

All right, so let's scroll down to the OpenVPN clients, and we have my VPN user, and that's what we want. So if you are running Windows, as I said, go to current Windows installers, click on the 64-bit installer, download it, install it, leaving everything on the default settings. It might ask you to install a TAP network driver or something like this; always say yes, agree to everything OpenVPN asks you. In fact, there might be the Windows Defender popping up and telling you that it's scanning this file because it's kind of an edgy file or something, but it's perfectly fine, it's just a false positive, just Windows being overly secure, nothing's going to happen. And once you have installed that, then you are ready to go and ready to connect to your OpenVPN server. So I'm just quickly going to show you how that looks.

Now a great way to test if your VPN is working is by using your mobile phone and using the hotspot function. So on most modern mobile phones you can use personal hotspot to connect a laptop or whatever device you're using to your mobile phone's internet connection. Because if you are connected with your laptop to your own Wi-Fi network, the same Wi-Fi network where your pfSense firewall is located, it will not work; it will probably not connect through the VPN because it's expecting a different route. Now, as I said, great way: connect your laptop to your mobile phone's hotspot function and then try that. So if you have installed OpenVPN, you have to start it by choosing the desk... the icon on the desktop, which is probably somewhere there, or you just hit the Windows key and search for OpenVPN GUI. And once you click on that, this small icon appears in your taskbar. Then you right-click it, you click on connect, and then you wanna put your my VPN user in there and your password, whatever that is, whatever you set up. And once you click on connect, then the connection will be established, and if you followed every step correctly, then this little icon here will turn green and you will be officially connected to your OpenVPN on pfSense.

Now I have gone through exactly those steps just one day ago, because I reconfigured my own OpenVPN server; I reinstalled it completely from scratch to make sure this tutorial works, and it was working flawlessly by following those exact steps. So I am pretty confident that it will work for you too.

All right guys, and that's it. Now you know how to install OpenVPN on pfSense. It's actually really straightforward once you have done it once, but as I said, the written article is there in case you have any problems; there is also a troubleshooting section. The link is in the video description below. If this helped you out, I would really appreciate it if you subscribe to my channel. And just a side note, you have heard that I did a Dogecoin pun, uh, just a quick side note: I created a new channel that is called Crypto with Stefan. You can find it on the recommended channels down below on my YouTube. If you're interested in cryptocurrencies, I would highly, highly appreciate it if you did subscribe to my new channel, because I'm trying to grow it right now. All right guys, thanks for watching, I hope to see you back. Let me know what you think about this tutorial. See you.
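The tunnel-network step described in the captions can be checked before it is typed into the wizard. The following Python sketch is an added example, not part of the video or its written article: it validates a tunnel network against the local network and against a network the client may be sitting on. The function names are hypothetical, the subnet topology (server at .1, first client at .2) is assumed, and the sample addresses are the ones used in the walkthrough.

```python
import ipaddress


def parse_cidr(label, value, problems):
    """Parse strictly: a host address such as 192.168.1.1/24 is rejected."""
    try:
        return ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {value!r} is not a network address: {exc}")
        return None


def check_vpn_plan(tunnel, local_nets, client_side_nets=(), concurrent=1):
    """Return a list of problems; an empty list means the plan is consistent.

    tunnel           -- the wizard's "Tunnel Network" field
    local_nets       -- networks entered in the "Local Network" field
    client_side_nets -- networks the remote client is attached to (hotspot, hotel Wi-Fi)
    concurrent       -- the "Concurrent Connections" value
    """
    problems = []
    tun = parse_cidr("tunnel network", tunnel, problems)
    lans = [parse_cidr("local network", v, problems) for v in local_nets]
    lans = [n for n in lans if n is not None]
    remotes = [parse_cidr("client-side network", v, problems) for v in client_side_nets]
    remotes = [n for n in remotes if n is not None]
    if tun is None:
        return problems

    # The tunnel must be a subnet that is not already in use on the LAN side.
    for lan in lans:
        if tun.overlaps(lan):
            problems.append(f"tunnel {tun} overlaps local network {lan}")

    # Assumed subnet topology: network, broadcast and the server's own
    # address are not available to clients.
    capacity = tun.num_addresses - 3
    if capacity < concurrent:
        problems.append(f"tunnel {tun} holds {capacity} clients, {concurrent} requested")

    # If the client's own network uses the same range as a pushed route,
    # the client cannot tell local hosts from hosts behind the tunnel.
    for remote in remotes:
        for net in [tun, *lans]:
            if remote.overlaps(net):
                problems.append(f"client-side {remote} overlaps {net}; routes collide")
    return problems


def first_client_address(tunnel):
    """Address handed to the first client under the assumed subnet topology."""
    net = ipaddress.ip_network(tunnel, strict=True)
    return str(net.network_address + 2)


if __name__ == "__main__":
    # Values from the walkthrough, plus a constructed client-side network.
    print(check_vpn_plan("192.168.2.0/24", ["192.168.1.0/24"]))
    print(first_client_address("192.168.2.0/24"))
    print(check_vpn_plan("192.168.2.0/24", ["192.168.1.0/24"], ["192.168.1.0/24"]))
```

The third call shows a case the wizard cannot detect: a remote network that happens to use the same range as the home LAN.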
Info
Channel: Stefan Rows
Views: 30,333
Keywords: OpenVPN on pfSense, Openvpn guide, openvpn on pfsense, install openvpn on pfsense, openvpn step by step guide, openvpn beginner guide, openvpn pfsense beginner guide, openvpn tutorial, configure openvpn on pfsense, setup openvpn on pfsense, openvpn setup guide, openvpn anleitung, openvpn auf pfsense installieren
Id: N_EOMP0mmEA
Length: 22min 5sec (1325 seconds)
Published: Fri May 07 2021