¶ Client config
vim /etc/openvpn/client.conf
client
dev tun
proto udp
remote vpn.domain.com 1994
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
ca /etc/openvpn/client/something.crt
;cert client.crt
;key client.key
remote-cert-tls server
;tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
;mute 20
auth SHA256
auth-user-pass /etc/openvpn/client/.vpnlogin.txt¶ pfSense OpenVPN Server
¶ Create Server Certificate
1. Create a new certificate by selecting the ‘Add/Sign’ button on the ‘System / Certificate Manager / Certificates’ page.
2. Make sure the highlighted fields match OR are populated with the information that corresponds to you.
- Set the ‘Certificate Authority’ to the CA you have created for your OpenVPN servers.
- I have the ‘Lifetime (days)’ set higher than the recommended time only because… I just don't care and I don't wanna issue a new cert within the next year.
- Fill out the Country Code, State, CIty, etc. accordingly.
- Set the ‘Certificate Type' to ‘Server Certificate’ since this cert will be for a OpenVPN server.
¶ Peer to Peer (SSL/TLS)
1. Create a new OpenVPN server by selecting the ‘Add’ button on the ‘VPN / OpenVPN / Servers’ page.
2. I will be using the following settings. Modify yours as necessary.
¶ Custom Options
push "dhcp-option DOMAIN int.example.com";
push "route 10.0.0.0 255.255.0.0";¶ pfSense OpenVPN Client
¶ Peer to Peer (SSL/TLS)
1. Create a new OpenVPN client by selecting the ‘Add’ button on the ‘VPN / OpenVPN / Clients’ page.
2. I will be using the following settings. Modify yours as necessary.
¶ Giganews / VyprVPN
1. Download the Giganews Certificate Authority certificate to your local machine.
wget -O ca.vyprvpn.com.crt https://www.giganews.com/vyprvpn/ca.vyprvpn.com.crt2. In pfSense, go to ‘System’ → ‘Cert. Manager’
3. Under ‘CAs', select ‘Add’
4. Give the new CA a descriptive name and set ‘Method’ to ‘Import an existing Certificate Authority’
5. Open the CA we download in Step 1 with a text editor, copy ALL of the contents of the file.
Meaning:
-----BEGIN CERTIFICATE-----
. . . . .
rZUsdGGfG+HSPsrqFFiLGe7Y4e2+a7vGdSY9qR9PAzyx0ijCCrYzZDIsb2dwjLct
Ux6a3LNV8cpfhKX+s6tfMldGufPI7byHT1Ybf0NtMS1d1RjD6IbqedXQdCKtaw68
kTX//wIDAQABo2MwYTAdBgNVHQ4EFgQU2EbQvBd1r/EADr2jCPMXsH7zEXEwHwYD
. . . . .
-----END CERTIFICATE-----
6. Paste the CA into the ‘Certificate data’ field. Click ‘Save’.
7. Navigate to OpenVPN → Clients
8. Click ‘Add’
9. Change the highlighted fields as indicated below. Populate fields such as ‘Server host or address’, ‘Server Port’ and ‘Description' with your own data accordingly.
This configuration is set to not pull routes from the VPN server. I will be using this VPN as an optional gateway and controlling what traverses it via pfSense firewall rules (tagging).
- Server host or address: This either the IP address or hostname of the server you will be connecting to. [1.2.3.4] or [vpn-server.example.com]
- Server port: The port on the server that is listening for clients. (OpenVPN is 1194 by default)
- Description: A descriptive name for this VPN client on the pfSense box.
- Username: Your Giganews username.
- Password: Your Giganews password.
- TLS Configuration: This box must be unchecked.
- Peer Certificate Authority: Set this to the CA we imported at the beginning.
- Data Encryption Negotiation: Disable cryptographic algorithm negotiation.
- Data Encryption Algorithms: Only AES-256-CBC should be in the right-side box. (As of the time of writing this, the Giganews/VyprVPN servers will only allow this algorithm. (There are a few others, but this is the most secure))
- Hardware Crypto: Enable this if your hardware supports it.
- Allow Compression: Set to ‘Compress packets’.
- Compression: Set to ‘Adaptive LZO Compression'.
- Don't pull routes: I checked this because I don't want all of the firewall's outbound traffic to traverse the VPN. I'm going to route traffic based on which internal host it comes from.
- Custom options: These options are optional, but recommended. I advise Googling each option, but likely, you'll want them in your config.
resolv-retry infinite
keepalive 10 60
persist-key
persist-tun
persist-remote-ip
verify-x509-name ca1.vpn.giganews.com name
verb 3
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
- Gateway creation: I select ‘IPv4 only’ because I only use IPv4.
10. Save the configuration. The OpenVPN Client should start automatically. Using the ‘Services Status’ and ‘OpenVPN’ widgets on the home screen will give basic details about the client's status. If the client won't start, check the logs. It's usually pretty obvious about what the issue may be.