This article describes how to build an OpenVPN server with SSL/TLS + User Auth authentication on pfSense release 2.4.3-p1, so that a client must present both a certificate signed by our CA and a valid username and password.

Create 3 certificates

CA certificate: System -> Cert. Manager. Press the green Add button at the bottom to create the CA certificate and fill in the fields as follows:
Method: Create an Internal Certificate Authority
Key Length: 2048
Digest Algorithm: sha256
Lifetime: 3650
Country Code: IT
State or Province: <your data>
City: <your city>
Organization: <company>
Email Address: <email>
Common Name: <optional>

Click Save.

Certificate for the server: System -> Cert. Manager -> Certificates. Click the green Add button; the form is the same as the previous one, but set the certificate type to Server Certificate and sign it with the CA just created.

User certificate: as above, but select a client (user) certificate instead of a server certificate.

VPN -> OpenVPN -> Wizard: in the first screen, select Local User Access as the authentication backend and click Next.

Select the CA certificate just created and click Next; select the server certificate and click Next; then select the WAN interface, the UDP protocol (or TCP), port 1194 (the default, but any other port is fine) and give the server a description.

Click Next and continue with the server configuration:
IPv4 Tunnel Network: the virtual network that OpenVPN will assign to the clients.
IPv4 Local Network: the LAN network behind the firewall, for example 192.168.0.0/24.
Optionally tick the option that forces all client-generated traffic through the tunnel.

Leave everything else at its default and save. To export user certificates we recommend installing the openvpn-client-export package from System -> Package Manager -> Available Packages.

To create the user: System -> User Manager. Create the user by entering a username, a password and the full name, tick the checkbox to create a certificate for the user, and select the CA certificate as the certificate authority.

It is possible to create a group called VpnUsers and put all VPN users in it.

To export the user profile: VPN -> OpenVPN -> Client Export.

In the Host Name field enter the public IP of the WAN; further down, the list of users with a valid certificate appears. The blue buttons download the client package most suitable for your device.
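As an added check that is not part of the original article: a small Python script that inspects an exported .ovpn profile and reports whether it carries everything the SSL/TLS + User Auth mode configured above needs (credentials prompt, server-certificate check, CA, user certificate and key, control-channel key). The directive names are the standard OpenVPN ones; the sample profile is constructed and its PEM bodies are placeholders.

```python
import re

# Constructed sample shaped like a pfSense client-export profile for
# SSL/TLS + User Auth mode; PEM bodies are placeholders, not real keys.
SAMPLE_OVPN = """\
client
remote 203.0.113.10 1194 udp
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
PLACEHOLDER
</tls-auth>
"""

# Inline PEM blocks such as <ca>...</ca> or <tls-auth>...</tls-auth>.
BLOCK_RE = re.compile(r"<(\w[\w-]*)>\n(.*?)</\1>\n?", re.S)


def check_profile(text):
    """Return a list of problems; empty means the profile is complete."""
    problems = []
    blocks = {m.group(1): m.group(2).strip() for m in BLOCK_RE.finditer(text)}
    # Plain directives are the first token of each line once blocks are removed.
    directives = {ln.split()[0] for ln in BLOCK_RE.sub("", text).splitlines()
                  if ln.strip() and not ln.lstrip().startswith(("#", ";"))}
    # auth-user-pass is the "+ User Auth" half; remote-cert-tls makes the client
    # insist that the peer presents a certificate created as a Server Certificate.
    for d in ("client", "remote", "auth-user-pass", "remote-cert-tls"):
        if d not in directives:
            problems.append(f"missing directive: {d}")
    for b in ("ca", "cert", "key"):  # the certificate half of the login
        if not blocks.get(b):
            problems.append(f"missing or empty inline block: <{b}>")
    if not (blocks.get("tls-auth") or blocks.get("tls-crypt")):
        problems.append("no tls-auth/tls-crypt key: control channel unauthenticated")
    return problems
```

Run it against the .ovpn downloaded from Client Export; a profile that passes still needs the firewall rules below before clients can connect.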

Do not forget to:

  • Open the port on the WAN: a firewall rule on the WAN interface that allows the protocol and port chosen above (UDP 1194 by default) to the WAN address.
  • Enable traffic on the OpenVPN interface: a pass rule on the OpenVPN firewall tab, otherwise connected clients cannot reach the LAN.