This guide describes how to build an OpenVpn server with authentication SSL / TLS + Auth with OPNsense 19.7
Through your OPNSense firewall you can allow your device, PC, smartphone, tablet, notebook or MAC to connect to your office remotely; it will be sufficient to be able to access the Internet from your device and through the VPN that we are going to configure it will be like having the device connected to your LAN in a secure and encrypted way.
The three basic steps will be:
Create the OpenVPN “server”
Create the users, one for each device / user that you want to connect to the remote LAN.
Download the files needed to configure your OpenVPN client on your device (link)
Hardware and software used:
Applicable from OPNsense 19.X onwards.
A working installation is required
All our hardware is compatible with this guide: https://www.miniserver.it/firewall
Create the OpenVPN Server
First we create the OpenVpn server, select from the menu VPN -> OpenVPN -> Server.
From here we click on the button “Use a wizard to setup a new server”.
First we are asked where to look for users who will authenticate themselves on the VPN Server. In our example we will use local users to the Firewall, then select “Local User Access” and click “Next”.
Then we will be asked to select a CA. If we have already configured a CA we can choose the one we want from the drop-down menu, but if it does not exist yet, we must create one by clicking on Add new CA.
We fill in all fields, it is not necessary to be precise, we just have to respect the correct format. In particular, in the email field, we insert a syntactically correct email address, but it does not need to really exist. So we click Next.
At this point we have to create the OpenVPN Server certificate, without hesitation click on “Add new Certificate”.
Enter the name of the certificate, for example rw2, or rw2cert leave the rest unchanged (precompiled by the choices made during the creation of the CA) and click Next.
From the interface menu, I do not recommend selecting the external interface, in most cases the “WAN”. If you have multiple WANs, select any. Protocol select UDP, the default port is 1194, modifiable as you wish. In description enter a short description.
You can Leave everything else with the default.
Instead, it is important to correctly configure the networks. The IPv4 Tunnel Network must be a network dedicated to the VPN, therefore it must not conflict (therefore be different) with any other network involved in the firewall. Therefore choose a different network from all those you use. In this example we used 10.10.94.0/24 (use only the CIDR format: network- address / mask).
Select both checkboxes to create all the rules necessary to make the VPN work. These rules can be modified and customized later, in fact they are very normal OPNSense firewall rules.
Once we clicked Next and then we are done creating the OpenVPN Server.
To this we can create all the users we need. In this guide we will create only one, but the procedure applies to all the users we want.
Let’s go to: System -> Access -> Users
Click on “+ Add” and enter the user name and password (repeated twice)
At this point, always on this page, remember to select the “Certificate” flag, otherwise the VPN will not work.
After entering the user password and having flagged the Certificate field, click on “Save”, thus doing OPNSense will make you create a certificate for your user.
In the Descriptive name field, enter a name. For example rw1 or rw1-mycert, if you like leave the rest unchanged and click on “Save”.
This will create the certificate associated with your user and return to the view. Under User Certificate you can see the row for the newly created certificate. Click on “Save”. And you have finished.
Firewall configuration is complete. Now you need to export the configuration files to be fed to the OpenVPN client that you will install on your device.
Download files needed to configure the OpenVPN client
To download the configuration files with the certificates, go to VPN -> OpenVPN -> Client Export.
Select the desired OpenVPN server from the drop-down menu; in our example there will be only one and therefore there is nothing to choose from.
Export type: select “archive” if you need to configure a Microsoft PC or notebook (as in most cases), or “File Only” if you need to configure a smartphone, or the files for specific programs.
The port must be the one chosen in the OpenVpn server, in our example 1194.
Warning, “hostname” must always be the public IP with which your Internet connection is configured, whether or not
OpnSense has this IP configured on the WAN,
OpnSense has a private IP and a gateway that points to your Internet provider’s router.
In the second case, it will be essential to request port forwarding of ports 1194 to the WAN IP of your OpnSense.
At this point at the bottom you will find the list of users you have configured and on the right side of the corresponding row, you will find the download icon. Click on it and download the file.
We are done, you just have to install OpenVPN and feed your ClientOpenVpn the files you just downloaded. To do this you can follow our guide:
For PC: https://blog.miniserver.it/en/pfsense-and-openvpn-configuration-on-windows-pc/
For MAC: https://blog.miniserver.it/en/pfsense-and-openvpn-configure-our-apple-mac-with-tunnelblick/
For iPhone: https://blog.miniserver.it/en/pfsense-configurazione-openvpn-su-apple-iphone-tablet-e-ios/