{"id":15595,"date":"2018-07-25T10:47:35","date_gmt":"2018-07-25T10:47:35","guid":{"rendered":"https:\/\/www.firewallhardware.it\/creare-una-vpn-road-warrior-client-to-gateway-con-pfsense-e-openvpn\/"},"modified":"2019-11-11T11:26:26","modified_gmt":"2019-11-11T11:26:26","slug":"create-a-road-warrior-vpn-client-to-gateway-with-pfsense-and-openvpn","status":"publish","type":"post","link":"https:\/\/blog.miniserver.it\/en\/firewall\/create-a-road-warrior-vpn-client-to-gateway-with-pfsense-and-openvpn\/","title":{"rendered":"Create a Road Warrior VPN (client-to-gateway) with PfSense and OpenVpn"},"content":{"rendered":"

[vc_row css=”.vc_custom_1517220328543{margin-top: 30px !important;}”]This article describes how to build an OpenVpn server with
\nSSL\/TLS + Auth authentication with PfSense Release 2.4.3.p1JTVCYWRyb3RhdGUlMjBiYW5uZXIlM0QlMjIzJTIyJTVE<\/p>\n

Create 3 certificates<\/h3>\n

[vc_separator border_width=”2″ css=”.vc_custom_1519892703184{margin-top: -20px !important;}”]CA certificate: System<\/strong> -> Cert.Manager<\/strong> reward the green “ADD” button below to create the CA certificate and fill in the fields as shown in the figure:[vc_single_image image=”15569″ img_size=”full” alignment=”center” onclick=”link_image” css=”.vc_custom_1539338165581{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”]Method<\/strong>: Create an Internal Certificate Authority
\nKey Length<\/strong>: 2048
\nDigest Algorithm<\/strong>: sha256
\nLifetime<\/strong>: 3650
\nCountry Code<\/strong>: IT
\nState or Province<\/strong>: \u00a0<your data>
\nCity<\/strong>: <your city>
\nOrganization<\/strong>:< Company>
\nEmail Address<\/strong>: <email>
\nCommon Name<\/strong>: < optional><\/p>\n

Click on Save.<\/strong>[vc_separator border_width=”2″ css=”.vc_custom_1519892703184{margin-top: -20px !important;}”]Certificate for the server: System<\/strong> \u00e0 Cert.Manager<\/strong> \u00e0 certificates<\/strong>, click here on the green Add button, the screen is the same as the previous one but follow this guidelines on this image:[vc_single_image image=”15573″ img_size=”full” alignment=”center” onclick=”link_image” css=”.vc_custom_1539338177506{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”]User certificate: as above but select Client certificate instead of server.
\nVPN <\/strong>\u00e0 Openvon<\/strong> \u00e0 Wizard<\/strong>: in the first mask that appears select local user access[vc_single_image image=”15575″ img_size=”full” alignment=”center” onclick=”link_image” css=”.vc_custom_1539338187609{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”]Click on “Next<\/strong>“<\/p>\n

Select the CA certificate created, click “Next” select the server certificate, click “Next” select the WAN interface, the UDP protocol (or TCP) and the 1194 port (this is the default one but you can put the one you prefer), and finally a description of the server.[vc_single_image image=”15577″ img_size=”full” alignment=”center” onclick=”link_image” css=”.vc_custom_1539338195746{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”]Click on the end and go on: for the server configuration we leave you to the following images[vc_single_image image=”15593″ img_size=”full” alignment=”center” onclick=”link_image” css=”.vc_custom_1539338205368{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”][vc_single_image image=”15591″ img_size=”full” alignment=”center” onclick=”link_image” css=”.vc_custom_1539338218747{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”]IPv4 Tunnel network: <\/strong>the virtual network that will use OpenVPN. IPv4 local network: <\/strong>the LAN network of the firewall, for example “192.168.0.0\/24”. <\/strong>You can click, if you want, to force all the client generated trafic throught the tunnel. <\/strong>Leave everything as default as in the images below and then save everything.[vc_single_image image=”15589″ img_size=”full” alignment=”center” css=”.vc_custom_1532589489117{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”][vc_single_image image=”15587″ img_size=”full” alignment=”center” onclick=”link_image” css=”.vc_custom_1539338227365{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”]To export user certificates, we recommend installing openvpn-client-export<\/strong> from System -> package Manager<\/strong> and selecting Available packages<\/strong>.<\/p>\n

To create the user: System -> User Manager<\/strong> create the user by entering the values \u200b\u200bby name, a password, full name, click the check on certifacte to create the certificate for the user, in certificate authority, select the CA certificate..<\/p>\n

It is possible to create a group called VpnUsers<\/strong> and then confine all vpn users in it.[vc_single_image image=”15585″ img_size=”full” alignment=”center” onclick=”link_image” css=”.vc_custom_1539338236525{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”]To export the user: VPN \u2013> Openvpn<\/strong>\u00a0\u00e0client export<\/strong><\/p>\n

In the window Host name<\/strong> you will have to put the public IP of the WAN; going down, the list of users created with a valid certificate will appear. Pressing on the blue buttons will allow us to download the most suitable application for our device..[vc_single_image image=”15583″ img_size=”full” alignment=”center” onclick=”link_image” css=”.vc_custom_1539338250597{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”]<\/p>\n

Do not forget to:<\/h3>\n

[vc_separator border_width=”2″ css=”.vc_custom_1519892703184{margin-top: -20px !important;}”]<\/p>\n

    \n
  • Open the port on the WAN<\/li>\n<\/ul>\n

    [vc_single_image image=”15581″ img_size=”full” alignment=”center” onclick=”link_image” css=”.vc_custom_1539338258750{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”]<\/p>\n

      \n
    • Enable traffic on the OpenVPN interface<\/li>\n<\/ul>\n

      [vc_single_image image=”15579″ img_size=”full” alignment=”center” onclick=”link_image” css=”.vc_custom_1539338267682{margin-top: -20px !important;padding-top: 10px !important;padding-right: 10px !important;padding-bottom: 10px !important;padding-left: 10px !important;background-color: #f4f4f2 !important;}”]<\/p>\n","protected":false},"excerpt":{"rendered":"

      This article describes how to build an OpenVpn server with SSL\/TLS + Auth authentication with PfSense Release 2.4.3.p1<\/p>\n","protected":false},"author":11,"featured_media":13991,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[123,128],"tags":[137,138],"class_list":["post-15595","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-firewall","category-hardware","tag-opnsense-en","tag-pfsense-en"],"_links":{"self":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/15595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/comments?post=15595"}],"version-history":[{"count":8,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/15595\/revisions"}],"predecessor-version":[{"id":18968,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/15595\/revisions\/18968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/media\/13991"}],"wp:attachment":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/media?parent=15595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/categories?post=15595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/tags?post=15595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}