OpenVPN Step-by-Step Setup for pfSense aes256/Strong [firewall/router]

( NOTE: At this point all of the steps have been updated for the new configurations!  Only the video and the picture are still out of date. )

NOTE: Updates to this guide will assume you are using pfSense 2.3.1-RELEASE-p5

OpenVPN Setup on pfSense [firewall/router]
=============================================

pfSense is an open source firewall/router computer software distribution based on FreeBSD. - Source wikipedia.org


Video...
...showing the following steps being done within pfSense webConfigurator
=============================================
    - http://youtu.be/_lMl_fN3n28 ( ***out of date*** )

For pfSense aes128 Setup - click here
For Debian based Linux Distributions - click here
For Manjaro Linux Setup - click here


Instructions
Setting up OpenVPN on pfSense [firewall/router]
=============================================

Color Key
=============================================
Things highlighted in yellow are commands to be executed in the terminal
Things highlighted in blue are to be clicked
Things highlighted in green are to be typed
Things highlighted in violet are to be pressed on the keyboard
Things highlighted in grey are showing output


First start by downloading openvpn-strong.zip from...
    - https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
    - After unzipping openvpn-strong.zip, this supplies PIA's "ca.rsa.4096.crt" file.

Log into pfSense webConfigurator
    - https://pfsense-LAN-IP/index.php
    - Ex. https://192.168.1.1/index.php


Prevent DNS leaks by setting PIA DNS only
pfSense Setup Wizard - Video - http://youtu.be/MYXpAnDdEaI
=====================
    - Click "System"
    - Click "Setup Wizard"
    - Click "Next"
    - Click "Next"
    - For "Primary DNS Server:" type in "209.222.18.218"
    - For "Secondary DNS Server:" type in "209.222.18.222"
    - "Override DNS:" [unchecked]
    - Click "Next"
    - Click "Next"
    - Scroll to the bottom and click "Next"
    - Click "Next"
    - "Admin Password AGAIN:" type in your pfSensePassword for the WebGUI
    - Click "Next"
    - Click "Reload" and wait
    - Click the 2nd "here" where it says...
        - "Click here to continue on to pfSense webConfigurator"

Once pfSense loads up the "Status / Dashboard" your DNS section should look as follows:
    - DNS server(s)    209.222.18.218
                              209.222.18.222



"PIA-CA-aes256" Installation
=====================
    - Click "System"
    - Click "Cert. Manager"
    - Click "CAs"
    - Click "+ Add"
    - "Descriptive name" type in "PIA-CA-aes256"
    - "Method" select  "Import an existing Certificate Authority"
    - "Certificate data" - (paste in all the content from the ca.rsa.4096.crt file)


    - "Certificate Private Key (optional)" = (leave blank)
    - "Serial for next certificate" = (leave blank)
Now click "Save"


NOTE: The following password is not valid...
...so don't waste your time trying it.  ;)

Write your "p"-username and password into the /etc/openvpn-passwd.txt file
=====================
    - Click "Diagnostics"
    - Click "Command Prompt"
    - Under "Execute Shell Command" click into the "Command" box and type the following, replacing the example username p2099690 and password JkY6UgYHa5 with your own credentials:
         echo "p2099690" > /etc/openvpn-passwd.txt; echo "JkY6UgYHa5" >> /etc/openvpn-passwd.txt
    - Click "Execute"
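The same step as a small POSIX sh script, added here as an example and not part of the original guide: it writes the two-line credentials file that "auth-user-pass" reads, creates it owner-only before the plaintext lands on disk, and checks the result. The file path is a parameter (assumed) so it can be tried outside /etc; the username/password values are the guide's invalid sample ones.

```shell
#!/bin/sh
# Constructed example: write the PIA "p"-username and password into the file
# that the "auth-user-pass" custom option points at, then verify it.

# write_pia_creds FILE USERNAME PASSWORD
write_pia_creds() {
    file=$1; user=$2; pass=$3
    # Refuse an obviously wrong username: PIA logins look like "p1234567".
    case "$user" in
        p[0-9]*) ;;
        *) echo "username '$user' does not look like a PIA p-username" >&2; return 1 ;;
    esac
    # Make the file unreadable by anyone but the owner before data is written,
    # rather than chmod'ing after the password is already on disk.
    old_umask=$(umask)
    umask 077
    printf '%s\n%s\n' "$user" "$pass" > "$file" || return 1
    umask "$old_umask"
    chmod 600 "$file"
}

# check_pia_creds FILE -> prints "ok" when the file has exactly two lines
# (username, then password) and mode 600; otherwise reports the problem.
check_pia_creds() {
    file=$1
    lines=$(wc -l < "$file" | tr -d ' ')
    [ "$lines" -eq 2 ] || { echo "expected 2 lines, found $lines" >&2; return 1; }
    # GNU stat first (-c), then BSD stat (-f) as used on pfSense/FreeBSD.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$mode" = "600" ] || { echo "mode is $mode, expected 600" >&2; return 1; }
    echo ok
}

# Usage on the firewall (the guide's path):
#   write_pia_creds /etc/openvpn-passwd.txt p2099690 JkY6UgYHa5 && check_pia_creds /etc/openvpn-passwd.txt
```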

   
Create OpenVPN Client
=====================
    - Click "VPN"
    - Click "OpenVPN"
    - Click the "Client" tab
    - Click "+ Add"

Configure as follows...
    - "Disabled" = [unchecked]
    - "Server Mode" = "Peer To Peer (SSL/TLS)"
    - "Protocol" = "UDP"
    - "Device Mode" = "tun"
    - "Interface" = "WAN"
    - "Local Port" = (leave blank)

Choose a server for "Server host or address" from the PIA list here...
    https://www.privateinternetaccess.com/pages/network/#

    - "Server host or address" = "us-east.privateinternetaccess.com"
    - "Server Port" = "1197"
    - "Proxy host or address" = (leave blank)
    - "Proxy port" = (leave blank)
    - "Proxy authentication extra options" = none
    - "Server host name resolution" = [check] "Infinitely resolve server"
    - "Description" = "PIA OpenVPN aes256"
    - "TLS Authentication" = [uncheck] "Enable authentication of TLS packets."
    - "Peer Certificate Authority" = "PIA-CA-aes256"
    - "Client Certificate" = "webConfigurator default *In use"
    - "Encryption algorithm" = "AES-256-CBC (256-bit)"
    - "Auth Digest Algorithm" = "SHA256 (256-bit)"
    - "Hardware Crypto" = "No Hardware Crypto Acceleration"
    - "IPv4 Tunnel Network" = (leave blank)
    - "IPv6 Tunnel Network" = (leave blank)
    - "IPv4 Remote Network/s" = (leave blank)
    - "IPv6 Remote Network/s" = (leave blank)
    - "Limit outgoing bandwidth" = (leave blank)
    - "Compression" = choose "Enabled with Adaptive Compression"
    - "Type-of-Service" = [unchecked]
    - "Disable IPv6" [check] "Don't forward IPv6 traffic."
    - "Don't pull routes" = [unchecked]
    - "Don't add/remove routes" = [unchecked]
    - Under "Advanced Configuration" for "Custom options" type the following in the box:

auth-user-pass /etc/openvpn-passwd.txt;
verb 5;
remote-cert-tls server

    - "Verbosity level" = default
Now click "Save"


Create OpenVPN interface
=====================
    - Click "Interfaces"
    - Click "(assign)"
    - "Available network ports:" select "ovpnc1(PIA OpenVPN aes256)". Note: If you already set up aes128, this will be listed as "ovpnc2(PIA OpenVPN aes256)"
    - Click "+ Add"
   
Note: The new interface will be named "OPT1" or "OPT2" with a network port of "ovpnc1(PIA OpenVPN aes256)" or "ovpnc2(PIA OpenVPN aes256)"
   
    - Click on "OPT1" or "OPT2" to edit the interface

Configure as follows...
    - "Enabled" = [check]
    - "Description" = "OpenVPN_aes256_Interface"
    - "IPv4 Configuration Type" = none
    - "IPv6 Configuration Type" = none
    - "MAC address" = (leave blank)
    - "MTU" = (leave blank)
    - "MSS" = (leave blank)
    - "Block private networks" = [unchecked]
    - "Block bogon networks" = [unchecked]
Now click "Save"
Now click "Apply changes"


NAT Settings
=====================
    - Click "Firewall"
    - Click "NAT"
    - Click the "Outbound" tab
    - For "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)"...
        - put a (dot) in the radio button
Now click "Save"


The next step is to duplicate each of these rules...
    - but change the NAT Address from WAN to OpenVPN_aes256_Interface
    - Start with the first "WAN" rule by clicking the copy icon ( looks like a square in front of another square ) immediately to the right of the line to "Add a new NAT based on this one"

A new page will open. Configure it as follows...
    - "Disabled" = (do not change) [unchecked]
    - "Do not NAT" = (do not change) [unchecked]
    - "Interface" = OpenVPN_aes256_Interface
    - "Protocol" = (do not change)
    - "Source" = (do not change)
    - "Destination" = (do not change)
    - "Translation" = (do not change)
    - "No XMLRPC Sync" = (do not change)
    - "Description" = Made for PIA_OpenVPN_aes256
Now click "Save"

IMPORTANT!  Repeat this process for each of the other rules.
    - When completed, it should resemble the following...
    - http://i.imgur.com/zoVTbUr.png ( ***out of date*** )
Now click "Apply changes" at the top of the page

    The changes have been applied successfully.
    You can also monitor the filter reload progress.


Verify OpenVPN Service
=====================
At this point, your system is configured. Restart your OpenVPN service to be sure.
    - "Status"
    - "OpenVPN"
    - "Status" should be "UP" (but it may be DOWN)
        - Click the "Restart OpenVPN Service" button no matter what the status is.
        - It's the button that looks like an arrow bent into a circle to the right of the service.
    - "Status" should be "UP" now


Reboot the pfSense firewall now
=====================
    - "Diagnostics"
    - "Reboot"
    - "Reboot"
    - "OK"

Rebooting
Page will automatically reload in 90 seconds

   
Verify OpenVPN initialized correctly by checking System Logs
=====================
    - "Status"
    - "System Logs"
    - Click the "OpenVPN" tab
    - Scroll down and look for "Initialization Sequence Completed" similar to the following:

Jul 17 21:10:43     openvpn     3328     Initialization Sequence Completed
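A scripted version of this log check, added here as an example and not from the guide: it reports whether "Initialization Sequence Completed" was logged and also pulls out the "used inconsistently" warnings (cipher, auth, link-mtu) that readers report in the comments below, since a tunnel can come UP with those and still drop later. The sample log lines are constructed from the excerpts on this page.

```shell
#!/bin/sh
# Constructed example: scan an OpenVPN log excerpt (as shown under
# Status / System Logs / OpenVPN) for the "Initialization Sequence Completed"
# line and for option-mismatch warnings between client and server.

# vpn_log_verdict LOGFILE -> prints UP, UP-WITH-WARNINGS or NOT-READY
vpn_log_verdict() {
    log=$1
    if ! grep -q 'Initialization Sequence Completed' "$log"; then
        echo NOT-READY; return 1
    fi
    if grep -q "WARNING: '.*' is used inconsistently" "$log"; then
        echo UP-WITH-WARNINGS; return 2
    fi
    echo UP
}

# vpn_log_mismatches LOGFILE -> one "option local remote" line per warning,
# e.g. "cipher AES-256-CBC BF-CBC", so the two sides can be compared quickly.
vpn_log_mismatches() {
    sed -n "s/.*WARNING: '\([^']*\)' is used inconsistently, local='[^ ]* \([^']*\)', remote='[^ ]* \([^']*\)'.*/\1 \2 \3/p" "$1"
}

# Sample log (constructed from the lines quoted on this page).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 13 22:30:37 openvpn 74217 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jan 13 22:30:37 openvpn 74217 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jul 17 21:10:43 openvpn 3328 Initialization Sequence Completed
EOF

vpn_log_verdict "$SAMPLE_LOG"     # UP-WITH-WARNINGS
vpn_log_mismatches "$SAMPLE_LOG"  # cipher AES-256-CBC BF-CBC / auth SHA256 SHA1
```

On the firewall, point the functions at the log file itself (e.g. /var/log/openvpn.log on pfSense 2.3) instead of the sample.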

       
Test by opening your Internet browser and going to...
=====================
    - https://www.privateinternetaccess.com/pages/whats-my-ip/
    - https://ipleak.net
    - http://dnsleak.com
    - http://ipv6leak.com

Enjoy!


To donate, please scan the QR code to the left or send bitcoins to the following address:
17ioPjLoCLDsUKwNpGV9dGtnLmpM8ioyUn

Comments

  • * Please let me know if I have made any errors.  I will try to double check these steps within the next few days if I get a chance.

    Enjoy!
  • pfSense 2.3.1 has the ability to fill in the username & password in the web GUI for the OpenVPN client; I think you can skip the step " Write your "p"-username and password into the /etc/openvpn-passwd.txt file ".
  • Thanks jiunnyik, seems I completely missed that pfSense now has the Username and  fields under the "User Authentication Settings" section of the OpenVPN Client configuration page!  Nice catch!
  • * Please let me know if I have made any errors.  I will try to double check these steps within the next few days if I get a chance.

    Enjoy!
    Do you know why this setup seems to drop the VPN connection at random times? I have done 5 factory resets and it still drops the VPN... I get these warnings in the log:

    Jan 13 22:30:37 openvpn 74217 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
    Jan 13 22:30:37 openvpn 74217 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
    Jan 13 22:30:37 openvpn 74217 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
    Jan 13 22:30:37 openvpn 74217 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

