Tutorial: pfsense OpenVPN Configuration For Remote Users 2020

At the 3:30 mark I meant to say "Leave it at the UDP default, not the TCP Default.

How the heck am I constantly watching your videos, but not subscribed? You've helped me so much with PFSense setup. Thanks dude!!

I'm glad you had certs already configured. I don't. I skipped over it even though its probably important.

About the TCP vs UDP questions: there is no need to use TCP here since all connections your vpn clients make will assume that the network is "unreliable" and therefore themselves use TCP to guarantee packet delivery. Using TCP to carry OpenVPN just adds unnecessary overhead to the connection. For this reason - always use UDP for OpenVPN by default.
(Use case for TCP could be for example to host OpenVPN at port 443/TCP (https port) which may bypass some restictive firewalls etc)

Você podia criar um livro sobre a configuração do PFsense, muito show!

Thank you for the video, but mostly thank you for the Italian flag behind you ( green+white+red) ! AWESOME!

Lots of people don't read the logs or error messages. So true.

Hey I love your videos, thank you for all you do!

Thank you Tom i found the problem, was good to look at the firewall logs as well, private networks was blocked on wan side

As always SUPER INFORMATIVE. GOOD JOB TOM.

thanks!!!! really really good content!!! greetings from mexico!!!!! im will start to use pfsense with all my clients! and this is cause u make a superb tutorials!

Thank you! Finally got it working thanks to your video! Amazing work as always. Thank you very much for your time and help!

Thank you, referred back to this many times.

Thank you tom

tunneling ipv6 over it isn't bad on it, providing you have at least one free static /64 block or more if you want multiple ovpn servers, each will need a /64 block.
I just picked whatever random /64 out of the he net/48 tunnel. of course making sure it doesn't overlap it with other lan/opt which have prefix delegations enabled for sub-routers

great video for this moment, thanks for sharing

excellent. the pfsense documentation is scary. this makes it look easy

Thanks. I learned a lot from this video.

again, another great video!

As usual, thanks!

Your videos are so good. Thank you

Your fingers do not like .40 - they most definitely default to .30
Thanks for the updated video Tom

Very well presented information. Thank you.

Thank you, very informative! If I may suggest, though, lowering your screen resolution would help tremendously viewers read text. Often times I watch TH-cam vids on my smartphone, but with yours, I have to sit in front of my PC or TV. Have a nice day!

NIce video, you made this cool feature easy to implement.

Just an FYI, I figured out the problems I was having with my site to site with key link. If you use 172.XXX.0.0/16 for the tunnel network, the gateways won't come up. If you subnet that down to /24 the gateways will (probably) come up. Mine popped to life as soon as I made the change on both ends. I didn't see that limitation in the manual, and probably no one has ever tried being that sloppy with the tunnel network.

Hi Lawrence thank you so much for your videos, I have seen your videos to strengthen my pfsense knowledge, during vpn configs, it raised a question what should be the best option to opt for between udp vs tcp?

Working Notes for self:
0:30 description of setup/goals
1:55 PFSense Wizard
VPN -> OpenVPN
(* install openvpn-client-export from System>PackageManager>AvailablePackages)
OpenVPN Rmove Access Server Setup
Tunnel Network: ensure doesn't conflict
Local Network: ?? should be list of LAN networks?
Duplicate Connections: May be useful for rapid disconnect/reconnect scenario
[NEXT] 9:20
tick firewall and openvpn rules
[NEXT] 9:32
[FINISH]
under Actions, click 'pen' to fine tune
- Certificate Depth: 10:11
10:52 Client Export
Remote Access Server (essentially list of VPNs created)
18:53 Trouble Shooting
*read error messages*
Status>System Logs>OpenVPN
*BackUp*
Diagnostics>Backup & Restore
- See connected users:
VPN>OpenVPN>{top right bar-graph icon}
AND/OR
Dashboard>[+]>OpenVPN

Hi Tom, what are your thoughts on correct open VPN settings for OpenVPN Client using PIA servers with regards to mssfix, link-mtu and tun-mtu in order to prevent IP fragmentation?
(WAN is PPPoE with MTU of 1492). Do these need to be set manually or just let OpenVPN figure it out? This is pfSense 2.5.0 dev version. Thanks from Australia. 🦘

Thank you sir :)

Thanks!

Worked great. Would help to show how to add a user though.

I found your guide useful for adding remote access (windows) what I am having trouble pinning down is a step by step guide for adding site to site tunnels where the remote end is not pfsense (ie uses ipsec etc). There is a fair bit of info but nothing from beginning to end that I can see ?

Do u have a video where u show how u installed pfsense for this network?

Thank you tom. Perfect tutorial. If i set the local network in the openvpn wizard to a vlan network. Is then the client automatically in the right vlan and has access? Is there any other step necessary? My plan is to create the vpn direct in the vlan.

HI, I m glad full for your work, it really helps a lot but I think the whole Clients part is missing!

Could you make a version using LDAP? thanks love the videos!

Can you make a tutorial on L2TP with IPSec.

I is a bit confusing. You did not show how how to configure the clients.

Thank you for your videos, I very like the way you explain! I'm wondering if you could do any OpenVPN video with tap Layer 2? Thank you!

Thank you for the view this has been a lot of help, however I am not seeing any downloads, do I need to create users/clients and how do I do that

Hi is it possible to do a Site to site VPN using PFsense and Openvpn combined with remote users (also conneting thru open VPN via remote) being able to access both sites of the site to site VPN network?

Ok thats great, thanks but need to know just 1 thing i’ve been wanting to do: what do I have to do in your senario to access the windows 10 entire subnet 10.0.2.0/24 from the ovpn server end
If you can explain that in a video that would be great as that would be very useful
On a “remote access vpn server” as you have there not a site to site ovpn server

Hi, can we run VPN server on shared internet it have dynamic IP's for accessibility from Home to Office .

If you have a dual WAN setup with failover (as shown in another of your great videos), do you need to make a VPN for each WAN connection? Perhaps name the one on the failover "Backup VPN" so your users can access the VPN if the main internet connection is down?
Thanks for taking the time to make these videos.

Does this work if your ISP has a nat behind your home router?

Thank you so much very well explained, However it is not showing the OpenVPN Clients even i can't see the user and certificate name and they are created and exist? Thanking you in advance for any help if you can.

Nice video I got everything working so I decided to find out what would happen if I rekeyed a user cert with the option to regenerate a new key. I discovered that the user could still connect to OpenVPN with the old config file. ???? I assumed a a rekey would mean I would have to send this user a new config but I'm now curious- other than removing the user entirely or reassigning a password- how do you make their 'old' config invalid? thanks again for making this tutorial- well done.

Is there a way to monitor the bandwidth going through OpenVPN? I tried to see it in Ntopng, but the addresses don't show up.

Isn't TCP over TCP going to be a mess? Shouldn't we let the application handle the packet loss like it would without the VPN?
How do realtime applications behave via TCP VPN?

I assume you could create a VPN with all traffic, and another that is the same except that it does not route all traffic.

Hi lawrence, thanks for great video. Issue - My connection establish locallay nut when i try connect on any other network or mobile hotspot it fails with error (TCP: connect to [AF_INET]x.x.x.x:1194 failed: Unknown error). please suggest. thanks

You mention you did a video on authentication backend, i honestly can't find it on the pfsense playlist(i don't see it on the basic pfsense install video for example)

Can you please explain your choice of TCP over UDP?

can i get help on how to configure the openvpn on mobile phone for both android and ios?

Tom, I'm a little confused on the certificate part of the setup. Are you still using a LE signed certificate, or an internal certificate? Maybe I missed something in the instructions.
I know you have to go into "User Manager" and add a certificate then assign it in the OpenVPN server configuration , but did you make a specific LE certificate just for VPN?

If you are going to create a tutorial for configuration perhaps next time also include the certification/user creations as well

Have you ever explained how you configure your “pseudo internet” network? I’d like to use something similar in my home lab.

Having problem connecting to pfsense's openvpn from host machine. VM Wan interface is bridged but cannot ping from host although in same subnet. Any workaround? Thanks.

Your use of TCP instead of UDP, and not changing the SHA1 to SHA384 or 512 is very questionable.
But the video does show the whole OpenVPN on PFsense process well, and good job trying to explain the routing.

Hi Tom, been having a problem pinging a server that is assigned a static IP on the lan side. When connected on open VPN I can ping any lan side ips assigned via dhcp but cannot ping those assigned statically on the lan side

My internet provider puts me behind their nat (CGNAT) so it will work in that condition? pls make a video there is so much confusion there is no perfect form out there

So sorry is this LAN traffic only or does all Internet traffic get routed?

I have a question. Because the firewall I want to connect to with OpenVPN is behind another firewall (assignment for school). The connection worked before I created the second firewall but now i can't connect anymore. Do you maybe know the cause of this?

Great video but you did not talk about adding users in pfsense ...simple but some may not know.

Nice episode, but I have a problem.
I've got a client who is connected to a ISP who don't gave him a public ip adress.
This local ISP is running a sort of nat to the client, who's adresse is 192.168.35.220 !!!
So now, to get to this opensense firawall, I wrote a script to establish a reverse ssh to a DigitalOcean instance to forward the 80 and 22 ports, but is less than ideal.
Can you make a tutorial for a better solution: IpSec, or something else.
It would be greate to have ZeroTier working on Pfsense, but until now, I was unable to get it working.

Everything works as described as long as I'm connected via the same wifi network, if I try to connect over LTE I am not able to successfully connect to openvpn server..... any help?

Hi, When the "Redirect Gateway" is not check, client does not have internet connection, Could you please tell me why? thanks.

Tom, first thank you for your videos.
I have the following issue: every time the ISP changes the IP address I have to export a new config file and reinstall on the client's computers this is a no brainer if you only have one or two clients but in my case is like 15.
can you do a followup with that scenario, please?
Thanks you.

Did I space out or was there no explanation on how he signs into the VPN with auth credentials? Where do you create those accounts?

any idea why im getting TCP: connect to [AF_INET]192.168.100.111:1194 failed: Unknown error?

Hi, great video, however i face issues such as disconnecting using openVPN on my pfsense : i read that came from keepalive but, i don't how to configure this... Do you have any idea?

Where can i find the video on "Custom options" as mentioned at 22:08 ?

Is it possible to get OpenVPN to autoconnect at Win10 startup before loggging in, so that it will log in to the domain and get all the drive maps? Everything I've seen that is supposed to accomplish this hasn't worked. :(

Hi - Thanks for the Video Tutorial. I'm implementing now.
Have you heard any plans about pFSense implementing Wireguard?

What about the warning server auth-nocache, how to fix. I just installed this in my windows laptop and saw this warning.

if i don't do anything in regards to remote connectivity/administration, is setting up openvpn beneficial for me? i don't realy understand vpn's.

Is "redirect-gateway def1" on the remote config still required if redirecting all traffic?

thanks for the video.
How do i specify a local group just to use this vpn..cannot find the option.

OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-128-GCM') if you want to connect to this server.
ERROR: Failed to apply push options
Failed to open tun/tap interface
How do I fix this in OpenVPN?

damn i dont have the openvpon clientes

Im unsure if ill get a reply but I was able to get it connected. Theres a route made for the internal network but I cant ping anything. I can ping the pfsense interface(192.168.5.1) but am not able to ping the clients ip in the network(192.168.5.10). Any suggestions?

What to do when I got double-nat.....basically the WAN of pfSense is in the DMZ of my router, which then has public IP. Because in the server config the IP clients would connect to is an internal IP. Should I just change that to the public IP

Can you show your firewall rules in PFSense ?

On a client machine, like a laptop, how do you load multiple OpenVPN clients. Example, you are a tech that supports many clients and you need to access their systems ( not at the same time of course). How do you load the clients?

I have tried to use lan IP but it is not working. However, I switch to my isp IP it works. why ?

Does anyone know how to make it work using DynDNS or No-IP, cause my Public IP is Dynamic and not Static. I cant seem to make it work. What else needs to be done? Thanks!

i can't find the video about openvpn with AD

@10:58 When you do the client export you have two users "admin" and "tom" - where did those come from? I'm following the tutorial step by step and I see no users at all at this step.

Hi Tom, good video, as usual. Any chance you could do a video of configuring an open VPN site to site VPN from a Unifi USG to pfsense? i.e. Pfsense being the server and the USG initiating the VPN.

Is it possible to do this with a double NAT? If so, could you direct me to a guide or information regarding this? Thank you.

HI, on the 17.54, the username and password comes from where?

What happened to the client piece? Those don't just auto-populate.

Hello: Two questions. 1st what if I want to connect two different office as they act as just one big LAN network? 2nd can I create a VPN Tunnel between two pfsense Firewall on two office without the need to run the client on each computer?

Please help I'm getting:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

@6:31 - can you force just a few apps to route all traffic via the VPN?

Is this safe to do? Will I expose my network to the internet too much with OpenVPN?

Tom, Is there a way I can access my home NAS using this? Or maybe I am doing something wrong! Thanks man! I love your videos!!!

Hey Tom, just reviewed this video and it needs a bit of help fixing inconsistency in the setup and you jumped back and forth a couple times. Any chance this one will get a refresh?

"No Clients in export wizard" Disclaimer: I'm not an expert. I didn't know to add users under System, User manager and then a certificate for each user. Once I did that the user export wizard had a client and I moved on.