How to Set Up OpenVPN on pfSense with SSL/TLS Certificate and Username/Password

Table of Contents

1. Introduction

2. Why Use SSL/TLS + Username/Password?

3. Prerequisites

4. Step 1: Start the OpenVPN Wizard

5. Step 2: Choose ‘Local User Access (SSL/TLS + User Auth)’

6. Step 3: Create or Select Certificate Authority

7. Step 4: Create a Server Certificate

8. Step 5: Configure OpenVPN Server Settings

9. Step 6: Create User Accounts and Certificates

10. Step 7: Verify Firewall Rules

11. Step 8: Export Client Configurations

12. Step 9: Install and Connect on Windows

13. Step 10: Test Access to Internal Resources

14. Security Tips and Best Practices

15. Conclusion

Introduction

When it comes to secure remote access, using SSL/TLS certificates alongside username/password authentication significantly increases security. In the event that a password is compromised, an attacker still cannot connect without the corresponding certificate—and vice versa. This guide shows how to configure pfSense to require both factors when setting up OpenVPN.

Why Use SSL/TLS + Username/Password?

• Enhanced Security: Attackers need both a stolen certificate and valid credentials to gain unauthorized access.

• Granular Revocation: If a user leaves or a device is lost, simply revoke the user’s certificate and/or reset their password.

• Compliance: Many regulations (PCI-DSS, HIPAA) favor multi-factor authentication methods for remote connections.

Prerequisites

• pfSense firewall fully installed and updated.

• Administrative access to the pfSense WebGUI.

• A LAN subnet (e.g., 192.168.1.0/24) where internal resources (e.g., file server) are located.

• A Windows client to test VPN connectivity and file server access.

Step 1: Start the OpenVPN Wizard

1. Log in to your pfSense WebGUI (e.g., https://192.168.1.1).

2. Go to VPN → OpenVPN.

3. Click on the Wizards tab at the top.

4. This will launch the OpenVPN Wizard, which simplifies creating a Remote Access server.

Step 2: Choose ‘Local User Access (SSL/TLS + User Auth)’

On the wizard’s first screen, you’ll see options for different server modes. Select:

• Type of Server: Local User Access

• This mode in pfSense is effectively SSL/TLS + User Authentication, ensuring each user must have a certificate and username/password.

Click Next to continue.

Note: If you see “Remote Access (SSL/TLS + User Auth)” explicitly, choose that. Different pfSense versions word this option slightly differently, but it’s essentially the same concept.

Step 3: Create or Select Certificate Authority

1. If you have no existing CA, select Create a new Certificate Authority.

   • Descriptive Name: OpenVPN_CA

   • Key Length: 4096

   • Digest Algorithm: SHA256

   • Fill in the rest of the fields (Country Code, State, etc.)

2. If a CA already exists for OpenVPN, select it from the drop-down list.

Click Next.

Step 4: Create a Server Certificate

1. If no Server Certificate exists, choose Create a new Certificate.

2. Provide a Descriptive Name like OpenVPN_Server_Cert.

3. Make sure Certificate Type is set to Server Certificate.

4. Use 4096-bit key and SHA256 for higher security.

Click Next.

Step 5: Configure OpenVPN Server Settings

1. Interface: Select WAN (where external clients connect).

2. Protocol: UDP (commonly used for VPN).

3. Local Port: 1194 (default OpenVPN port; can change if needed).

4. Tunnel Network: e.g., 10.8.0.0/24 (must be different from your LAN).

5. Local Network: Enter your LAN subnet, e.g. 192.168.1.0/24, so VPN clients can reach the internal network/file server.

6. Encryption Algorithm: AES-256-CBC.

7. Auth Digest Algorithm: SHA256.

8. Hardware Crypto (if available): Enable AES-NI if your hardware supports it.

9. Concurrent Connections: Set a max number of users.

Click Next, then Finish to let the wizard build the server instance and firewall rules.

Step 6: Create User Accounts and Certificates

To enforce both certificate and username/password, each user must have:

1. A unique user account in pfSense.

2. A personal certificate signed by your CA.

Creating Users and Certificates:

1. Go to System → User Manager.

2. Click Add.

3. Provide:

   • Username: e.g., vpnuser1

   • Password: secure, complex password

4. Under User Certificates, check Add to create a new certificate for this user:

   • Certificate Authority: OpenVPN_CA (the one created earlier)

   • Method: Create an internal certificate

   • Certificate Type: User Certificate

5. Save the user.

Repeat for each employee needing remote access.

Step 7: Verify Firewall Rules

Although the wizard usually creates these automatically, double-check:

1. WAN Rule: A rule allowing UDP 1194 to your pfSense WAN IP.

2. OpenVPN Rule: A rule on the OpenVPN interface permitting traffic from the VPN subnet (10.8.0.0/24) to your LAN (192.168.1.0/24).

   • You can restrict it further if only one server IP is needed.

Step 8: Export Client Configurations

pfSense includes a helpful Client Export package:

1. Install the Client Export Package:

   • Go to System → Package Manager → Available Packages.

   • Search for OpenVPN Client Export, install it if not already installed.

2. Export Configuration:

   • Go to VPN → OpenVPN → Client Export.

   • Scroll to the user you created (e.g., vpnuser1).

   • Choose the appropriate installer type, typically Windows Installer, 64-bit.

   • This file includes the user’s certificate, key, and configuration.

Step 9: Install and Connect on Windows

1. Transfer the exported installer (or .ovpn file) to the user’s Windows PC.

2. Run the Installer if it’s a .exe or .msi. This automatically places the config and certificates into the proper directories.

   • Alternatively, install the OpenVPN client and copy the .ovpn file to C:\Program Files\OpenVPN\config\.

3. Launch the OpenVPN GUI by right-clicking and selecting “Run as Administrator.”

4. Right-click the system tray icon and choose Connect.

5. Enter the Username and Password created in pfSense when prompted.

When the connection is successful, the icon turns green, and you’ll see “Initialization Sequence Completed” in the status log.

Step 10: Test Access to Internal Resources

Ping the File Server: Open Command Prompt in Windows:
bash
CopyEdit
ping 192.168.1.10

1. (Replace 192.168.1.10 with your file server’s IP.)

If the ping is successful, open File Explorer and connect to the share:
CopyEdit
\\192.168.1.10\SharedFolder

3. Provide file server credentials if prompted, or map a network drive for convenience.

Security Tips and Best Practices

1. Use MFA: If possible, integrate a multi-factor authentication method (e.g., TOTP) for an extra layer beyond username/password and certificates.

2. Strong Password Policy: Enforce password complexity and regular rotation.

3. Regularly Update pfSense: Keep up with patches for security enhancements.

4. Revoke Certificates: If a user’s credentials are compromised or they leave the company, revoke their certificate immediately.

5. Restrict Access: If users only need the file server, limit VPN subnet traffic to that IP address in Firewall → Rules → OpenVPN.

Conclusion

By requiring SSL/TLS certificates plus a username/password, you significantly elevate the security of your OpenVPN deployment on pfSense. This approach, often called “remote access (SSL/TLS + user auth),” ensures that a compromised password alone cannot grant access to your internal network—because the attacker would also need the user’s unique certificate. Setting this up is straightforward with pfSense’s built-in OpenVPN Wizard and Client Export utility, making it an ideal choice for organizations seeking a robust, scalable, and compliance-ready VPN solution.

Additional Resources

• pfSense Documentation: docs.netgate.com/pfsense

• OpenVPN Community: community.openvpn.net

If you found this tutorial helpful, please share it with colleagues or bookmark it for future reference. With SSL/TLS + Username/Password in place, you can rest assured that your remote access is both convenient and highly secure.