This guide outlines the process of configuring an OpenVPN server on pfSense to enable secure remote access to internal resources. The setup supports scenarios such as connecting back to a homelab network or routing all internet traffic through a trusted connection.
Create an Internal Certificate Authority (CA)
The internal CA will be used to issue certificates for the OpenVPN server and clients. Higher key sizes and secure algorithms enhance long-term security.
Navigate to System -> Certificates -> Authorities -> Add
- Descriptive Name: Any name that best suits
- Method: Select “Create an Internal Certificate Authority”
- Key Type: RSA (2048 or 4096 bits recommended)
- Digest Algorithm: sha256
- Lifetime: 3650 (10 years, change as per the requirement)
- Common Name: Unique to this authority
An internal Certificate Authority (CA) has been successfully created within pfSense. This CA will serve as the trusted root for issuing certificates to both the OpenVPN server and individual VPN clients.
Create Certificate for OpenVPN
Navigate to System -> Certificates -> Certificates -> Add
- Method: Create Internal Certificate
- Descriptive Name: Any String that best suits
- Certificate Authority: Select Authority that was created in Step 1
- Key Type: RSA 2048
- Algorithm: sha256
- Common Name: Unique name (openvpn)
- Certificate Type: Server Certificate
Save & continue to next step
Create a VPN User & Client Certificate
Navigate to System -> User Manager -> Add
- This user cannot login: check this box; a VPN user does not need access to the pfSense UI or SSH
- Username: username
- Password: password
- Full Name: Name
- Click to create a user certificate
- Descriptive Name: User Certificate for username
- Certificate Authority: Select authority that is created.
- Key Type: RSA 2048
- Digest Algorithm: sha256
- Lifetime: 3650
Create as many users as needed and generate one certificate per user; certificates are not shared between users. Each user then authenticates to the VPN with their own certificate plus their password.
Save & continue to next step
Configure OpenVPN with the wizard
Navigate to VPN -> OpenVPN -> Wizards
Wizard 1: Server Type
- Authentication backend: Local User Access (the users created above in User Manager)
Click on Next to continue to Wizard Step 2
Wizard 2: Certificate Authority
- Select the internal CA created above
Click on Next to continue to Wizard Step 3
Wizard 3: Server Certificate
- Select the server certificate created above
Click on Next to continue to Wizard Step 4
Wizard 4: Server Setup
- Description: Any string that best suits
- Protocol: UDP on IPv4 only
- Interface: WAN
- Local Port: 1194
- Enable Authentication of TLS Packets
- Automatically generate a shared TLS authentication key.
- Data Encryption Algorithms: AES-256-GCM and CHACHA20-POLY1305
- Fallback Data Encryption Algorithm: CHACHA20-POLY1305
- Auth Digest Algorithm: SHA256
- IPv4 Tunnel Network: the range OpenVPN assigns client addresses from. Pick a subnet that is not in use on the LAN or on the networks clients will connect from, for example 10.10.1.0/24.
- Redirect IPv4 Gateway: select this for a full tunnel (all client internet traffic goes through the VPN); leave it unchecked for a split tunnel, where only the local networks listed below are routed through the VPN.
- IPv4 Local Network: the LAN subnet(s) that need to be reachable through the tunnel.
Click on Next to continue to Wizard Step 5
Wizard 5: Create Firewall Rules
The wizard will automatically generate the required OpenVPN configuration and firewall rules.
Click on Next to continue to Wizard Step 6
Finish and create the VPN server configuration along with the rules.
Quick checks
Navigate to VPN -> OpenVPN -> Servers
Edit the newly created server and check that the Server mode field is set to “Remote Access (SSL/TLS + User Auth)”, so that both a valid client certificate and a valid username/password are required.
Navigate to Firewall -> Rules -> WAN
There should be an entry created by the OpenVPN wizard that allows traffic to the WAN address on UDP port 1194, or the port that was picked while configuring.
Navigate to Firewall -> Rules -> OpenVPN
The wizard adds a rule here that lets traffic from connected VPN clients pass to services on the OpenVPN interface. As created it allows any source to any destination; tighten it to the local networks and ports remote users actually need.
Install additional packages
Install OpenVPN Client Export Utility to easily export VPN configurations for devices.
Navigate to System -> Package Manager -> Available Packages
- In the search bar, type: openvpn-client-export
- Click Install next to openvpn-client-export
- Confirm the installation and wait for it to complete
DDNS Update
Setting up Dynamic DNS (DDNS) keeps a domain name pointed at your current public IP address, which matters when your ISP changes your IP periodically. There are many DDNS providers, such as DuckDNS, Cloudflare, No-IP and DynDNS. As an example I am using DuckDNS.
- Create a domain “example.duckdns.org”
- On the DuckDNS site, open the Install menu and select pfSense under the Routers section to generate the URL pfSense will call to update the IP.
- Copy the URL “https://www.duckdns.org/update?domains=example&token=***&ip=%IP%”. The token is the credential that lets anyone repoint your domain, so treat it like a password; pfSense replaces %IP% with the current WAN address when it calls the URL.
Back to pfSense Navigate to Services -> Dynamic DNS
- Service Type: Custom (for duckdns)
- Interface to monitor: WAN
- Update URL: Paste the URL copied from the duckdns website.
Dynamic DNS ensures consistent remote access, even when the public IP address changes.
Connect Using OpenVPN Client
Navigate to VPN -> OpenVPN -> Client Export
- Remote Access Server: select the VPN server created with the wizard
- Host Name Resolution: Other
- Host Name: the DDNS name created above (example.duckdns.org)
- Save as Default
Under OpenVPN Clients, export the configuration for the user created earlier in the format for the device's OS, import it into the OpenVPN Connect client, and connect to the homelab remotely. The exported profile embeds that user's certificate and private key, so treat the file as a credential and delete it from devices that no longer need it.
Logs are Saviours
In case of connection failures or unusual behavior, always check the logs. pfSense provides detailed logs under Status -> System Logs -> OpenVPN for the VPN service itself, and under Status -> System Logs -> Firewall for blocked traffic (for example client packets that never reach UDP 1194). These logs often reveal authentication errors, misconfigurations, or blocked traffic that may not be immediately obvious.
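The OpenVPN log tells different failure modes apart by their message text: a tls-auth mismatch or a port probe shows up as a missing HMAC, a firewall or DDNS problem as a handshake timeout, a certificate issue as a VERIFY ERROR, and a wrong password as a user-auth failure. The following Python script is an added example (not pfSense or OpenVPN code) that classifies such lines and counts them per client address, so repeated password failures from one source stand out. The log lines are constructed for the example and only loosely modelled on the System Logs view; they are not real captured logs.

```python
"""Triage pfSense OpenVPN server log lines: classify failures and count them
per client address. Added example; not pfSense or OpenVPN project code."""
import re
from collections import Counter, defaultdict

# Constructed sample, loosely modelled on the Status -> System Logs -> OpenVPN
# view (syslog prefix, then the openvpn message). Not real captured logs.
SAMPLE_LOG = """\
Jun 10 14:02:11 pfSense openvpn[41234]: 203.0.113.5:51000 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.5:51000
Jun 10 14:02:31 pfSense openvpn[41234]: 203.0.113.5:51000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 10 14:03:05 pfSense openvpn[41234]: 198.51.100.7:40122 VERIFY ERROR: depth=0, error=certificate has expired: CN=alice
Jun 10 14:04:12 pfSense openvpn[41234]: 198.51.100.9:40200 TLS Auth Error: Auth Username/Password verification failed for peer
Jun 10 14:04:12 pfSense openvpn[41234]: user 'bob' could not authenticate.
Jun 10 14:04:40 pfSense openvpn[41234]: 198.51.100.9:40201 TLS Auth Error: Auth Username/Password verification failed for peer
Jun 10 14:05:02 pfSense openvpn[41234]: 198.51.100.9:40202 TLS Auth Error: Auth Username/Password verification failed for peer
Jun 10 14:06:30 pfSense openvpn[41234]: 192.0.2.44:55012 [alice] Peer Connection Initiated with [AF_INET]192.0.2.44:55012
Jun 10 14:06:31 pfSense openvpn[41234]: alice/192.0.2.44:55012 MULTI_sva: pool returned IPv4=10.10.1.2, IPv6=(Not enabled)
"""

# (category, message pattern, what it usually means for this setup)
RULES = [
    ("bad_hmac", r"cannot locate HMAC",
     "tls-auth key mismatch, or an unsolicited probe hitting the port"),
    ("handshake_timeout", r"TLS key negotiation failed",
     "UDP 1194 not reaching the server: WAN rule, upstream NAT or stale DDNS record"),
    ("cert_rejected", r"VERIFY ERROR",
     "client certificate not from this CA, expired or revoked"),
    ("bad_password", r"Username/Password verification failed|could not authenticate",
     "valid certificate but wrong credentials at the user-auth stage"),
    ("connected", r"Peer Connection Initiated",
     "TLS handshake and user authentication succeeded"),
]
MSG_RE = re.compile(r"openvpn\[\d+\]: (?P<msg>.*)$")
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def parse_events(log_text):
    """One event dict per line that matches a rule; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        addr = ADDR_RE.search(msg)
        for category, pattern, hint in RULES:
            if re.search(pattern, msg):
                events.append({"category": category,
                               "ip": addr.group(1) if addr else None,
                               "hint": hint, "msg": msg})
                break
    return events


def summarize(events):
    """category -> Counter of client IPs (None when the line carries no address)."""
    summary = defaultdict(Counter)
    for e in events:
        summary[e["category"]][e["ip"]] += 1
    return summary


def auth_failure_sources(events, threshold=3):
    """Addresses with at least `threshold` failed password attempts; candidates
    for a WAN block rule or for checking whether a user's password leaked."""
    counts = Counter(e["ip"] for e in events
                     if e["category"] == "bad_password" and e["ip"])
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for category, ips in summarize(evs).items():
        print(f"{category:18} {dict(ips)}")
    print("repeat auth failures from:", auth_failure_sources(evs))
```

On the sample, the three password failures from 198.51.100.9 are reported as a repeat source, while the single missing-HMAC and handshake-timeout lines from 203.0.113.5 point at a tls-auth or reachability problem rather than a credential problem. The rules match on message text, so extend RULES when a new failure mode shows up in your own logs.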
Summary
By following this guide, you can successfully set up a secure VPN server on pfSense, enabling remote access to your home lab’s internal resources. This setup enhances security by ensuring that only authenticated users can access sensitive services. Additionally, integrating Dynamic DNS ensures that your VPN remains accessible even if your ISP changes your public IP address. With these configurations, you can manage your home lab from anywhere in the world, maintaining control and security over your network.