@@rpsmith some people just don’t have the time to learn or don’t care to learn. i don’t know their particular situation but it’s not impossible that they just needed a vpn deployed and it was more cost effective to hire LTS rather than learning how to do it
While I have a Tailscale connection(inactive) to the work network from my home network, I still connect using openVPN. I have to make some changes to it. Thank you Tom for this timely video.
Every CPU made in the last 10 years supports AES-NI instructions (including mobile), usually with multiple gigaBYTEs per second of encryption throughput. AVX-512 is needed to accelerate ChaCha, so I'm sticking with OpenVPN for the foreseeable future.
I'm stuck in the user certificate part. I don't see my created user in the client export section. Do I need to paste an Authorized SSH Key in the Keys section of the user?
Thanks for videos like this, very easy to follow. I have a Cisco RV220W. Pf sense installed on a protecli box. Is there a way to have in and out traffic flow thru the RV220 vpn? Vs using norvpn or openvpn?
The Reason you would USE AES-256 is because it is HIPPA secure. Last i checked, If you store patient files or transfer files for healthcare system, you need to use AES-256 by HIPPA law.
OpenVPN GUI client on Windows now includes Pre-Logon Access Provider support. Would love to see you cover configuration for PLAP (aka Start Before Login or SBL)...
Have an issue with this. I followed the steps you did and after finish, I get "No configuration found, please try again" and it took me to Step 2 of 11 to create a LDAP Server configuration? Not sure what I did wrong. Any guidance would be appreciated.
Thanks Tom. Great video. The only problem is pfblockerng blocks my client access via openvpn. I can overcome this issue by placing my openvpn firewall rule on top of the pfblockerng rules but every time I do it, pfblockerng reorders the rules and put the openvpn rule below pfblockerng rules. So, I could not find a solution. Any help?
@@LAWRENCESYSTEMS Yes, if I remove the GeoIP Top Spammers rule then openvpn works. But, I would prefer to be able to change the orders of rules instead of removing Top Spammers rule. However, pfblocker does not let me change the rule orders and I do not know how to do that. Anyway, thank you so much Tom.
Does setting up a VPN on a pfSense router make you more vulnerable to attack. If it does is that vulnerability limited to the networks you've made accessible via VPN?
Hi Tom, thank for this. I'm considering per user certificate auth and this is quite useful. Any disadvantage for using OpenVPN Connect (GUI). Our users find that easier to use than the default OpenVPN client downloaded through the export wizard in pfsense.
I have used both in production daily for 24/7 monitoring, and I can attest that both work flawlessly compared to other VPNs. Troubleshooting from either is a breeze. I even prefer it over global protect, forticlient, and all the others I've used over the years in work and in my home lab. Would love to hear any other insights other viewers have to offer!
Hi, how can I get that cool footer on the terminal dysplaying IP addresses and other info? I tryed to search online but I found nothing like that... FOUND IT IN ANOTHER VIDEO! Tmux!!
I just want to be able to connect to my home network so things like RUclips tv sees me as home when I am away. What is the best and easiest way to do that in pfsense?
Question. I have PFSense set up for our Web Servers. I do not want to mess with anything on that box that will take down our web servers. So, my question is this. Would it be best to install PFSense in VMWare ESXi VM and then route my traffic through that machine instead of messing with the existing working PFSense box? Thanks.
So, I should be able to run the VPN on that same machine without an issue? Do you have an article or something I can read or watch where these two things have run on the same machine? Just want to cover all bases before I do this.
I would like to monitor all my VPN Clients currently on pfsense Status/OpenVPN i see "Client Connections" if they are connected but i would also like to see client that arent connected on the Status Dashboard, any suggestions?
What if you want your staff openvpn users to different Subnet access than your admin account, can you create a second server setup and simply change the port during setup?
@@LAWRENCESYSTEMS Thank you, if I simply copied the current server and changed port and added one of the same subnets in the other server will that cause my admin account to possibly drop? Since we will both have access to the same subnet.
Every time I setup Surfshark on my PFSense router, it cuts my download speeds drastically from 600-800 Gbs to 15-25Gbs. No one seems to know why. Only thing I can figure is I’m setting something wrong forcing it to eat up my speeds.
@@LAWRENCESYSTEMS My router assigns IP's to Access Points via PoE. I'm not sure that would be feasible in my situation - but I do like PfSense - it's been around for at least 23 years.
@@Destroyer954 cuz no user management. Wireguard is good for homelabbers. Not so ideal for business use with multiple users. Wireguard isn't insecure, though it lacks a certain level of security that OpenVPN does not
PFsense and other vpn server/client is overly cumbersome and full of stuff that we dont really care about. Exposing the 40 input variables for the server is great for advance views but the defaults out of the box should work. I can think of 2 dozen ways to make the pfsense web pages for this easier to use. The video helped but have no idea how he created CA or the Cert. It the most simple of configs, openvpn just burbs out a silly number of errors and pages of debug which means nothing.
Probably, depending on how it's implemented. I'd say it's at the ISP level and connecting to a VPN outside the ban zone would allow downloading and usage of the app. I don't like toktok but I don't support the ban and I'm hopeful that it will be repealed.
I just added TOTP to opnsense in a sitting. There's docs and some forum discussions available. Just set up the users, generate seeds, switch vpn auth on the server and add the challenge option to client config
Rather than set it up myself, I clicked the "Hire Us" button, and his people did it for me!
This is fairly basic stuff if you just follow Tom's video. Sounds like you missed a great opportunity to learn something new.
@@rpsmith some people just don’t have the time to learn or don’t care to learn. i don’t know their particular situation but it’s not impossible that they just needed a vpn deployed and it was more cost effective to hire LTS rather than learning how to do it
@@majoryoshi What keeps us in business and relevant.
Another great video. It's one thing to know this stuff, it's quite another to be able to give instructions in an easy to follow manner.
Worked perfectly, thank you. I always enjoy your pfsense content !
This will save me so much time tomorrow, I thank you!
Excellent video, really helpful and clearly explained. Many thanks!
While I have a Tailscale connection(inactive) to the work network from my home network, I still connect using openVPN. I have to make some changes to it. Thank you Tom for this timely video.
Thanks for yet another awesome video!!!!!! 🙂
Every CPU made in the last 10 years supports AES-NI instructions (including mobile), usually with multiple gigaBYTEs per second of encryption throughput. AVX-512 is needed to accelerate ChaCha, so I'm sticking with OpenVPN for the foreseeable future.
Nice vids, the client export is so nice, click, clack, take the file : )
Thank you for this updated video.. It helped me in earlier setup and this will help me in future.. ✌️
I'm stuck in the user certificate part. I don't see my created user in the client export section. Do I need to paste an Authorized SSH Key in the Keys section of the user?
Nice update!!!
Great alternative to paying for OpenVPN Access Server
Thanks for videos like this, very easy to follow. I have a Cisco RV220W. Pf sense installed on a protecli box. Is there a way to have in and out traffic flow thru the RV220 vpn? Vs using norvpn or openvpn?
Great as always thanks for the guide
Even though you don't use L2TP/IPsec, is there any chance you could still do a video walk through on how to setup one up?
The Reason you would USE AES-256 is because it is HIPPA secure. Last i checked, If you store patient files or transfer files for healthcare system, you need to use AES-256 by HIPPA law.
Thanks!
Thank you very much!
Hi. Your explanation about User Auth vs TLS/SSL + User Auth was VERY confusing. I could not distinguish the difference from your description.
Thanks for sharing
OpenVPN GUI client on Windows now includes Pre-Logon Access Provider support. Would love to see you cover configuration for PLAP (aka Start Before Login or SBL)...
For anyone wondering where the hell the Client Export section is: Install the package from package manager from the start of the video @2:10
Have an issue with this. I followed the steps you did and after finish, I get "No configuration found, please try again" and it took me to Step 2 of 11 to create a LDAP Server configuration? Not sure what I did wrong. Any guidance would be appreciated.
Thanks Tom. Great video. The only problem is pfblockerng blocks my client access via openvpn. I can overcome this issue by placing my openvpn firewall rule on top of the pfblockerng rules but every time I do it, pfblockerng reorders the rules and put the openvpn rule below pfblockerng rules. So, I could not find a solution. Any help?
Remove the rules in pfblocker that is blocking clients
@@LAWRENCESYSTEMS Yes, if I remove the GeoIP Top Spammers rule then openvpn works. But, I would prefer to be able to change the orders of rules instead of removing Top Spammers rule. However, pfblocker does not let me change the rule orders and I do not know how to do that. Anyway, thank you so much Tom.
You are very smart I'm looking for vpn firewall rules
Great video, thx Tom. If I change Cipher Choices, will I have to reissue the client configs via export?
Yes, or you could edit the configs on each client so they match.
Does setting up a VPN on a pfSense router make you more vulnerable to attack. If it does is that vulnerability limited to the networks you've made accessible via VPN?
Opening any ports increases risk.
@@LAWRENCESYSTEMS thank you
Personally, I like to add geo blocking to my server, its setup to only allow inbound from AU IP ranges.
Tom - do you guys use/recommend using compression with ovpn? or only do you enable it in your demos?
As stated in the video leaving it off is most secure so we leave it off.
A NAT rule forwarding ports to my honeypot (SANS dshield) is interfering with the configuration. Not sure how to solve this.
11:07 User Auth: no need to re-generate a new certicate for everybody, just change the password of the compromised user.
Thanks for that! Please how can i fix this problem "enable to retrieve package information"
Hi Tom, thank for this. I'm considering per user certificate auth and this is quite useful.
Any disadvantage for using OpenVPN Connect (GUI). Our users find that easier to use than the default OpenVPN client downloaded through the export wizard in pfsense.
Not sure, we just use the download from pfsense.
I have used both in production daily for 24/7 monitoring, and I can attest that both work flawlessly compared to other VPNs. Troubleshooting from either is a breeze. I even prefer it over global protect, forticlient, and all the others I've used over the years in work and in my home lab. Would love to hear any other insights other viewers have to offer!
Hi, how can I get that cool footer on the terminal dysplaying IP addresses and other info? I tryed to search online but I found nothing like that...
FOUND IT IN ANOTHER VIDEO! Tmux!!
I just want to be able to connect to my home network so things like RUclips tv sees me as home when I am away. What is the best and easiest way to do that in pfsense?
I need a tutorial about certificates ^ self/CA/SC...?
Question.
I have PFSense set up for our Web Servers. I do not want to mess with anything on that box that will take down our web servers.
So, my question is this.
Would it be best to install PFSense in VMWare ESXi VM and then route my traffic through that machine instead of messing with the existing working PFSense box?
Thanks.
Setting up OpenVPN should not break pfsense and I always prefer to run pfsense on bare metal.
So, I should be able to run the VPN on that same machine without an issue?
Do you have an article or something I can read or watch where these two things have run on the same machine?
Just want to cover all bases before I do this.
@@WayneBarroncffcs I have OpenVPN on the system that I did this video with.
HI Tom, I am beijg ptompted to enter a key password as well when trying to connect where would Ibget this from?
I would like to monitor all my VPN Clients currently on pfsense Status/OpenVPN i see "Client Connections" if they are connected but i would also like to see client that arent connected on the Status Dashboard, any suggestions?
nope, it only shows connected clients.
The QAT 3 link specifically says NO QAT used to get the speed up...unless I am misinterpreting, " no QAT here. Just CPU."
Current available versions of QAT DO NOT but version three which I don't think is available yet is supposed to work
Openssl speed -avg cipher in my case chachapoly always give less results than aes-128 / 256.
the windows client is using the DCO interface by default which is very annoying , i have to always configure this for our staff
If you're just using vpn for one user, is there still a need for SSL/TLS + user auth?
Not really a need for just one user.
With wireguard being a thing now. What / if any performance benefit is there to openvpn vs wireguard?
Depends on use case.
different use case..really.
Hi Tom, is it possible to use an external DHCP Server instat of the ip pool?
I am not aware of a way to do that.
What if you want your staff openvpn users to different Subnet access than your admin account, can you create a second server setup and simply change the port during setup?
Yes, you can have multiple servers.
@@LAWRENCESYSTEMS Thank you, if I simply copied the current server and changed port and added one of the same subnets in the other server will that cause my admin account to possibly drop? Since we will both have access to the same subnet.
Every time I setup Surfshark on my PFSense router, it cuts my download speeds drastically from 600-800 Gbs to 15-25Gbs. No one seems to know why. Only thing I can figure is I’m setting something wrong forcing it to eat up my speeds.
Can surfShark servers even handle faster connections than that?
Can I run this behind my router? My router assigns all the IP's.
it's better if pfsense replaces your router.
@@LAWRENCESYSTEMS My router assigns IP's to Access Points via PoE. I'm not sure that would be feasible in my situation - but I do like PfSense - it's been around for at least 23 years.
Why not just use Wireguard? It's been out long enough to prove itself.
Does wireguard have good auth options for end users? I know tailscale solves that but native wireguard doesn't
@@Destroyer954 TailScale and similar are magic but you lose a lot of performance from native WireGuard line speeds.
@@Destroyer954 cuz no user management. Wireguard is good for homelabbers. Not so ideal for business use with multiple users. Wireguard isn't insecure, though it lacks a certain level of security that OpenVPN does not
22 years vs 8. And why do people care so much about what other people use? He does have wireguard videos you know.....
Because OpenVPN can do things that Wireguard can't.
PFsense and other vpn server/client is overly cumbersome and full of stuff that we dont really care about. Exposing the 40 input variables for the server is great for advance views but the defaults out of the box should work. I can think of 2 dozen ways to make the pfsense web pages for this easier to use. The video helped but have no idea how he created CA or the Cert. It the most simple of configs, openvpn just burbs out a silly number of errors and pages of debug which means nothing.
I'm not and I don't but can VPN technology overcome Montana's Tik Tok ban?
Probably, depending on how it's implemented. I'd say it's at the ISP level and connecting to a VPN outside the ban zone would allow downloading and usage of the app. I don't like toktok but I don't support the ban and I'm hopeful that it will be repealed.
I used OpenVPN in pfSense and it was great. But then I changed ISP and now I'm behind CGNAT so can't use it anymore.
Can't you buy a static IPv4 off your ISP?
@@TheCheshireCat. not possible on Starlink :)
dynamic dns?
@@sammo7877 not working behind CGNAT
Purchase a VPS and send a static ip over a gre tunnel
What about adding mfa to the vpn?
Having certificate and user authentication is MFA.
I just added TOTP to opnsense in a sitting. There's docs and some forum discussions available. Just set up the users, generate seeds, switch vpn auth on the server and add the challenge option to client config
First