Tutorial: pfsense OpenVPN Configuration For Remote Users 2020

At the 3:30 mark I meant to say "Leave it at the UDP default, not the TCP Default.

I'm glad you had certs already configured. I don't. I skipped over it even though its probably important.

About the TCP vs UDP questions: there is no need to use TCP here since all connections your vpn clients make will assume that the network is "unreliable" and therefore themselves use TCP to guarantee packet delivery. Using TCP to carry OpenVPN just adds unnecessary overhead to the connection. For this reason - always use UDP for OpenVPN by default.
(Use case for TCP could be for example to host OpenVPN at port 443/TCP (https port) which may bypass some restictive firewalls etc)

How the heck am I constantly watching your videos, but not subscribed? You've helped me so much with PFSense setup. Thanks dude!!

I is a bit confusing. You did not show how how to configure the clients.

Working Notes for self:
0:30 description of setup/goals
1:55 PFSense Wizard
VPN -> OpenVPN
(* install openvpn-client-export from System>PackageManager>AvailablePackages)
OpenVPN Rmove Access Server Setup
Tunnel Network: ensure doesn't conflict
Local Network: ?? should be list of LAN networks?
Duplicate Connections: May be useful for rapid disconnect/reconnect scenario
[NEXT] 9:20
tick firewall and openvpn rules
[NEXT] 9:32
[FINISH]
under Actions, click 'pen' to fine tune
- Certificate Depth: 10:11
10:52 Client Export
Remote Access Server (essentially list of VPNs created)
18:53 Trouble Shooting
*read error messages*
Status>System Logs>OpenVPN
*BackUp*
Diagnostics>Backup & Restore
- See connected users:
VPN>OpenVPN>{top right bar-graph icon}
AND/OR
Dashboard>[+]>OpenVPN

Your fingers do not like .40 - they most definitely default to .30
Thanks for the updated video Tom

Thank you, very informative! If I may suggest, though, lowering your screen resolution would help tremendously viewers read text. Often times I watch RUclips vids on my smartphone, but with yours, I have to sit in front of my PC or TV. Have a nice day!

Lots of people don't read the logs or error messages. So true.

Thank you Tom i found the problem, was good to look at the firewall logs as well, private networks was blocked on wan side

Worked great. Would help to show how to add a user though.

tunneling ipv6 over it isn't bad on it, providing you have at least one free static /64 block or more if you want multiple ovpn servers, each will need a /64 block.
I just picked whatever random /64 out of the he net/48 tunnel. of course making sure it doesn't overlap it with other lan/opt which have prefix delegations enabled for sub-routers

HI, I m glad full for your work, it really helps a lot but I think the whole Clients part is missing!

excellent. the pfsense documentation is scary. this makes it look easy

Thank you for the video, but mostly thank you for the Italian flag behind you ( green+white+red) ! AWESOME!

Just an FYI, I figured out the problems I was having with my site to site with key link. If you use 172.XXX.0.0/16 for the tunnel network, the gateways won't come up. If you subnet that down to /24 the gateways will (probably) come up. Mine popped to life as soon as I made the change on both ends. I didn't see that limitation in the manual, and probably no one has ever tried being that sloppy with the tunnel network.

Thank you! Finally got it working thanks to your video! Amazing work as always. Thank you very much for your time and help!

"No Clients in export wizard" Disclaimer: I'm not an expert. I didn't know to add users under System, User manager and then a certificate for each user. Once I did that the user export wizard had a client and I moved on.

If you are going to create a tutorial for configuration perhaps next time also include the certification/user creations as well

Great video but you did not talk about adding users in pfsense ...simple but some may not know.

Can you please explain your choice of TCP over UDP?

Você podia criar um livro sobre a configuração do PFsense, muito show!

Hi is it possible to do a Site to site VPN using PFsense and Openvpn combined with remote users (also conneting thru open VPN via remote) being able to access both sites of the site to site VPN network?

Nice video I got everything working so I decided to find out what would happen if I rekeyed a user cert with the option to regenerate a new key. I discovered that the user could still connect to OpenVPN with the old config file. ???? I assumed a a rekey would mean I would have to send this user a new config but I'm now curious- other than removing the user entirely or reassigning a password- how do you make their 'old' config invalid? thanks again for making this tutorial- well done.

thanks!!!! really really good content!!! greetings from mexico!!!!! im will start to use pfsense with all my clients! and this is cause u make a superb tutorials!

Thank you, referred back to this many times.

If you have a dual WAN setup with failover (as shown in another of your great videos), do you need to make a VPN for each WAN connection? Perhaps name the one on the failover "Backup VPN" so your users can access the VPN if the main internet connection is down?
Thanks for taking the time to make these videos.

Tom, I'm a little confused on the certificate part of the setup. Are you still using a LE signed certificate, or an internal certificate? Maybe I missed something in the instructions.
I know you have to go into "User Manager" and add a certificate then assign it in the OpenVPN server configuration , but did you make a specific LE certificate just for VPN?

Thank you for the view this has been a lot of help, however I am not seeing any downloads, do I need to create users/clients and how do I do that

damn i dont have the openvpon clientes

Your use of TCP instead of UDP, and not changing the SHA1 to SHA384 or 512 is very questionable.
But the video does show the whole OpenVPN on PFsense process well, and good job trying to explain the routing.

OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-128-GCM') if you want to connect to this server.
ERROR: Failed to apply push options
Failed to open tun/tap interface
How do I fix this in OpenVPN?

What about the warning server auth-nocache, how to fix. I just installed this in my windows laptop and saw this warning.

What happened to the client piece? Those don't just auto-populate.

Isn't TCP over TCP going to be a mess? Shouldn't we let the application handle the packet loss like it would without the VPN?
How do realtime applications behave via TCP VPN?

I assume you could create a VPN with all traffic, and another that is the same except that it does not route all traffic.

Hey I love your videos, thank you for all you do!

I don't know why, but 10:57 apparently openvpn client export does not want to work on my side.

As always SUPER INFORMATIVE. GOOD JOB TOM.

Thank you so much very well explained, However it is not showing the OpenVPN Clients even i can't see the user and certificate name and they are created and exist? Thanking you in advance for any help if you can.

Please help I'm getting:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

Hi Lawrence thank you so much for your videos, I have seen your videos to strengthen my pfsense knowledge, during vpn configs, it raised a question what should be the best option to opt for between udp vs tcp?

thanks for the video.
How do i specify a local group just to use this vpn..cannot find the option.

Your videos are so good. Thank you

Hi, When the "Redirect Gateway" is not check, client does not have internet connection, Could you please tell me why? thanks.

NIce video, you made this cool feature easy to implement.

Thanks. I learned a lot from this video.

Thanks!

is it me, or I am leaking my DNS with this set up on 2.6?

great video for this moment, thanks for sharing

I have tried to use lan IP but it is not working. However, I switch to my isp IP it works. why ?

I found your guide useful for adding remote access (windows) what I am having trouble pinning down is a step by step guide for adding site to site tunnels where the remote end is not pfsense (ie uses ipsec etc). There is a fair bit of info but nothing from beginning to end that I can see ?

Can you make a tutorial on L2TP with IPSec.

As usual, thanks!

Everything works as described as long as I'm connected via the same wifi network, if I try to connect over LTE I am not able to successfully connect to openvpn server..... any help?

Hi lawrence, thanks for great video. Issue - My connection establish locallay nut when i try connect on any other network or mobile hotspot it fails with error (TCP: connect to [AF_INET]x.x.x.x:1194 failed: Unknown error). please suggest. thanks

Thank you for your videos, I very like the way you explain! I'm wondering if you could do any OpenVPN video with tap Layer 2? Thank you!

Very well presented information. Thank you.

Do u have a video where u show how u installed pfsense for this network?

Ok thats great, thanks but need to know just 1 thing i’ve been wanting to do: what do I have to do in your senario to access the windows 10 entire subnet 10.0.2.0/24 from the ovpn server end
If you can explain that in a video that would be great as that would be very useful
On a “remote access vpn server” as you have there not a site to site ovpn server

Having problem connecting to pfsense's openvpn from host machine. VM Wan interface is bridged but cannot ping from host although in same subnet. Any workaround? Thanks.

You mention you did a video on authentication backend, i honestly can't find it on the pfsense playlist(i don't see it on the basic pfsense install video for example)

Did I space out or was there no explanation on how he signs into the VPN with auth credentials? Where do you create those accounts?

Have you ever explained how you configure your “pseudo internet” network? I’d like to use something similar in my home lab.

I have a question. Because the firewall I want to connect to with OpenVPN is behind another firewall (assignment for school). The connection worked before I created the second firewall but now i can't connect anymore. Do you maybe know the cause of this?

Hi Tom, what are your thoughts on correct open VPN settings for OpenVPN Client using PIA servers with regards to mssfix, link-mtu and tun-mtu in order to prevent IP fragmentation?
(WAN is PPPoE with MTU of 1492). Do these need to be set manually or just let OpenVPN figure it out? This is pfSense 2.5.0 dev version. Thanks from Australia. 🦘

Could you make a version using LDAP? thanks love the videos!

again, another great video!

My internet provider puts me behind their nat (CGNAT) so it will work in that condition? pls make a video there is so much confusion there is no perfect form out there

can i get help on how to configure the openvpn on mobile phone for both android and ios?

Hi, can we run VPN server on shared internet it have dynamic IP's for accessibility from Home to Office .

Thank you tom

Guys
I need your help to be able to configure Openvpn multi Wan or create two VPN servers that work with different WAN to make it redundant
I have already done several configurations and all without success
This is what I have done
1.- Multiwan VPN using two Wan Networks with Fixed IP
2. -VPN Server with a Wan network for example WAN1 using port 1194 (It works)
3.- VPN Server with WAN2 network using port 1195 (It does not work)
Any suggestion?

Does this work if your ISP has a nat behind your home router?

Is this safe to do? Will I expose my network to the internet too much with OpenVPN?

Hi Tom, been having a problem pinging a server that is assigned a static IP on the lan side. When connected on open VPN I can ping any lan side ips assigned via dhcp but cannot ping those assigned statically on the lan side

Is it possible to get OpenVPN to autoconnect at Win10 startup before loggging in, so that it will log in to the domain and get all the drive maps? Everything I've seen that is supposed to accomplish this hasn't worked. :(

Thank you tom. Perfect tutorial. If i set the local network in the openvpn wizard to a vlan network. Is then the client automatically in the right vlan and has access? Is there any other step necessary? My plan is to create the vpn direct in the vlan.

Nice episode, but I have a problem.
I've got a client who is connected to a ISP who don't gave him a public ip adress.
This local ISP is running a sort of nat to the client, who's adresse is 192.168.35.220 !!!
So now, to get to this opensense firawall, I wrote a script to establish a reverse ssh to a DigitalOcean instance to forward the 80 and 22 ports, but is less than ideal.
Can you make a tutorial for a better solution: IpSec, or something else.
It would be greate to have ZeroTier working on Pfsense, but until now, I was unable to get it working.

Is there a way to monitor the bandwidth going through OpenVPN? I tried to see it in Ntopng, but the addresses don't show up.

Hello sir,
"Can't connect to OpenVPN (TCP: connect to [AF_INET]192.168.x.x:1194 failed: Unknown error..."
I installed it to another laptop and get this error

@10:58 When you do the client export you have two users "admin" and "tom" - where did those come from? I'm following the tutorial step by step and I see no users at all at this step.

I have no clients - did this go over the client setup? My client export is empty.

Hi, great video, however i face issues such as disconnecting using openVPN on my pfsense : i read that came from keepalive but, i don't how to configure this... Do you have any idea?

Can you show your firewall rules in PFSense ?

HI, on the 17.54, the username and password comes from where?

i can't find the video about openvpn with AD

Is "redirect-gateway def1" on the remote config still required if redirecting all traffic?

Tom, Is there a way I can access my home NAS using this? Or maybe I am doing something wrong! Thanks man! I love your videos!!!

What to do when I got double-nat.....basically the WAN of pfSense is in the DMZ of my router, which then has public IP. Because in the server config the IP clients would connect to is an internal IP. Should I just change that to the public IP

Tom, first thank you for your videos.
I have the following issue: every time the ISP changes the IP address I have to export a new config file and reinstall on the client's computers this is a no brainer if you only have one or two clients but in my case is like 15.
can you do a followup with that scenario, please?
Thanks you.

openvpn TLS handshake failed

Im unsure if ill get a reply but I was able to get it connected. Theres a route made for the internal network but I cant ping anything. I can ping the pfsense interface(192.168.5.1) but am not able to ping the clients ip in the network(192.168.5.10). Any suggestions?

any idea why im getting TCP: connect to [AF_INET]192.168.100.111:1194 failed: Unknown error?

So sorry is this LAN traffic only or does all Internet traffic get routed?

Where can i find the video on "Custom options" as mentioned at 22:08 ?

As of December 2022 this is not working

On a client machine, like a laptop, how do you load multiple OpenVPN clients. Example, you are a tech that supports many clients and you need to access their systems ( not at the same time of course). How do you load the clients?

Is it possible to do this with a double NAT? If so, could you direct me to a guide or information regarding this? Thank you.

Thank you sir :)