Certificates on pfSense

  1. Log in to the pfSense WebGUI and go to the OpenVPN config page. Click on the + to add a new OpenVPN rule.
    1. Dynamic IP: If it applies to your users, enable this option. More than likely, you will want this enabled.
    2. Address pool: This should be a unique subnet. No other interfaces or networks should share this subnet!
    3. Local network: In most cases, this should be your LAN subnet. If you have other subnets that VPN users will need to access, push routes to them via custom options: push "route n.n.n.n 255.255.255.0";, where n.n.n.n is the subnet address of another interface on your pfSense.
    4. Authentication Method: PKI (Public Key Infrastructure)
       [Image: Openvpn_01.jpg]
    5. Go back to the certificates we generated, and get the contents of keys/ca.crt. Paste that in the field CA certificate (you must include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).
    6. Grab the contents of keys/server.crt (only from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----), and paste that into Server certificate.
    7. Do the same for keys/server.key. This goes in Server key.
    8. And last (but definitely not least), copy keys/dh1024.pem to the field DH parameters.
       [Image: Openvpn_02.jpg]
    9. Enable LZO compression if you want. The client must match this setting.
    10. Hit Save.
       [Image: Openvpn_03.jpg]
  2. Go to the firewall rules for the WAN interface, and open up the TCP (or UDP) port you defined for your OpenVPN instance.
  3. Apply changes.
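
The paste steps for the CA certificate, Server certificate, Server key and DH parameters fields are where mistakes creep in, since only the BEGIN/END block belongs in each field and each field expects one kind of block. The following added example (not from the original article or from pfSense) extracts the single PEM block for a named field, rejects a block of the wrong type, and reports the DH prime size, which is worth checking because 1024-bit parameters such as dh1024.pem are below the 2048 bits generally recommended today. The function names and the sample file are constructed for illustration.

```python
import base64
import re

FIELD_LABELS = {  # pfSense field -> PEM labels that belong in it
    "CA certificate": {"CERTIFICATE"},
    "Server certificate": {"CERTIFICATE"},
    "Server key": {"PRIVATE KEY", "RSA PRIVATE KEY"},
    "DH parameters": {"DH PARAMETERS"},
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_for_field(field, file_text):
    """Return (pem_block, der_bytes) for `field`; raise ValueError on a bad file."""
    blocks = PEM_RE.findall(file_text)
    if len(blocks) != 1:
        raise ValueError(f"{field}: expected 1 PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label not in FIELD_LABELS[field]:
        raise ValueError(f"{field}: file holds a {label} block, wrong field")
    lines = body.split()  # drops CR/LF and stray indentation
    der = base64.b64decode("".join(lines), validate=True)
    pem = "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])
    return pem, der

def _read_tlv(buf, tag):  # return the value bytes of the DER element at buf[0]
    if buf[0] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return buf[pos:pos + length]

def dh_prime_bits(der):
    """Bit length of p in DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    return int.from_bytes(_read_tlv(_read_tlv(der, 0x30), 0x02), "big").bit_length()

def _tlv(tag, v):  # DER-encode one element; only used to build the sample below
    n = len(v).to_bytes((len(v).bit_length() + 7) // 8, "big")
    return bytes([tag]) + (n if len(v) < 0x80 else bytes([0x80 | len(n)]) + n) + v

def constructed_dh_file(bits):
    """Constructed sample, not usable parameters: p = 2^(bits-1) + 1, g = 2."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 pad
    b64 = base64.encodebytes(_tlv(0x30, _tlv(0x02, p) + b"\x02\x01\x02")).decode()
    return f"Text dump above the block\n-----BEGIN DH PARAMETERS-----\n{b64}-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    _, der = pem_for_field("DH parameters", constructed_dh_file(1024))
    print("DH prime:", dh_prime_bits(der), "bits")
```

To check real files, pass the text of keys/ca.crt, keys/server.crt, keys/server.key or the DH file to pem_for_field with the matching field name and paste the returned block.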