Configuring a VPN Server with pfSense - A Step-by-Step Guide

ARTICLES

Winston.I

12/10/2024, 4 min read

In today’s interconnected world, securing your network is essential. One of the most powerful tools for achieving this is a Virtual Private Network (VPN). This blog will guide you through configuring a VPN server using pfSense—a robust, open-source firewall and router software. We'll also show how to configure firewall rules to secure VPN traffic effectively. Let’s dive in!

What is a VPN and Why is it Important?

A VPN creates a secure, encrypted tunnel over the internet, connecting remote users to a private network safely. It shields sensitive data from prying eyes, so that traffic cannot be read or tampered with in transit. Whether it's employees accessing company files or individuals seeking online privacy, VPNs are a cornerstone of modern cybersecurity.

Setting Up an IPsec VPN Server

1. Creating a Certificate Authority (CA)

The first step in configuring a VPN is setting up a Certificate Authority (CA). The CA signs the server certificate, and clients that trust the CA use that signature to verify they are connecting to the genuine VPN server.

  1. Log in to pfSense Web GUI:

    • Open your browser and navigate to http://172.30.0.1.

    • Enter the credentials (the pfSense defaults; change them after first login):

      • Username: admin

      • Password: pfsense

  2. Create the CA:

    • Navigate to System > Cert Manager > CAs.

    • Click Add and input the following details:

      • Descriptive Name: IPsecVPN_yourname

      • Key Length: 2048 bits

      • Digest Algorithm: SHA256

      • Lifetime: 3650 days

      • Fill in details like your country, state, and organization.

    • Click Save.

2. Adding a Server Certificate

Once the CA is set up, you’ll create a server certificate to authenticate the VPN server.

  1. Go to System > Cert Manager > Certificates.

  2. Click Add/Sign and use the following details:

    • Descriptive Name: IKEv2VPN_pfSense

    • Certificate Authority: Select IPsecVPN_yourname

    • Key Length: 2048 bits

    • Digest Algorithm: SHA256

    • Lifetime: 3650 days

    • Common Name: Enter your firewall’s WAN IP address, e.g., 202.20.1.1.

  3. Save the certificate and return to the Certificates page.
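The two certificate steps above are performed in the pfSense GUI, so it is easy to finish them without ever checking what came out. The following shell script is an added example, not code from this guide or from the pfSense project: it rebuilds the same CA and server certificate with the openssl CLI (the tool pfSense's Cert Manager uses underneath), using the guide's parameters (RSA 2048, SHA256, 3650 days, CN = WAN IP 202.20.1.1), and then runs the checks an IKEv2 client performs. The work directory, the subject fields other than the CN, and the added subjectAltName / extendedKeyUsage extensions are assumptions; they are not settings the guide mentions.

```shell
#!/usr/bin/env bash
# Added example (not from the guide or pfSense): reproduce the guide's CA and server
# certificate with openssl and verify them the way an IKEv2 client would.
set -eu

WAN_IP="202.20.1.1"                      # the guide's WAN IP, used as the server CN
if [ -z "${WORKDIR:-}" ]; then           # scratch directory (assumption, not a guide setting)
  WORKDIR=$(mktemp -d)
  trap 'rm -rf "$WORKDIR"' EXIT
fi

# Step 1 of the guide: self-signed CA, RSA 2048, SHA-256, 3650-day lifetime.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=XX/O=Example Lab/CN=IPsecVPN_yourname" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Step 2 of the guide: server certificate signed by that CA with CN = WAN IP.
# The SAN and EKU lines are additions: most IKEv2 clients match the address they
# dial against the subjectAltName, and expect serverAuth / IKE-intermediate EKUs.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=XX/O=Example Lab/CN=$WAN_IP" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
  cat > "$WORKDIR/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
subjectAltName=IP:$WAN_IP
EOF
  openssl x509 -req -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -sha256 -days 3650 -extfile "$WORKDIR/server.ext" \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# Client check 1: the server certificate must chain to the CA the client trusts.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Client check 2: the dialled address must appear in the certificate's SAN.
has_san_ip() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -q "IP Address:$1"
}

# Negative check: a certificate with the right CN but issued by an unrelated CA
# must be rejected, which is the whole point of pinning clients to your CA.
rogue_cert_rejected() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$WAN_IP" \
    -keyout "$WORKDIR/rogue.key" -out "$WORKDIR/rogue.crt" 2>/dev/null
  ! openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/rogue.crt" >/dev/null 2>&1
}

main() {
  make_ca
  make_server_cert
  verify_chain        && echo "server.crt chains to ca.crt"
  has_san_ip "$WAN_IP" && echo "SAN contains $WAN_IP"
  rogue_cert_rejected && echo "certificate from an unrelated CA is rejected"
}
main
```

To run the same checks against a real pfSense export, download the CA and server certificates from System > Cert Manager and point `verify_chain` and `has_san_ip` at those files instead of the ones generated here.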

3. Enabling IPsec Mobile Client Support

  1. Navigate to VPN > IPsec > Mobile Clients.

  2. Enable IKE Extensions by checking the box.

  3. Configure the following:

    • Virtual Address Pool: 172.31.1.0/24

    • Enable the Network List for accessible networks.

  4. Click Save and then Apply Changes.

4. Setting Up the VPN Tunnel

The VPN tunnel facilitates secure communication between clients and the network.

  1. Go to VPN > IPsec > Tunnels and click Create Phase 1.

  2. Use these configurations:

    • Key Exchange Version: IKEv2

    • Interface: WAN

    • Authentication Method: EAP-MSChapv2

    • Identifier: WAN IP address (202.20.1.1).

  3. Save the configuration and click Apply Changes.

  4. Create a Phase 2 entry to define how traffic flows through the VPN:

    • Local Network: 0.0.0.0/0 (routes all traffic through the VPN).

    • Use AES-256 encryption for enhanced security.

5. Adding a Pre-Shared Key

  1. Navigate to IPsec > Tunnels > Pre-Shared Keys.

  2. Add a new key:

    • Identifier: remoteworker01

    • Key: password1

  3. Save and apply changes.

Configuring OpenVPN

In this section, you'll configure OpenVPN, another widely used VPN protocol known for its flexibility and security.

1. Launching the OpenVPN Wizard

  1. Navigate to VPN > OpenVPN > Wizards.

  2. Select Local User Access as the authentication backend and proceed.

2. Creating a Certificate Authority

  1. At the CA Selection page, click Add new CA.

  2. Input the following details:

    • Descriptive Name: OpenVPN_CA_yourname

    • Use default key length (2048 bits) and lifetime (3650 days).

  3. Save and proceed.

3. Adding a Server Certificate

  1. On the Server Certificate Selection page, click Add new Certificate.

  2. Fill in:

    • Descriptive Name: OpenVPN_SC_yourname

  3. Save and continue.

4. Configuring Tunnel Settings

  1. Input these settings:

    • Tunnel Network: 172.31.1.0/24

    • Local Network: 172.30.0.0/24

    • Concurrent Connections: 2

    • Enable Inter-Client Communication.

5. Setting Up Firewall Rules

  1. At the Firewall Rule Configuration page, allow traffic through the OpenVPN tunnel.

  2. Verify the new rules under Firewall > Rules > OpenVPN.

Congratulations! You’ve successfully configured a secure VPN server using pfSense. This step-by-step guide has equipped you with the skills to create and secure VPN connections, allowing remote users to safely access network resources. Regularly review and update your VPN configurations to stay ahead of evolving threats.