Setting up an OpenVPN server with pfSense and Viscosity
Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.
Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.
This guide will walk you through the steps involved in setting up an OpenVPN server on a pfSense instance that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.
This guide won't treat any issues related to setting up your router. A server running pfSense is likely to be acting as a router itself, so we will assume that the pfSense server is directly connected to the internet with its own IP address.
For this guide, we assume:
- You have already installed the latest version of pfSense (2.3 at time of writing)
- pfSense has been set up with at least a WAN interface and a LAN interface
- You are connected with your client device to the pfSense server via its LAN interface during this guide
- This installation of pfSense is a fresh install
- You already have a copy of Viscosity installed on your client device
If you need to download and install a copy of pfSense, information can be found at https://www.pfsense.org/download/. We won't be covering the details of setting up a pfSense instance, many guides can be found online. If you are running a different version of pfSense, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to setup an OpenVPN server on a different operating system, please check out our other guides.
Your client device needs to be connected to the pfSense server via the LAN interface. This is necessary so that you can access the webConfigurator to set up the pfSense configuration. The specifics of how you can achieve this depend on your particular network configuration.
Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.
pfSense offer both community and commercial support if you are looking for more information or help, take a look at their options at https://www.pfsense.org/get-support/
First you need to log in to the webConfigurator from your client device connected to the LAN interface of the pfSense server. Open a browser on your client and navigate to the IP address of the LAN interface of your pfSense server (something like
https://192.168.0.1). You will need to login. The default credentials are:
User: admin Password: pfsense
If this is your first time logging in to the webConfigurator, it will attempt to walk you through a wizard. Skip this step by clicking on the pfSense logo to navigate to the main dashboard.
For security the pfSense admin password should be changed. Click
User Manager. Edit the password by clicking the edit icon under Actions for the admin account.
Change the password by entering a new password and its confirmation and then click
Save at the bottom.
Set the IP address of the DNS servers we will use:
- In the DNS Server Settings section, set the first two DNS servers to 220.127.116.11 and 18.104.22.168 (Google DNS). If you want to use different DNS servers, feel free to use them here instead.
Saveat the bottom.
To enable these DNS servers:
- In the General configuration section, set the IPv4 Configuration Type to 'Static IPv4'.
- In the Static IPv4 configuration section, set the IPv4 address to the WAN IP address of your pfSense server.
Saveat the bottom.
- A yellow box will appear at the top of the page, click
Apply changesto reset the WAN interface with the new DNS settings.
These DNS servers will be handed to connected clients as the DNS Resolver is enabled by default.
- Click on
DNS Resolverto modify the DNS Resolver settings.
- Check the DNS Query Forwarding box to enable forwarding mode.
Saveat the bottom.
- A yellow box will appear at the top of the page, click
The OpenVPN server can be setup by the built-in wizard.
OpenVPNand click on the
- You will be instructed to select an Authentication Backend Type. Click
Nextto accept the default of 'Local User Access'.
- Now we will need to create a New Certificate Authority (CA) Certificate. Set the descriptive name to 'pfSense-CA'.
- Leave the key length at 2048 bit and the lifetime at 3650 days.
- The remaining parameters are to identify the person or organization controlling this certificate authority. Set them appropriately for your situation.
Add new CAto move on to the server certificate.
- Set the descriptive name to server and keep the key length as 2048 bits and lifetime as 3650 days.
- The person / institution information will already be filled from the previous page. Leave it as it is.
Create new Certificate.
- On the next page, in the General OpenVPN Server Information section, set the Description to 'server'.
- In the Cryptographic Settings section deselect the TLS Authentication.
- Leave the Encryption Algorithm as 'AES-256-CBC (256 bit key, 128 bit block)'.
- In the Tunnel Settings enter the Tunnel Network address as 10.8.0.0/24.
- To allow access to machines on the local network, enter your local IP range in the Local Network setting. It will probably be something like 10.0.0.0/24.
- Set Compression to 'Disabled - No Compression'
- Check the Inter-Client Communication checkbox.
- In the Client Settings section, set the DNS Server 1 to point to the OpenVPN server (10.8.0.1).
- In the Advanced text box, add the line:
push "route 10.0.0.0 255.255.255.0";mute 10;
- where we assume your LAN subnet is 10.0.0.0/24. Adjust it accordingly.
- We can leave the remaining settings as they are and click
- Now accept the default firewall rules by checking both the Firewall Rule and OpenVPN rule boxes and clicking
Next. These rules will allow your client to connect to the OpenVPN server and allow VPN traffic between the client and server.
- You will now be shown a completion screen. Click
You have now created the server certificate. Before we move on, we need to modify a few settings that were not covered in the wizard.
- Click the edit icon next to the server row to edit the configuration.
- In the General Information section, change the Server Mode to 'Remote Access ( SSL/TLS )'.
Saveto save these changes.
Firewall settings are generated automatically by the wizard. However, depending on your firewall setup and version, you may have to check the setting the wizard has created. First, navigate to
Rules and select
WAN. You should see a firewall rule permitting IPv4 traffic incoming through the WAN via the OpenVPN port. This will allow clients to connect to the VPN via the external WAN interface.
If you are having issues routing traffic through the VPN, navigate to
Outbound and ensure the Mode is set to "Automatic outbound NAT rule generation. (IPsec passthrough included)".
To connect to our OpenVPN server, we need to generate a client certificate for each device we want to connect to the server.
User Managerand click the
+ Addbutton to add a user.
- Fill in the username and password. For our example, we will set the username to client1.
- Make sure to check the Certificate box to create a user certificate. This will cause the section to expand.
- Give the certificate a descriptive name (client1).
- Leave the certificate authority, key length and lifetime to their default values.
Setting Up Viscosity
If you have made it this far, you should now be able to connect to your OpenVPN server, congratulations! We can now setup Viscosity.
Exporting Connection from pfSense
pfSense provides an OpenVPN Client Export Package that you can use to create a Viscosity connection without directly dealing with any certificates or keys.
- To install the export package click
Package Managerand click on the
Available Packagestab. This will show you a list of all the packages you can install.
- Scroll down to find the 'openvpn-client-export' and click on the
+ Installbutton to install it.
- It will ask you to confirm, click
Confirmto begin installation.
- When the installation completes, you can export a configuration by clicking
OpenVPNand clicking on the
- Select the server in the Remote Access Server section. Keep the default values for the other parameters.
- Scroll down to the OpenVPN Clients section and find the row corresponding to the Certificate Name of the user you created (client1).
- Download the Viscosity configuration by clicking on 'Viscosity Inline Config'. This will download a .ovpn configuration file to your client device.
Import Connection into Viscosity
Click the Viscosity icon in the menu bar (Windows: system tray) and select 'Preferences...':
This shows you the list of available VPN connections. We assume you recently installed Viscosity, so this list is empty. Click on the '+' button and select
Import Connection >
Navigate to the location of the Viscosity configuration file and open it. You will see a pop up message to indicate that the connection has been imported.
(Optional) Allowing Access to the Internet
By default the VPN connection will allow access to the file server and other computers on the home/office (LAN) network. However if you also wish to have all internet traffic sent through the VPN connection it's necessary to make a final edit to the connection:
- Double-click on your connection in the Viscosity Preferences window to open the connection editor
- Click on the Networking tab.
- Click the "All Traffic" drop down and select the "Send all traffic over VPN connection" option. It is not necessary to enter a Default Gateway.
- Click the
Connecting and Using Your VPN Connection
You are now ready to connect. Click on the Viscosity icon in the macOS menu bar or Windows system tray to open the Viscosity Menu, select the connection you imported, and Viscosity will connect.
To check that the VPN is up and running, you can open the Details window from the Viscosity Menu. This will allow you to view connection details, traffic and the OpenVPN log.
That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!