Openvpn on tunnel mode in pfsense

Step 1– Create Certificate for VPN server

1. Login to the web admin(Firewall)
2. System>>certificate manager>>CAs
3 Press Plus button
4 Give it descriptive name
5 Next you can either Import an existing CA you might have or create a new one. If you have an existing cert paste it into the box. Otherwise choose Create an Internal Certificate Authority and fill in the information below.

Once thats done we need to create our certificates for the OpenVPN server as well as any users we want to connect.




Step 2–

1. While still in System –> Cert Manager, click the Certificates tab

The process for creating a Cert for the server and users are almost identical.

2. In the Method — “Create an Internal Cert”
3. Descriptive name— specify server/username
4. In the Certificate Authority drop down choose the CA you just created.
5. In Certificate Type drop down specify whether this Cert is for the server or a user.
6. Fill out the rest of the info for location
7. Repeat process again for other users keeping in mind the OpenVPN server (pfsense) must have its own cert as well as any users. Create as many certs as you need based off the original CA created earlier

Step 3–

To install this package:

1. goto System —> Packages
2. Click the Available Packages Tab
3. Install the OpenVPN-client-export


Step 4—

1. Goto VPN —> OpenVPN
2. Make sure you’re on the server tab. And click the + button to add a server.
3.Uncheck that disables the serer
Server Mode: Remote Access (SSL/TLS)
Protocol: UDP
Device Mode: TUN
Interface: WAN
Local port: 1194 (default port but you can choose whatever port you like)
Description: give description

Crypto Settings:

TLS Authentication-Check both check boxes
Peer Certificate Authority- Use the CA we created ealier
Server Certificate: This is where you use the Server Certificate created ealier, NOT any of the user certs
DH Paramters Length: I use 1024
Encryption Algorithm: I use AES-128-CBC
Hardware Crypto: No Hardware Crypto
Cert Depth: One


tunnel Settings
Tunnel Network: give any ip address for tunnel like (
IPv4 Local network– your firewall local IP address
Inter-client communication: If you want different remote clients to be able to talk to each other check this box
Client Settings:
Dynamic IP: checked
Address Pool: unchecked
DNS Default domain: if you have one enter it here
Advance config is left blank.

Press save, and your OVPN server is created.


The next thing to do is create a Firewall Rule to allow your OpenVPN traffic to pass.

1. GoTo Firewall —> Rules
2. Click the plus button to add a rule
3. Going down the line:
Action: Pass
Disabled: unchecked
Interface: WAN
Protocol: UDP
Source: any
Destination: WAN Address
Destination Port Range: This is the port of your OpenVPN server






Leave a Reply