This guide will explain how to configure OpenVPN Remote Access for clients.
We need to create a Certificate Authority and a Server Certificate to be used by our VPN.
Go to System - Cert. Manager. Click on the green Add button to add a new CA.
Change method to Create an internal Certificate Authority. The image shows an example of a working configuration, you do not have to follow it to the letter.
On the same page, go to the Certificates tab and click the green Add button.
Change method to Create an internal Certificate and make sure to change Certificate Type to Server Certificate.
Alternative names are optional.
In the pfSense web UI, go to VPN - OpenVPN.
Click on the green Add button to create a new VPN.
The following images will show a working OpenVPN setup. You do not have to copy the configuration to the letter.
Remote Access (User Auth) will use your username and password in pfSense to authenticate against the VPN. For every VPN user you will need to create a new pfSense user.
You can also choose to authenticate by a certificate, or both User Auth and Certificate.
You can also configure VPN users to authenticate against AD or LDAP, that will not be covered in this guide.
Change Server certificate to your newly created one. The other options are just a recommendation, it's up to you to decide how secure you want it to be.
IPv4 Tunnel Network is the virtual network the VPN clients will connect to. It can not be the same as your local network.
IPv4 Local Network is your local network in Openstack.
Compression is optional.
Client settings, Advanced client settings, and Advanced configuration can be left at default.
Now press Save.
Go to Firewall - Rules and click the right Add button. Now we need to add a rule that allows OpenVPN traffic.
Hit save and then go to the tab called OpenVPN and click the Add button.
This rule is for allowing traffic from the VPN to the Openstack network.
We still have one firewall left to configure, the one in Openstack.
In the MyELITS portal, go to Infrastructure - Servers - Access & Security -> Create Security Group, give the security group a name (like OpenVPN) and a good description (if you already have a openvpn rule you can go ahead and attach the rule to the VPN server).
Click on Add Rule.
Click Add and then go to Infrastructure - Servers - List Servers.
Click the arrow to the right of your VPN Server and select Edit Security Groups.
Add the new security group to your server and hit Save.
Right now, the other servers in your project do not know where to go if they get traffic from your virtual network. We can solve that by adding a new route in MyELITS Portal.
Go to Infrastructure - Network - Networks.
Click on default-network and then Edit Subnet.
On the Subnet Details tab we find the host routes.
Here you want to add the virtual subnet you chose in the VPN configuration, followed by the VPN server's local IP.
To export VPN configuration in an easy manner there is a package that can help us.
In pfSense, go to System - Package Manager - Available Packages.
Find the package called openvpn-client-export and hit the install button, then confirm.
Exporting user configuration
Go to VPN - OpenVPN and then click the Client Export tab.
Choose Other in Host Name Resolution and enter the floating (public) IP of your VPN server.
Check Use Random Local Port if you use more than one VPN on your computer.
Then press Save as default.
On the bottom of this page you will find VPN configurations to export and install in you preferred VPN client.
For Windows you can choose Windows Installer which will install the OpenVPN client and install your VPN automatically. If you already have OpenVPN installed you can choose Archive.
For Mac we recommend the Viscosity Bundle.
If you want to use an external authentication source like MS Active Directory you can follow the official pfSense guide for OpenVPN with RADIUS via Active Directory