Setting up an OpenVPN server with pfSense and Viscosity

Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You
can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on
your favourite websites. And you can even connect to your home or office network from
anywhere in the world, as if you were sitting right at your desk. This guide will walk you through
the process of setting up your own OpenVPN server, and connecting to it with your copy of
Viscosity.

Running your own OpenVPN server will allow you to encrypt everything you do on the internet,
so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything
you send over the VPN connection will be encrypted from your device until it reaches your
OpenVPN server at home. Setting up your OpenVPN server to access your home or office
network gives you full access to all your files on your network.

This guide will walk you through the steps involved in setting up an OpenVPN server on a
pfSense instance that allows you to securely access your home/office network from a remote
location and optionally send all of your network traffic through it so you can access the internet
securely as well.

This guide won't treat any issues related to setting up your router. A server running pfSense is
likely to be acting as a router itself, so we will assume that the pfSense server is directly
connected to the internet with its own IP address.

Preparation

For this guide, we assume:

 You have already installed the latest version of pfSense (2.3 at time of writing)
 pfSense has been set up with at least a WAN interface and a LAN interface

 You are connected with your client device to the pfSense server via its LAN interface
during this guide

 This installation of pfSense is a fresh install

 You already have a copy of Viscosity installed on your client device

If you need to download and install a copy of pfSense, information can be found
at https://www.pfsense.org/download/. We won't be covering the details of setting up a
pfSense instance, many guides can be found online. If you are running a different version of
pfSense, it's very likely that many or even all of the steps outlined in this guide will still apply. If
you are looking to setup an OpenVPN server on a different operating system, please check out
our other guides.

Your client device needs to be connected to the pfSense server via the LAN interface. This is
necessary so that you can access the webConfigurator to set up the pfSense configuration. The
specifics of how you can achieve this depend on your particular network configuration.

If you don't have a copy of Viscosity already installed on your client, then please check out this
setup guide for installing Viscosity (Mac | Windows).

Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We
provide this guide as a courtesy to help you get started with, and make the most of, your copy of
Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the
instructions detailed below, you should be well on your way to enjoying the benefits of running
your own OpenVPN server.

Getting Started

First you need to log in to the webConfigurator from your client device connected to the LAN
interface of the pfSense server. Open a browser on your client and navigate to the IP address of
the LAN interface of your pfSense server (something like https://10.0.0.1
or https://192.168.0.1). You will need to login. The default credentials are:

User: admin
Password: pfsense

If this is your first time logging in to the webConfigurator, it will attempt to walk you through a
wizard. Skip this step by clicking on the pfSense logo to navigate to the main dashboard.
For security the pfSense admin password should be changed. Click System > User Manager.
Edit the password by clicking the edit icon under Actions for the admin account.

DNS Server

Set the IP address of the DNS servers we will use:

1. Click System > General Setup.

2. In the DNS Server Settings section, set the first two DNS servers to 8.8.8.8 and
8.8.4.4 (Google DNS). If you want to use different DNS servers, feel free to use them
here instead.

3. Click Save at the bottom.

To enable these DNS servers:

1. Click Interfaces > WAN.

 2. In the General configuration section, set the IPv4 Configuration Type to 'Static
IPv4'.

3. In the Static IPv4 configuration section, set the IPv4 address to the WAN IP
address of your pfSense server.

4. Click Save at the bottom.

A yellow box will appear at the top of the page, click Apply changes to reset the WAN interface
with the new DNS settings.

These DNS servers will be handed to connected clients as the DNS Resolver is enabled by default.

1. Click on Services > DNS Resolver to modify the DNS Resolver settings.
2. Check the DNS Query Forwarding box to enable forwarding mode.
 3. Click Save at the bottom.

4. A yellow box will appear at the top of the page, click Apply changes.

OpenVPN Wizard

The OpenVPN server can be setup by the built-in wizard.

1. Click VPN > OpenVPN and click on the Wizards tab.

2. You will be instructed to select an Authentication Backend Type. Click Next to
accept the default of 'Local User Access'.

3. Now we will need to create a New Certificate Authority (CA) Certificate. Set the
descriptive name to 'pfSense-CA'.

4. Leave the key length at 2048 bit and the lifetime at 3650 days.

5. The remaining parameters are to identify the person or organization controlling this
certificate authority. Set them appropriately for your situation.
6. Click Add new CA to move on to the server certificate.
7. Set the descriptive name to server and keep the key length as 2048 bits and lifetime as
3650 days.

8. The person / institution information will already be filled from the previous page. Leave
it as it is.

9. Click Create new Certificate.

10. On the next page, in the General OpenVPN Server Information section, set
the Description to 'server'.

11. In the Cryptographic Settings section deselect the TLS Authentication.

12. Leave the Encryption Algorithm as 'AES-256-CBC (256 bit key, 128 bit
block)'.

13. In the Tunnel Settings enter the Tunnel Network address as 10.8.0.0/24.

14. To allow access to machines on the local network, enter your local IP range in
the Local Networksetting. It will probably be something like 10.0.0.0/24.

15. Set the Compression to 'Enabled without Adaptive Compression'.

16. Check the Inter-Client Communication checkbox.

17. In the Client Settings section, set the DNS Server 1 to point to the OpenVPN server
(10.8.0.1).

18. In the Advanced text box, add the line:

push "route 10.0.0.0 255.255.255.0";mute 10;comp-lzo;where we assume your

LAN subnet is 10.0.0.0/24. Adjust it accordingly.

19. We can leave the remaining settings as they are and click Next below.
20. Now accept the default firewall rules by checking both the Firewall Rule and OpenVPN
rule boxes and clicking Next. These rules will allow your client to connect to the
OpenVPN server and allow VPN traffic between the client and server.

21. You will now be shown a completion screen. Click Finish.

You have now created the server certificate. Before we move on, we need to modify a few
settings that were not covered in the wizard.

1. Click the edit icon next to the server row to edit the configuration.
2. In the General Information section, change the Server Mode to 'Remote Access
( SSL/TLS )'.

3. Press Save to save these changes.

Firewall

Firewall settings are generated automatically by the wizard. However, depending on your
firewall setup and version, you may have to check the setting the wizard has created. First,
navigate to Firewall -> Rules and select WAN. You should see a firewall rule permitting IPv4
traffic incoming through the WAN via the OpenVPN port. This will allow clients to connect to the
VPN via the external WAN interface.

If you are having issues routing traffic through the VPN, navigate to Firewall -> Nat,
select Outbound and ensure the Mode is set to "Automatic outbound NAT rule generation.
(IPsec passthrough included)".

Client Certificate

To connect to our OpenVPN server, we need to generate a client certificate for each device we
want to connect to the server.

1. Click System > User Manager and click the + Add button to add a user.
2. Fill in the username and password. For our example, we will set the username
to client1.

3. Make sure to check the Certificate box to create a user certificate. This will cause the
section to expand.

4. Give the certificate a descriptive name (client1).

5. Leave the certificate authority, key length and lifetime to their default values.
 6. Click Save to finish.

pfSense provides an OpenVPN Client Export Package that you can use to create a Viscosity
connection without directly dealing with any certificates or keys.
1. To install the export package click System > Package Manager and click on
the Available Packages tab. This will show you a list of all the packages you can
install.
2. Scroll down to find the 'openvpn-client-export' and click on the + Install button to
install it.

3. It will ask you to confirm, click Confirm to begin installation.

4. When the installation completes, you can export a configuration by

clicking VPN > OpenVPN and clicking on the Client Export tab.

5. Select the server in the Remote Access Server section. Keep the default values for the
other parameters.

6. Scroll down to the OpenVPN Clients section and find the row corresponding to
the Certificate Name of the user you created (client1).

7. Download the Viscosity configuration by clicking on 'Viscosity Bundle'. This will

download a zip of the configuration file to your client device.
8. Unzip this archive on your client device to find the 'Viscosity.visc' file. This file can
be imported into Viscosity.
Setting Up Viscosity

The interface provided by the Mac and Windows versions of Viscosity is intentionally very
similar. As such, we will focus our guide on the Mac version, pointing out any differences with
the Windows version as they arise.

If you do not have Viscosity already running, start Viscosity now. In the Mac version you will
see the Viscosity icon appear in the menu bar. In the Windows version you will see the
Viscosity icon appear in the system tray.

Click the Viscosity icon in the menu bar (Windows: system tray) and select
'Preferences...':
This shows you the list of available VPN connections. We assume you recently installed
Viscosity, so this list is empty. Click on the '+' button and select Import Connection > From
File...:

Navigate to the location of the Viscosity configuration file and open it. You will see a pop up
message to indicate that the connection has been imported.

Configuring the Connection

Double click on the connection in the Preferences window to bring up the connection settings.
You will now need to set the connection parameters as outlined below:

1. In the General tab, replace the connection name with your desired name for the
connection, for example "DemoConnection".
2. Click on the Networking tab and enter "10.8.0.1" into the "Servers" field in the DNS
Settings section.
3. Click on the Options tab and check the 'No Bind' box and make sure
the Compression drop down is set to LZO.
 4. Click the Save button to save these changes.

(Optional) Allowing Access to the Internet

By default the VPN connection will allow access to the file server and other computers on the
home/office (LAN) network. However if you also wish to have all internet traffic sent through the
VPN connection it's necessary to make a final edit to the connection:

1. Double-click on your connection in the Viscosity Preferences window to open the

connection editor
2. Click on the Networking tab.

3. Click the "All Traffic" drop down and select the "Send all traffic over VPN
connection" option. It is not necessary to enter a Default Gateway.

4. Click the Save button.

Connecting and Using Your VPN Connection

You are now ready to connect. Click on the Viscosity icon in the menu bar (Windows: system
tray) and select 'Connect DemoConnection'. That's it, you should see a notification that you're
now connected!

To check that the VPN is up and running, you can use the Viscosity details window. Click the
Viscosity menu bar (Windows: system tray) icon and select 'Details...'. This will bring up the
details window.
This window will show you the traffic passing through the VPN connection.

Accessing Network Resources

Once connected to your VPN, you can access your files or other services by using the LAN IP
address you would use if you were connected to them via your home/office local network.
Connect via Mac
To connect to a shared network directory from your Mac connected to the VPN:

1. Open a Finder window

2. Click Go on the menu bar and select "Connect to Server..."

1. In the Server Address, type the LAN IP address of your network resource (something
like 192.168.0.x) and click Connect.
2. Enter the username and password for the network resource

3. Select the shared volume you want to access and click OK

Network resources you would normally find appearing in the Finder sidebar will not appear
when connected to via the VPN. You can find connected network resources in
the Computer directory. In a Finder window, press ⌘ + shift + c to jump to the Computer
directory.
Connect via Windows

To connect to a shared network directory from your PC connected to the VPN:

1. Type the \\lan-ip-address into the Search the web and Windows box in the taskbar
and press Enter (something like \\192.168.0.x)
2. Enter the username and password for the network resource
3. You will then see the folders shared by this host
That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to
enjoy the benefits of operating your own OpenVPN server!