- Log in to the client section of OpenVPN-AS as the user you want to use and download the “Yourself (autologin profile)” file. If you don’t have this, log into the admin panel and enable autologin for the user.
- Open client.ovpn in Notepad or a similar text editor.
- Copy the contents of the <ca></ca> block into a new CA cert in pfSense.
- Copy the contents of the <cert></cert> and <key></key> blocks into a new certificate in pfSense (certificate data and private key data respectively).
- Create a new OpenVPN Client.
- Fill out the server address, port and protocol as appropriate (take them from the remote line in the profile).
- Uncheck “Automatically generate a shared TLS key” and copy the contents of the <tls-auth></tls-auth> block into the box that appears.
- Pick the CA & Cert you created in steps 3 & 4.
- Set the encryption algorithm to match the cipher line in the profile, i.e. whatever OpenVPN-AS is using. The default is BF-CBC unless you changed it; BF-CBC is a 64-bit block cipher exposed to SWEET32 and is no longer a default in OpenVPN 2.5 and later, so if you can, switch the server to AES-256-GCM or AES-256-CBC and match it here. A mismatch between client and server cipher shows up as a tunnel that never passes traffic.
- Check the box for Compression only if you enabled it in OpenVPN-AS. The two ends must agree, and VPN compression is also the oracle that the VORACLE attack uses, so leave it off where the server lets you.
- Save the OpenVPN Client connection and verify that the tunnel comes up under Status > OpenVPN. If OpenVPN-AS pushes a default route, tick “Don't pull routes” in the client so that only the policy-routing rules below decide what goes over the tunnel, rather than the whole firewall.
- Create a new interface and assign the VPN tunnel to it.
- Edit the interface, enable it, and make sure that None is set for IPv4 Configuration Type.
- Add an outbound NAT rule for your new interface.
- Assign the new gateway to whatever firewall rules you want to force through the VPN tunnel. By default pfSense falls back to the normal WAN when a policy-routed gateway is down, so if that traffic must never leave unencrypted, enable “Skip rules when gateway is down” under System > Advanced > Miscellaneous.
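As an added example (not part of the original post), here is a small Python script that does steps 2 to 10 mechanically: it pulls the <ca>, <cert>, <key> and <tls-auth> blocks and the remote, cipher, comp-lzo and key-direction directives out of a profile, maps them onto the fields of the pfSense client form, and flags the settings worth a second look. The profile text, the host name vpn.example.com and the PEM bodies are constructed placeholders, and the function names are mine, not pfSense's or OpenVPN's.

```python
"""Extract pfSense OpenVPN client settings from an OpenVPN-AS .ovpn profile.

Added example, not from the original post. SAMPLE_PROFILE is constructed;
the PEM bodies are placeholders, not real certificates or keys.
"""
import re

INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt")

# 64-bit block ciphers: exposed to SWEET32, dropped as defaults in OpenVPN 2.5+.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

SAMPLE_PROFILE = """\
# Constructed sample modelled on an OpenVPN-AS autologin profile
client
dev tun
proto udp
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp
cipher BF-CBC
comp-lzo
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCA000000000000000000000000000000000000000000000000000000
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERT0000000000000000000000000000000000000000000000000000
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDERKEY00000000000000000000000000000000000000000000000000000
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def parse_profile(text):
    """Return {'blocks': {tag: pem}, 'options': {directive: [args, ...]}}."""
    blocks = {}
    for tag in INLINE_TAGS:
        m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", text, re.S)
        if m:
            blocks[tag] = m.group(1).strip() + "\n"
    # Remove every inline block, then read the remaining one-line directives.
    flat = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)
    options = {}
    for raw in flat.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        name, *args = line.split()
        options.setdefault(name, []).append(args)
    return {"blocks": blocks, "options": options}


def pfsense_client_settings(profile):
    """Map the profile onto the fields of the pfSense OpenVPN client form."""
    opts, blocks = profile["options"], profile["blocks"]
    remote = opts.get("remote", [[]])[0]  # pfSense takes one server per client
    proto = remote[2] if len(remote) > 2 else opts.get("proto", [["udp"]])[0][0]
    return {
        "server": remote[0] if remote else None,
        "port": int(remote[1]) if len(remote) > 1 else 1194,
        "protocol": proto.lower(),
        "cipher": opts.get("cipher", [["BF-CBC"]])[0][0],  # OpenVPN's old default
        "compression": "comp-lzo" in opts or "compress" in opts,
        "tls_key_direction": opts.get("key-direction", [[None]])[0][0],
        "has_tls_auth": "tls-auth" in blocks,
        "ca": blocks.get("ca"), "cert": blocks.get("cert"),
        "key": blocks.get("key"), "tls_auth": blocks.get("tls-auth"),
    }


def review(s):
    """Return the caveats a reviewer would raise about these settings."""
    notes = []
    if s["cipher"] in WEAK_CIPHERS:
        notes.append(f"{s['cipher']} is a 64-bit block cipher (SWEET32); move the "
                     "server to AES-256-GCM or AES-256-CBC and match it here")
    if s["compression"]:
        notes.append("compression is on; VPN compression enables VORACLE-style "
                     "attacks, keep it only because the server insists")
    if s["has_tls_auth"] and s["tls_key_direction"] is None:
        notes.append("tls-auth without key-direction; pfSense's client uses "
                     "direction 1, confirm the server uses 0")
    if not s["key"]:
        notes.append("no inline <key>: not an autologin profile, expect a "
                     "username/password prompt")
    return notes


if __name__ == "__main__":
    settings = pfsense_client_settings(parse_profile(SAMPLE_PROFILE))
    for k in ("server", "port", "protocol", "cipher", "compression", "tls_key_direction"):
        print(f"{k:18} {settings[k]}")
    for field in ("ca", "cert", "key", "tls_auth"):
        print(f"--- paste into pfSense ({field}) ---\n{settings[field]}", end="")
    for note in review(settings):
        print("WARNING:", note)
```

Run it against the profile you downloaded instead of SAMPLE_PROFILE and paste the printed blocks into System > Cert Manager and the TLS key box; the warnings are the cipher and compression points from the steps above, so fix those on the server before matching them in pfSense.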
Copying the certificates is mostly self-explanatory: create them in pfSense under System > Cert Manager, in the CAs and Certificates tabs respectively.
The auto-login never worked for me. I had to use the regular profile, enter my username and password in the pfSense client setup, and, most importantly, enable compression on the client! Without this I kept getting “auth failed”. No settings in the “Tunnel Settings” section and below are required. The server port is most likely 1194 and the protocol is most likely UDP.
Now for the routing: this is what sends your LAN traffic over the VPN tunnel.
If you do all of this and traffic is going over your regular internet connection rather than the VPN (i.e. you go to whatismyip.com/ipchicken.com and see your regular ISP address rather than the VPN’s public IP address), REBOOT PFSENSE. Trust me.
The key things are:
1) setting up the OpenVPN interface/gateway;
2) setting up the outbound NAT rule;
3) setting up the firewall rule that sends LAN traffic to the OpenVPN interface/gateway, which can also be narrowed down to only certain protocols, ports, or hosts.