Last Updated on August 14, 2022 by Thiago Crepaldi
An OpenVPN server is useful if you want to connect securely to your house/office network from a remote place, say Disneyland or abroad. In this article we are going to set up an OpenVPN server on your pfSense that authenticates users against Synology's LDAP server.
Getting ready
A brief word on performance
VPNs depend on cryptography, which can be hard on your CPU. The commands below are not required to run a VPN server, but they help you choose an RSA key length, a data cipher and a crypto engine that keep your appliance from working harder than it needs to.
RSA Key Length
SSH into your pfSense device and run:
openssl speed rsa2048 rsa4096
to measure how many messages per second your CPU can sign and verify with each key length. Results vary with your hardware, but here is what I got on my Netgate SG-2440:
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.006880s 0.000246s    145.4   4068.6
rsa 4096 bits 0.048953s 0.000834s     20.4   1198.6
Doubling the key length from 2048 to 4096 bits made signing about 7x slower and verification about 3x slower. For OpenVPN this cost is paid once per TLS handshake (and at each periodic renegotiation), not per packet, so it shows up as connection setup time and short CPU spikes rather than as lower throughput; the data cipher chosen below is what governs sustained speed. As a general rule, unless a specific application requires 4096-bit keys, 2048 bits is enough.
Crypto devices
Depending on your CPU, you can take advantage of special instruction sets for cryptography, such as AES-NI. OpenSSL can list the engines (hardware or software crypto implementations) it is able to use. SSH into your pfSense and run:
openssl engine -t -c
Results vary with your setup. My Netgate SG-2440 returned the following:
(cryptodev) BSD cryptodev engine
[RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
[ available ]
(rdrand) Intel RDRAND engine
[RAND]
[ available ]
My system has both the BSD cryptodev engine and the Intel RDRAND engine. The square brackets list what each engine implements: cryptodev offers RSA, DSA, DH and the AES-XXX-CBC ciphers, which is why the benchmarks below use AES-256-CBC and why we will pick it when configuring the OpenVPN server. rdrand only provides random numbers (RAND), so it cannot accelerate AES at all; a run with -engine rdrand simply measures OpenSSL's own AES code again. Note also that OpenSSL's built-in AES already uses the AES-NI instructions when the CPU has them, so a separate engine often adds nothing. It is worth repeating the test with -evp aes-256-gcm as well, since GCM is an AEAD cipher that authenticates the data itself and current OpenVPN releases prefer it over CBC plus a separate HMAC:
Running openssl speed -evp aes-256-cbc on my pfSense I got the following:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     14736.50k    55675.86k   189614.37k   773839.01k  6153626.51k
Running openssl speed -evp aes-256-cbc -engine rdrand on my pfSense I got the following:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     14008.64k    50313.22k   235134.98k   960143.36k  6944325.63k
Running openssl speed -evp aes-256-cbc -engine cryptodev on my pfSense I got the following:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     12968.82k    64247.92k   223889.18k   769165.66k  6966214.66k
Using the engines did not improve the numbers on my Netgate SG-2440. Notice that the rdrand run, which cannot change how AES is computed, differs from the plain run by about as much as the cryptodev run does; that gives you a feel for the run-to-run noise of openssl speed. If an engine is clearly and repeatably faster on your system, take note of it for the Hardware Crypto setting later!
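The same comparison done by script rather than by eye, as an added example that is not from the original article: it parses openssl speed output and reports the RSA-4096 slowdown and the fastest engine at the 1024-byte block size, the column closest to a real tunnel packet. Without arguments it summarises the SG-2440 figures above, pasted in as constructed sample text; with --live it runs the benchmarks on the firewall itself, adding AES-256-GCM and every engine openssl lists. The script name is my own.

```shell
#!/bin/sh
# Summarise `openssl speed` output so that RSA key lengths and crypto engines can
# be compared on the firewall. Added example for this article, not pfSense's or
# OpenSSL's own tooling. Run "sh speedsum.sh --live" on pfSense to benchmark for
# real; without --live it summarises the constructed sample below, which is the
# article's SG-2440 figures pasted in as text (not a fresh measurement).

SAMPLE_RSA='rsa 2048 bits 0.006880s 0.000246s 145.4 4068.6
rsa 4096 bits 0.048953s 0.000834s 20.4 1198.6'
SAMPLE_AES_DEFAULT='aes-256-cbc 14736.50k 55675.86k 189614.37k 773839.01k 6153626.51k'
SAMPLE_AES_CRYPTODEV='aes-256-cbc 12968.82k 64247.92k 223889.18k 769165.66k 6966214.66k'

# rsa_slowdown <speed output>: prints "SIGN VERIFY", how many times slower
# RSA-4096 is than RSA-2048 for signing and for verifying (columns 6 and 7).
rsa_slowdown() {
    printf '%s\n' "$1" | awk '
        $1 == "rsa" && $2 == "2048" { s2 = $6; v2 = $7 }
        $1 == "rsa" && $2 == "4096" { s4 = $6; v4 = $7 }
        END { printf "%.1f %.1f\n", s2 / s4, v2 / v4 }'
}

# packet_kbps <speed line>: throughput in kB/s for 1024-byte blocks (column 5),
# the block size closest to a full VPN packet; the 8192-byte column flatters
# engines because no tunnel packet is that large.
packet_kbps() {
    printf '%s\n' "$1" | awk '$1 ~ /^aes-/ { sub(/k$/, "", $5); printf "%d\n", $5 + 0 }'
}

# best_engine NAME LINE [NAME LINE ...]: prints the NAME whose speed line has
# the highest 1024-byte throughput.
best_engine() {
    best=""; bestv=0
    while [ $# -ge 2 ]; do
        v=$(packet_kbps "$2")
        if [ "${v:-0}" -gt "$bestv" ]; then bestv=$v; best=$1; fi
        shift 2
    done
    printf '%s\n' "$best"
}

# live_report: run the real benchmarks (several minutes). Also times AES-256-GCM,
# the AEAD cipher current OpenVPN prefers, for every engine openssl lists.
live_report() {
    rsa_out=$(openssl speed rsa2048 rsa4096 2>/dev/null)
    echo "RSA-4096 vs RSA-2048 slowdown (sign verify): $(rsa_slowdown "$rsa_out")"
    engines="none $(openssl engine 2>/dev/null | sed -n 's/^(\([a-z0-9_]*\)).*/\1/p')"
    for cipher in aes-256-cbc aes-256-gcm; do
        for eng in $engines; do
            if [ "$eng" = none ]; then
                out=$(openssl speed -evp "$cipher" 2>/dev/null)
            else
                out=$(openssl speed -evp "$cipher" -engine "$eng" 2>/dev/null)
            fi
            line=$(printf '%s\n' "$out" | grep "^$cipher")
            printf '%-12s engine=%-10s %9s kB/s at 1024 bytes\n' \
                "$cipher" "$eng" "$(packet_kbps "$line")"
        done
    done
}

if [ "${1:-}" = "--live" ]; then
    live_report
else
    echo "RSA-4096 vs RSA-2048 slowdown (sign verify): $(rsa_slowdown "$SAMPLE_RSA")"
    echo "Fastest engine at 1024 bytes: $(best_engine default "$SAMPLE_AES_DEFAULT" cryptodev "$SAMPLE_AES_CRYPTODEV")"
fi
```

The offline comparison deliberately ranks only the plain run against cryptodev: rdrand cannot change the AES result, so including it would only rank noise. In live mode every listed engine is timed, and GCM is included so that the cipher choice is made on measured numbers rather than on which modes an engine happens to advertise.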
Misc tweaks
Do this testing and tweaking *after* your OpenVPN server is up and running.
Send/Receive Buffer is worth experimenting with, since the best value depends on your hardware and internet link. Start with 256 or 512 KiB, run a speed test, then increase or decrease it and re-run the test until you find a good balance.
UDP Fast I/O tries to optimize packet writes, but it is not compatible with all hardware. On my Netgate SG-2440, for example, it seems to cause upload hiccups (the upload rate spikes quickly, then seems to freeze for brief moments before resuming).
Server certificate
A VPN server needs a certificate so that clients can authenticate it before the session keys that actually encrypt the traffic are agreed. OpenVPN recommends a private, self-signed Certificate Authority (CA) and certificates issued by it rather than certificates from a public CA such as Let's Encrypt. The reason is scope of trust: your clients trust the CA embedded in their profile, so with a private CA only certificates you issued are accepted, while with a public CA every certificate that CA ever issues would also be accepted unless each client additionally pins the server name. If that public CA were compromised, a malicious certificate issued by it could be used to impersonate your VPN server. Not cool. That does not mean you cannot use Let's Encrypt; the chance of its CA being compromised is very low. A private CA simply removes the question.
On your pfSense, go to System >> Cert. Manager >> CAs and click on Add to create the CA as follows and click on Save at the bottom of the page.
Create / Edit CA:
- Descriptive Name: Self-signed CA for OpenVPN Server
- Method: Create an Internal Certificate Authority
- Trust Store: unchecked (the CA is only for OpenVPN and does not need to be trusted by the operating system)
- Randomize Serial: unchecked
Internal Certificate Authority
- Key type: RSA
- Length: 2048 (as per the RSA key length discussion)
- Digest algorithm: sha256 (SHA-1 is deprecated for certificate signatures)
- Lifetime (days): 3650
- Common Name: pfSense_RootCA
- Country code, State or Province, City, Organization, Organizational Unit are optional and you can leave them blank
Now that you have your CA, go to System >> Cert. Manager >> Certificates tab and click on Add/Sign to create the certificate as follows and click Save at the bottom of the page
Add/Sign a new certificate
- Method: Create an internal certificate
- Descriptive Name: Self-signed Certificate for OpenVPN Server
Internal certificate
- Certificate Authority: Self-signed CA for OpenVPN Server
- Key length: 2048 (it does not have to match the CA, but a longer key here buys nothing while the CA key is 2048 bits)
- Digest algorithm: sha256 (the hash the CA uses to sign this certificate; it does not have to match the CA either, but keep sha256 or better)
- Lifetime (days): 3650
- Common Name: pfSense_Cert
- Country code, State or Province, City, Organization, Organizational Unit are optional and you can leave them blank
Certificate attributes
- Certificate Type: Server Certificate
- Alternative names: leave blank
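What the two Cert. Manager forms above produce, done with the openssl command line as an added example (my own script, not pfSense's code and not from the original article). It creates the CA and the server certificate with the same parameters, checks the key size and the serverAuth extended key usage that the Server Certificate type adds, and then shows the point of a private CA: a certificate with the very same CN issued by another CA fails verification against pfSense_RootCA. File names, the Rogue_CA name and the scratch directory are my own choices.

```shell
#!/bin/sh
# Reproduce the Cert. Manager steps above with the openssl CLI: a private
# RSA-2048/sha256 CA, a server certificate signed by it, and the checks that
# show why a private CA is preferable. Added example for this article, not
# pfSense's own code; file names and the rogue CA name are my own choices.
set -e

WORK=$(mktemp -d)     # scratch directory, remove it when you are done
cd "$WORK"

# One config file for every openssl req/x509 call so the script does not depend
# on the system openssl.cnf. The CN placeholder is overridden with -subj below.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

# make_ca <file-prefix> <common-name>: "Create an Internal Certificate Authority"
# with RSA 2048, sha256 and a 3650-day lifetime.
make_ca() {
    openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# make_server_cert <file-prefix> <common-name> <ca-prefix>: "Create an internal
# certificate" of type Server Certificate, i.e. with the serverAuth extended key
# usage that clients demand when their profile says "remote-cert-tls server".
make_server_cert() {
    openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -sha256 -days 3650 -extfile req.cnf -extensions server_ext -out "$1.crt" 2>/dev/null
}

# chain_ok <ca.crt> <cert.crt>: succeeds only if the certificate chains to that CA.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_server_eku <cert.crt>: succeeds if the certificate carries serverAuth.
has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# key_bits <cert.crt>: prints the RSA modulus size of the certificate's key.
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

make_ca ca pfSense_RootCA
make_server_cert server pfSense_Cert ca

# A second, unrelated CA that also issues a certificate named pfSense_Cert. This
# stands in for "some other CA issued a certificate carrying our name".
make_ca rogue Rogue_CA
make_server_cert rogue-server pfSense_Cert rogue

echo "server key: $(key_bits server.crt) bits, serverAuth: $(has_server_eku server.crt && echo yes || echo no)"
chain_ok ca.crt server.crt && echo "server.crt chains to pfSense_RootCA: OK"
chain_ok ca.crt rogue-server.crt || echo "rogue-server.crt rejected by pfSense_RootCA: OK (same CN, wrong CA)"
echo "files left in $WORK"
```

The rejection of rogue-server.crt is exactly what the exported client profile relies on: it trusts only ca.crt, so a certificate with a matching CN from any other issuer is useless to an attacker. Keep ca.key offline or on the firewall only; whoever holds it can mint certificates your clients accept.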
VPN Server
As soon as you get your CA and Certificate, you are good to go to create your VPN server. Go to VPN >> OpenVPN >> Servers page, click on Add to create your VPN server as follows and click on Save once you are done.
General Information
- Disabled: uncheck
- Description: OpenVPN server for remote access
Mode Configuration
- Server mode: Remote Access (User Auth)
- DCO: unchecked
- Backend for authentication: Select your LDAP server
- Device mode: tun – Layer 3 tunnel mode
Endpoint configuration
- Protocol: UDP on IPv4 Only
- Interface: WAN
- Local port: 1194
Cryptographic Settings
- TLS Configuration:
- check Use a TLS Key
- check Automatically generate a TLS Key.
- Peer Certificate Authority: Select your self signed CA
- Peer Certificate Revocation list: empty
- OCSP Check: unchecked
- Server certificate: Select your self-signed Certificate
- DH Parameter Length: 2048 bit
- ECDH Curve: Use default
- Data Encryption Algorithm: AES-256-CBC (as per the crypto devices discussion; if your clients support it, AES-256-GCM is the stronger choice because it authenticates every packet itself instead of relying on a separate HMAC)
- Fallback Data Encryption Algorithm: same as above, so that no weaker cipher can be negotiated
- Auth digest algorithm: sha256
- Hardware Crypto: No Hardware Crypto Acceleration, unless an engine was clearly faster in the crypto devices test
- Certificate Depth: One (Client+Server)
- Client Certificate Key Usage Validation: unchecked
Tunnel Settings
- IPv4 Tunnel Network: 10.1.0.0/24 (or any other network not in use by your LAN/WAN)
- IPv6 Tunnel Network: empty
- Redirect IPv4 Gateway: checked
- Redirect IPv6 Gateway: unchecked
- IPv4 Local network(s): empty
- IPv6 Local network(s): empty
- IPv4 Remote network(s): empty
- IPv6 Remote network(s): empty
- Concurrent connections: 5 (or any other number)
- Allow Compression: Refuse any non-stub compression (most secure). Omit preference is sometimes suggested as the faster option, but compressing data before encrypting it lets an attacker who can inject known content into the tunnel recover secrets from the ciphertext sizes (the VORACLE attack against OpenVPN), so keep compression refused.
- Type-of-Service: unchecked
- Inter-client communication: unchecked (check it only if VPN clients need to talk to each other; reaching devices on your LAN does not require it)
- Duplicate Connection: checked (so the same username can be connected from more than one device at a time)
Client Settings
- Dynamic IP: checked
- Topology: Subnet – One IP address per client in a common subnet
Ping settings
- Inactive: 0
- Ping method: keepalive
- Interval: 5
- Timeout: 30
Advanced Configuration
- Custom options: empty (or mssfix 1400 if connections drop or large transfers stall, which usually means packets are being fragmented on the way)
- UDP Fast I/O: unchecked (check misc tweaks)
- Exit Notify: Disabled
- Send/Receive Buffer: 256 KiB (check misc tweaks)
- Gateway creation: IPv4 ONLY
- Verbosity level: 3
Once you click on Save, your VPN server will start to run.
Configuring Clients
First, install a package that simplifies client configuration. Go to System >> Package Manager >> Available Packages and click Install next to the openvpn-client-export package.
Go to VPN >> OpenVPN >> Client Export page and do as follows:
OpenVPN Server
- Remote Access Server: Select the OpenVPN server you created
Client Connection Behavior
- Host Name Resolution: pick your DDNS hostname (Cloudflare or DuckDNS)
- Verify Server CN: Automatic
- Block Outside DNS: checked
- Legacy Client: unchecked
- Use Random Local Port: unchecked
Certificate Export Options
- PKCS#11 Certificate Storage: unchecked
- Microsoft Certificate Storage: unchecked
- Password Protect Certificate: unchecked
Proxy Options
- Use A Proxy: unchecked
Advanced
- Additional configuration options: empty
Click Save as default and scroll down to the OpenVPN Clients section. The user table has an entry for each user you created earlier, and the export column offers buttons for different operating systems and VPN clients. Pick the one that suits you, download the configuration file and import it into your VPN client. I enjoy Viscosity, which is not free but well worth the money! The OpenVPN client is free and a good alternative too.
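An added check for the exported profile (my own script, not part of the openvpn-client-export package or of the original article): before handing a file to a user it confirms that the profile carries the settings chosen in the VPN Server section above (an AES data cipher, the SHA-256 auth digest, the tls-auth key, server CN verification through verify-x509-name, remote-cert-tls server, and auth-user-pass so the LDAP login prompt appears) and flags compression. The two profiles in it are constructed samples with placeholder certificate and key blocks, and the DuckDNS hostname is made up.

```shell
#!/bin/sh
# Sanity-check an exported OpenVPN client profile before handing it to a user.
# Added example for this article, not part of the openvpn-client-export package.
# The two profiles written below are constructed samples, not real exports; the
# certificate and static-key blocks are placeholders and the hostname is made up.

# fail <message>: record one problem found in the profile being checked
fail() { problems=$((problems + 1)); echo "  FAIL: $1"; }

# check_profile <file>: prints one line per problem and returns their count
# (0 means the profile is acceptable).
check_profile() {
    f=$1; problems=0
    echo "checking $f"
    grep -qE '^remote-cert-tls[[:space:]]+server' "$f" \
        || fail "no 'remote-cert-tls server': any certificate from the CA could pose as the server"
    grep -qE '^verify-x509-name' "$f" \
        || fail "no 'verify-x509-name': the server CN is not pinned"
    grep -qE '^(<tls-auth>|<tls-crypt>|tls-auth |tls-crypt )' "$f" \
        || fail "no tls-auth/tls-crypt key: the TLS handshake is open to anyone on the internet"
    grep -qE '^(cipher|data-ciphers)[[:space:]]+AES-(128|192|256)-(CBC|GCM)' "$f" \
        || fail "data channel cipher is not AES"
    grep -qE '^auth[[:space:]]+SHA(256|384|512)' "$f" \
        || fail "auth digest weaker than SHA-256"
    grep -qE '^(comp-lzo|compress)' "$f" \
        && fail "compression is on: plaintext can leak through ciphertext sizes (VORACLE)"
    grep -qE '^auth-user-pass' "$f" \
        || fail "no 'auth-user-pass': the LDAP login prompt will not appear"
    return "$problems"
}

DIR=$(mktemp -d)
GOOD=$DIR/good.ovpn
BAD=$DIR/bad.ovpn

# Constructed sample: what an export from the server configured above looks like.
cat > "$GOOD" <<'EOF'
dev tun
persist-tun
persist-key
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote example-home.duckdns.org 1194 udp4
auth-user-pass
remote-cert-tls server
verify-x509-name "pfSense_Cert" name
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(placeholder, not a real key)
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
EOF

# Constructed sample of a looser profile: legacy cipher, SHA-1, compression,
# no server CN pinning and no tls-auth key.
cat > "$BAD" <<'EOF'
dev tun
client
cipher BF-CBC
auth SHA1
comp-lzo yes
remote example-home.duckdns.org 1194 udp
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
EOF

for p in "$GOOD" "$BAD"; do
    check_profile "$p" || echo "  $? problem(s) found"
done
```

Run it against a real export as `sh checkovpn.sh` after replacing the sample paths, or source the file and call check_profile on each downloaded profile. The checks are line-anchored on purpose: an inline `<tls-auth>` block and a `tls-auth file` directive are both accepted, while a commented-out directive is not.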
Assigning an Interface to VPN server
Up to this point your VPN server works. The next steps assign a virtual interface to it so that you can monitor its traffic and uptime and write fine-grained firewall rules.
Go to Interfaces >> Assignments. At the bottom of the table there is an Available network ports row; in its Network port column select the VPN server you just created, click Add and then Save. This creates an interface that will probably be named OPT1 (or another OPTn).
Click on the OPT1 link and do as follows:
- Enable: checked
- Description: Rename OPT1 to VPNServer_1 or something meaningful
Click Save and then Apply Changes. This creates the virtual interface with its new name. Clients will be able to connect to the VPN server, but no traffic will pass until you fix the firewall rules. Let's fix it!
Allow VPN connections from WAN
We need a firewall rule so that VPN connections coming from the internet are allowed to reach the OpenVPN service. Go to Firewall >> Rules >> WAN, click Add to create a new rule at the bottom and fill it in as follows:
- Edit Firewall Rule
- Action: Pass
- Disabled: unchecked
- Interface: WAN
- Address family: IPv4
- Protocol: UDP
- Source
- Source: Any
- Destination
- Destination: WAN Address
- Destination Port Range: 1194
- Extra Options
- Log: unchecked
- Description: Allow OpenVPN server
Click on Save and Apply changes.
Allow traffic through VPN interface
Go to Firewall >> Rules >> OpenVPN. There is one rule listed, which applies to every VPN server that has no interface assigned. Since you just assigned an interface, move (do not duplicate!) that rule from the OpenVPN tab to the VPNServer_1 tab: click the edit icon, change Interface from OpenVPN to VPNServer_1 and click Save. Depending on the pfSense version the rule list may be empty; in that case create a new rule. Click on the interface name (VPNServer_1), click Add and fill it in as follows:
- Edit Firewall Rule
- Action: Pass
- Disabled: unchecked
- Interface: VPNServer_1
- Address family: IPv4
- Protocol: Any
- Source
- Source: Any
- Destination
- Destination: Any
- Extra Options
- Log: unchecked
- Description: Default allow all
Click on Save and Apply changes. This rule lets VPN users reach everything behind the firewall, which is convenient while testing; once the tunnel works, narrow the Destination to the LAN networks and ports remote users actually need, because every account that can log in through LDAP inherits this rule.
Configure VPN Gateway
The last missing part is the VPN server's gateway. Go to System >> Routing >> Gateways, find the line for your VPN server gateway and click its edit icon. Make sure Disabled is unchecked, enter your VPN server's tunnel IP (10.1.0.1 in our example) in the Monitor IP field, then click Save and Apply changes.
Dashboard extras
You can add Gateways, Interfaces and Traffic Graphs widgets to the pfSense Dashboard and watch your VPN stats from there. Have fun!