OPNsense OpenVPN Setup: Secure Remote Access Guide

By Ava Sinclair

Setting up OpenVPN on OPNsense delivers a robust method for establishing secure remote connections to your private network. This guide walks through the essential configuration steps required to implement a reliable and secure tunnel. You will find specific details regarding certificate generation, server settings, and client configuration files.

Initial Server Preparation and Access

Before diving into the specific OpenVPN settings, ensure your OPNsense appliance is updated and running a stable firmware version. Access the webGUI by navigating to the IP address of your firewall using HTTPS. Log in with your administrative credentials to reach the main dashboard where all configuration menus are available.

It is recommended to assign a static IP address to the interface that will host the VPN service. This prevents IP conflicts and ensures clients can always reach the server. Navigate to the interface configuration section to set this static address if it has not been done already.

Establishing the PKI

The foundation of any OpenVPN deployment is a secure Public Key Infrastructure (PKI). OPNsense includes a robust Certificate Authority manager to handle this process automatically. You will generate a CA, server certificates, and individual client keys directly within the interface.

Navigate to System > Certification Authorities to create or import your Root CA.

Go to System > Certificates to generate the server certificate signing request (CSR).

Complete the process by assigning the issued certificate to the OpenVPN service under VPN > OpenVPN.

Configuring the OpenVPN Server

With the certificates in place, you can configure the actual VPN server settings. This involves selecting the protocol and interface and defining the tunnel network. Careful attention to the cryptographic settings ensures optimal security and performance.

Under VPN > OpenVPN, create a new server instance. Choose the tun device type for a routed configuration, which is generally preferred for remote access. Define the tunnel network, typically a subnet like 10.8.0.0/24, ensuring it does not overlap with your local LAN.

| Configuration Parameter | Recommended Setting | Purpose |
| --- | --- | --- |
| Mode | Peer to Peer (SSL/TLS) | Uses certificates for enhanced security. |
| Device | tun | Creates a layer 3 IP tunnel. |
| Protocol | UDP | Offers lower latency and better performance. |
| Local Port | 1194 | Standard OpenVPN port; change if necessary. |

Defining User Authentication and Client Settings

Managing user access is a critical component of the setup. You must create individual certificates for every user or device that requires connection. This process links each client to the server via a unique cryptographic key pair.

Generate a certificate for each user under System > Certificates.

Export a configuration package that includes the client certificate, CA certificate, and TLS key.

Assign the exported file to the client section of the OpenVPN server settings.

Additionally, configure the compression and encryption settings to match the security requirements of your environment. AES-256-GCM is a strong choice for modern hardware, providing a balance of speed and security.

Client Configuration and Connection Testing

Once the server is active, you need to configure the client devices to connect. Download the generated client configuration file from OPNsense or create one manually. The configuration file instructs the OpenVPN client software on how to establish a tunnel with your server.
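
As an added example (not part of the original guide and not OPNsense code), the following Python script checks a client profile against the settings recommended above: tun device, UDP, port 1194, AES-256-GCM, and the CA certificate, client certificate, key and TLS key from the export package. The sample profile, its host name and its file names are constructed, and treating the TLS key as a tls-auth or tls-crypt entry is an assumption.

```python
import re

# Constructed sample profile; the host name and file names are placeholders.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.org 1194
cipher AES-256-GCM
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
"""

def parse_profile(text):
    """Return ({directive: [args, ...]}, {inline block names}) for .ovpn text."""
    directives, blocks, open_block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if open_block:  # skip key material inside <ca>...</ca> and similar
            if line == f"</{open_block}>":
                open_block = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            open_block = tag.group(1)
            blocks.add(open_block)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, blocks

def audit_profile(text, port="1194", cipher="AES-256-GCM"):
    """Return findings; an empty list means the profile matches the guide's settings."""
    d, blocks = parse_profile(text)
    first = lambda name: (d.get(name) or [[]])[0]
    has = lambda item: any(n in d or n in blocks for n in item.split("|"))
    offered = ":".join(a for n in ("cipher", "data-ciphers") for v in d.get(n, []) for a in v)
    checks = [
        (first("dev")[:1] == ["tun"], "dev is not tun"),
        ((first("proto") or ["udp"])[0].startswith("udp"), "proto is not udp"),  # udp is the default
        (any((r[1:2] or ["1194"])[0] == port for r in d.get("remote", [])), f"no remote on port {port}"),
        (cipher in offered.upper().split(":"), f"{cipher} not offered"),
    ]
    checks += [(has(i), f"missing {i}") for i in ("ca", "cert", "key", "tls-auth|tls-crypt")]
    return [msg for ok, msg in checks if not ok]
```

Calling audit_profile on the text of an exported .ovpn file returns one message per setting that differs from the guide, for both inline blocks and file references.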

Written by Ava Sinclair

Ava Sinclair is a Senior Editor covering culture, travel, and premium experiences. She focuses on clear reporting and practical takeaways.