Given that I’ll be returning to school shortly after the holiday season, I decided that my next homelab task would be to make my network reachable from anywhere by setting up a home VPN. After some quick research I realized that the options for doing this are numerous and vary greatly both in complexity and in the level of security they provide. In my particular situation I decided that the fun thing to do would be to use my pfSense firewall together with OpenVPN to give myself a reasonably secure VPN connection from anywhere in the world.
Laying The Ground Work
pfSense continues to make my life pretty easy by providing an OpenVPN setup wizard. The first order of business is to turn the pfSense firewall into a Certificate Authority (CA), which in simple terms means it can issue its own certificates. Certificates are what let the two ends of the connection prove who they are: the client checks the server’s certificate against the CA so it knows it is talking to your pfSense box and not to someone trying to hijack the connection (a man-in-the-middle attack), and the server later checks the client’s certificate the same way. All pfSense needs to become a CA is a descriptive name, a key length (longer is stronger but slower; 2048-bit RSA is the usual minimum today), a lifetime, and the location values (country, state, city, organization) that go into the certificate’s name.
Once pfSense is running as a CA you need to create a certificate for the VPN server itself; another certificate will have to be made later for each client. Luckily much of the information for a new certificate is already in place, because it carries over from what you entered in the certificate authority step.
For the OpenVPN server configuration itself there are 3 important settings that need to be paid attention to: TLS Authentication, Tunnel Network, and Local Network.
TLS Authentication is the setting whose name is easiest to misread. It is not what encrypts your traffic; the data channel is encrypted with the cipher negotiated during the TLS handshake, which in turn relies on the certificates above. Ticking TLS Authentication enables OpenVPN’s tls-auth feature: a static key shared by the server and every client is used to add an HMAC signature to each control-channel packet, and the server silently drops any packet whose HMAC does not check out. Port scanners, brute-force attempts and junk traffic therefore never get as far as a TLS handshake, which protects the server from denial of service and from probing for flaws in the TLS stack. Keep the generated key secret: it is exported into every client configuration, so anyone who obtains a client package has it. Newer pfSense versions also offer the “TLS Encryption and Authentication” mode (tls-crypt), which additionally encrypts the control channel.
Your Tunnel Network is the address range your VPN clients are given when they connect. It must be different from your primary network, and it is worth picking something you can easily tell apart from your usual traffic, because of the next setting. Avoid the very common ranges such as 192.168.0.0/24, 192.168.1.0/24 or 10.0.0.0/24: if the hotel or coffee-shop network you are connecting from uses the same range, the routes collide and the tunnel will not work properly.
Local Network. This is the network your computers currently sit on behind the firewall, or more precisely the network you want your VPN clients to be able to reach; pfSense pushes a route for it to every client. Be mindful that each device on this network becomes reachable to anyone who connects over the VPN, so the client certificates and passwords you hand out are effectively keys to your LAN. If you only need to reach a couple of machines, you can later restrict the firewall rules on the OpenVPN interface to those hosts instead of the whole network.
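To make the TLS Authentication point concrete, here is an added illustration (my own example code, not anything pfSense or OpenVPN ships) of what a tls-auth style gate does. It is a deliberately simplified model rather than OpenVPN’s actual packet layout: both peers hold a shared static key, the sender prepends an HMAC over each control packet, and the receiver throws away anything that fails the check before doing any expensive TLS work. The payload bytes and key sizes are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Simplified model of OpenVPN's tls-auth control-channel protection.
# NOT OpenVPN's real wire format: it only shows the idea that every
# control packet carries an HMAC keyed with a static shared secret.

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes; HMAC-SHA1 is OpenVPN's default `auth`


def generate_static_key() -> bytes:
    """Stand-in for `openvpn --genkey`: a random shared secret both peers hold."""
    return secrets.token_bytes(64)


def wrap_control_packet(payload: bytes, key: bytes) -> bytes:
    """Sender side: prepend an HMAC tag. The payload itself stays in the clear."""
    tag = hmac.new(key, payload, hashlib.sha1).digest()
    return tag + payload


def accept_control_packet(packet: bytes, key: bytes):
    """Receiver side: return the payload if the tag verifies, otherwise None.

    The check costs a single HMAC, which is why the server can discard
    scanners and unauthenticated peers before any TLS handshake work.
    """
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return payload


def demo() -> bool:
    """Walk through the four cases a practitioner cares about."""
    key = generate_static_key()
    hello = b"ClientHello (constructed stand-in for TLS handshake bytes)"

    # 1. A client holding the exported static key gets through.
    pkt = wrap_control_packet(hello, key)
    assert accept_control_packet(pkt, key) == hello

    # 2. tls-auth authenticates, it does not encrypt: the bytes are readable on the wire.
    assert hello in pkt

    # 3. A scanner without the key is dropped at the HMAC check.
    forged = wrap_control_packet(hello, secrets.token_bytes(64))
    assert accept_control_packet(forged, key) is None

    # 4. Flipping bytes inside a genuine packet also fails verification.
    tampered = pkt[:TAG_LEN] + pkt[TAG_LEN:].replace(b"Client", b"Server")
    assert accept_control_packet(tampered, key) is None
    return True


if __name__ == "__main__":
    print("tls-auth model behaves as expected:", demo())
```

Case 2 is the one to remember: with tls-auth alone an eavesdropper can still read the control channel handshake; confidentiality comes from the TLS session and the data-channel cipher, not from this key.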
Assuming you’re following the wizard, you’ll realize that pfSense has almost made things too easy: the final step is the firewall rules, and the wizard creates them for you. It adds a WAN rule that lets inbound OpenVPN traffic (UDP port 1194 by default) reach the firewall, which is where the OpenVPN server runs, and a rule on the OpenVPN interface that lets traffic from connected clients pass into your local network. These are needed because the firewall blocks all unsolicited inbound connections on WAN by default; only replies to connections initiated from inside your network are let back in. Note that the OpenVPN interface rule the wizard writes is a permissive pass-any rule, so once everything works it is worth tightening it to the hosts and ports your clients actually need. This concludes the OpenVPN Wizard.
Ok. Now what?
I know that was a little long-winded, but we’re almost there. We actually have a fully functional VPN server running right at this very moment. The downside? We have absolutely no users who can access it.
Navigate to System > User Manager and click the “plus” symbol to add a user. Fill in a username and a password and tick the option to create a user certificate for the account. As long as you select the certificate authority we created earlier, there shouldn’t be any problems at all. Create a separate user and certificate for each person or device, so that a lost laptop can be revoked later without cutting everyone else off.
Under VPN > OpenVPN, the Client Export tab (provided by the OpenVPN Client Export package) lets you export the settings as a plain configuration file or as an installer with the configuration bundled, for most major operating systems. Use a USB drive or a network share to transfer the program or configuration to the computer that will run the OpenVPN client and run it there. Remember that the export contains the user’s certificate, its private key and the tls-auth key, so treat the file like a password and remove the copy from the USB drive or share once it is installed.
But Did it Work?
I hope so! One easy way to check is to disconnect the device from your home network and connect it to a mobile hotspot from your phone. The idea is to get the device onto an external network and confirm that it can initiate a connection to your server using the certificate (built into the exported package) and the username and password you set while creating the user. Once connected, run ipconfig on Windows or ifconfig (or ip addr) on Linux to make sure you have an address in the Tunnel Network you set, then ping a few things on your local network to check connectivity. You can confirm the same thing from the server side under Status > OpenVPN in pfSense, which lists connected clients with their tunnel addresses. Be sure to disconnect from the mobile hotspot afterwards to avoid any data overage costs!
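Two of the checks above lend themselves to a small script: making sure the Tunnel Network and Local Network chosen in the wizard do not overlap, and pulling the tunnel address out of ipconfig or ifconfig output after the hotspot test. The example below is added here and is not part of the original post or of pfSense; the command output in it is constructed for illustration (a hotspot address on 192.168.43.0/24 plus a tunnel address on 10.0.8.0/24), not captured from the author’s machines.

```python
import ipaddress
import re

# Constructed sample of what `ipconfig` might print on a Windows client
# connected through a phone hotspot with the VPN up.
SAMPLE_IPCONFIG = """
Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . : 192.168.43.17
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.43.1

Ethernet adapter Local Area Connection 2:
   IPv4 Address. . . . . . . . . . . : 10.0.8.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
"""

# The same state as `ifconfig` would show it on a Linux client (constructed).
SAMPLE_IFCONFIG = """
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.0.8.6  netmask 255.255.255.252  destination 10.0.8.5
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.17  netmask 255.255.255.0  broadcast 192.168.43.255
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def plan_networks(tunnel, local):
    """Wizard sanity check: the Tunnel Network must not overlap the Local Network.

    strict=False tolerates a host address such as 10.0.8.1/24 and normalises it.
    Returns (ok, message).
    """
    tun = ipaddress.ip_network(tunnel, strict=False)
    lan = ipaddress.ip_network(local, strict=False)
    if tun.overlaps(lan):
        return False, f"tunnel {tun} overlaps local {lan}: choose a distinct range"
    return True, f"tunnel {tun} and local {lan} are distinct"


def ipv4_addresses(command_output):
    """Every dotted quad in ipconfig/ifconfig/ip output, masks and gateways included."""
    addrs = []
    for quad in IPV4_RE.findall(command_output):
        try:
            addrs.append(ipaddress.ip_address(quad))
        except ValueError:  # something like 999.1.1.1 that matched the regex
            continue
    return addrs


def tunnel_address(command_output, tunnel):
    """The client's address inside the tunnel network, or None if it got none."""
    net = ipaddress.ip_network(tunnel, strict=False)
    for addr in ipv4_addresses(command_output):
        # skip the network and broadcast addresses, which are never a client
        if addr in net and addr not in (net.network_address, net.broadcast_address):
            return addr
    return None


if __name__ == "__main__":
    print(plan_networks("10.0.8.0/24", "192.168.1.0/24")[1])
    for label, output in (("ipconfig", SAMPLE_IPCONFIG), ("ifconfig", SAMPLE_IFCONFIG)):
        got = tunnel_address(output, "10.0.8.0/24")
        print(f"{label}: {'tunnel address ' + str(got) if got else 'no tunnel address'}")
```

On a real client, paste the actual ipconfig or ifconfig output into tunnel_address with the Tunnel Network you configured; None means the connection did not complete or the client never received an address, which is the point to go and read the OpenVPN log.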
Thanks for reading!