Introduction
The main advantages of using OpenVPN for remote access instead of IPsec are:
- Easy setup on almost all mobile clients using OPNsense’s Client Configuration Export.
- Fine-grained access control by using multiple servers or Client Specific Overrides.
- Works through NAT without needing NAT-T, because OpenVPN runs over a single UDP (or TCP) port.
Check out my YouTube channel if you prefer video content over written posts. Here’s the link to the video:
Prerequisites
- Dynamic DNS (DDNS). Follow this tutorial if you do not have a DDNS setup: https://bit.ly/3RCeAPp
- OPNSense Local User Account. You can create one under System ‣ Access ‣ Users.
➡️ Step 1: Adding a Local Certificate Authority
- The VPN server needs a certificate authority (CA) that signs both the server certificate and the user certificates; the server only accepts clients presenting a certificate issued by this CA, so the CA’s private key should never leave OPNsense.
- To set up a new certificate authority, go to System ‣ Trust ‣ Authorities and click Add in the top right corner of the form.
- Give the CA a descriptive name, fill in the certificate fields, and click Save to add the new certificate authority.
➡️ Step 2: Adding a Server Certificate
- After creating the Authority, we also need a server certificate. To create one, go to System ‣ Trust ‣ Certificates and click Add in the upper right corner of the form. Make sure the certificate type is Server Certificate: that is what gives it the server extended key usage that clients check with `remote-cert-tls server`, so a stolen user certificate cannot be used to impersonate the server.
➡️ Step 3: Adding User Certificates
- To add a user certificate, go to System ‣ Access ‣ Users and click Edit on the user to whom you want to add the certificate.
- Under User Certificates, click Add and have it signed by the CA from step 1.
➡️ Step 4: Adding a VPN Server
- Go to VPN ‣ OpenVPN ‣ Servers and click the Wizard icon in the top right corner of the form. The benefit of using the Wizard is that it will automatically generate the firewall rules for your server (the WAN rule that opens the listening port, and a rule on the OpenVPN interface for tunnelled traffic). Review those rules afterwards and tighten the OpenVPN-interface rule if clients should only reach specific hosts.
- Select Local User Access (or whichever authentication backend you use).
- Select the Certificate Authority you created in step 1 and click Next.
- Select the Server Certificate and click Next.
- The settings should be similar to the screenshot below. Everything not mentioned should be left blank or at its default value.
- Adding a DNS Default Domain and a local DNS server IP (10.13.2.1 is my OPNsense LAN IP) lets connected clients resolve internal hosts by FQDN.
- Leave DNS Default Domain blank if you don’t have one.
- DNS Server 1: use your router IP address or your DNS server IP address.
- Click Next to continue.
- Click Next to continue.
➡️ Step 5: Exporting a client
- You can export client configurations under VPN ‣ OpenVPN ‣ Client Export.
- File Only: a single .ovpn file with the CA, user certificate, private key and TLS key embedded inline, which is what mobile phone clients expect.
- Host Name: your DDNS address or static public IP address (not the LAN IP, otherwise the client will try to reach the server on a private address).
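Before AirDropping the exported profile to a phone, it is worth checking that it actually contains what the client needs. The following is an added example, not part of the original post and not OPNsense’s own export tooling: a small Python audit of a File Only .ovpn profile. The embedded sample profile is constructed for this example (the host name vpn.example.dyndns.org and the PEM bodies are placeholders), and the checks reflect what an OPNsense export for a Local User Access server should carry: a public `remote`, `remote-cert-tls server`, inline `<ca>`/`<cert>`/`<key>`, a tls-crypt or tls-auth key, `auth-user-pass`, and no weak ciphers.

```python
"""Audit an OpenVPN client profile exported from OPNsense ("File Only" style)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample profile for this example; hostname and PEM bodies are placeholders.
SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth SHA512
client
resolv-retry infinite
remote vpn.example.dyndns.org 1194 udp4
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder-ca...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...placeholder-user-cert...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...placeholder-user-key...
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0123...placeholder-tls-key...
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_AUTH = {"NONE", "MD5"}


@dataclass
class Profile:
    options: dict[str, list[list[str]]] = field(default_factory=dict)  # option -> argument lists
    inline: dict[str, str] = field(default_factory=dict)               # <tag> -> block body


def parse_ovpn(text: str) -> Profile:
    """Split a profile into plain options and inline <tag>...</tag> blocks."""
    prof = Profile()
    current: str | None = None
    body: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                      # inside an inline block
            if line == f"</{current}>":
                prof.inline[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):  # blank or comment
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            continue
        name, *args = line.split()
        prof.options.setdefault(name, []).append(args)
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return prof


def audit_profile(p: Profile) -> list[str]:
    """Return a list of findings; an empty list means the profile looks sane."""
    findings: list[str] = []
    if "client" not in p.options:
        findings.append("missing 'client': profile will not accept pushed routes/DNS")
    remotes = p.options.get("remote", [])
    if not remotes:
        findings.append("no 'remote' line")
    for args in remotes:
        host = args[0] if args else ""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None                              # a hostname (DDNS), fine
        if addr is not None and addr.is_private:
            findings.append(f"remote {host} is a private address; use the DDNS name or public IP")
    if ["server"] not in p.options.get("remote-cert-tls", []):
        findings.append("missing 'remote-cert-tls server': any CA-signed cert, even a user cert, "
                        "could impersonate the server")
    for tag in ("ca", "cert", "key"):
        if tag not in p.inline:
            findings.append(f"missing inline <{tag}> block; a File Only export needs it inline")
    if not {"tls-crypt", "tls-auth"} & set(p.inline):
        findings.append("no tls-crypt/tls-auth key; control channel accepts unauthenticated packets")
    if "auth-user-pass" not in p.options:
        findings.append("missing 'auth-user-pass'; required for a Local User Access server")
    declared: list[str] = []
    for args in p.options.get("cipher", []) + p.options.get("data-ciphers-fallback", []):
        declared += args
    for args in p.options.get("data-ciphers", []):
        for a in args:
            declared += a.split(":")
    weak = sorted({c.upper() for c in declared} & WEAK_CIPHERS)
    if weak:
        findings.append(f"weak data-channel cipher(s) configured: {', '.join(weak)}")
    auth = p.options.get("auth", [[]])[0]
    if auth and auth[0].upper() in WEAK_AUTH:
        findings.append(f"weak HMAC auth '{auth[0]}'")
    return findings


def audit_file(path: str) -> list[str]:
    with open(path, encoding="utf-8") as fh:
        return audit_profile(parse_ovpn(fh.read()))


if __name__ == "__main__":
    import sys
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_profile(parse_ovpn(SAMPLE_OVPN))
    for finding in result:
        print("WARN:", finding)
    print("OK" if not result else f"{len(result)} finding(s)")
```

Run it as `python audit_ovpn.py client.ovpn` on the downloaded export; the built-in sample passes cleanly, while a profile exported with the LAN IP as Host Name, or with `remote-cert-tls server` missing, is flagged before it reaches the phone.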
➡️ Step 6: Test your newly created VPN server using the OpenVPN mobile app or an Apple computer
- If you are on an Apple computer, you can export and download the client profile (.ovpn, with the certificate embedded) and then AirDrop it to your iPhone.
- Let’s run a speed test:
- Google Fi 5G is fast (well, it is faster than my current internet plan at home).
- If you would like to switch to Google Fi, please use the below referral code:
DV6MHF
We will both get a $20 Fi credit.
With the Unlimited Plus plan, I have free texting and up to 50GB of fast internet, including hotspot, while traveling abroad.
➡️ If you think this tutorial is helpful, please support my channel by subscribing to my YouTube channel or by using the Amazon/eBay/ClouDNS affiliate links below (Full Disclaimer). I will get a small commission from your purchase to grow my channel:
🚀 Things I used for my server: https://amzn.to/3hudohP
🚀 Tools I used: https://amzn.to/3uXaSUr
🚀 Devices I used: https://amzn.to/3FYlfxk
🚀 Networking/Cybersecurity/Programming Books: https://amzn.to/3HEYwb0
🚀 TrueNAS HBA SAS controller IT Mode from the Art of Server: https://ebay.us/cBWEvJ