Connect the pfSense machine and the remote workstation to the VPN server as clients. You should have a network like 10.0.8.0/24 with three nodes. Let’s say the VPN server is 10.0.8.1, the pfSense machine is 10.0.8.2 and the remote workstation is 10.0.8.3. Suppose the private network at the pfSense machine you want to reach is 192.168.0.0/24.
Now you have to decide whether you want to enable the client-to-client option in the OpenVPN server. You can still achieve client-to-client communication even with this option disabled (cf. this ServerFault post), and this is what I would do because it allows for more fine-grained traffic control on the server machine. This is also assumed for the rest of this post.
On the remote workstation, you need a route 192.168.0.0/24 via 10.0.8.2.
On the VPN server, you need a firewall rule to allow traffic coming in on the VPN interface destined for 192.168.0.0/24. Forwarding may have to be enabled in the kernel.
On the pfSense machine, you need a firewall rule on the VPN interface to allow traffic coming in on that interface destined for 192.168.0.0/24.
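The five steps above, gathered into one script as an added example; this is not code from the ServerFault answer, from the forum poster, or from pfSense. It assumes a Linux workstation and VPN server with iptables, an OpenVPN tun device named tun0, and that the pfSense client's certificate CN is the name of its client-config-dir file; those names are assumptions. Two details the steps leave implicit are spelled out: the reply rule on the server, and the route/iroute pair OpenVPN itself needs before any firewall rule matters.

```shell
#!/bin/sh
# Added example (not from the original post): per-node commands for the
# 10.0.8.0/24 topology. Assumptions: Linux workstation and VPN server,
# OpenVPN in tun mode on tun0, iptables with the conntrack match.
# pfSense is FreeBSD/pf and is configured in its GUI, so it only gets a note.
# Dry-run by default; APPLY=1 executes the commands on the node you are on.
VPN_SERVER=10.0.8.1
PFSENSE_CLIENT=10.0.8.2
WORKSTATION=10.0.8.3
VPN_NET=10.0.8.0/24
LAN_BEHIND_PFSENSE=192.168.0.0/24
LAN_ADDR=192.168.0.0
LAN_MASK=255.255.255.0
TUN_IF=tun0                 # assumption: name of the OpenVPN tun device
PFSENSE_CN=pfsense-client   # assumption: CN of the pfSense client certificate

run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Remote workstation (10.0.8.3): the pfSense LAN is reached via the pfSense client.
workstation_route() {
  run ip route add "$LAN_BEHIND_PFSENSE" via "$PFSENSE_CLIENT" dev "$TUN_IF"
}

# VPN server (10.0.8.1): with client-to-client disabled, a packet from the
# workstation leaves the OpenVPN daemon, is routed by the kernel, and re-enters
# the daemon through the same tun device, so it is forwarded in and out of tun0.
# The second rule admits the replies; without it the first packet gets through
# and the answer from 192.168.0.0/24 is dropped.
server_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -A FORWARD -i "$TUN_IF" -o "$TUN_IF" -s "$VPN_NET" -d "$LAN_BEHIND_PFSENSE" -j ACCEPT
  run iptables -A FORWARD -i "$TUN_IF" -o "$TUN_IF" -s "$LAN_BEHIND_PFSENSE" -d "$VPN_NET" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# VPN server, OpenVPN side: 'route' gives the kernel a route for the LAN into
# tun0; 'iroute' in the pfSense client's ccd file tells the daemon which client
# owns that subnet. Firewall rules alone are not enough for either.
server_openvpn_directives() {
  printf 'route %s %s\n' "$LAN_ADDR" "$LAN_MASK"
  printf 'client-config-dir ccd\n'
}
pfsense_ccd_file() {
  # Contents of ccd/$PFSENSE_CN on the server.
  printf 'iroute %s %s\n' "$LAN_ADDR" "$LAN_MASK"
}

# pfSense (10.0.8.2): Firewall > Rules, OpenVPN tab: pass from 10.0.8.0/24 to
# 192.168.0.0/24. LAN hosts that use pfSense as their default gateway will
# route their replies back through it.

# Usage: NODE=workstation sh vpn-routes.sh        (print the commands)
#        NODE=server APPLY=1 sh vpn-routes.sh     (execute as root)
case "${NODE:-}" in
  workstation) workstation_route ;;
  server) server_forwarding; server_openvpn_directives
          echo "# ccd/$PFSENSE_CN:"; pfsense_ccd_file ;;
esac
```

Run it once without APPLY on each node and read the output before committing; the server's two FORWARD rules are the ones that decide what crosses the VPN, so they belong above any broad ACCEPT you may already have on tun0.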
For the phone connection I generated an ovpn file on the server to import into the phone app to set up the certificates and such. I think I should make the pfSense box a different user and need to generate an ovpn file specific to that user, but when I went to do that I didn't find a place for it. It should be possible; I just wasn't sure how to navigate to the proper place. I also think pfSense may not have the capability to import the ovpn file, so I may have to do the certificates individually.
Reading a bit of the pfSense documentation, I see this, which has caused some issues for pfSense CE users:
The OpenVPN client import package can take a unified OpenVPN client configuration file as exported by an OpenVPN server and automatically turn it into an OpenVPN client instance on pfSense Plus software. The unified OpenVPN configuration file format includes all of the certificates and keys required for the connection, allowing the client instance to be created with minimal effort.
In many cases the newly imported client instance starts and passes traffic on completion of the import, but in some cases adjustments must be made to the imported client configuration by editing the resulting OpenVPN client instance.
The package can be installed using the Package Manager on a pfSense Plus installation. Once the package is installed, it can be accessed at VPN > OpenVPN on the Import tab.
Guessing this is a push to purchase pfSense Plus.
Maybe using WireGuard would work. I have been using it here and it is faster than OpenVPN and IPsec VPN.
I.e., you can leave the OpenVPN server configuration alone on the Oracle VPS, build a new configuration as a WireGuard server, and connect pfSense to the WireGuard server.
Yes, yesterday I configured my buddy's pfSense box remotely as an OpenVPN server via TeamViewer. Initially I used IPsec VPN on pfSense. It's been so many years that I forgot how to do this. Initially my issue was forgetting the creation of the certs. It is all built into pfSense today.
Later pfSense added the wizard for creating client ovpn files.
Now, to run an OpenVPN client on pfSense, the folks there only integrated the wizard in the premium version of pfSense.
Now I see that the long way is documented, but it's easier to use the pfSense OpenVPN client wizard.
Initially it looked like you could only get pfSense Plus on a purchased appliance. But now I see this:
pfSense Plus software is available for white box or third-party hardware — either bare metal or virtual machine — by migrating from a pre-installed pfSense CE image to pfSense Plus software. For more information on this process visit our migration guide here.
Migrate from pfSense CE software to Netgate pfSense Plus software! Written by: Jamie Thompson
Date: February 14, 2022
In 2012, Netgate® forked the pfSense® project to make it easier for us to focus on delivering software tuned specifically for our hardware. Netgate not only sells appliances, but employs several dozen software architects, developers and test engineers - who develop or port software, test, benchmark, contribute to FreeBSD and other open source projects - that ultimately benefit everyone in the ecosystem and community.
Last year we announced we were changing the name of Netgate’s fork to pfSense Plus and would make it available for non-Netgate hardware. With the pfSense Plus 22.01 release, we’re making the software available under both a no-charge Home or Lab evaluation license, as well as a paid commercial license.
Here is a breakdown of what this means - depending on your current use of pfSense software:
If you have a Netgate appliance, nothing changes for you. If you’re running the current version of the pfSense software on your Netgate appliance, you have pfSense Plus software today. You have complimentary pfSense Plus software updates for your appliance for the life of the product. You have complementary TAC Lite support. You can upgrade your technical support subscription based on your business requirements just as before. You are our customer, and we thank you for your purchase and support.
If you are a Netgate TAC customer with an active subscription, you are our customer, and will have access to pfSense Plus software during the full term of your subscription.
If you are not using a Netgate appliance, or do not have an active TAC subscription, you can access pfSense Plus software in two ways:
- A no-cost, non-commercial Home or Lab license
- A paid commercial-use license with one of three support options
No pfSense Plus software distribution is allowed with either license.
The terms ‘Home’ and ‘Lab’ mean exactly what you would expect:
- pfSense Plus Home software is for users who wish to use pfSense Plus in their home to protect themselves and their families
- pfSense Plus Lab software is for users with commercial intent, but who first wish to test the product in a non-production lab setup prior to purchasing a commercial license
Users selecting one of these options agree to the terms outlined in the pfSense Plus Evaluation Agreement.
Here I have 3 micro multi-NIC boxes with pfSense installed. 2 are in production and 1 is off.
I also have 2 DIY mITX pfSense boxes with BCM dual-NIC motherboards and Intel server 4-port Gb cards in them.
Going to back up my current production build of pfSense CE, then upgrade it to pfSense Plus in the next few days.
Here are the steps:
1 - create an account on the Netgate store here ==> Account
2 - purchase (free) a token for your new build of pfSense Plus for home use
Just created the store login and purchased pfSense Plus.
1 - backed up the currently running pfSense
2 - Go to pfSense ==> System ==> Register and enter the token
Thank you for choosing Netgate pfSense®
Your firewall has been successfully registered. On your next visit to the System/Update page, select pfSense® Plus software from the list of repositories.
3 - then do a software upgrade to pfSense Plus (base system 2.6.0 -> 22.01)
Installed packages to be UPGRADED:
pfSense-kernel-pfSense: 2.6.0 -> 22.01 [pfSense-core]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-kernel-pfSense from 2.6.0 to 22.01...
[1/1] Extracting pfSense-kernel-pfSense-22.01: .......... done
===> Keeping a copy of current kernel in /boot/kernel.old
>>> Removing unnecessary packages... done.
System is going to be upgraded. Rebooting in 10 seconds.
Next installing the AWS VPC wizard...
This guide will explain how to use the AWS VPC Wizard, available in pfSense® Plus, to simplify the configuration of a VPN to a remote VPC. The administrator is asked for the minimum amount of basic information required to establish the VPN. The configurations, both on the AWS VPC side and on the pfSense® Plus side are then automatically created. When the wizard is finished executing, a functioning VPN connection to a VPC should be established.
Afterwards you will see a dropdown entry under VPN for this AWS VPC wizard.