Using SysAdminMan OpenVPN template with pfSense

I’ve had a few customers recently using the SysAdminMan VPN:PBX template with an existing on-site pfSense gateway. The VPN:PBX template has Asterisk, FreePBX and A2Billing installed, along with OpenVPN setup to allow secure connections to the VPS.

pfSense can be used as an OpenVPN client/gateway so this makes a great combination for a secure off-site PBX.

Here are some setup instructions for configuring pfSense with the SysAdminMan VPN:PBX template.

1 – Obtaining the OpenVPN client certificates

When your SysAdminMan server is created, 3 files are generated that are required to configure pfSense as an OpenVPN client. These files can be e-mailed to you or retrieved from the VPS using a program like WinSCP. The 3 files are –

/etc/openvpn/keys/ca.crt
/etc/openvpn/keys/tplink.key
/etc/openvpn/keys/tplink.crt

These 3 files identify an individual OpenVPN client (tplink.key is that client’s private key, so it should not be shared). If you are just connecting a single gateway this is all you will need. If you’d like instructions for creating more certificates please open a support ticket.

2 – Installing the Certificates on pfSense

Next we need to install the 3 files above in pfSense. The 3 files (ca.crt, tplink.key and tplink.crt) are text files which we can open with Notepad, or something similar, and copy and paste the contents into the correct place in pfSense.

First select “System/Cert Manager” from the pfSense menu. Then we click to add a CA –

[Screenshot: pfSense add CA]

Call the new CA ‘sysadminman’ and paste the contents of the file ca.crt into the ‘Certificate data’ box –

[Screenshot: pfSense CA data]

After saving that go back to Cert Manager and click on the ‘Certificates’ tab. There will probably be a default one, but we need to add a new certificate –

[Screenshot: Add a certificate in pfSense]

Call the new certificate ‘sysadminman’ and paste the contents of tplink.crt into the ‘Certificate data’ box and the contents of tplink.key into the ‘Private key data’ box –

[Screenshot: pfSense add certificate for OpenVPN]

If we save that we should now be able to see our new certificate configured on the Certificates page –

[Screenshot: pfSense certificate]

3 – Configuring OpenVPN in pfSense

Now we can configure OpenVPN on pfSense. Select ‘VPN/OpenVPN’ from the pfSense menus and then click on the ‘Client’ tab. Then click to add a new OpenVPN client –

[Screenshot: pfSense add OpenVPN client]

Now we need to enter our VPN connection details. Under General information, the only thing you should need to change is the Server address. Here you should enter the IP address of your SysAdminMan VPS –

[Screenshot: pfSense OpenVPN details]

Under Cryptographic Settings, make sure that TLS Authentication is not selected, that the 2 ‘sysadminman’ entries we created (the CA and the client certificate) are selected, and that the Encryption algorithm is set to ‘BF-CBC (128-bit)’, which must match the cipher the OpenVPN server on the VPS is configured with. Note that BF-CBC is a legacy 64-bit block cipher that recent OpenVPN and pfSense releases no longer enable by default, so if you move to a different cipher it has to be changed on both ends –

[Screenshot: pfSense OpenVPN settings]

Once that’s done, pfSense should connect to our VPS. We can see the status of the connection by going to OpenVPN Client and clicking on the ‘s’ button –

[Screenshot: pfSense OpenVPN status]

4 – Telling OpenVPN about our local LAN

By default OpenVPN on the SysAdminMan VPN:PBX template assumes that your local network is using 10.99.99.0/24. If you are setting up a new site and can use this then there is nothing more to change.

If you are using an existing numbering block then we need to tell OpenVPN on the VPS what that is. So let’s assume you are using 192.168.10.X at your site. There are 2 files we need to change on the VPS. If you’d like this done for you please open a support ticket.

The first is /etc/openvpn/server.conf where we need to change –

...
route 10.99.99.0 255.255.255.0
...

to

...
route 192.168.10.0 255.255.255.0
...

The second file to change is /etc/openvpn/ccd/tplink where we need to change –

iroute 10.99.99.0 255.255.255.0

to

iroute 192.168.10.0 255.255.255.0

And then just restart OpenVPN with –

service openvpn restart
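The two edits above can be scripted so that the same subnet is written to both files, the input is checked first, and nothing is restarted until the new lines are verified. The script below is an added example and is not part of the SysAdminMan template: set_lan_route and valid_ipv4 are names assumed here, the file paths are passed as parameters so the change can be rehearsed on copies, and the demo at the end works on constructed copies of server.conf and the ccd/tplink file rather than the real ones under /etc/openvpn.

```shell
#!/bin/sh
# Added example, not part of the SysAdminMan template: switch the OpenVPN
# server's LAN route and the tplink client-config iroute to a new subnet.
# File paths are parameters so it can be rehearsed on copies; the real files
# on the VPS are /etc/openvpn/server.conf and /etc/openvpn/ccd/tplink.

# valid_ipv4 ADDR: accept only a dotted quad with every octet in 0..255
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# set_lan_route FILE DIRECTIVE NETWORK NETMASK
# Rewrites the "route ..." (server.conf) or "iroute ..." (ccd file) line,
# keeps a .bak copy for rollback, and confirms the new line is present.
set_lan_route() {
    file=$1; directive=$2; net=$3; mask=$4
    case "$directive" in
        route|iroute) ;;
        *) echo "directive must be route or iroute" >&2; return 1 ;;
    esac
    valid_ipv4 "$net" && valid_ipv4 "$mask" \
        || { echo "bad network/netmask: $net $mask" >&2; return 1; }
    grep -Eq "^${directive} " "$file" \
        || { echo "no '${directive}' line found in $file" >&2; return 1; }
    cp "$file" "$file.bak"
    # "^route " does not match "iroute" lines, so each file is edited on its own
    sed "s/^${directive} .*/${directive} ${net} ${mask}/" "$file" > "$file.new" \
        && mv "$file.new" "$file"
    grep -Eq "^${directive} ${net} ${mask}$" "$file"
}

# Constructed demo: rehearse the change on throwaway copies of both files.
demo=$(mktemp -d)
printf 'port 1194\nproto udp\nroute 10.99.99.0 255.255.255.0\n' > "$demo/server.conf"
printf 'iroute 10.99.99.0 255.255.255.0\n' > "$demo/tplink"
set_lan_route "$demo/server.conf" route 192.168.10.0 255.255.255.0
set_lan_route "$demo/tplink" iroute 192.168.10.0 255.255.255.0
grep -H 'route ' "$demo/server.conf" "$demo/tplink"
# On the VPS itself, after running set_lan_route on the real two files,
# finish with: service openvpn restart
```

Because both functions return non-zero on any problem (bad subnet, missing directive, line not rewritten), a wrapper can chain them with `&&` and only reach `service openvpn restart` when both files were updated; the .bak copies give a quick way back if the tunnel does not come up afterwards.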

5 – Testing!

Now from a local PC you should be able to ping your SysAdminMan VPS over the VPN. The IP address of the server is 10.98.0.1, so we can –

[Screenshot: ping over OpenVPN]

Now when you are connecting a phone to Asterisk over SIP, or managing the server over HTTPS, you can use the VPN address of 10.98.0.1 instead of the server’s public IP address.

6 – Troubleshooting

If you are having problems getting this working then check the system log at /var/log/messages on the VPS for OpenVPN messages, or open a support ticket for us to take a look.