PfSense: reverse proxy all the things. Part 1: OpenVPN on tcp port 443


5 min read

In this part we configure OpenVPN on PfSense running on localhost tcp port 443 ( we use localhost to run the server since we want to use WAN tcp port 443 for the HA-Proxy. )
Other Parts in this series:
- PfSense: reverse proxy all the things. Part 2: Install HA-Proxy and configure frontend and backend for OpenVPN
- PfSense: reverse proxy all the things. Part 3: Configure HA-Proxy for SSL traffic
- PfSense: reverse proxy all the things. Part 4: Install AMCE for automatic SSL certificates
- PfSense: reverse proxy all the things. Part 5: Configure HA-Proxy for SSL-Offloading

Part 1: OpenVPN on tcp port 443

Setup Internal CA

before we can setup our vpn we first need a Certificate Authority, we use this to encrypt our authentication and traffic when we communicate through the vpn tunnel.

In Pfsense go to: System -> Cert. Manager -> CAs
Click on the ADD button and change the following
Descriptive Name: OpenVPN
Randomize Serial: Checked
Key Type: RSA - 4096
Digest algorithm: sha512
Common Name: OpenVPN
Country Code: Select the country where you are located. (fields like country, state, etc are optional )

Click Save to create the CA.
You should now see the just created CA: (certificate from the CA is valid for 10 Years)

Create Server Certificate

Now go to the Tab 'Certificates' to create the server certificate for the VPN server
(NOTE: Server certificates should not have a lifetime over 398 days or some platforms may consider the certificate invalid. - THIS NEED TO BE RENEWED MANUALLY EVERY YEAR TO KEEP THE SERVER RUNNING.)
Click on 'Add/Sign' to create the certificate, the options should be:
Descriptive name: Server
Certificate authority: OpenVPN
Key Type: RSA - 4096
Digest Algorithm: sha512
Lifetime (days): 398
Common Name: server
Certificate Type: Server Certificate

Click 'Save' to create the server certificate.

Create new user for login and certificate for vpn

We need a new user that we can use to login via the VPN.
Goto: System -> User Manager and click on 'Add' to create a new user.
Username: Mine is demo, you can create anything you like.
Password: please use a strong at least 16 character password for services like this.
Certificate: checked
Descriptive name: demo -> should be same as your username !!!
Certificate authority: OpenVPN
Key Type: RSA - 4096
Digest Algorithm: sha512
Lifetime: 3650

Click 'Save' to create the account and the certificate.

Configure OpenVPN server

We now have all we need to create the VPN server.
Goto: VPN -> OpenVPN -> Servers and click 'Add' to create the server with options:
Server mode: Remote Access (SSL/TLS + User Auth)
Protocol: TCP on IPv4 Only
Interface: Localhost
Local Port: 443

For Cryptographic Settings these are mine, you can set this up various ways. ( I'm going for a secure setup)
Double check all is setup ok!!

on the 'Tunnel Settings" I'm pushing all the traffic through the VPN, alternative you could do split-tunnel VPN where you only route certain subnets through the VPN.

Only thing changed on the rest of the settings is the 'Gateway creation: IPv4 Only'

If you want to push traffic through an internal DNS server ( for example Pi-Hole ) you can change that in the advanced settings and provide the ip address in the dns field and check the box 'Block Outside DNS'
Click 'Save' to create the server.

We need to change 1 setting in the server. Click the edit button. ( the setting wasn't available when we did the initial setup since there was no TLS key yet)
Scroll down to 'Cryptographic Settings' and select the options: ( you should see a TLS key )
TLS Key Usage Mode: TLS Encryption and Authentication
TLS keydir direction: Both directions

And 'Save' the new configuration on the end of the page.
The server is now running on localhost TCP port 443. we can't test it yet since the reverse proxy is not yet configured.
We will install and configure the HA-Proxy in Part2 of this series then we can test if the VPN works, see you there...