I’ve had a few customers recently using the SysAdminMan VPN:PBX template with an existing on-site pfSense gateway. The VPN:PBX template has Asterisk, FreePBX and A2Billing installed, along with OpenVPN set up to allow secure connections to the VPS.
pfSense can be used as an OpenVPN client/gateway so this makes a great combination for a secure off-site PBX.
Here are some setup instructions for configuring pfSense with the SysAdminMan VPN:PBX template.
1 – Obtaining the OpenVPN client certificates
When your SysAdminMan server is created 3 files will be generated that are required to configure pfSense as an OpenVPN client. These files can be e-mailed to you or retrieved from the VPS using a program like WinSCP. The 3 files are -
/etc/openvpn/keys/tplink.key
/etc/openvpn/keys/tplink.crt
These 3 files identify an individual OpenVPN client. If you are just connecting a single gateway this is all you will need. If you’d like instructions for creating more certificates please open a support ticket.
2 – Installing the Certificates on pfSense
Next we need to install the 3 certificates above in pfSense. The 3 files (ca.crt, tplink.key and tplink.crt) are text files which we can open with Notepad, or something similar, and then copy and paste the contents into the correct place in pfSense.
First select “System/Cert Manager” from the pfSense menu. Then we click to add a CA -
Call the new CA ‘sysadminman’ and paste the contents of the file ca.crt into the ‘Certificate data’ box -
After saving that go back to Cert Manager and click on the ‘Certificates’ tab. There will probably be a default one, but we need to add a new certificate -
Call the new certificate ‘sysadminman’ and paste the contents of tplink.crt into the ‘Certificate data’ box and the contents of tplink.key into the ‘Private key data’ box -
If we save that we should now be able to see our new certificate configured on the Certificates page -
3 – Configuring OpenVPN in pfSense
Now we can configure OpenVPN on pfSense. Select ‘VPN/OpenVPN’ from the pfSense menus and then click on the ‘Client’ tab. Then click to add a new OpenVPN client -
Now we need to enter our VPN connection details. Under General information the only thing you should need to change is the Server address. Here you should enter the IP address of your SysAdminMan VPS -
Under Cryptographic Settings, ensure that TLS Authentication is not selected, that the 2 ‘sysadminman’ certificates we created are selected, and that the Encryption algorithm is set to ‘BF-CBC (128-bit)’ -
Once that’s done pfSense should connect to our VPS. We can see the status of the connection by going to OpenVPN Client and clicking on the ‘s’ button -
4 – Telling OpenVPN about our local LAN
By default OpenVPN on the SysAdminMan VPN:PBX template assumes that your local network is using 10.99.99.0/24. If you are setting up a new site and can use this then there is nothing more to change.
If you are using an existing numbering block then we need to tell OpenVPN on the VPS what that is. So let’s assume you are using 192.168.10.X at your site. There are 2 files we need to change on the VPS. If you’d like this done for you, please open a support ticket.
The first is /etc/openvpn/server.conf where we need to change -
route 10.99.99.0 255.255.255.0
...
to
route 192.168.10.0 255.255.255.0
...
The second file to change is /etc/openvpn/ccd/tplink where we need to change -
to
And then just restart OpenVPN with -
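The address change described in this section, as an added example (not part of the original post or the template): a Python helper that swaps the default 10.99.99.0 255.255.255.0 pair for your own LAN, skips commented-out lines, and rejects a LAN that is malformed or contains the tunnel address 10.98.0.1. The function name and the sample file contents are assumptions made for illustration. Because it matches the address pair rather than a directive name, the same function can be run over the text of /etc/openvpn/ccd/tplink.

```python
import ipaddress
import re

DEFAULT_LAN = ipaddress.ip_network("10.99.99.0/24")  # template default (from the article)
VPN_SERVER_IP = ipaddress.ip_address("10.98.0.1")    # VPS tunnel address (from the article)

# Constructed sample; the template's real server.conf will contain more than this.
SAMPLE_SERVER_CONF = """\
# constructed sample server.conf
port 1194
dev tun
client-config-dir /etc/openvpn/ccd
;route 10.99.99.0 255.255.255.0
route 10.99.99.0 255.255.255.0
"""


def retarget_lan(conf_text, new_lan, old_lan=DEFAULT_LAN):
    """Swap the old LAN 'network netmask' pair for the new one.

    Returns (new_text, changed_line_numbers). Hypothetical helper, not an OpenVPN tool.
    """
    new = ipaddress.ip_network(new_lan)  # strict: ValueError if host bits are set
    if VPN_SERVER_IP in new:
        raise ValueError(f"{new} overlaps the tunnel address {VPN_SERVER_IP}")
    # Match the exact dotted pair, not a longer address that merely contains it.
    pair = re.compile(
        r"(?<![\d.])" + re.escape(str(old_lan.network_address))
        + r"(\s+)" + re.escape(str(old_lan.netmask)) + r"(?![\d.])"
    )
    out, changed = [], []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        # OpenVPN treats lines starting with '#' or ';' as comments: leave them alone.
        if not line.lstrip().startswith(("#", ";")):
            line, hits = pair.subn(
                lambda m: f"{new.network_address}{m.group(1)}{new.netmask}", line
            )
            if hits:
                changed.append(number)
        out.append(line)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else ""), changed


if __name__ == "__main__":
    text, changed = retarget_lan(SAMPLE_SERVER_CONF, "192.168.10.0/24")
    print(f"changed lines: {changed}")
    print(text, end="")
```

Run it against a copy of each file and compare the result with the original before replacing anything on the VPS.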
5 – Testing!
Now from a local PC you should be able to ping your SysAdminMan VPS over the VPN. The IP address of the server is 10.98.0.1, so we can -
Now when you are connecting a phone to Asterisk over SIP, or managing the server over HTTPS, you can use the VPN address of 10.98.0.1 instead of the server’s public IP address.
6 – Troubleshooting
If you are having problems getting this working then check the error log at /var/log/messages for OpenVPN system messages or open a support ticket for us to take a look.