pratik wrote:
> Now I'm at the OpenVPN client config page and it's quite overwhelming. I'm trying to find some useful info online, but if anyone knows exactly what each field on the page means, I would really appreciate it.

I set the VPN client up in the following order:
1) Set 'Hybrid Outbound NAT rule generation' (Firewall > NAT > Outbound)
2) Set up the Sonic.net CA and certificate (System > Certificate Manager > CAs & Certificates)
3) Set up and enable a virtual interface for the Sonic VPN (Interfaces > Assign). I named mine SONICVPN; IPv4 & IPv6 configuration types are both set to 'none'. Leave the other settings default.
4) Add Sonic.net VPN client (VPN > OpenVPN > Clients).
Pertinent settings:
Server mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device mode: Tun
Interface: WAN
Server host or address: ovpn.sonic.net
Server port 1194
Description: (SONICVPN or whatever)
Username: Sonic username
Password: Your Sonic password
TLS authentication: Checked
Key: Paste from your Sonic client.ovpn file (starts with -----BEGIN OpenVPN Static key V1-----)
Peer certificate authority: the CA certificate you created within pfSense during step 2
Client certificate: the certificate you set up during step 2
Encryption Algorithm: AES-128-CBC (128-bit)
Auth digest algorithm: SHA1 (160-bit)
Compression: Enabled with Adaptive Compression
Disable IPv6: checked
Don't pull routes: unchecked
Don't add/remove routes: unchecked
Custom options (these are mine):
setenv FORWARD_COMPATIBLE 1;
server-poll-timeout 4;
dev-type tun;
ns-cert-type server;
verify-x509-name 'CN=OpenVPN Server';
reneg-sec 604800;
sndbuf 100000;
rcvbuf 100000;
keepalive 10 60;
comp-lzo no;
verb 3;
setenv PUSH_PEER_INFO;
auth-nocache;
Make sure to SAVE.
If you want to route only certain clients through the VPN you can specify the Sonic VPN as your gateway in your firewall rules for those clients... If you have quite a few network devices I strongly suggest you utilize aliases (Firewall > Aliases). Makes life a bit simpler :)
For any connection issues make sure to check your OpenVPN log (Status > System Logs > OpenVPN). And also make sure pfSense is not behind another router unless that router is in bridge mode... This will alleviate double NAT, etc. Good luck!
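As an added example (not part of the post above, and not pfSense or OpenVPN code), the Python script below lints an OpenVPN client setup like the one described: it takes the pfSense GUI choices as a small dict (keys `cipher`, `auth`, `tls_auth`, `compression` are this example's own naming) and the "Custom options" text as a string, and reports the points a reviewer would want to look at before trusting the tunnel: CBC versus AEAD ciphers, SHA1 as the HMAC, compression (both whether it is on and whether the GUI and `comp-lzo` disagree, since the post sets "Adaptive Compression" in the GUI but `comp-lzo no` in custom options), the deprecated `ns-cert-type` directive, whether the server identity is pinned, `auth-nocache`, and the rekey interval. The sample input is the post's own configuration.

```python
"""Lint an OpenVPN client configuration (pfSense GUI choices + custom options).

Added example; not from the forum post, pfSense or OpenVPN.  The gui dict
keys (cipher, auth, tls_auth, compression) are constructed for this example.
"""
import re

# Ciphers with a 64-bit block size that OpenVPN itself warns about.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}


def parse_directives(text):
    """Split pfSense-style custom options (';' or newline separated) into
    (directive, argument) pairs; quotes around the argument are removed."""
    directives = []
    for raw in re.split(r"[;\n]", text):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.append((name, args.strip().strip("'\"")))
    return directives


def lint(gui, custom_options):
    """Return a list of (code, message) findings for the given configuration."""
    findings = []
    opts = parse_directives(custom_options)
    names = {name for name, _ in opts}
    args = dict(opts)  # last occurrence wins; fine for single-value directives

    if not gui.get("tls_auth"):
        findings.append(("NO_TLS_AUTH",
            "TLS authentication is off: control-channel packets are not HMAC-checked before the TLS handshake"))

    cipher = gui.get("cipher", "").upper()
    if cipher in WEAK_CIPHERS:
        findings.append(("WEAK_CIPHER", f"{cipher} has a 64-bit block size and is considered weak"))
    elif cipher.endswith("-CBC"):
        findings.append(("CBC_CIPHER",
            f"{cipher} is CBC mode; prefer an AEAD cipher such as AES-256-GCM when the server supports it"))

    if gui.get("auth", "").upper() == "SHA1":
        findings.append(("SHA1_HMAC", "SHA1 is acceptable as an HMAC but SHA256 is preferred where the server allows it"))

    # Compression: bare 'comp-lzo', 'comp-lzo yes' and 'comp-lzo adaptive' all enable it.
    gui_on = bool(gui.get("compression"))
    custom_on = None
    if "comp-lzo" in names:
        custom_on = args["comp-lzo"] in ("", "yes", "adaptive")
        if custom_on != gui_on:
            findings.append(("COMPRESSION_CONFLICT",
                "GUI compression setting and custom 'comp-lzo' disagree; confirm the effective value in the OpenVPN log"))
    if gui_on or custom_on:
        findings.append(("COMPRESSION_ON",
            "compression of tunnelled traffic enables compression side channels (VORACLE); disable it unless required"))

    if "ns-cert-type" in names:
        findings.append(("NS_CERT_TYPE_DEPRECATED",
            "ns-cert-type is deprecated (removed in OpenVPN 2.5); use 'remote-cert-tls server' instead"))
    if not names & {"verify-x509-name", "remote-cert-tls", "ns-cert-type"}:
        findings.append(("SERVER_IDENTITY_UNPINNED",
            "no verify-x509-name / remote-cert-tls: any certificate issued by the CA would be accepted as the server"))
    if "auth-nocache" not in names:
        findings.append(("AUTH_CACHED",
            "auth-nocache is absent; OpenVPN keeps the username/password in memory for renegotiations"))

    reneg = args.get("reneg-sec")
    if reneg and reneg.isdigit() and int(reneg) > 3600:
        findings.append(("RENEG_SEC_LONG",
            f"reneg-sec {reneg}s rekeys the data channel less often than the 3600s default"))
    return findings


# Sample input: the GUI choices and custom options from the post above.
POST_GUI = {"cipher": "AES-128-CBC", "auth": "SHA1", "tls_auth": True, "compression": True}
POST_CUSTOM = """setenv FORWARD_COMPATIBLE 1;
server-poll-timeout 4;
dev-type tun;
ns-cert-type server;
verify-x509-name 'CN=OpenVPN Server';
reneg-sec 604800;
sndbuf 100000;
rcvbuf 100000;
keepalive 10 60;
comp-lzo no;
verb 3;
setenv PUSH_PEER_INFO;
auth-nocache;"""

if __name__ == "__main__":
    for code, message in lint(POST_GUI, POST_CUSTOM):
        print(f"[{code}] {message}")
```

Run it as-is to see the review points for the post's configuration; change the `POST_GUI` values or the custom options string to check your own. A configuration with an AEAD cipher, SHA256, TLS auth on, no compression, `remote-cert-tls server` and `auth-nocache` produces no findings.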