Create secure VPN with OpenVPN and pfSense on EDIS KVM plans

This is a basic guide to install pfSense, set up an OpenVPN server and install the connection on a Windows or macOS computer in less than 30 minutes. pfSense has a simple to use WebGUI and is pretty much self-explanatory.

EDIS KVM plans are available in 30+ locations around the globe.
Pick the server-location closest to you and/or the location you'd like to connect to.
Order a KVM product starting on our website at https://www.edis.at/en/server/location/europe/austria/vienna?technology=kvm
If you own one already, you can skip forward to the next step. If you need one, use coupon code WorkFromHome during checkout to get 5% discount on your first month.
 
To start the installation, log in to our control panel at
https://manage.edis.at/vps/ with your email address and password.
 
In the overview, select the server you would like to install pfSense on.
Go to the CD-ROM dropdown menu and select the pfSense-CE-XXX-XXX.iso
 
 
A pop-up window appears on the screen; confirm with "Insert CD"
 
 
Now enable VNC: click the button "enable VNC"
 
 
Set a password of your choosing (the "enable VNC" button appears after you have entered and confirmed the password)
 
 
Now start your favourite VNC viewer and use the IP and the port to connect to your KVM, or press the button "Start browser-based terminal"; this opens a new window where you enter the password and connect directly to your KVM.
 
 
After you are connected you can do a soft reset via the control panel, or you can send a Ctrl-Alt-Del to the server and it should reboot.
On the first screen press ESC or F12 to get into the boot menu.
In the boot menu select ata0-1, which is number 2 or 3 in the menu.
 
 
Press 1 and wait for the system to boot into the installation menu
 
 
Confirm the copyright and distribution rights with Accept (press Enter)
 
 
Confirm the start of the installation with ENTER
 
 
After selecting the keyboard layout, select "Continue with XX.YYY keymap"
 
 
Select the "Auto (UFS)" installation and click OK to start
 
 
Wait for the installation to finish.
Confirm the end of the installation process with "No" and reboot the server.
 
 
After the server reboots you will see:
Should VLANs be set up now [y|n]? N <-- We don't use VLANs
 
Enter the WAN interface name or 'a' for auto-detection
(vtnet0 or a): vtnet0 <-- This is the public interface
 
 
Enter the LAN interface name or 'a' for auto-detection
 
(a or nothing if finished): <-- Just press enter 
 
 
Do you want to proceed [y|n]? y <-- this will take some time since the server is waiting for a DHCP lease which it will not get
 
 
 
In the menu select the 2nd option (Set interface(s) IP address)
 
 
 
Configure IPv4 address WAN interface via DHCP? (y/n) n <-- We will configure the static IP in the next step
 
Enter the new WAN IPv4 address. Press <ENTER> for none:
> XXX.XXX.XXX.XXX <-- you can find your public IP in the CP
 
Enter the new IPv4 subnet bit count (1 to 31):
> 24 <-- usually it is 24; in some subnets it is 25. You can find this information in the CP under "IPv4 Network properties"
 
For WAN, enter the new WAN IPv4 upstream gateway address.
For a LAN, press <ENTER> for none:
> XXX.XXX.XXX.1 <-- You can find the gateway in the CP under "IPv4 Network properties"
 
Configure IPv6 address WAN interface via DHCP6? (y/n) n
 
Enter the new WAN IPv6 address. Press <Enter> for none:
> <-- Press enter, since we will not configure IPv6 in this tutorial
 
Do you want to enable DHCP server on WAN? (y/n) n <-- select NO since EDIS doesn't allow DHCP servers for public IPs
 
In the first setup you will be asked if the WebGUI should be activated; confirm with Yes
 
As the last step press ENTER to return to the main menu
 
 
You will now see the WAN IP in the main menu
 
 
Please go to your favourite browser and go to http://XXX.XXX.XXX.XXX <-- replace the XXX.XXX.XXX.XXX with your WAN IP which you just set. 
 
You will see a login screen. Please login with the default credentials:
user: admin
pass: pfsense
 
 
Please follow the setup wizard:
Press next:
 
 
In the general information, you need to set the Hostname of the server, the domain and the Primary and Secondary DNS:
You can find the DNS servers in the CP under "IPv4 Network properties"
 
 
Select the time zone and the NTP server
 
 
In the next step, we recommend you select the option at the bottom, Block private networks from entering via WAN
 
 
Set your admin password; use a secure password and don't lose it.
 
 
Press "Reload" to save and apply the changes. 
 
 
 
Press Finish to complete the setup
 
 
Accept the terms and conditions
 
 
 
Now select from the menu System -> Advanced 
Set the Protocol to HTTPS
and press Save on the bottom
 
 
The site will reload; you will have to accept the SSL certificate, which is a locally generated one, and log in again.
 
Go to the System -> Advanced menu and select the Networking tab and check the box Disable hardware checksum offload
 
Press Save on the bottom.
 
 
Go to the Miscellaneous tab and select AES-NI and BSD Crypto Device from the Cryptographic Hardware dropdown menu
 
 
 
Please go to Diagnostics -> reboot and press the reboot button.
Confirm the reboot. This takes around 2 minutes
 
 
Please re-login after the reboot. 
 
Go to System -> Package Manager and select the Available Package tab
Enter VPN into the search field and press + Install next to the OpenVPN-client-export package
 
 
Confirm the installation and wait for it to complete
 
 
 
 
Now select from the main menu VPN -> OpenVPN and select the Wizard tab
Select Local User access for the Type of server
 
 
Now we need to create a new Certificate Authority (CA) certificate.
We recommend you use an 8192-bit key length. Fill in the rest of the information and click Create CA
 
 
The next step is creating the server certificate.
Also select a key length of 8192-bit; fill in the rest as you need.
Click Create new Certificate
 
 
Set a description for your server
Set the DH Parameters Length to 8192-bit
Set the Encryption Algorithm to a 256-bit cipher of your choosing
Set the Auth Digest Algorithm to SHA512
In the Tunnel Settings section:
Set your VPN IP range, for example 10.33.5.0/24
If you set the option Redirect Gateway, all the traffic from your clients will be tunnelled via the OpenVPN server; otherwise only the traffic for the IP range 10.33.5.0/24 will be sent into the VPN tunnel.
Check the box Inter-Client Communication so your clients can talk to each other.
The rest can be set if needed.
Click Next.
 
 
Check the box Firewall Rule and OpenVPN rule.
Click next.
 
 
Finish the installation by clicking the Finish button.
 
 
You will be redirected to the Servers tab in the OpenVPN menu
Select the edit option left of the newly created VPN server
and Save
 
 
You can select the Server mode here:
Remote Access (SSL/TLS + User Auth) <-- For this option, the client needs an SSL certificate (we will create it in the next steps) and a username and password
Remote Access (User Auth) <-- For this option, the client needs only a username and password
Remote Access (SSL/TLS) <-- For this option, the client needs only the SSL certificate

Depending on the level of security you need, choose one of the server modes.
Scroll down to the 
 
 
Go to Related status icon (top left)
 
 
 
In the Actions section, press the reload button.
 
 
Now go to System -> User Manager and press the + Add button
 
 
Set a username and password and check the Certificate box.
In the Description type in the username, so you can locate the certificate later for the export, and set the Key Length to 4096-bit.
Click Save
 
 

Client configuration:

To export the configuration for a client please go to VPN -> OpenVPN and select the Client Export tab
 
Since we only have one VPN server active, you don't need to change the server in the Remote Access Server drop-down menu. Scroll down to the bottom of the page, where you will see OpenVPN Clients.
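As an added check that is not part of this article: the Python script below parses an exported OpenVPN client profile (.ovpn) and verifies that it reflects the server settings chosen above (a 256-bit AES cipher, SHA512 auth digest, remote-cert-tls server) and carries the credentials the selected Server mode requires. The sample profile, its IP address and the placeholder certificate are constructed; a real export will contain more directives than shown here.

```python
import re

# Constructed sample client profile (.ovpn) reflecting the guide's server settings;
# this is not a real export from the pfSense server.
SAMPLE_PROFILE = """\
client
dev tun
remote 203.0.113.10 1194
remote-cert-tls server
auth-user-pass
cipher AES-256-GCM
auth SHA512
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""

# What the guide's settings imply: a 256-bit AES cipher and SHA512 auth digest.
EXPECTED = {"cipher": {"AES-256-GCM", "AES-256-CBC"}, "auth": {"SHA512"}}

def parse_profile(text):
    """Return (top-level directives, names of inline <tag>...</tag> blocks)."""
    directives, blocks, inside = {}, set(), None
    for line in (l.strip() for l in text.splitlines()):
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:                                  # enter or leave an inline block
            inside = None if tag.group(1) else tag.group(2)
            blocks.add(tag.group(2))
        elif line and inside is None and not line.startswith(("#", ";")):
            key, _, value = line.partition(" ")  # e.g. "cipher AES-256-GCM"
            directives[key] = value.strip()
    return directives, blocks

def check_profile(text, server_mode):
    """Return findings where the profile falls short of the guide; [] means OK."""
    d, blocks = parse_profile(text)
    findings = [f"{k} is {d.get(k)!r}, expected one of {sorted(v)}"
                for k, v in EXPECTED.items() if d.get(k) not in v]
    if d.get("remote-cert-tls") != "server":
        findings.append("missing 'remote-cert-tls server': client does not check server cert role")
    # The Server mode (Servers tab) decides which credentials the client must carry.
    if "User Auth" in server_mode and "auth-user-pass" not in d:
        findings.append("server mode requires username/password but profile lacks auth-user-pass")
    if "SSL/TLS" in server_mode and not ({"cert", "key"} <= blocks or "pkcs12" in d):
        findings.append("server mode requires a client certificate but profile carries none")
    return findings
```

Run it against the file the Client Export tab downloaded, passing the Server mode you selected; an empty list means the profile matches the settings from this guide.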
 

Windows-based clients:

For a Windows OS select Current Windows installer (XXXXX)
and select the correct version of OS
 
Your browser will download a .exe file.
Run the file on the client's computer. Simply click Next until you finish the installation.
You will find a new icon on the client's desktop
 
 
Run it and a new icon will appear near the clock in the taskbar.
 
 
Right-click on it and select Connect
 
A new window will appear and log text will scroll down; when the connection is established it will disappear again
 
 
If the connection was successful the OpenVPN icon will be green
 
 
If the icon is yellow the connection is still being established or there is a problem.
 
If you set the Redirect Gateway you can go to https://www.whatsmyip.org/ and you should see the WAN IP of your server.
 

macOS clients:

Download the OpenVPN client software https://tunnelblick.net/downloads.html <-- Free client
You also can use Viscosity https://www.sparklabs.com/viscosity/
Install the client.
 
In the OpenVPN Clients list select Most Clients or Viscosity Bundle depending on your client.
 
 
Find the configuration file you just downloaded and open it. Your OpenVPN client will automatically add the connection.
Go to your OpenVPN client and start the VPN connection.
 
 
If you used SSL/TLS + User Auth, a window will appear so you can enter your login information
Press OK and wait for the connection to be established 
 
 
If the connection is established successfully you will see
Viscosity:
 
Tunnelblick:
 
 
 
This support article was created on 18.3.2020
