Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
=== Step 2: Set up Certificates ===

<span id="make-a-certificate-authority"></span>
==== 2.1 – Make a Certificate Authority ====

The Certificate Authority (CA) signs the server and client certificates, and each side checks the other's certificate against it when establishing a secure connection. You don’t have to have any idea what that means to use a VPN. Here’s how we create the CA in '''pfSense''':

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_12971ff0.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_20129d0a.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_d4a33a40.png
</gallery>
</div>

# '''Log into pfSense:'''
# Open your browser and go to your '''pfSense''' IP address (e.g., <code>https://192.168.5.1</code> or <code>https://pfSense.home.arpa</code>).
# Log in with your credentials (default: <code>admin</code> / <code>pfsense</code> unless changed).
# '''Navigate to the Certificate Manager:'''
# Go to '''System > Cert Manager''' in the top navigation menu.
# '''Create a New CA:'''
# Under the CAs tab, click the '''+ Add''' button to create a new Certificate Authority.
# '''Fill in the CA Details:'''
#* '''Descriptive Name:''' OpenVPN-CA (or any name you choose)
#* '''Method:''' Create an Internal Certificate Authority
#* '''Key Length:''' 4096 bits (recommended for strong security)
#* '''Digest Algorithm:''' SHA-512 (for secure hashing)
#* '''Lifetime (days):''' 3650 (about 10 years)
#* '''Distinguished Name:'''
#** '''Country Code:''' Your country’s two-letter code (e.g., US for the United States)
#** '''State or Province:''' Your state or province
#** '''City:''' Your city or locality
#** '''Organization:''' Your organization name
#* '''Common Name:''' OpenVPN-CA (or another descriptive name)
# '''Save the CA:'''

<span id="creating-the-openvpn-server-certificate"></span>
==== 2.2 - Creating the OpenVPN Server Certificate ====

Next, create the server certificate that the OpenVPN server will use for secure client connections.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_bfc83cc1.png
File:lu55028jxb9s_tmp_fe565fd6.png
File:lu55028jxb9s_tmp_ffd201ba.png
</gallery>

<ol style="list-style-type: decimal;">
<li><p>Navigate to the <code>Certificates</code> tab in Cert Manager.</p>
<ul>
<li>'''Add a New Server Certificate:'''</li></ul>
</li>
<li><p>Click '''+ Add/Sign''' to create a new certificate.</p></li>
<li><p>'''Fill in the Server Certificate Details:'''</p>
<ul>
<li><p>'''Method:''' Create an Internal Certificate</p></li>
<li><p>'''Descriptive Name:''' OpenVPN-ServerCert – name it something that makes it easy to identify as a '''SERVER''' certificate later for OpenVPN</p></li>
<li><p>'''Certificate Authority:''' Select OpenVPN-CA (the CA you just created)</p></li>
<li><p>'''Key Length:''' 4096 bits</p></li>
<li><p>'''Digest Algorithm:''' SHA-512</p></li>
<li><p>'''Certificate Type:''' Server Certificate.</p>
<blockquote><p>'''WARNING:''' Make sure you do not leave this set to user certificate, which is the default option.</p></blockquote></li>
<li><p>'''Lifetime (days):''' 3650</p></li>
<li><p>'''Distinguished Name:''' Match the details you used for the CA</p></li>
<li><p>'''Common Name:''' louis.chickenkiller.com (you can use whatever you put for your dynamic DNS domain name here)</p></li></ul>
</li>
<li><p>Click '''Save'''. You should now see OpenVPN-ServerCert listed under the Certificates tab.</p></li></ol>

<span id="create-a-vpn-group-for-your-vpn-users"></span>
==== 2.3 Create a VPN Group for your VPN users ====

To connect your Android phone to the VPN, create a user account with an associated client certificate.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_25f3872b.png
File:lu55028jxb9s_tmp_838eb68a.png
File:lu55028jxb9s_tmp_1e4e6e6e.png
File:lu55028jxb9s_tmp_8a57a6ce.png
</gallery>

'''Log into pfSense:'''
* Open your browser and navigate to your '''pfSense''' IP address (e.g., <code>https://192.168.5.1</code> or <code>https://pfSense.home.arpa</code> or <code>pfSense.home.arpa</code>).
* Log in using your admin credentials.

'''Open User Manager:''' Go to '''System > User Manager'''.

'''Add a New Group:'''
* In the '''Groups''' tab of User Manager, click the '''+ Add''' button to create a new Group.
* '''Fill Out the Group Information:'''
** '''Group name:''' Choose a group name that makes sense for VPN users (e.g., <code>vpnusers</code>).
** Click '''Save'''.

<span id="create-a-vpn-user"></span>
==== 2.4 Create a VPN user ====

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_260205ab.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_bc14297e.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_cd15d249.png
</gallery>
</div>

# In the '''Users''' tab of User Manager, click the '''+ Add''' button to create a new user.
# '''Fill Out the User Information:'''
## '''Username:''' Choose a username (e.g., <code>vpnuser1</code>).
## '''Password:''' Enter a strong password.
# Add the user to the <code>vpnusers</code> group you just made.
# For '''Certificate''', check '''“Click to create a user certificate”'''. '''DO NOT FORGET TO CREATE A USER CERTIFICATE FOR THE USER.'''
# Create a name for the user certificate, such as <code>vpnuser_client_cert</code>, so you can recognize it as the USER cert later.

'''BEFORE YOU HIT SAVE:''' ''Before you hit save on adding a new user account:''

# Scroll to the '''Certificates''' section of the user creation form:
# Click '''+ Add''' to generate a new certificate for this user.
# '''Configure the User Certificate:'''
## '''Certificate Authority:''' <code>OpenVPN-CA</code>
## '''Key Length:''' 4096 bits
## '''Digest Algorithm:''' <code>SHA-512</code>
# '''Save the user with the certificate:'''
# Click '''Save'''.
# Verify User Creation. You should now see the user listed under '''System > User Manager > Users'''.

<span id="step-3-configure-openvpn-server"></span>
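
The '''Certificate Type''' warning in 2.2 can be checked outside pfSense. The script below is an added example, not part of the original guide or of pfSense: it builds a throwaway CA, server and user certificate with the same key length, digest and lifetime as above, then asks OpenSSL whether each certificate is acceptable as a TLS server or as a TLS client. The extension profiles, file names and <code>lab-*</code> common names are assumptions made for the demonstration.

```shell
# Added example: throwaway lab PKI using the guide's settings (RSA 4096,
# SHA-512, 3650 days). Extension profiles are assumed, not exported from pfSense.
set -e

make_pki() {  # $1 = empty working directory
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = req
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[user_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:4096 -sha512 -nodes -days 3650 \
    -config "$d/pki.cnf" -extensions ca_ext -subj "/CN=OpenVPN-CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for kind in server user; do
    openssl req -new -newkey rsa:4096 -sha512 -nodes -config "$d/pki.cnf" \
      -subj "/CN=lab-$kind" -keyout "$d/$kind.key" -out "$d/$kind.csr" 2>/dev/null
    openssl x509 -req -in "$d/$kind.csr" -sha512 -days 3650 -CA "$d/ca.crt" \
      -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/pki.cnf" \
      -extensions "${kind}_ext" -out "$d/$kind.crt" 2>/dev/null
  done
}

# Exit 0 only if cert $2 (server|user) chains to the CA AND fits purpose $3.
purpose_ok() {  # $1 = dir, $3 = sslserver|sslclient
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Prints "<signature algorithm> <key bits>" for certificate file $1.
cert_facts() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ && !a { a = $3 }
    /Public-Key:/ { gsub(/[^0-9]/, ""); b = $0 } END { print a, b }'
}

PKI_DIR=$(mktemp -d); make_pki "$PKI_DIR"
for cert in server user; do
  for purpose in sslserver sslclient; do
    purpose_ok "$PKI_DIR" "$cert" "$purpose" && r=accepted || r=rejected
    echo "$cert cert ($(cert_facts "$PKI_DIR/$cert.crt")) as $purpose: $r"
  done
done
```

A server certificate left at the user type behaves like the <code>user</code> rows here: it chains to the CA but is rejected for the server purpose, which is the check an OpenVPN client performs when its configuration contains <code>remote-cert-tls server</code>.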