Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
=== Step 3: Configure OpenVPN Server ===
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_ebaec37d.png
</gallery>
</div>
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_91ffd839.png
File:lu55028jxb9s_tmp_eb0c6c58.png
File:lu55028jxb9s_tmp_f489358.png
File:lu55028jxb9s_tmp_bb26515e.png
File:lu55028jxb9s_tmp_8d38ee89.png
File:lu55028jxb9s_tmp_b8064fd8.png
File:lu55028jxb9s_tmp_a7ea3e22.png
File:lu55028jxb9s_tmp_72e7ba8d.png
File:lu55028jxb9s_tmp_6ed741ea.png
</gallery>
<span id="open-the-openvpn-wizard-and-set-settings-according-to-what-you-see-below-in-section-3.2-and-in-images-above"></span>
==== 3.1 Open the OpenVPN Wizard, and set settings according to what you see below in section 3.2 and in the images above ====
# '''Log into pfSense:'''
# Go to '''VPN > OpenVPN'''.
# Click on the '''Wizards''' tab.
# Fill out the details according to what you see above. Keep in mind that when you are DONE, you will have to go back in & edit the settings for that VPN server that were NOT EDITABLE while you were creating the VPN.
<span id="openvpn-server-configuration"></span>
==== 3.2 OpenVPN Server Configuration ====
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_1be84c25.png
File:lu55028jxb9s_tmp_1ed49b8.png
File:lu55028jxb9s_tmp_a3fa0f3a.png
</gallery>
After you have finished, go back and edit the server you just made to make sure all of this matches:
# '''Description:''' openvpn server itself
#* This is for your reference only. You can name it something descriptive like “HomeVPN” or “MyVPNServer.”
# '''Protocol:''' UDP on IPv4 only
#* UDP is faster and more efficient for VPN traffic, and IPv4 only is typically sufficient unless you have a specific need for IPv6.
# '''Interface:''' WAN
#* This setting makes sure that your OpenVPN server will listen for incoming VPN connections on the WAN interface.
# '''Local Port:''' 1195
#* Default is 1194 and TOTALLY FINE. I chose 1195 because I already use 1194 for another system.
# '''TLS Authentication:''' Enabled

'''Cryptographic Settings'''
# '''DH Parameters Length:''' 4096 bits
#* Stronger than the default 2048-bit parameters.
# '''Data Encryption Algorithms:'''
#* The following algorithms are listed in the priority you selected:
#** AES-256-GCM
#** AES-128-GCM
#** CHACHA20-POLY1305
# '''Fallback Data Encryption Algorithm:''' AES-256-CBC
#* Used for compatibility if a client doesn’t support the GCM encryption algorithms.
# '''Auth Digest Algorithm:''' SHA-512
#* SHA-512 provides a high level of integrity protection for your VPN packets, making sure that the data hasn’t been altered.
# '''Hardware Crypto:''' Intel RDRAND engine - RAND

'''Tunnel Settings'''
# '''IPv4 Tunnel Network:''' <code>192.168.6.0/24</code>
#* This is the virtual network that your VPN clients will use.
# '''Redirect IPv4 Gateway:''' Checked
#* This forces all client traffic through the VPN tunnel.
# '''IPv4 Local Network:''' <code>192.168.5.0/24</code>
#* This allows VPN clients to access your local network.
# '''Allow Compression:''' Refuse any non-stub compression (Most Secure)
# '''Type-of-Service:''' Unchecked
# '''Inter-Client Communication:''' Unchecked
# '''Duplicate Connections:''' Unchecked

'''Client Settings'''
# '''Topology:''' Subnet
# '''DNS Default Domain:''' newvpn
# '''DNS Server 1:''' <code>192.168.5.1</code>
# '''DNS Server 2:''' <code>94.140.14.14</code> (AdGuard DNS)
# '''DNS Server 3:''' <code>94.140.15.15</code> (another AdGuard DNS server)

'''Advanced Client Settings'''
<ol style="list-style-type: decimal;">
<li><p>'''Dynamic IP:''' Checked</p></li>
<li><p>'''Advanced Configuration:'''</p>
<ul>
<li><p>Custom Options:</p>
<pre>tun-mtu 1200; mssfix 1160; push "dhcp-option DNS 192.168.5.1";</pre></li></ul>
</li>
<li><p>'''Gateway Creation:''' IPv4 only</p>
<blockquote><p>'''For the <code>Gateway creation</code> OpenVPN server setting:''' CHOOSE ''IPv4 only''. This will save you lots of hassle and misery later! Explanation at the end of the OpenVPN section.</p></blockquote></li></ol>

<blockquote>'''NOTE:''' Let’s talk about RDRAND. This is the hardware random number generator (RNG) built into Intel processors. It’s fast, easy to use & pfSense might already be using it. '''WARNING: For 99% of the people reading, this will be a total waste of time.'''</blockquote>
<blockquote>'''1. What is RDRAND? Why care?''' RDRAND makes random numbers using your CPU, but it’s a closed-source black box. You can’t see how it works, and there have been concerns that some random number generators might not be as random as you’d like. There are all sorts of [https://www.theregister.com/2013/09/10/torvalds_on_rrrand_nsa_gchq/ pissing matches] going on over this stuff on the internet by people way smarter than you or me.

'''Point being, if you care about privacy or you’re handling sensitive data, you might not want to rely ''solely'' on a system you can’t inspect.''' At the same time, if you’re reading this guide, you’re enough of a newbie that RDRAND is not going to be how someone “gets” you.</blockquote>
<blockquote>'''2. Why not just use RDRAND?''' While it is fast, if the hardware random number generator fails or is compromised, your security goes down without you noticing. A VPN depends on top-notch [https://www.youtube.com/watch?v=9mxE9sEGNmA randomness] for encryption, so you need more than one source of entropy to stay safe.</blockquote>
<blockquote>'''3. How do I make it safer?''' pfSense already mixes entropy from several sources, which includes RDRAND. In most cases, you’re good to go.</blockquote>
<blockquote>'''4. Should I disable it?''' Probably not. RDRAND is fine. Think of it as an ingredient rather than the entire thing.

'''5. Then why did you mention it?''' The ''“uhm, akshually”'' people. They’re in the bushes, always waiting.</blockquote>
<blockquote>'''TL;DR:''' RDRAND isn’t bad, but don’t trust it alone. Let pfSense do its thing and mix it with other entropy sources. If you’re running anything highly sensitive and don’t like trusting Intel, you can disable it—but for most people, you’ll be fine with the default settings.</blockquote>
<span id="step-4-get-.ovpn-file-to-connect-your-phone-to-the-vpn"></span>
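As an added check (example code written for this edit, not part of the FUTO guide or of pfSense), the script below audits an OpenVPN server config against the section 3.2 settings: protocol, TLS authentication, DH size, cipher list and fallback, SHA-512 digest, redirected gateway, compression refused, and the unchecked inter-client/duplicate boxes. It assumes the directive spellings and file paths pfSense writes (<code>proto udp4</code>, <code>data-ciphers</code>, <code>dh /etc/dh-parameters.4096</code>, <code>allow-compression no</code>); both sample configs are constructed, not dumps from a live system.

```python
# Constructed sample of the server config pfSense writes for the section 3.2 settings
# (assumption: directive spellings and paths follow pfSense/OpenVPN 2.5+; not a live dump).
HARDENED = """
proto udp4
auth SHA512
dh /etc/dh-parameters.4096
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
tls-auth /var/etc/openvpn/server1/ta.key 0
topology subnet
server 192.168.6.0 255.255.255.0
push "redirect-gateway def1"
allow-compression no
"""
# Constructed counter-example: the same server with a few settings left at weaker values.
WEAK = HARDENED.replace("udp4", "udp").replace("SHA512", "SHA1").replace(
    "allow-compression no", "comp-lzo adaptive\nclient-to-client\nduplicate-cn")

# Exact values section 3.2 asks for, and directives the unchecked boxes must not produce.
WANTED = {"proto": "udp4", "auth": "SHA512", "topology": "subnet",
          "data-ciphers": "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305",
          "data-ciphers-fallback": "AES-256-CBC", "allow-compression": "no"}
FORBIDDEN = ("comp-lzo", "compress", "client-to-client", "duplicate-cn")

def parse(text):
    """Map each directive to the list of its argument strings; '#'/';' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, _, args = line.partition(" ")
        conf.setdefault(key, []).append(args.strip().strip('"'))
    return conf

def custom_options(field):
    """pfSense splits the 'Custom Options' box on ';' into one directive per line."""
    return "\n".join(p.strip() for p in field.split(";") if p.strip())

def audit(text):
    """Return the section 3.2 settings the config does not match (empty list = compliant)."""
    c = parse(text)
    checks = [(c.get(k) == [v], f"{k} should be '{v}'") for k, v in WANTED.items()]
    checks += [(k not in c, f"{k} must not be set") for k in FORBIDDEN]
    checks += [
        ("tls-auth" in c or "tls-crypt" in c, "TLS authentication is not enabled"),
        (any("4096" in v for v in c.get("dh", [])), "DH parameters are not 4096 bits"),
        (any(p.startswith("redirect-gateway") for p in c.get("push", [])),
         "Redirect IPv4 Gateway is not pushed"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Feed <code>audit()</code> the config pfSense generated for your server after the edit pass; an empty list means every section 3.2 setting is in effect, and each string it returns names the one setting to go back and fix.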