Tuesday, April 22, 2008

pfSense OpenVPN Cheat Sheet

So I'm not going to put every detail, just the stuff that hung me up. So firstly, set up all the certificates etc. as per any of the numerous directions on the web. Make sure to get copies of the certs etc. onto your local box.

Also, in the OpenVPN server configuration that you create in pfSense, you can add the following line in the custom options box:

push "redirect-gateway def1"

This will disable split tunneling, which is my preference. I want to force all my traffic over the VPN so I can surf freely when I'm remote without worrying about violating policies or having my traffic sniffed.

When using this option, you'll also need to set your DNS server info in the OpenVPN server config screen so that it gets pushed to the client (pfSense turns it into a dhcp-option DNS setting for the client). Otherwise the client keeps using the resolver of whatever local network it is sitting on, which is still directly reachable outside the tunnel, so every name lookup leaks to that network even though the rest of the traffic is tunneled. Windows clients apply pushed DNS servers automatically; Linux/BSD clients need an up script that writes them into the resolver config.
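One thing the redirect-gateway line doesn't make obvious: the def1 flag does not replace the client's default route. It adds two more-specific routes, 0.0.0.0/1 and 128.0.0.0/1, through the tunnel, which together cover every address and beat the original 0.0.0.0/0 route. The old default stays in the table, so if the tunnel goes down, traffic quietly falls back to the local gateway. The script below is an added example, not part of the original post: it checks a client's routing table for both halves. It assumes a Linux or BSD client (ip route or netstat -rn output); the Windows route print layout is different and not handled. The sample tables, tunnel network 10.8.0.0/24 and LAN gateway 192.168.1.1 are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a pushed
# "redirect-gateway def1" took effect on a connected client.
#
# Input: the client's routing table as text on stdin, either Linux "ip route"
# form (0.0.0.0/1 via 10.8.0.5 dev tun0) or BSD "netstat -rn" form
# (0.0.0.0/1  10.8.0.5  UGS  tun0). Prints "full-tunnel" when both /1 routes
# go through a tun device and returns 0; prints "split" and returns 1 otherwise.
check_def1_routes() {
    awk '
        $1 == "0.0.0.0/1"   && /tun[0-9]+/ { lo = 1 }
        $1 == "128.0.0.0/1" && /tun[0-9]+/ { hi = 1 }
        END {
            if (lo && hi) { print "full-tunnel"; exit 0 }
            print "split"; exit 1
        }'
}

# Constructed sample tables (not captured from a real host); the tunnel
# network 10.8.0.0/24 and LAN gateway 192.168.1.1 are assumptions.
# Note the original default route is still present even in the good case.
GOOD_TABLE='default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Only the VPN subnet is routed: the server did not push redirect-gateway,
# or the client config lacks "pull".
SPLIT_TABLE='default via 192.168.1.1 dev eth0
10.8.0.0/24 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# On a live client:  ip route | check_def1_routes   (or: netstat -rn | check_def1_routes)
printf '%s\n' "$GOOD_TABLE"  | check_def1_routes || echo "default route not redirected"
printf '%s\n' "$SPLIT_TABLE" | check_def1_routes || echo "default route not redirected"
```

Because the fallback default route survives, a laptop on hostile wifi is only protected while the tunnel is up; treat a "split" result after connecting as a misconfiguration, not a cosmetic issue.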

So firstly, below is a copy of my working client config:

# Accept packets from any source address, so a server behind NAT or with a
# changing address still works; "ping 10" below keeps the session alive.
float
# Normally 1194/UDP, but TCP 443 gets past more client-side filters. The pfSense
# webGUI listens on 443 by default, so move the GUI to another port and restart
# the firewall first; otherwise OpenVPN cannot bind 443 and it won't work.
port 443
dev tun
# "ovpn" is the name of the TAP adapter/connection you create as per the
# standard documentation (dev-node is only needed on Windows clients).
dev-node ovpn
proto tcp-client
remote vpn.mysite.com 443
ping 10
persist-tun
persist-key
tls-client
# Obviously replace the cert and key names below with whatever you created.
ca ca.crt
cert mine.crt
key mine.key
# Only accept a certificate that was issued as a server cert, so another
# client's cert cannot be used to impersonate the server. ns-cert-type was
# removed in OpenVPN 2.5; on current versions use "remote-cert-tls server"
# and issue the server cert with the TLS Web Server Authentication EKU.
ns-cert-type server
# This is something that really messed me up. I had set AES-256 on the FW, but
# none of the instructions mentioned that you have to set the cipher on the
# client side too. Even worse, the client-side logs don't mention cipher issues.
# I eventually found out this was an issue from the server logs.
cipher AES-256-CBC
# Must match the server setting. Compression over a VPN is discouraged in
# current OpenVPN releases; leave it off on both ends unless required.
comp-lzo
# Accept the routes, DNS servers and other options the server pushes; without
# this the redirect-gateway push on the server is ignored.
pull
verb 4
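Since the cipher mismatch only shows up on the server side, here is a small check you can run on the firewall against the OpenVPN log. It is an added example, not from the original post. When OpenVPN compares the two sides' options during the handshake it logs a line of the form WARNING: 'cipher' is used inconsistently, local='cipher X', remote='cipher Y'; seen from the server, local is the server's cipher and remote is the client's. The log lines below are constructed for the example (peer addresses 203.0.113.7 and 198.51.100.9, hostname fw, pid 42 are made up), and the log path /var/log/openvpn.log in the usage note is an assumption for your pfSense version.

```shell
#!/bin/sh
# Added example (not from the original post): pull cipher mismatches out of
# the server-side OpenVPN log. Input is log text on stdin; output is one line
# per mismatch: "<client addr:port> server=<cipher> client=<cipher>".
find_cipher_mismatch() {
    sed -n "s/.* \([^ ]*\) WARNING: 'cipher' is used inconsistently, local='cipher \([^']*\)', remote='cipher \([^']*\)'.*/\1 server=\2 client=\3/p"
}

# Constructed sample log (not a real capture). The first client connects with
# the OpenVPN default BF-CBC because its config never set "cipher"; the second
# only trips the harmless link-mtu warning, which the filter must ignore.
sample_log() {
cat <<'EOF'
Apr 22 20:01:10 fw openvpn[42]: 203.0.113.7:51234 TLS: Initial packet from [AF_INET]203.0.113.7:51234
Apr 22 20:01:11 fw openvpn[42]: 203.0.113.7:51234 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Apr 22 20:01:11 fw openvpn[42]: 203.0.113.7:51234 Authenticate/Decrypt packet error: cipher final failed
Apr 22 20:02:30 fw openvpn[42]: 198.51.100.9:40022 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
Apr 22 20:02:31 fw openvpn[42]: 198.51.100.9:40022 [client2] Peer Connection Initiated with [AF_INET]198.51.100.9:40022
EOF
}

# On the firewall (log path is an assumption):
#   find_cipher_mismatch < /var/log/openvpn.log
sample_log | find_cipher_mismatch
```

The client whose connection "just hangs" is the one that shows up here; fix its cipher line rather than loosening the server to match.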

You have to create a firewall rule on the WAN interface allowing TCP to the WAN address on port 443, or whatever port you are using. You don't have to create an incoming NAT (port forward) though, because the VPN terminates on the firewall itself rather than on a host behind it.

This will get you VPN'd into your network. However, if you want to be able to tunnel out to the internet as well, traffic from the VPN address pool has to be NATed to the WAN address the same way LAN traffic is, so you have to add a manual outbound NAT rule for the VPN IP address pool you created. Go into Firewall > NAT and click on the Outbound tab.

You'll have to set it to manual outbound NAT and add a rule. Leave the interface set to WAN, enter your VPN IP pool as the source (destination any) and leave the translation as the interface address. Without this rule the packets leave the WAN with a tunnel-pool source address and the replies never come back. Newer pfSense versions also offer a Hybrid mode that keeps the automatic rules and lets you add just this one on top.
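To confirm the rule actually made it into pf (rather than just into the GUI), you can check the loaded translation rules from a shell on the firewall. This is an added example, not from the original post: pfctl -sn lists the active nat rules, one per line, as nat on <wan_if> inet from <source> to any -> <translation> ..., and the function below looks for a rule whose source is the tunnel network. The sample pfctl output, the WAN interface em0, the WAN address 203.0.113.1 and the tunnel network 10.0.8.0/24 are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): confirm on the firewall that the
# outbound NAT rule for the VPN tunnel network is loaded into pf.
# Input: "pfctl -sn" output on stdin; $1 is the tunnel network in CIDR form.
# Prints "nat-present" (status 0) or "nat-missing" (status 1).
check_vpn_outbound_nat() {
    net="$1"
    awk -v net="$net" '
        $1 == "nat" && $2 == "on" {
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i + 1) == net) found = 1
        }
        END {
            if (found) { print "nat-present"; exit 0 }
            print "nat-missing"; exit 1
        }'
}

# Constructed sample of "pfctl -sn" output (not captured from a real firewall):
# the LAN rule pfSense generates plus the manual rule added for the VPN pool.
sample_pf_nat() {
cat <<'EOF'
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.1 port 1024:65535
nat on em0 inet from 10.0.8.0/24 to any -> 203.0.113.1 port 1024:65535
EOF
}

# On the firewall:  pfctl -sn | check_vpn_outbound_nat 10.0.8.0/24
sample_pf_nat | check_vpn_outbound_nat 10.0.8.0/24
sample_pf_nat | check_vpn_outbound_nat 10.0.9.0/24 || echo "add the outbound rule for this pool"
```

If the rule is listed but clients still can't reach the internet, check that the pool you entered in the rule is the same tunnel network you configured on the OpenVPN server page; a typo there is the usual cause.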

You should be ready to rock and roll fully tunneled now.
