Connect to Pritunl OpenVPN server from pfsense

This guide will help you connect to Pritunl OpenVPN server from pfsense.

I was looking for an easy way to make new OpenVPN users, adjust server settings, view logs, etc. I was thinking how nice it would be if I could do all of this from a web interface, so I began searching around for what was available. To be honest there were not many options out there, especially not mature ones. From what I could see it came down to OpenVPN Access Server, or Pritunl. I ended up going with Pritunl because it was free and open source, no user restrictions, decent documentation, etc.

This guide does not cover the actual Pritunl server setup, you can reference their docs for that. What this guide covers is connecting pfsense to your new Pritunl server.


  1. First login to Pritunl and note down which port, network, Encryption Cipher, and Hash Algorithm you are using for your OpenVPN virtual network. We will need this for step 8.

Pritunl pfsense guide image 01

  1. Make a new client only for pfsense, name it pfsense or something else descriptive. To go this, in Pritunl go to ‘users’ on the top bar, then click ‘Add user’.

Pritunl pfsense guide image 02

  1. Download the client configuration, we will need the cert details for the next step.

Pritunl pfsense guide image 03

  1. We need to do two things before we can begin creating the OpenVPN client connection, we need to make a new CA and server certificate in the Certificate Manager. This is needed before making the OpenVPN client connection. When you use the .ovpn file directly the cert information is in the config already, but with pfsense we cannot do that. Instead we need to put that same certificate information in a different place. Lets start with the CA.

Between <ca> and </ca> copy the from the beginning of the line where it says BEGIN CERTIFICATE and to the very end of the line where it says END CERTIFICATE. Assure to include all the dashes, do not have a space at the beginning or end of the dashes.

Pritunl pfsense guide image 04

  1. After the CA is done, its time for the server certificate.

Between cert> and </cert> copy the from the beginning of the line where it says BEGIN CERTIFICATE and to the very end of the line where it says END CERTIFICATE. Paste this into the Certificate data field.

Do the same for the Private key field, copy between <key> and </key>. Assure to include all the dashes, do not have a space at the beginning or end of the dashes.

Pritunl pfsense guide image 05

  1. Go to the VPN tab and then select OpenVPN. In the client tab select to make a new client.

Pritunl pfsense guide image 06

  1. Before starting with the general configuration, we need one more detail from the OpenVPN client config and that is the static TLS key. Copy between <tls-auth> and </tls-auth>, assure to include all the pound signs, do not have a space at the beginning or end of the dashes or pound signs.

Pritunl pfsense guide image 07

  1. For the client configuration fill out the following details. Keep the default settings for everything else that is not mentioned here. Change these settings only.
ConfigDescription
Server host or addressEnter the DNS name or server IP of your Pritunl server.
Server portEnter the Pritunl OpenVPN server port number you noted down from step one.
DescriptionOpenVPN client to Pritunl VPN server
Automatically generate a TLS Key.Uncheck this checkbox.
TLS KeyWe will copy the TLS key from step seven into this field.
Peer Certificate AuthoritySelect the CA from the list that you made in step four.
Client CertificateSelect the CA from the list that you made in step five.
Encryption AlgorithmDefaults to AES-128-CBC in Pritunl, GCM is used when available. Enter the Encryption Cipher you noted down from step one.
Auth digest algorithmDefaults to SHA-1 in Pritunl. Enter the Hash Algorithm you noted down from step one.
IPv4 Tunnel NetworkEnter the network address you noted down from step one.
Don’t pull routesCheck this box.
Gateway creationIPv4 only
Verbosity level3 (recommended)
  1. Click save and then go to check the status and log pages in PfSense. The connection should establish. If not check the logs in both Pritunl and pfsense.

Notes:

  • Once the client is configured, you need rules setup to direct traffic to this new network interface.
  • pfSense OpenVPN docs