@@rpsmith some people just don’t have the time to learn or don’t care to learn. i don’t know their particular situation but it’s not impossible that they just needed a vpn deployed and it was more cost effective to hire LTS rather than learning how to do it
Thank you for the updated video! I just deployed a new pfSense system at home and have been having issues. I no longer feel like an idiot after watching this video. I have everything working now with the exception of one device. I will deal with it at another time.
While I have a Tailscale connection(inactive) to the work network from my home network, I still connect using openVPN. I have to make some changes to it. Thank you Tom for this timely video.
Every CPU made in the last 10 years supports AES-NI instructions (including mobile), usually with multiple gigaBYTEs per second of encryption throughput. AVX-512 is needed to accelerate ChaCha, so I'm sticking with OpenVPN for the foreseeable future.
I'm stuck in the user certificate part. I don't see my created user in the client export section. Do I need to paste an Authorized SSH Key in the Keys section of the user?
The Reason you would USE AES-256 is because it is HIPPA secure. Last i checked, If you store patient files or transfer files for healthcare system, you need to use AES-256 by HIPPA law.
OpenVPN GUI client on Windows now includes Pre-Logon Access Provider support. Would love to see you cover configuration for PLAP (aka Start Before Login or SBL)...
Thanks for videos like this, very easy to follow. I have a Cisco RV220W. Pf sense installed on a protecli box. Is there a way to have in and out traffic flow thru the RV220 vpn? Vs using norvpn or openvpn?
I just want to be able to connect to my home network so things like CZcams tv sees me as home when I am away. What is the best and easiest way to do that in pfsense?
Thanks Tom. Great video. The only problem is pfblockerng blocks my client access via openvpn. I can overcome this issue by placing my openvpn firewall rule on top of the pfblockerng rules but every time I do it, pfblockerng reorders the rules and put the openvpn rule below pfblockerng rules. So, I could not find a solution. Any help?
@@LAWRENCESYSTEMS Yes, if I remove the GeoIP Top Spammers rule then openvpn works. But, I would prefer to be able to change the orders of rules instead of removing Top Spammers rule. However, pfblocker does not let me change the rule orders and I do not know how to do that. Anyway, thank you so much Tom.
Have an issue with this. I followed the steps you did and after finish, I get "No configuration found, please try again" and it took me to Step 2 of 11 to create a LDAP Server configuration? Not sure what I did wrong. Any guidance would be appreciated.
Hi Tom, thank for this. I'm considering per user certificate auth and this is quite useful. Any disadvantage for using OpenVPN Connect (GUI). Our users find that easier to use than the default OpenVPN client downloaded through the export wizard in pfsense.
I have used both in production daily for 24/7 monitoring, and I can attest that both work flawlessly compared to other VPNs. Troubleshooting from either is a breeze. I even prefer it over global protect, forticlient, and all the others I've used over the years in work and in my home lab. Would love to hear any other insights other viewers have to offer!
Hi, how can I get that cool footer on the terminal dysplaying IP addresses and other info? I tryed to search online but I found nothing like that... FOUND IT IN ANOTHER VIDEO! Tmux!!
I would like to monitor all my VPN Clients currently on pfsense Status/OpenVPN i see "Client Connections" if they are connected but i would also like to see client that arent connected on the Status Dashboard, any suggestions?
Question. I have PFSense set up for our Web Servers. I do not want to mess with anything on that box that will take down our web servers. So, my question is this. Would it be best to install PFSense in VMWare ESXi VM and then route my traffic through that machine instead of messing with the existing working PFSense box? Thanks.
So, I should be able to run the VPN on that same machine without an issue? Do you have an article or something I can read or watch where these two things have run on the same machine? Just want to cover all bases before I do this.
Every time I setup Surfshark on my PFSense router, it cuts my download speeds drastically from 600-800 Gbs to 15-25Gbs. No one seems to know why. Only thing I can figure is I’m setting something wrong forcing it to eat up my speeds.
What if you want your staff openvpn users to different Subnet access than your admin account, can you create a second server setup and simply change the port during setup?
@@LAWRENCESYSTEMS Thank you, if I simply copied the current server and changed port and added one of the same subnets in the other server will that cause my admin account to possibly drop? Since we will both have access to the same subnet.
Probably, depending on how it's implemented. I'd say it's at the ISP level and connecting to a VPN outside the ban zone would allow downloading and usage of the app. I don't like toktok but I don't support the ban and I'm hopeful that it will be repealed.
@@Destroyer954 cuz no user management. Wireguard is good for homelabbers. Not so ideal for business use with multiple users. Wireguard isn't insecure, though it lacks a certain level of security that OpenVPN does not
I just added TOTP to opnsense in a sitting. There's docs and some forum discussions available. Just set up the users, generate seeds, switch vpn auth on the server and add the challenge option to client config
Rather than set it up myself, I clicked the "Hire Us" button, and his people did it for me!
This is fairly basic stuff if you just follow Tom's video. Sounds like you missed a great opportunity to learn something new.
@@rpsmith some people just don’t have the time to learn or don’t care to learn. i don’t know their particular situation but it’s not impossible that they just needed a vpn deployed and it was more cost effective to hire LTS rather than learning how to do it
@@majoryoshi What keeps us in business and relevant.
Thank you for the updated video! I just deployed a new pfSense system at home and have been having issues. I no longer feel like an idiot after watching this video. I have everything working now with the exception of one device. I will deal with it at another time.
Another great video. It's one thing to know this stuff, it's quite another to be able to give instructions in an easy to follow manner.
While I have a Tailscale connection(inactive) to the work network from my home network, I still connect using openVPN. I have to make some changes to it. Thank you Tom for this timely video.
Worked perfectly, thank you. I always enjoy your pfsense content !
Every CPU made in the last 10 years supports AES-NI instructions (including mobile), usually with multiple gigaBYTEs per second of encryption throughput. AVX-512 is needed to accelerate ChaCha, so I'm sticking with OpenVPN for the foreseeable future.
Great alternative to paying for OpenVPN Access Server
I'm stuck in the user certificate part. I don't see my created user in the client export section. Do I need to paste an Authorized SSH Key in the Keys section of the user?
Nice vids, the client export is so nice, click, clack, take the file : )
You are very smart I'm looking for vpn firewall rules
Excellent video, really helpful and clearly explained. Many thanks!
11:07 User Auth: no need to re-generate a new certicate for everybody, just change the password of the compromised user.
This will save me so much time tomorrow, I thank you!
Thank you for this updated video.. It helped me in earlier setup and this will help me in future.. ✌️
The Reason you would USE AES-256 is because it is HIPPA secure. Last i checked, If you store patient files or transfer files for healthcare system, you need to use AES-256 by HIPPA law.
OpenVPN GUI client on Windows now includes Pre-Logon Access Provider support. Would love to see you cover configuration for PLAP (aka Start Before Login or SBL)...
Even though you don't use L2TP/IPsec, is there any chance you could still do a video walk through on how to setup one up?
Thanks for sharing
Thanks for yet another awesome video!!!!!! 🙂
Thanks for videos like this, very easy to follow. I have a Cisco RV220W. Pf sense installed on a protecli box. Is there a way to have in and out traffic flow thru the RV220 vpn? Vs using norvpn or openvpn?
Hi. Your explanation about User Auth vs TLS/SSL + User Auth was VERY confusing. I could not distinguish the difference from your description.
Personally, I like to add geo blocking to my server, its setup to only allow inbound from AU IP ranges.
I need a tutorial about certificates ^ self/CA/SC...?
Nice update!!!
Thanks!
Thank you very much!
I just want to be able to connect to my home network so things like CZcams tv sees me as home when I am away. What is the best and easiest way to do that in pfsense?
Thanks Tom. Great video. The only problem is pfblockerng blocks my client access via openvpn. I can overcome this issue by placing my openvpn firewall rule on top of the pfblockerng rules but every time I do it, pfblockerng reorders the rules and put the openvpn rule below pfblockerng rules. So, I could not find a solution. Any help?
Remove the rules in pfblocker that is blocking clients
@@LAWRENCESYSTEMS Yes, if I remove the GeoIP Top Spammers rule then openvpn works. But, I would prefer to be able to change the orders of rules instead of removing Top Spammers rule. However, pfblocker does not let me change the rule orders and I do not know how to do that. Anyway, thank you so much Tom.
The QAT 3 link specifically says NO QAT used to get the speed up...unless I am misinterpreting, " no QAT here. Just CPU."
Current available versions of QAT DO NOT but version three which I don't think is available yet is supposed to work
A NAT rule forwarding ports to my honeypot (SANS dshield) is interfering with the configuration. Not sure how to solve this.
Great as always thanks for the guide
Thanks for that! Please how can i fix this problem "enable to retrieve package information"
Have an issue with this. I followed the steps you did and after finish, I get "No configuration found, please try again" and it took me to Step 2 of 11 to create a LDAP Server configuration? Not sure what I did wrong. Any guidance would be appreciated.
Hi Tom, thank for this. I'm considering per user certificate auth and this is quite useful.
Any disadvantage for using OpenVPN Connect (GUI). Our users find that easier to use than the default OpenVPN client downloaded through the export wizard in pfsense.
Not sure, we just use the download from pfsense.
I have used both in production daily for 24/7 monitoring, and I can attest that both work flawlessly compared to other VPNs. Troubleshooting from either is a breeze. I even prefer it over global protect, forticlient, and all the others I've used over the years in work and in my home lab. Would love to hear any other insights other viewers have to offer!
Hi, how can I get that cool footer on the terminal dysplaying IP addresses and other info? I tryed to search online but I found nothing like that...
FOUND IT IN ANOTHER VIDEO! Tmux!!
the windows client is using the DCO interface by default which is very annoying , i have to always configure this for our staff
Openssl speed -avg cipher in my case chachapoly always give less results than aes-128 / 256.
Great video, thx Tom. If I change Cipher Choices, will I have to reissue the client configs via export?
Yes, or you could edit the configs on each client so they match.
HI Tom, I am beijg ptompted to enter a key password as well when trying to connect where would Ibget this from?
I would like to monitor all my VPN Clients currently on pfsense Status/OpenVPN i see "Client Connections" if they are connected but i would also like to see client that arent connected on the Status Dashboard, any suggestions?
nope, it only shows connected clients.
Question.
I have PFSense set up for our Web Servers. I do not want to mess with anything on that box that will take down our web servers.
So, my question is this.
Would it be best to install PFSense in VMWare ESXi VM and then route my traffic through that machine instead of messing with the existing working PFSense box?
Thanks.
Setting up OpenVPN should not break pfsense and I always prefer to run pfsense on bare metal.
So, I should be able to run the VPN on that same machine without an issue?
Do you have an article or something I can read or watch where these two things have run on the same machine?
Just want to cover all bases before I do this.
@@WayneBarroncffcs I have OpenVPN on the system that I did this video with.
Tom - do you guys use/recommend using compression with ovpn? or only do you enable it in your demos?
As stated in the video leaving it off is most secure so we leave it off.
If you're just using vpn for one user, is there still a need for SSL/TLS + user auth?
Not really a need for just one user.
Every time I setup Surfshark on my PFSense router, it cuts my download speeds drastically from 600-800 Gbs to 15-25Gbs. No one seems to know why. Only thing I can figure is I’m setting something wrong forcing it to eat up my speeds.
Can surfShark servers even handle faster connections than that?
What if you want your staff openvpn users to different Subnet access than your admin account, can you create a second server setup and simply change the port during setup?
Yes, you can have multiple servers.
@@LAWRENCESYSTEMS Thank you, if I simply copied the current server and changed port and added one of the same subnets in the other server will that cause my admin account to possibly drop? Since we will both have access to the same subnet.
Hi Tom, is it possible to use an external DHCP Server instat of the ip pool?
I am not aware of a way to do that.
I'm not and I don't but can VPN technology overcome Montana's Tik Tok ban?
Probably, depending on how it's implemented. I'd say it's at the ISP level and connecting to a VPN outside the ban zone would allow downloading and usage of the app. I don't like toktok but I don't support the ban and I'm hopeful that it will be repealed.
Why not just use Wireguard? It's been out long enough to prove itself.
Does wireguard have good auth options for end users? I know tailscale solves that but native wireguard doesn't
@@Destroyer954 TailScale and similar are magic but you lose a lot of performance from native WireGuard line speeds.
@@Destroyer954 cuz no user management. Wireguard is good for homelabbers. Not so ideal for business use with multiple users. Wireguard isn't insecure, though it lacks a certain level of security that OpenVPN does not
22 years vs 8. And why do people care so much about what other people use? He does have wireguard videos you know.....
Because OpenVPN can do things that Wireguard can't.
With wireguard being a thing now. What / if any performance benefit is there to openvpn vs wireguard?
Depends on use case.
different use case..really.
I used OpenVPN in pfSense and it was great. But then I changed ISP and now I'm behind CGNAT so can't use it anymore.
Can't you buy a static IPv4 off your ISP?
@@TheCheshireCat. not possible on Starlink :)
dynamic dns?
@@sammo7877 not working behind CGNAT
Purchase a VPS and send a static ip over a gre tunnel
What about adding mfa to the vpn?
Having certificate and user authentication is MFA.
I just added TOTP to opnsense in a sitting. There's docs and some forum discussions available. Just set up the users, generate seeds, switch vpn auth on the server and add the challenge option to client config
First