Server configuration with the wizard

One way you can set up an OpenVPN server easily is to use the server configuration wizard. To do so, click on the Wizards tab. The first option is the Type of Server drop-down box. The options are as follows:

  • Local User Access: OpenVPN access with authentication through certificates, managed through the pfSense Certificate Authority Manager
  • LDAP: Authentication through an LDAP (Lightweight Directory Access Protocol, a vendor-neutral protocol for directory services) server
  • RADIUS: Authentication through a RADIUS (Remote Authentication Dial-In User Service) server

If you choose Local User Access, the wizard allows you to choose an existing CA/server certificate (if any exist), or you can create a new CA in this step. If you opt for the latter, you must enter a non-parsed descriptive name, the Key length (in bits), Lifetime (in days), as well as the Country Code, State or Province, City, Organization, and E-mail. When you have entered all this information, click on the Add new CA button. On the next screen, the wizard will prompt you to create a new server certificate. The fields will be auto-filled with the information you entered in the previous step. If you do not need to make any changes, you can click on the Create new Certificate button and move on to the next screen.

The final screen is the Server Setup screen. This screen mirrors the server configuration page we covered in the previous section, although it does have some options not available from that page. The Inter-Client Communication checkbox, if checked, allows communication between clients connected to the server. The Duplicate Connections checkbox, if checked, allows multiple concurrent connections using the same common name.

The Client Settings section has several more options not available on the server configuration page. The Dynamic IP option allows connected clients to retain their connections if their IP address changes. If you want to force reauthentication when a client changes IP address, uncheck this option. The Address Pool option provides a virtual IP address to clients (the IP subnet is defined in Tunnel Network, covered in the previous section). The Topology drop-down allows you to choose the method used to supply a virtual IP address to clients when using TUN mode on IPv4. There are two modes available:

  • Subnet – One IP address per client in a common subnet: This is the default option.
  • net30 – Isolated /30 network per client: This gives each client a subnet with two IP addresses (2^2 – 2 = 4 – 2 = 2). This may be necessary for older versions of OpenVPN (before 2.0.9) or some older clients.
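The capacity difference between the two topologies is worth working out before you pick a Tunnel Network. The following Python example is added here and is not from the book or from pfSense; it assumes the standard OpenVPN layout for net30 (the first /30 is taken by the server, and in each client /30 the client address is base+2 and its server-side endpoint is base+1) and, for subnet topology, that the server takes the first host address.

```python
import ipaddress

def subnet_topology_pool(tunnel_net):
    """Topology 'subnet': one address per client from a common subnet.
    Network, broadcast and the server's own (first host) address are not
    handed out, so a /24 yields 253 client addresses."""
    net = ipaddress.ip_network(tunnel_net, strict=True)
    hosts = list(net.hosts())
    server = hosts[0]                         # assumption: server = first host
    clients = [str(h) for h in hosts[1:]]
    return str(server), clients

def net30_topology_pool(tunnel_net):
    """Topology 'net30': an isolated /30 per client, 2 usable addresses each.
    Assumption (standard OpenVPN behaviour): block 0 belongs to the server
    (server = base+1); every later block is one client, with the client
    address at base+2 and its server-side endpoint at base+1."""
    net = ipaddress.ip_network(tunnel_net, strict=True)
    blocks = list(net.subnets(new_prefix=30))
    server = blocks[0][1]
    clients = [(str(b[2]), str(b[1])) for b in blocks[1:]]
    return str(server), clients

def compare_topologies(tunnel_net):
    """Summarise how many clients each topology supports for one pool."""
    s_server, s_clients = subnet_topology_pool(tunnel_net)
    n_server, n_clients = net30_topology_pool(tunnel_net)
    return {
        "subnet": {"server": s_server, "max_clients": len(s_clients)},
        "net30": {"server": n_server, "max_clients": len(n_clients)},
    }

if __name__ == "__main__":
    # Constructed sample pool, the usual OpenVPN default tunnel network.
    for topo, info in compare_topologies("10.8.0.0/24").items():
        print(f"{topo:7s} server={info['server']:10s} max_clients={info['max_clients']}")
    # First two client allocations under net30: (client, server endpoint)
    print(net30_topology_pool("10.8.0.0/24")[1][:2])
```

Running it shows a /24 serving 253 clients in subnet mode but only 63 in net30 mode, which is why net30 is only worth choosing for the older clients mentioned above.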

In the DNS Default Domain edit box, you can provide a default domain to clients. There are four edit boxes where you can enter DNS server IP addresses. There are also two edit boxes where you can enter IP addresses for NTP servers. The Enable NetBIOS over TCP/IP checkbox, if checked, allows you to use NetBIOS over a TCP/IP network (if you intend to do so, you should choose TCP as your protocol).

The NetBIOS Node Type allows you to select the way pfSense resolves NetBIOS names to IP addresses. The options are:

  • b-node: Broadcast
  • p-node: Point-to-point, or peer, queries to a WINS server
  • m-node: Mixed; broadcast first, then WINS
  • h-node: Hybrid; WINS first, then broadcast

NetBIOS Scope ID allows you to provide an ID for an extended naming service, which isolates NetBIOS traffic onto a single network to only those nodes with the same scope ID. Finally, there are two edit boxes for WINS servers. You can click on the Next button when you are done making changes.

The next step of the wizard covers configuration of the firewall rules. You need two rules for an OpenVPN tunnel: a rule to permit connections on the OpenVPN port, and a rule to allow traffic to pass inside the VPN tunnel. This page enables you to easily create both rules, simply by checking the appropriate checkboxes. If you previously set up an OpenVPN tunnel, you probably don't need to create these rules. When you are done making changes, click on the Next button. You should see a message on the next page acknowledging that the configuration is complete; click on the Finish button on this page.
