Author: Rico Wu
Environment: OPNsense 25.x
Use case: Remote work, branch office connectivity, employee VPN
1️⃣ Why OPNsense + OpenVPN?
OpenVPN is an open-source VPN protocol built on TLS: secure, cross-platform, and reliable, and easy to pass through NAT because it needs only a single UDP (or TCP) port.
OPNsense provides a built-in GUI for managing OpenVPN — allowing administrators to quickly deploy:
- ✅ Remote Access VPN for employees
- ✅ Site-to-Site VPN between offices
- ✅ User-based certificate authentication
- ✅ One-click .ovpn configuration export
This makes OPNsense a strong, cost-free VPN gateway for modern hybrid work.
2️⃣ Create the OpenVPN Server
Step 1 — Create a Certificate Authority (CA)
System → Trust → Authorities → +Add
Descriptive name: VPN_CA
Method: Create an internal Certificate Authority
Key length: 4096
Digest algorithm: SHA256
Lifetime: 3650
Step 2 — Create the Server Certificate
System → Trust → Certificates → +Add
Descriptive name: VPN_Server
Method: Create an internal Certificate
Certificate Authority: VPN_CA
Type: Server Certificate
Lifetime: 1095
The type matters: “Server Certificate” gives the certificate the server (serverAuth) extended key usage. Exported client profiles verify this with remote-cert-tls server, which is what stops a stolen user certificate from being used to impersonate the VPN gateway.
Step 3 — Configure the OpenVPN Server
VPN → OpenVPN → Servers → +Add
Recommended settings:
| Field | Value |
|---|---|
| Server Mode | Remote Access (SSL/TLS + User Auth) |
| Backend for authentication | Local Database |
| Protocol | UDP |
| Interface | WAN |
| Local port | 1194 |
| Peer Certificate Authority | VPN_CA |
| Server Certificate | VPN_Server |
| Tunnel Network | 10.8.0.0/24 |
| Local Network | 192.168.1.0/24 |
| Encryption | AES-256-GCM |
| Auth Digest | SHA256 |
| TLS Authentication | Enabled - Authentication & encryption (tls-crypt) |
| Redirect Gateway | ✅ |
Two things to get right here. The Tunnel Network must not overlap any office subnet or the typical home networks your users connect from (192.168.0.0/24 and 192.168.1.0/24 are common at home, which is why 10.8.0.0/24 is used for the tunnel). Redirect Gateway makes the tunnel the client's default route (full tunnel); leave it unchecked if you only want a split tunnel to the Local Network.
Save and Apply.
3️⃣ Create Users and Certificates
System → Access → Users → +Add
Username: rico
Password: *****
Click “Create Certificate” → choose VPN_CA → type: User Certificate. Keep the certificate's common name identical to the username; the server's “Strict User/CN Matching” option depends on it, and enabling it prevents one user's password from being used with another user's certificate.
4️⃣ Export Client Configuration
VPN → OpenVPN → Client Export
Select your VPN server and user, then choose:
- “File Only” → a single .ovpn file with the CA, certificate, key and tls-crypt key embedded
- “Windows Installer” → prepackaged setup
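Before handing an exported profile to a user, it is worth confirming it actually carries the settings chosen in Step 3 (UDP on 1194, a tls-crypt key, AES-256-GCM, SHA256 and remote-cert-tls server). The script below is an added example and is not part of this guide or of OPNsense; the profile it writes is a constructed stand-in for a “File Only” export, and the hostname vpn.example.com and the certificate and key bodies are placeholders.

```shell
#!/bin/sh
# Added example (not from the guide or OPNsense): audit an exported client
# profile against the server settings recommended above.

# Constructed sample resembling an OPNsense "File Only" export. Hostname and
# certificate/key bodies are placeholders, not real material.
write_sample_ovpn() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
auth SHA256
data-ciphers AES-256-GCM
tls-client
<ca>
-----BEGIN CERTIFICATE-----
(placeholder CA body)
-----END CERTIFICATE-----
</ca>
<cert>
(placeholder user certificate)
</cert>
<key>
(placeholder user private key)
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(placeholder key body)
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# has_directive FILE REGEX: true if a non-comment line matches REGEX
has_directive() {
    grep -v '^[#;]' "$1" | grep -Eq "$2"
}

# audit_ovpn FILE: print every failed check; return 0 only if all pass
audit_ovpn() {
    f="$1"; rc=0
    has_directive "$f" '^remote[[:space:]]+[^[:space:]]+[[:space:]]+1194([[:space:]]+udp)?$' \
        || { echo "FAIL: no 'remote <host> 1194' line"; rc=1; }
    has_directive "$f" '^proto[[:space:]]+udp' \
        || { echo "FAIL: protocol is not UDP"; rc=1; }
    has_directive "$f" '^<tls-crypt>$|^<tls-auth>$|^tls-crypt[[:space:]]|^tls-auth[[:space:]]' \
        || { echo "FAIL: TLS Authentication key missing (tls-crypt/tls-auth)"; rc=1; }
    has_directive "$f" '^(data-ciphers|cipher)[[:space:]]+.*AES-256-GCM' \
        || { echo "FAIL: AES-256-GCM not offered"; rc=1; }
    has_directive "$f" '^auth[[:space:]]+SHA256$' \
        || { echo "FAIL: auth digest is not SHA256"; rc=1; }
    has_directive "$f" '^remote-cert-tls[[:space:]]+server$' \
        || { echo "FAIL: remote-cert-tls server missing (server impersonation risk)"; rc=1; }
    has_directive "$f" '^<ca>$' \
        || { echo "FAIL: no embedded CA"; rc=1; }
    return $rc
}

# Self-check: the sample passes, a weakened copy (TCP, no remote-cert-tls) fails.
tmp="${TMPDIR:-/tmp}/ovpn-audit-$$"; mkdir -p "$tmp"
write_sample_ovpn "$tmp/rico.ovpn"
audit_ovpn "$tmp/rico.ovpn" && echo "rico.ovpn: OK"
sed -e '/remote-cert-tls/d' -e 's/^proto udp/proto tcp/' "$tmp/rico.ovpn" > "$tmp/weak.ovpn"
audit_ovpn "$tmp/weak.ovpn" || echo "weak.ovpn: rejected"
rm -rf "$tmp"
```

Run it as `sh audit.sh` on a Linux client, or point `audit_ovpn` at the real export; the checks use only grep, so they work on any POSIX shell.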
5️⃣ Client-Side Setup
🪟 Windows
- Install OpenVPN Connect (or the community OpenVPN GUI)
- Import the .ovpn file
- Click Connect
🐧 Linux
sudo apt install openvpn
sudo openvpn --config rico.ovpn
🍏 macOS / iOS / Android
Use OpenVPN Connect App, import file, and connect.
6️⃣ Allow Access to Multiple Internal Networks
If your internal network has multiple subnets:
LAN1: 192.168.1.0/24
LAN2: 192.168.2.0/24
In VPN → OpenVPN → Servers → Routing → Local Network:
192.168.1.0/24,192.168.2.0/24
Then add a firewall rule on the OpenVPN interface so tunnel clients may reach them:
Firewall → Rules → OpenVPN
Action: Pass
Source: 10.8.0.0/24
Destination: any
“Destination: any” is the quickest way to get traffic flowing; for least privilege, replace it with an alias containing only the internal subnets (and, if users need Internet through a full tunnel, a second rule for that), so a compromised laptop on the VPN cannot reach the firewall's management interface or other networks by default.
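OPNsense turns each entry in Local Network into a route pushed to the client, and a Tunnel Network that overlaps one of those subnets silently breaks access to it. The script below is an added example, not part of the guide or of OPNsense's own code: it prints the push directives the server will send for the Local Network value above and checks the tunnel against each subnet for overlap. The CIDR-to-netmask arithmetic and the overlap test are plain POSIX shell; the subnet values are the ones used in this section.

```shell
#!/bin/sh
# Added example (not from the guide or OPNsense): what "Local Network" becomes
# on the wire, plus an overlap check against the Tunnel Network.

# prefix_to_mask PREFIXLEN: 24 -> 255.255.255.0 (fails on anything outside 0..32)
prefix_to_mask() {
    p="$1"
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
    if [ "$p" -eq 0 ]; then m=0
    else m=$(( (4294967295 << (32 - p)) & 4294967295 )); fi
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps A/P B/Q: true if the two prefixes share any address
cidr_overlaps() {
    a=$(ip_to_int "${1%/*}"); pa=${1#*/}
    b=$(ip_to_int "${2%/*}"); pb=${2#*/}
    p=$pa; [ "$pb" -lt "$p" ] && p=$pb
    # compare both networks under the shorter of the two prefixes
    if [ "$p" -eq 0 ]; then m=0
    else m=$(( (4294967295 << (32 - p)) & 4294967295 )); fi
    [ $(( a & m )) -eq $(( b & m )) ]
}

# push_routes "CIDR,CIDR,...": emit one push "route" directive per entry,
# mirroring how the Local Network field is expanded in the server config
push_routes() {
    echo "$1" | tr ',' '\n' | while IFS= read -r cidr; do
        cidr=$(echo "$cidr" | tr -d ' ')
        [ -n "$cidr" ] || continue
        net=${cidr%/*}; plen=${cidr#*/}
        [ "$net" != "$cidr" ] || { echo "skip: '$cidr' has no prefix length" >&2; continue; }
        mask=$(prefix_to_mask "$plen") || { echo "skip: bad prefix in '$cidr'" >&2; continue; }
        printf 'push "route %s %s"\n' "$net" "$mask"
    done
}

# Values from this section of the guide
tunnel="10.8.0.0/24"
local_networks="192.168.1.0/24,192.168.2.0/24"
for n in $(echo "$local_networks" | tr ',' ' '); do
    if cidr_overlaps "$tunnel" "$n"; then
        echo "WARNING: Tunnel Network $tunnel overlaps Local Network $n" >&2
    fi
done
push_routes "$local_networks"
```

If a client reports it is connected but cannot reach LAN2, compare this output with the routing table on the client: a subnet missing from Local Network is never pushed, and no firewall rule will fix that.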
7️⃣ Firewall and NAT Configuration
WAN Rule (lets clients reach the server)
Action: Pass
Protocol: UDP
Destination: WAN address
Port: 1194
Outbound NAT (Hybrid Mode)
Source: 10.8.0.0/24
Translation: Interface Address (WAN)
The outbound NAT rule is only needed when Redirect Gateway is on, so that client Internet traffic leaves the WAN with the firewall's address. Access to the internal subnets does not need NAT as long as those hosts use OPNsense as their default gateway and therefore know the way back to 10.8.0.0/24.
8️⃣ Troubleshooting Checklist
| Problem | Solution |
|---|---|
| Cannot connect | Ensure UDP/1194 passes the WAN rule and any upstream NAT; check VPN → OpenVPN → Log File for the handshake |
| Connected but no Internet | Enable “Redirect Gateway” and make sure the outbound NAT rule for 10.8.0.0/24 exists |
| Certificate error | Client and server certificates must both be issued by VPN_CA and be unexpired; the server certificate must be of type Server Certificate |
| Multi-subnet access fails | Add every subnet to Local Network (so it is pushed as a route) and allow it in the OpenVPN firewall rule |
| Gateway offline | Verify upstream connectivity |
9️⃣ Network Topology Example
[ Internet ]
|
(WAN)
[ OPNsense VPN Server ]
| \
| [192.168.1.0/24]
| [192.168.2.0/24]
|
[ Remote Client 10.8.0.x ]
✅ Conclusion
With OPNsense’s integrated OpenVPN management, building a secure enterprise VPN is straightforward.
You can easily control users, manage certificates, and support multiple internal networks — all from a clean web GUI.
This combination delivers secure, stable, and scalable remote access for distributed teams and branch offices.