Create a Certificate Authority (hint: you can use an existing one if you want)
System | Trust | Authorities
Add and select Create Internal
Name - System CA (or something)
Lifetime - 3650 (10 years)
Fill in the rest of the fields
Click Save
Set up local authentication
System | Settings | Administration | Server = Local Database
Create a Server Certificate (recommend you create a new one)
System | Trust | Certificates
Add and select Create Internal
Descriptive Name - VPN Road Warrior Server Certificate
Certificate authority - Select System CA
Type - Server Certificate
Lifetime - 3650 (10 years)
Common Name - roadwarriorservercert
Server Settings
VPN | OpenVPN | Servers
Use wizard to create
Type of Server - Local User Access
Certificate Authority - System CA
Server Certificate - VPN Road Warrior Server Certificate
General Settings
Interface - WAN
Protocol - UDP
Local Port - Choose a port around 1190 that is not already used by something else
Description - Road Warrior
Cryptographic Settings - I just leave them at default
Tunnel Settings
IPv4 Tunnel Network - any subnet reserved for private use (i.e., one from the 10., 172.16., or 192.168. ranges); pick one that does not overlap your LAN or the networks your users connect from
IPv6 Tunnel Network - I don't use
Redirect Gateway - check if you want all traffic to be forced through the tunnel. More secure, but uses more bandwidth
IPv4 Local Network - the subnet on your LAN
Concurrent Connections - maximum number of simultaneous VPN connections allowed at one time (all users)
Inter-Client Communication - Check if you want VPN users to “see” each other
Duplicate Connections - Check if you want one user to be able to use the same settings simultaneously on different computers
I generally leave the rest of it alone; you can change it later if you want.
Firewall Rule Configuration
Check the first box to get it to automagically create the firewall rules to allow VPN connections
After creation, you can go to Firewall | Rules | WAN and see the rule to allow entry
You can also go to Firewall | Rules | OpenVPN to see the rule to allow traffic after the connection is created
Check the second box if you want users to be forced to pass all traffic through the VPN connection
System | Access | Groups (optional; lets Road Warrior users change their own passwords)
Add
Group Name - Road Warrior
Description - Road Warrior Users
Save
Edit
Assign Privileges (hint: use the filter to find these)
Lobby: Login / Logout / Dashboard
GUI: System:User Password Manager
System | Access | Users
Add
Username - I use all lower case, no special chars (including spaces)
Password - Put in a good password (the user can change it if you set up the group)
If the user should be able to log in from the CLI or SSH, change the login shell
Expiration Date - Leave blank to not expire
Group Memberships - Road Warrior (the group created above)
Certificate - Click to create a user certificate
Save; you will be taken to the Create a Certificate page
Method - Create an internal certificate
Lifetime - 3650 (10 years), or whatever you want
When the certificate expires, the user can no longer connect to the VPN and you must generate a new certificate
Change the remaining fields if you want; the defaults are usually sufficient
Click Save; you will return to the User screen for that user
Add an SSH authorized_keys file (with public ssh key) if you want.
VPN | OpenVPN | Client Export
Change Remote Access Server if you have more than one and want to select one
Host Name Resolution - choose how the client knows what to connect to
Since I try to set up my firewalls with a DNS name as their hostname, I usually select “Installation hostname”
If you have a static IP, you can use the Interface IP Address
If you need to manually put something in, choose “Other”
You can protect the certificate with a password by checking “Use a password to protect pkcs12 file”. Users will have to enter that password, and then their username/password, to make a connection
For each user, select the Export type. “Others” works almost anywhere and is a single file, but if you are using Viscosity, or are connecting from a tablet/phone, use one of the specific options.
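As an added example, not part of this guide or the firewall's own code, here is a small Python checker for an exported single-file (“Others”) client profile. It confirms that the choices made above ended up in the file: the local-database login prompt, the server-certificate check that relies on the server cert having been created with Type = Server Certificate, a client identity, and whether the private key is protected. The host name, port and certificate bodies in the sample are constructed placeholders.

```python
# Added example (not from the guide). SAMPLE_OVPN is a constructed Client
# Export inline profile; host, port and PEM bodies are placeholders.
import re
SAMPLE_OVPN = """\
client
dev tun
remote fw.example.net 1190 udp
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-USER-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-USER-KEY
-----END PRIVATE KEY-----
</key>
"""

def parse_profile(text):
    """Split a profile into directives {name: [args, ...]} and inline PEM blocks."""
    block_re = re.compile(r"<(\w+)>\n(.*?)\n</\1>", re.S)
    blocks = {tag: body for tag, body in block_re.findall(text)}
    directives = {}
    for line in block_re.sub("", text).splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", ";")):
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks

def check_profile(text):
    """Return findings to fix before the profile is handed to a user."""
    d, b = parse_profile(text)
    findings = []
    if "auth-user-pass" not in d:
        findings.append("no auth-user-pass: Local Database login is not enforced")
    # Makes the client verify the server's EKU, which is why the server
    # certificate was created with Type = Server Certificate.
    if d.get("remote-cert-tls", [[]])[0] != ["server"]:
        findings.append("missing 'remote-cert-tls server'")
    if "pkcs12" not in d and not {"ca", "cert", "key"} <= set(b):
        findings.append("no client identity (pkcs12 or inline ca/cert/key)")
    if "key" in b and "ENCRYPTED" not in b["key"]:
        findings.append("inline private key is unencrypted: use the pkcs12 password option")
    return findings
```

Run it against the exported file's contents; an empty list means the profile matches the setup above.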