
Tutorial: Configure a pfSense Router To Connect to CloudConnexa

Abstract

This tutorial explains how to configure a pfSense router to use a Connector profile to connect to CloudConnexa and make the network part of your WPC.

Introduction

Many of our Users have expressed interest in using CloudConnexa-compatible routers to connect to CloudConnexa instead of using the Connector application.

While connecting in this manner may not yield the best performance, due to the limited processing power and memory of the router, it could be useful in cases where convenience, rather than high throughput, is required.

Important

The information provided here is for EDUCATIONAL and INFORMATIONAL purposes only. We are not responsible for any damages you incur as a result of using these instructions here. For technical support, you need to contact the supplier of the router or the appropriate community forums. It is not guaranteed that all versions of the firmware will work as expected with CloudConnexa and some features may be incompatible. It is best to update the firmware to the latest version.

Downloading the Connector Profile

Sign in to the CloudConnexa Administration portal at https://cloud.openvpn.com.

  1. Navigate to Networks.

  2. Select Networks.

  3. Click the name of the router Network.

  4. Click the Connectors tab.

  5. Click the Deploy drop-down menu of the Connector you wish to modify.

  6. Select Deploy Connector.

  7. Click the Connector Type drop-down menu.

  8. Select pfSense.

  9. Click Download OVPN Profile.

Alternatively, you may download the profile by clicking the Network name and then the edit icon for the Network, or from the Connectors menu.

Open the downloaded Profile file in a text editor. In Windows, the file must be opened in a text editor other than Notepad (e.g. Wordpad / Notepad++).

Configuring pfSense

  1. From the main menu, go to System > Cert. Manager

  2. Next, select CAs > Add

  3. Select Method: Import an existing Certificate Authority

  4. Set some “Descriptive name”

  5. In the Certificate Data space, copy the Certificate Authority data from the Connector’s Profile: everything between <ca> and </ca>

  6. Click Save

  7. Go to Certificates > Add

  8. Select Method: Import an existing Certificate

  9. Set some “Descriptive name”

  10. In the Certificate Data space, copy the data from the Connector’s Profile: everything between <cert> and </cert>.

    1. In the Private key data space, copy the data from the Connector’s Profile: everything between <key> and </key>.

    2. In certificate type, choose: X.509 (PEM)

  11. Click Save

  12. From the main menu, go to VPN > OpenVPN

  13. Select Clients > Add a client

  14. Enter the preferred PGMT hostname of the CloudConnexa server in the Server Host or address field. Refer to Region Locations to find hostnames if needed.

  15. Uncheck Automatically generate a TLS Key

  16. In the TLS Key space, copy the TLS Key data from the Connector’s Profile: everything between <tls-auth> and </tls-auth>.

  17. Select your Certificate Authority in the Peer Certificate Authority drop-down menu

  18. Select your Certificate in the Client Certificate drop-down menu

  19. Select AES-256-GCM in the Encryption Algorithm / Data Encryption Algorithms drop-down menu

  20. Select SHA256 in the Auth Digest Algorithm drop-down menu

  21. Select Disable Compression in the Compression drop-down menu

    1. In Allow compression drop-down choose: Decompress Incoming, do not compress outgoing (asymmetric)

    2. In Compression drop-down choose: Disable Compression [Omit Preference].

  22. Click Save

  23. From the main menu, go to Status > OpenVPN

  24. Ensure that OpenVPN service is up and Virtual IP Addresses are assigned
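
Steps 5, 10 and 16 above all copy inline blocks out of the Connector profile. As an added example (not part of the original tutorial or of CloudConnexa's tooling), this Python script extracts the four blocks, checks that each carries the expected header before it is pasted into pfSense, and writes them to owner-only files because the profile contains the private key. The function names, output file names and the sample profile are constructed for illustration.

```python
import os
import re

# Blocks the pfSense steps ask for, with the header each body should contain.
EXPECTED = {
    "ca": "-----BEGIN CERTIFICATE-----",
    "cert": "-----BEGIN CERTIFICATE-----",
    "key": "PRIVATE KEY-----",
    "tls-auth": "-----BEGIN OpenVPN Static key V1-----",
}
BLOCK_RE = re.compile(r"^<([\w-]+)>[ \t]*\n(.*?)\n</\1>[ \t]*$", re.S | re.M)

def extract_blocks(profile_text):
    """Return {tag: body} for each inline <tag>...</tag> block in the profile."""
    text = profile_text.replace("\r\n", "\n")  # tolerate Windows line endings
    return {m.group(1): m.group(2).strip() for m in BLOCK_RE.finditer(text)}

def check_blocks(blocks):
    """List missing or malformed blocks; an empty list means ready to paste."""
    problems = []
    for tag, header in EXPECTED.items():
        if tag not in blocks:
            problems.append(f"missing <{tag}> block")
        elif header not in blocks[tag]:
            problems.append(f"<{tag}> body lacks {header!r}")
    return problems

def write_blocks(blocks, outdir):
    """Write each block to its own file, readable by the owner only."""
    os.makedirs(outdir, mode=0o700, exist_ok=True)
    for tag in EXPECTED:
        if tag in blocks:
            fd = os.open(os.path.join(outdir, tag + ".pem"),
                         os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as f:
                f.write(blocks[tag] + "\n")

def _pem(tag, label):
    # Constructed placeholder body, not real key material.
    return f"<{tag}>\n-----BEGIN {label}-----\nCONSTRUCTED\n-----END {label}-----\n</{tag}>\n"

# Constructed sample profile; CRLF endings exercise the line-ending handling.
SAMPLE = ("client\ndev tun\n" + _pem("ca", "CERTIFICATE") + _pem("cert", "CERTIFICATE")
          + _pem("key", "PRIVATE KEY") + _pem("tls-auth", "OpenVPN Static key V1")
          ).replace("\n", "\r\n")

if __name__ == "__main__":
    blocks = extract_blocks(SAMPLE)
    print(check_blocks(blocks) or "all four blocks present")
```

Delete the extracted files once the values are saved in pfSense, since key.pem and tls-auth.pem are secrets.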

Steps after the tunnel is ONLINE

Enable the tunnel interface by carrying out the steps below:

  1. Interfaces > assignment

  2. Add > Choose the tunnel created for CloudConnexa. It will be shown as LAN. Click on the name > Enable it and change the name if desired.

  3. Click Save.

  4. Apply changes.

  5. On Status > Interfaces check that the tunnel interface is added with status: Up.


Enable NAT by carrying out the steps below:

  1. Firewall > NAT > Outbound

  2. Outbound NAT Mode: Hybrid

  3. Add > interface Pointing to local resources

  4. Interface > WAN

    Address Family > IPv4+IPv6

    Protocol > Any

    Source > Any

    Destination > Any

  5. Click Save

  6. Apply Changes

Note

If there are any problems, please check Status > System logs > Firewall to ensure that there are no firewall rules blocking traffic.
