How to do it...

First, we must create the CA and certificates on the server:

  1. Navigate to System | Cert. Manager.
  2. From the default tab, CAs, click on the Add button to create the CA.
  3. In the Descriptive name text field, enter a brief name.
  4. In the Method drop-down menu, select Create an Internal Certificate Authority.
  5. In the Internal Certificate Authority section, make sure the required fields are completed. You can also complete the optional fields (Country Code, State or Province, and so on).
  6. When you are done, click on the Save button.
  7. Click on the Certificates tab. We need to create two certificates: one for the server, and one for the client.
  8. Click on the Add/Sign button to add a new certificate.
  9. Enter a name in the Descriptive Name text field (for example, OpenVPN server certificate).
  10. In the Certificate Authority drop-down menu, select the CA we created in the earlier steps.
  11. Make sure the Certificate Type is set to Server Certificate.
  12. Click on the Save button.
  13. Click on the Add/Sign button to add a new certificate.
  14. Enter a name in the Descriptive Name text field (for example, OpenVPN client certificate).
  15. In the Certificate Authority drop-down menu, select the CA we created in the earlier steps.
  16. Make sure the Certificate Type is set to User Certificate.
  17. Click on the Save button.
  18. The table on the Certificates tab should list both the newly created server certificate and user certificate. Click on the Export Certificate button for the user certificate and save the certificate to a safe place.
  19. Click on the Export Key button for the user certificate and save the key to a safe place. You will need to import both the certificate and the key onto the client later.
  20. Click on the CA tab and click on the Export CA button for the CA we created earlier. Save the CA.
  21. Repeat this process for the CA’s key. We will need to import the CA onto the client, and we need both the CA and the key.

Now we can begin configuration of the OpenVPN server:

  1. Navigate to VPN | OpenVPN.
  2. From the Servers tab, click on the Add button.
  3. In the General Information section, we can leave all settings at their default values. Be sure that Server mode is set to Peer to Peer (SSL/TLS). You can keep Local port set to 1194 (the default OpenVPN port) unless you have reason to select a different port. You can enter a brief description in the Description text field.
  4. In the Cryptographic Settings section, make sure the Use a TLS Key and Automatically Generate a TLS Key checkboxes are checked. You will need to paste the autogenerated key into the client settings later.
  5. In the Peer Certificate Authority drop-down menu, select the CA created in step 1.
  6. In the Server certificate drop-down menu, select the server certificate created in step 1.
  7. The remaining settings in Cryptographic Settings can remain unchanged.
  8. In the Tunnel Settings section, specify a virtual IPv4 network in the IPv4 Tunnel Network text field. The virtual network must be big enough to accommodate the server virtual address and at least one client, so the smallest IPv4 network you can specify is a /30 network.
  9. In the IPv4 Local network(s) text field, specify the IPv4 networks that will be accessible from the remote endpoint. Usually you should just specify the LAN network, but you may specify more than one network, separated by commas.
  10. In the IPv4 Remote network(s) text field, specify the IPv4 remote networks that will be routed through the tunnel. As with IPv4 Local network(s), you can specify more than one network, separated by commas.
  11. In the Client Settings section, for Topology, select net30 in the drop-down menu.
  12. When you are done making changes, click on the Save button.

OpenVPN server configuration is complete, but we still need to create firewall rules to allow OpenVPN traffic to pass:

  1. Navigate to Firewall | Rules.
  2. On the WAN tab, click on the first Add button (the one with the up arrow). The Firewall Edit page will load.
  3. For Protocol, select UDP in the drop-down menu.
  4. For Destination, select WAN address in the drop-down menu.
  5. Enter a brief description in the Description text field (for example, OpenVPN rule for WAN).
  6. When you are done, click on the Save button.
  7. Click on the Apply Changes button.
  8. Click on the OpenVPN tab.
  9. We only need to create one rule for the OpenVPN tunnel, so click on either Add button. The Firewall Edit page will load.
  10. For Protocol, select any in the drop-down menu.
  11. Enter a brief description in the Description text field.
  12. Click on the Save button.
  13. Click on the Apply Changes button.

Next, we switch to the other firewall and import the CA and client certificate:

  1. Navigate to System | Certificate Manager.
  2. From the CAs tab, click on the Add button.
  3. In the Descriptive name text field, enter the same name for the CA as you did on the server.
  4. Make sure Import an existing Certificate Authority is selected in the Method drop-down menu.
  5. Paste Certificate data and Certificate Private Key into the corresponding text boxes.
  6. When done, click on the Save button.
  7. Click on the Certificates tab.
  8. Click on the Add/Sign button to add the client certificate.
  9. For Method, make sure Import an existing Certificate is selected.
  10. In the Descriptive name text field, enter the name used when the certificate was created on the server.
  11. Paste Certificate data and Certificate Private Key (for the user certificate) into the corresponding text boxes.
  12. When done, click on the Save button.

Next, we begin OpenVPN client configuration:

  1. Navigate to VPN | OpenVPN.
  2. Click on the Clients tab.
  3. Click on the Add button.
  4. In the General Information section, enter the IP address of the OpenVPN server in the Server host or address text field.
  5. All other settings in the General Information section can be kept at their default values. Make sure Server mode is set to Peer to Peer (SSL/TLS), and make sure Server port is set to 1194. You may enter a brief description in the Description edit box.
  6. In Cryptographic Settings, make sure Use a TLS Key is checked. Uncheck Automatically Generate a TLS Key; this will cause the TLS Key text box to appear. Paste the TLS Key generated by the OpenVPN server into this box.
  7. In the Peer Certificate Authority drop-down menu, select the CA created in step 1 (and imported to the client in step 4) as the CA.
  8. In the Client Certificate drop-down menu, select the client (user) certificate created in step 1 (and imported to the client in step 4).
  9. In the Tunnel Settings section, in the IPv4 Tunnel Network edit box, specify the same virtual IPv4 network you specified for this setting on the server side in step 2.
  10. In the IPv4 Remote network(s) text field, specify the remote IPv4 networks that will be routed through the VPN tunnel. This is typically identical to the IPv4 networks specified for IPv4 Remote network(s) on the server side in step 2.
  11. In the Topology drop-down menu, select net30.
  12. When you are done making changes, click on the Save button.

Next, we need to create a firewall rule to allow OpenVPN traffic to pass:

  1. Navigate to Firewall | Rules and click on the OpenVPN tab.
  2. Click on one of the Add buttons to add a new rule.
  3. Keep the Action set to Pass.
  4. Set the Protocol to any.
  5. Leave the Source and Destination set to any.
  6. Enter a brief description in the Description text field (for example, Allow OpenVPN traffic).
  7. Click on the Save button.
  8. Whereas we have to explicitly connect IPsec tunnels, with OpenVPN, the tunnel will connect automatically as soon as we complete configuration, assuming the OpenVPN service is running. To verify that this is the case, navigate to Status | OpenVPN on the client. The newly created tunnel should be listed in the table with a Status of up. If the tunnel is not up, there are several possible reasons:
    • The OpenVPN service is not running.
    • The CA and certificates were set up incorrectly.
    • A configuration error was made.
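The GUI settings above map onto the following OpenVPN configuration files. This is an added illustration of the equivalent directives, not pfSense's own generated configuration; the tunnel network (10.0.8.0/30), the LANs on each side (192.168.1.0/24 behind the server, 192.168.2.0/24 behind the client), the server's public address (203.0.113.10), the file names and the DH parameter file are all assumed, as is the TLS Key Usage Mode having been left at TLS Authentication.

```text
# server.conf (assumed equivalent of the Servers tab settings above)
dev tun
proto udp
port 1194                     # Local port
tls-server                    # Server mode: Peer to Peer (SSL/TLS)
topology net30                # Client Settings: Topology
ca ca.crt                     # Peer Certificate Authority (the CA created above)
cert server.crt               # Server certificate (Certificate Type: Server Certificate)
key server.key
dh dh2048.pem                 # DH parameters; length left at the GUI default (assumed)
tls-auth ta.key 0             # Use a TLS Key; 0 = server side of the autogenerated key
ifconfig 10.0.8.1 10.0.8.2    # IPv4 Tunnel Network 10.0.8.0/30: server .1, peer .2
route 192.168.2.0 255.255.255.0          # IPv4 Remote network(s): the client-side LAN
push "route 192.168.1.0 255.255.255.0"   # IPv4 Local network(s): server LAN offered to the peer (assumed)
keepalive 10 60
persist-key
persist-tun

# client.conf (assumed equivalent of the Clients tab settings above)
dev tun
proto udp
remote 203.0.113.10 1194      # Server host or address, Server port
tls-client                    # Server mode: Peer to Peer (SSL/TLS)
topology net30
ca ca.crt                     # the CA imported from the server
cert client.crt               # the user certificate imported from the server
key client.key
tls-auth ta.key 1             # the pasted TLS Key; 1 = client side
ifconfig 10.0.8.2 10.0.8.1    # same IPv4 Tunnel Network, addresses reversed
route 192.168.1.0 255.255.255.0          # IPv4 Remote network(s): the server-side LAN
keepalive 10 60
persist-key
persist-tun
```

The UDP rule on the server's WAN tab is what admits traffic to `port 1194`; the rules on the OpenVPN tab on each side govern what may pass through the tunnel once it is up.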

Note that when we added firewall rules for the server, we had to add a rule to allow traffic through the WAN interface on the server side, but we did not have to add such a rule on the client side. This is because the client initiates the VPN connection, so it is the server's WAN interface that must accept the client's inbound traffic. On the client side, the outbound connection and its return traffic are allowed, so no corresponding WAN rule is needed; we only needed a rule to allow OpenVPN traffic on the client.
