Configuring SSL/TLS Client Side

On the client, import the CA certificate along with the client certificate and key for that site. This is the same CA and client certificate made on the server and exported from there. This can be done under System > Cert Manager. For specifics on importing the CA and certificates.

After importing the certificates, create the OpenVPN client:

  • Navigate to VPN > OpenVPN, Client tab
  • Click Add to create a new client
  • Fill in the fields as follows, with everything else left at defaults

  Server Mode: Select Peer to Peer (SSL/TLS)

  Protocol: Select UDP

  Device Mode: Select tun

  Interface: Select WAN

  Server host or address: Enter the public IP address or hostname of the OpenVPN server here (e.g. 198.51.100.3)

  Server Port: Enter 1194 or whichever port was configured on the server

  Description: Enter text here to describe the connection

  TLS Authentication: Check Enable authentication of TLS packets, uncheck Automatically generate a shared TLS authentication key, then paste in the TLS key for the connection using the key copied from the server instance created previously

  Peer Certificate Authority: Select the CA imported at the beginning of this process

  Client Certificate: Select the client certificate imported at the beginning of this process

  • Click Save
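The GUI fields above correspond one-to-one with directives in a plain OpenVPN client configuration. The file below is an added example written for this page; it is not the configuration pfSense generates and not text from the original documentation. The file names ca.crt, client.crt, client.key and ta.key are assumed, the address 198.51.100.3 and port 1194 are the page's sample values, and the remote-cert-tls line is an extra hardening option that is not among the fields the page lists.

```conf
# Added example: OpenVPN client configuration equivalent to the pfSense
# "Peer to Peer (SSL/TLS)" client fields described above.
client                      # Server Mode: Peer to Peer (SSL/TLS), client role
dev tun                     # Device Mode: tun
proto udp                   # Protocol: UDP
remote 198.51.100.3 1194    # Server host or address + Server Port (page's sample values)
nobind                      # client only initiates outbound connections, no fixed local port
persist-key
persist-tun

# Peer Certificate Authority / Client Certificate (file names are assumptions)
ca ca.crt                   # the CA imported at the beginning of this process
cert client.crt             # client certificate issued by that CA
key client.key              # private key matching client.crt

# TLS Authentication: the static key copied from the server instance.
# The client uses direction 1; the server instance uses direction 0.
tls-auth ta.key 1

# Not among the page's listed fields: only accept a peer whose certificate
# was issued for server use, so a stolen client cert cannot impersonate the server.
remote-cert-tls server

# No "route" lines here: in a PKI setup the server pushes routes and other
# options to the client, so additional server-side networks are configured
# on the server instead.
verb 3
```

Any mismatch between the GUI and this file (wrong key direction, a CA that did not issue the client certificate, a pasted TLS key that differs from the server's) shows up as a TLS handshake or "TLS Error: cannot locate HMAC" failure in the OpenVPN log rather than as a firewall problem, which is worth checking before touching the rules in the next section.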

A rule must also be added to the OpenVPN interface to pass traffic over the VPN from the Client-side LAN to the Server-side LAN. An “Allow all” style rule may be used, or a set of stricter rules. In this example allowing all traffic is OK so the following rule is made:

  • Navigate to Firewall > Rules, OpenVPN tab
  • Click Add to create a new rule at the top of the list
  • Set Protocol to any
  • Enter a Description such as Allow all on OpenVPN
  • Click Save
  • Click Apply Changes

The configuration of the client is complete. No firewall rules are required on the client WAN because the client only initiates outbound connections.

Note: With remote access PKI configurations, routes and other configuration options are not usually defined in the client configuration but rather they are pushed from the server to the client. If there are more networks to reach on the server side, configure them on the server to be pushed.