Permitting traffic to the OpenVPN server

After setting up an OpenVPN server, a firewall rule to permit traffic to the OpenVPN server is required.

  • Navigate to Firewall > Rules, WAN tab

  • Click the Add (up-arrow) button to create a new rule at the top of the list

  • Set Protocol to UDP

  • Leave the Source set to any

  • Set the Destination to WAN Address

  • Set the Destination port to 1194 in this instance

  • Enter a Description, such as Allow traffic to OpenVPN Server

  • Click Save

  • Click Apply changes

This rule is depicted in Figure OpenVPN Server WAN Rule.

Figure: OpenVPN Server WAN Rule

If the client source addresses are known and do not change, the source of the rule can be altered to permit traffic only from those clients. This is more secure than leaving the server exposed to the entire Internet, but an open source is necessary to accommodate clients with dynamic IP addresses, roaming clients, and so on. The risk of leaving the service exposed with most OpenVPN configurations is minimal, especially where TLS Authentication is employed. Certificate-based authentication carries less risk of compromise than password-based solutions, which are susceptible to brute forcing. This presumes a lack of security holes in OpenVPN itself, which to date has a solid security track record.
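As an added example, not part of the pfSense documentation or project code, the following Python audit reads a config.xml export, finds the WAN pass rule created by the steps above (UDP to WAN address on the OpenVPN port) and reports whether its source is still any or has been limited to known clients as the previous paragraph discusses. The config.xml element names (filter/rule, source/any, destination/network = wanip, destination/port) and the sample configuration are assumptions; verify them against a real export.

```python
"""Audit a pfSense config.xml export for the OpenVPN server WAN rule."""
import xml.etree.ElementTree as ET

# Constructed sample export: one rule open to any source, one limited to a
# single known client address. Element layout is an assumption about config.xml.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
    <protocol>udp</protocol><source><any></any></source>
    <destination><network>wanip</network><port>1194</port></destination>
    <descr>Allow traffic to OpenVPN Server</descr></rule>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
    <protocol>udp</protocol><source><address>203.0.113.10</address></source>
    <destination><network>wanip</network><port>1194</port></destination>
    <descr>Allow OpenVPN from office</descr></rule>
</filter></pfsense>"""


def openvpn_wan_rules(config_xml, port="1194"):
    """Return (description, source) for each pass rule on WAN that permits UDP
    to the WAN address on `port`. source is 'any' when the rule is open to the
    whole Internet, otherwise the address or alias it is restricted to."""
    root = ET.fromstring(config_xml)
    found = []
    for rule in root.iter("rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        if rule.findtext("protocol") != "udp":
            continue
        dst = rule.find("destination")
        if dst is None or dst.findtext("network") != "wanip" or dst.findtext("port") != port:
            continue
        src = rule.find("source")
        # An empty <any/> element is falsy, so test for presence with 'is not None'
        if src is None or src.find("any") is not None:
            source = "any"
        else:
            source = src.findtext("address") or src.findtext("network") or "unknown"
        found.append((rule.findtext("descr", ""), source))
    return found


def exposed_rules(config_xml, port="1194"):
    """Descriptions of matching rules whose source is still any."""
    return [descr for descr, src in openvpn_wan_rules(config_xml, port) if src == "any"]


if __name__ == "__main__":
    for descr, source in openvpn_wan_rules(SAMPLE_CONFIG):
        print(f"{descr}: source={source}")
```

Run it against a backup taken from Diagnostics > Backup & Restore; a rule listed by `exposed_rules` is one you may want to narrow to an alias of known client addresses where that is practical.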