VPNs and Firewall Rules

pfSense® software does not handle firewall rules the same way for every VPN type. This section describes how firewall rules are handled for each of the individual VPN options. Where rules are added automatically (as described below, this currently happens only for IPsec), that behavior may be turned off by checking Disable all auto-added VPN rules under System > Advanced on the Firewall/NAT tab. With that option set, rules to pass the outer VPN traffic must be added manually on the appropriate WAN interface(s), just as they must be for OpenVPN and WireGuard.

IPsec

Traffic necessary to establish configured and enabled IPsec tunnels is automatically allowed into the firewall as described in Outer IPsec Traffic.

Traffic encapsulated within an active tunnel mode IPsec connection is controlled via user-defined rules on the IPsec tab under Firewall > Rules. VTI mode traffic is filtered the same way by default, but when a VTI interface is assigned it can instead be filtered on that interface's own tab under certain conditions. See Tunneled IPsec Traffic from Remote to Local for details.

OpenVPN

OpenVPN does not automatically add rules to WAN interfaces. The OpenVPN remote access VPN Wizard offers to optionally create a rule on the WAN interface passing traffic to the OpenVPN server port and a rule on the OpenVPN tab passing tunneled traffic. OpenVPN instances created outside the wizard, including site-to-site servers, get neither rule; the WAN rule for the server's protocol and port must be added by hand or clients will be unable to connect.

Traffic encapsulated within an active OpenVPN connection is controlled via user-defined rules on the OpenVPN tab under Firewall > Rules.

OpenVPN interfaces may also be assigned similar to other interfaces. In such cases the OpenVPN tab firewall rules still apply, but there is a separate tab specific to the assigned VPN instance that controls traffic only for that one VPN. Rules on the OpenVPN tab are processed before rules on the assigned interface tab, so a broad pass rule on the OpenVPN tab will match traffic before the per-instance tab is consulted; when per-instance control is the goal, keep the OpenVPN tab rules restrictive or empty.

WireGuard

WireGuard does not automatically add rules to WAN interfaces. Rules must be added to the appropriate WAN interface(s) to allow UDP traffic to reach the listen port of each WireGuard instance.
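Because neither OpenVPN nor WireGuard adds its own WAN rule, a missing rule is a common reason a new instance never sees a connection. As an added example (not pfSense's own code and not part of this documentation), the following Python script audits a config.xml for exactly that gap: it lists every enabled OpenVPN server bound to WAN and every enabled WireGuard tunnel, then checks whether an enabled pass rule on the WAN interface covers its protocol and port. It also reports whether Disable all auto-added VPN rules is set, since with that option IPsec's outer traffic needs manual rules too. The config.xml element names and the sample configuration are constructed from my understanding of pfSense's config layout and are assumptions; compare them against your own /conf/config.xml before trusting the output. Port aliases are not resolved and are treated as non-matching, so a rule using an alias shows up as a false "missing".

```python
"""Audit a pfSense config.xml for WAN-facing VPN listeners that lack a pass rule.
Added example, not pfSense's own code. Element names follow pfSense's config.xml
layout as I understand it (an assumption; verify against your own /conf/config.xml)."""
import xml.etree.ElementTree as ET

# Constructed sample configuration, trimmed to the elements the audit reads.
SAMPLE_CONFIG = """<pfsense>
  <system><hostname>fw1</hostname><disablevpnrules/></system>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid><protocol>UDP4</protocol>
      <interface>wan</interface><local_port>1194</local_port>
    </openvpn-server>
  </openvpn>
  <installedpackages><wireguard><tunnels>
    <item><name>tun_wg0</name><enabled>yes</enabled><listenport>51820</listenport></item>
    <item><name>tun_wg1</name><enabled>yes</enabled><listenport>51821</listenport></item>
  </tunnels></wireguard></installedpackages>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <source><any/></source><destination><any/><port>1194</port></destination>
      <descr>OpenVPN wizard rule</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <source><any/></source><destination><any/><port>51820</port></destination>
      <descr>WireGuard tun_wg0</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source><destination><any/><port>51821</port></destination>
      <descr>wrong protocol, and disabled anyway</descr><disabled/></rule>
  </filter>
</pfsense>"""

WAN_FACING = ("wan", "any")  # OpenVPN <interface> values that listen on WAN


def vpn_listeners(root):
    """Return [(label, proto, port)] for enabled VPN instances expected on WAN."""
    found = []
    for srv in root.findall("./openvpn/openvpn-server"):
        if srv.find("disable") is not None:
            continue
        if (srv.findtext("interface") or "").lower() not in WAN_FACING:
            continue
        # protocol is stored as UDP4/UDP6/TCP4/TCP6 (assumption); keep the L4 part
        proto = (srv.findtext("protocol") or "UDP4")[:3].lower()
        port = srv.findtext("local_port") or "1194"
        found.append((f"openvpn:{srv.findtext('vpnid')}", proto, port))
    for tun in root.findall("./installedpackages/wireguard/tunnels/item"):
        port = tun.findtext("listenport")
        if (tun.findtext("enabled") or "").lower() != "yes" or not port:
            continue
        found.append((f"wireguard:{tun.findtext('name')}", "udp", port))  # WireGuard is UDP only
    return found


def wan_pass_rules(root, wan_if="wan"):
    """Return [(proto, dest_port_or_None)] for enabled pass rules on the WAN tab."""
    rules = []
    for rule in root.findall("./filter/rule"):
        if rule.find("disabled") is not None:  # <disabled/> marks a disabled rule
            continue
        if rule.findtext("type") != "pass" or rule.findtext("interface") != wan_if:
            continue
        proto = (rule.findtext("protocol") or "any").lower()
        rules.append((proto, rule.findtext("destination/port")))  # None = any port
    return rules


def rule_covers(rule, proto, port):
    """True if a (proto, port) rule admits traffic to proto/port.
    Aliases are not resolved, so an alias name never matches (conservative)."""
    rproto, rport = rule
    if rproto not in ("any", "tcp/udp", proto):
        return False
    if rport is None:
        return True
    if "-" in rport:  # ranges are stored as "lo-hi"
        lo, hi = rport.split("-", 1)
        return lo.isdigit() and hi.isdigit() and int(lo) <= int(port) <= int(hi)
    return rport == port


def audit(config_xml):
    """Map each WAN-facing VPN listener to True (rule present) or False (missing)."""
    root = ET.fromstring(config_xml)
    rules = wan_pass_rules(root)
    return {label: any(rule_covers(r, proto, port) for r in rules)
            for label, proto, port in vpn_listeners(root)}


def auto_vpn_rules_disabled(config_xml):
    """True when 'Disable all auto-added VPN rules' is set (element name assumed);
    IPsec outer traffic (UDP 500/4500, ESP) then also needs manual WAN rules."""
    return ET.fromstring(config_xml).find("./system/disablevpnrules") is not None


if __name__ == "__main__":
    for label, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'OK     ' if ok else 'MISSING'} WAN pass rule for {label}")
    if auto_vpn_rules_disabled(SAMPLE_CONFIG):
        print("note: auto-added VPN rules are disabled; IPsec needs manual WAN rules")
```

On a live firewall, run it against a backup of config.xml rather than the live file; the sample deliberately includes a WireGuard tunnel whose only WAN rule is TCP and disabled, which is the kind of silent misconfiguration the audit is meant to surface.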

Traffic encapsulated within WireGuard is controlled via user-defined rules on the WireGuard tab under Firewall > Rules.

WireGuard interfaces may also be assigned similar to other interfaces. In such cases the WireGuard tab firewall rules still apply, but there is a separate tab specific to the assigned VPN instance that controls traffic only for that one VPN. As with OpenVPN, rules on the WireGuard tab are processed before those on the assigned interface tab, so a broad pass rule there will match first.