VPNs and Firewall Rules
VPNs and firewall rules are handled somewhat inconsistently in pfSense® software. This section describes how firewall rules are handled for each of the individual VPN options. For the automatically added rules discussed here, the addition of those rules may be disabled by checking Disable all auto-added VPN rules under System > Advanced on the Firewall/NAT tab.
Traffic necessary to establish configured and enabled IPsec tunnels is automatically allowed into the firewall as described in Outer IPsec Traffic.
Traffic encapsulated within an active tunnel mode IPsec connection is controlled via user-defined rules on the IPsec tab under Firewall > Rules. Traffic for VTI mode works the same way by default but can operate on a per-interface basis in certain conditions. See Tunneled IPsec Traffic from Remote to Local for details.
OpenVPN does not automatically add rules to WAN interfaces. The OpenVPN remote access VPN Wizard offers to optionally create rules to pass WAN traffic and traffic on the OpenVPN interface.
Traffic encapsulated within an active OpenVPN connection is controlled via user-defined rules on the OpenVPN tab under Firewall > Rules.
OpenVPN interfaces may also be assigned, like other interfaces. In such cases the OpenVPN tab firewall rules still apply, but there is a separate tab specific to the assigned VPN instance that controls traffic only for that one VPN.
WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.
When upgrading from a version that has WireGuard active, the upgrade aborts until all WireGuard tunnels are removed. For more details, see the Release Notes.
WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.
The WireGuard package is still under active development. Follow the development progress on the developer's YouTube channel.
WireGuard does not automatically add rules to WAN interfaces. Rules must be added to the appropriate WAN interface(s) to allow traffic to reach the ports for WireGuard instances.
Traffic encapsulated within WireGuard is controlled via user-defined rules on the WireGuard tab under Firewall > Rules.
WireGuard interfaces may also be assigned, like other interfaces. In such cases the WireGuard tab firewall rules still apply, but there is a separate tab specific to the assigned VPN instance that controls traffic only for that one VPN.
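As an added model of the rule handling described above for IPsec, OpenVPN and WireGuard (example code, not pfSense's own), the Python below evaluates a packet first-match through the auto-added IPsec WAN rules, the per-VPN group tab and any assigned-interface tab, with the "Disable all auto-added VPN rules" toggle as a parameter. The auto-added rule set (UDP/500, UDP/4500, ESP), the group-tab-before-assigned-tab order, the interface names, the rule tables and the WireGuard port are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "udp", "tcp", "esp" or "any"
    dport: Optional[int]  # None matches any destination port
    label: str

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        return self.proto in ("any", proto) and self.dport in (None, dport)

# Assumed: rules pfSense auto-adds on WAN for enabled IPsec tunnels
# (IKE UDP/500, NAT-T UDP/4500, ESP). OpenVPN and WireGuard get none.
IPSEC_AUTO_RULES = [
    Rule("pass", "udp", 500, "auto: IPsec IKE"),
    Rule("pass", "udp", 4500, "auto: IPsec NAT-T"),
    Rule("pass", "esp", None, "auto: IPsec ESP"),
]

# Assumed tab order per arriving interface: the VPN group tab (IPsec,
# OpenVPN, WireGuard) is evaluated before the assigned-interface tab.
TAB_ORDER = {
    "wan": ["WAN"],
    "enc0": ["IPsec"],
    "ovpns1": ["OpenVPN", "OVPN_SITE_A"],  # server assigned as OVPN_SITE_A
    "tun_wg0": ["WireGuard", "WG_HQ"],     # tunnel assigned as WG_HQ
}

def evaluate(tables, iface, proto, dport=None, auto_rules_disabled=False):
    """First-match evaluation; returns the decision and the deciding rule."""
    rules = [] if iface != "wan" or auto_rules_disabled else list(IPSEC_AUTO_RULES)
    for tab in TAB_ORDER[iface]:
        rules += tables.get(tab, [])
    for rule in rules:
        if rule.matches(proto, dport):
            return f"{rule.action} ({rule.label})"
    return "block (default deny)"

# Constructed rule tables: WAN passes only the WireGuard listener (UDP/51820,
# the WireGuard default, assumed); the OpenVPN listener on UDP/1194 has no rule.
TABLES = {
    "WAN": [Rule("pass", "udp", 51820, "user: WireGuard listener")],
    "OpenVPN": [Rule("pass", "tcp", 443, "user: HTTPS over any OpenVPN")],
    "OVPN_SITE_A": [Rule("pass", "tcp", 22, "user: SSH from site A only")],
    "WireGuard": [Rule("block", "tcp", 22, "user: no SSH over WireGuard")],
}
```

Disabling the auto-added rules turns the IKE packet into a default deny, and the OpenVPN listener on WAN is denied either way because nothing was added for it.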