Virtual Private Networks
- OpenVPN
  - OpenVPN Data Channel Offload (DCO)
  - OpenVPN Configuration Options
  - OpenVPN Firewall Rules
  - OpenVPN clients and Internet Access
  - Assigning OpenVPN Interfaces
  - OpenVPN and Multi-WAN
  - OpenVPN and High Availability
  - Sharing a Port with OpenVPN and a Web Server
  - Controlling Client Parameters via RADIUS
  - OpenVPN Adapter Address ICMP Behavior
  - OpenVPN and Certificates
- IPsec
  - IPsec Terminology
  - IPsec Configuration
  - Choosing a Mobile IPsec Style
  - NAT with IPsec Phase 2 Networks
  - Routed IPsec (VTI)
  - IPsec and firewall rules
  - Using IPsec with Multiple Subnets
  - Configuring IPsec Keep Alive
  - Testing IPsec Connectivity
  - Client Routing and Gateway Considerations
  - Configuring Third Party IPsec Devices
  - Accessing Firewall Services over IPsec
Warning
WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.
If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes.
WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.
Note
The WireGuard package is still under active development. Follow the development progress on the developer’s YouTube channel.
VPNs provide a means of tunneling traffic through an encrypted connection, preventing it from being seen or modified in transit. pfSense® software offers several VPN options: IPsec, OpenVPN, WireGuard and L2TP. This section provides an overview of VPN usage, the pros and cons of each type of VPN, and how to decide which is the best fit for a particular environment. Subsequent sections discuss each VPN option in detail.
L2TP is purely a tunneling protocol and does not offer any encryption of its own. It is typically combined with another method of encryption such as IPsec in transport mode. Because of this, it doesn’t fit in with most of the discussion in this chapter. See L2TP VPN for more information on L2TP.
PPTP Warning
pfSense software does not include a PPTP server. Despite its convenience, PPTP must not be used under any circumstances because it is no longer secure. This is not specific to the implementation of PPTP that was in pfSense software; any device that utilizes PPTP is no longer secure.
PPTP relies upon MS-CHAPv2 which has been completely compromised. Intercepted traffic can be decrypted by a third party 100% of the time, so consider any traffic carried in PPTP unencrypted. Migrate to another VPN type as soon as possible. More information on the PPTP security compromise can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/.