Virtual Private Networks

• Common deployments
• Choosing a VPN solution
• Remote Access Mobile VPN Client Compatibility
• VPNs and Firewall Rules
• IPv6 VPN and Firewall Rules
• VPN Scaling

• OpenVPN
  • OpenVPN Data Channel Offload (DCO)
  • OpenVPN Configuration Options
  • OpenVPN Firewall Rules
  • OpenVPN clients and Internet Access
  • Assigning OpenVPN Interfaces
  • OpenVPN and Multi-WAN
  • OpenVPN and High Availability
  • Sharing a Port with OpenVPN and a Web Server
  • Controlling Client Parameters via RADIUS
  • OpenVPN Adapter Address ICMP Behavior
  • OpenVPN and Certificates

• IPsec
  • IPsec Terminology
  • IPsec Configuration
  • Choosing a Mobile IPsec Style
  • NAT with IPsec Phase 2 Networks
  • Routed IPsec (VTI)
  • IPsec and firewall rules
  • Using IPsec with Multiple Subnets
  • Configuring IPsec Keep Alive
  • Testing IPsec Connectivity
  • Client Routing and Gateway Considerations
  • Configuring Third Party IPsec Devices
  • Accessing Firewall Services over IPsec

• WireGuard
  • WireGuard Settings
  • Design Considerations
  • WireGuard Limitations
  • Configure a WireGuard Tunnel
  • Assign a WireGuard Interface
  • WireGuard and Rules / NAT
  • WireGuard Routing
  • WireGuard Overview

Warning

WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

Note

The WireGuard package is still under active development. Follow the development progress on the developer’s YouTube channel

See also

• L2TP Server Configuration

• Troubleshooting Cisco VPN Pass Through

VPNs provide a means of tunneling traffic through an encrypted connection, preventing it from being seen or modified in transit. pfSense® software offers several VPN options: IPsec, OpenVPN, WireGuard and L2TP. This section provides an overview of VPN usage, the pros and cons of each type of VPN, and how to decide which is the best fit for a particular environment. Subsequent sections discuss each VPN option in detail.

L2TP is purely a tunneling protocol and does not offer any encryption of its own. It is typically combined with another method of encryption such as IPsec in transport mode. Because of this, it doesn’t fit in with most of the discussion in this chapter. See L2TP VPN for more information on L2TP.

PPTP Warning

pfSense software does not include a PPTP server. Despite the attraction of its convenience, PPTP must not be used under any circumstances because it is no longer secure. This is not specific to the implementation of PPTP that was in pfSense software; Any device that utilizes PPTP is no longer secure.

PPTP relies upon MS-CHAPv2 which has been completely compromised. Intercepted traffic can be decrypted by a third party 100% of the time, so consider any traffic carried in PPTP unencrypted. Migrate to another VPN type as soon as possible. More information on the PPTP security compromise can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/.