Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

Assigning OpenVPN Interfaces

In order to do complex NAT, policy routing, or tunnel-specific filtering, the OpenVPN interface must be assigned as an OPT interface and configured accordingly.

Assigning the OpenVPN interface enables several beneficial changes for advanced control of VPN traffic:

  • Adds a firewall tab under Firewall > Rules

  • Adds reply-to to rules on the VPN interface tab to help with return routing

  • Adds a Gateway entry for the far side of the VPN for policy routing

  • Allows the interface to be selected elsewhere in the GUI and packages

  • Allows more fine-grained control of Port Forwards and Outbound NAT for the VPN

Interface assignment and configuration

  • Navigate to Interfaces > Assignments

  • Select the appropriate ovpns or ovpnc interface in Available network ports, the description of the VPN is printed for reference.

  • Click fa-plus Add to assign the interface as a new OPT interface (e.g. OPT1)

Figure Assign OpenVPN Interface shows ovpns1 assigned as OPT1.

../../_images/openvpn-ovpn-assign-interfaces.png

Assign OpenVPN Interface

  • Navigate to the Interface configuration page, Interfaces > OPTx

  • Check Enable

  • Enter an appropriate Description which will become the interface name (e.g. VPNServer)

  • Select none for both IPv4 Configuration Type and for IPv6 Configuration Type

    Note

    This will not configure any IP address information on the interface, which is necessary since OpenVPN itself must configure these settings.

  • Click Save

  • Click Apply Changes

This does not change the functionality of OpenVPN, it makes the interface available for firewall rule, NAT, and gateway purposes, among other uses.

After assigning the OpenVPN interface, edit the OpenVPN server or client and click Save once there as well to reinitialize the VPN. This is necessary for the VPN to recover from the assignment process.

Filtering with OpenVPN

When the OpenVPN interface is assigned, a tab is present under Firewall > Rules dedicated to only this single VPN. These rules govern traffic coming in from the remote side of the VPN and they even get the pf reply-to keyword which ensures traffic entering this VPN interface will exit back out the same interface. This can help with some more advanced NAT and configuration scenarios.

Note

Rules added here are processed after the OpenVPN tab rules, which are checked first. In order to match the rules on an assigned VPN tab, the traffic must not match any rules on the OpenVPN tab. Remove any “Allow All” style rules from the OpenVPN tab and craft more specific rules instead.

See also

For more information on firewall rules, refer to Firewall.

Policy Routing with OpenVPN

When the OpenVPN interface is assigned and enabled, an automatic gateway entry is added under System > Routing, on the Gateways tab. With this, traffic can be directed into the VPN using the Gateway field on LAN or other internal interface firewall rules.

When used with a VPN to reach Internet sites, more configuration may be required. Either outbound NAT must be performed on the VPN interface before it leaves (for VPN services such as PIA, StrongVPN and similar) or the NAT must be done on the other side before it reaches the actual Internet connection.

See also

See Policy routing for more information on policy routing.

Warning

Do not use this automatic gateway for static routes. Use the Remote Network field in the VPN configuration. Defining a static route using the automatic OpenVPN gateway will not work properly.

NAT with OpenVPN

When the OpenVPN interface is assigned NAT rules can also be applied the same as with any other interface. This is useful when connecting two conflicting subnets or for making NAT rules specific to this one VPN connection (outbound NAT, port forwards, or 1:1 NAT)