Assigning OpenVPN Interfaces
In order to do complex NAT, policy routing, or tunnel-specific filtering, the OpenVPN interface must be assigned as an OPT interface and configured accordingly.
Assigning the OpenVPN interface enables several beneficial changes for advanced control of VPN traffic:
- Adds a firewall tab under Firewall > Rules
- Adds reply-to to rules on the VPN interface tab to help with return routing
- Adds a Gateway entry for the far side of the VPN for policy routing
- Allows the interface to be selected elsewhere in the GUI and packages
- Allows more fine-grained control of Port Forwards and Outbound NAT for the VPN
Interface assignment and configuration
1. Navigate to Interfaces > Assignments
2. Select the appropriate ovpnsX (server) or ovpncX (client) interface in Available network ports; the description of the VPN is printed there for reference.
3. Click Add to assign the interface as a new OPT interface (e.g. OPT1)
   Figure Assign OpenVPN Interface shows ovpns1 assigned as OPT1.
4. Navigate to the Interface configuration page, Interfaces > OPTx
5. Enter an appropriate Description which will become the interface name (e.g.
6. Select none for both IPv4 Configuration Type and for IPv6 Configuration Type
   This will not configure any IP address information on the interface, which is necessary since OpenVPN itself must configure these settings.
7. Click Apply Changes
This does not change the functionality of OpenVPN; it makes the interface available for firewall rules, NAT, and gateway purposes, among other uses.
After assigning the OpenVPN interface, edit the OpenVPN server or client and click Save once there as well to reinitialize the VPN. This is necessary for the VPN to recover from the assignment process.
Filtering with OpenVPN
When the OpenVPN interface is assigned, a tab is present under Firewall > Rules dedicated to only this single VPN. These rules govern traffic coming in from the remote side of the VPN, and they also get the pf reply-to keyword, which ensures traffic entering this VPN interface will exit back out the same interface. This can help with some more advanced NAT and configuration.
Rules added here are processed after the OpenVPN tab rules, which are checked first. In order to match the rules on an assigned VPN tab, the traffic must not match any rules on the OpenVPN tab. Remove any "Allow All" style rules from the OpenVPN tab and craft more specific rules instead.
For more information on firewall rules, refer to Firewall.
Policy Routing with OpenVPN
When the OpenVPN interface is assigned and enabled, an automatic gateway entry is added under System > Routing, on the Gateways tab. With this, traffic can be directed into the VPN using the Gateway field on LAN or other internal interface firewall rules.
When used with a VPN to reach Internet sites, more configuration may be required. Either outbound NAT must be performed on the VPN interface before it leaves (for VPN services such as PIA, StrongVPN and similar) or the NAT must be done on the other side before it reaches the actual Internet connection.
See Policy routing for more information on policy routing.
Do not use this automatic gateway for static routes. Use the Remote Network field in the VPN configuration. Defining a static route using the automatic OpenVPN gateway will not work properly.
NAT with OpenVPN
When the OpenVPN interface is assigned, NAT rules can also be applied the same as with any other interface. This is useful when connecting two conflicting subnets or for making NAT rules specific to this one VPN connection (outbound NAT, port forwards, or 1:1 NAT).
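The Filtering, Policy Routing and NAT sections above describe pieces that all end up as pf rules; the following pf.conf fragment shows them together: an outbound NAT on the assigned client interface, a narrow OpenVPN tab rule that is evaluated first, an assigned-tab rule carrying reply-to, and a LAN rule policy-routing into the VPN via its automatic gateway. This is an added illustration, not rules generated by pfSense; the interface names, addresses and the "openvpn" interface group used for the OpenVPN tab are assumptions.

```pf
# Constructed example addresses (not from the page):
#   LAN                    em1, 192.168.1.0/24
#   OpenVPN client ovpnc1  local tunnel 10.8.0.2, far side (auto gateway) 10.8.0.1
#   OpenVPN server ovpns1  tunnel 10.0.8.0/24, far side (auto gateway) 10.0.8.2
#   Remote network behind the server's peer: 172.16.0.0/24

# NAT with OpenVPN: outbound NAT on the assigned client interface so LAN hosts
# leaving through a VPN provider are translated to the tunnel address.
# (Translation rules must precede filter rules in pf.conf.)
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1)

# OpenVPN tab rules are checked before any assigned-tab rule. They are assumed
# to be written on the "openvpn" interface group that every ovpnsX/ovpncX
# instance belongs to. An "allow all" here would match first and the rules on
# the assigned tab below would never be reached, so keep it specific.
pass in quick on openvpn inet proto icmp from 10.0.8.0/24 to 192.168.1.0/24

# Filtering with OpenVPN: the assigned interface tab adds reply-to, so replies
# to connections that entered via ovpns1 leave via ovpns1 rather than following
# the default route.
pass in quick on ovpns1 reply-to (ovpns1 10.0.8.2) inet proto tcp \
    from 172.16.0.0/24 to 192.168.1.10 port 443 keep state

# Policy Routing with OpenVPN: traffic for local destinations is passed without
# a gateway first; everything else from LAN is sent into the client tunnel by
# selecting the automatic gateway (route-to the far-side tunnel address).
pass in quick on em1 inet from 192.168.1.0/24 to 192.168.1.0/24 keep state
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet \
    from 192.168.1.0/24 to any keep state
```

Networks that should be reachable through the server instance (172.16.0.0/24 here) belong in the VPN's Remote Network field, which installs a kernel route; the automatic gateway above is only for policy routing, as noted in the section on static routes.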