VPN Routing in pfSense


How to setup pfSense to route all traffic for one or more networks through an OpenVPN connection.

Setup and tested using PrivateVPN and pfSense Community Edition 2.6.0.

Create the Certificate Authority (CA)

Go to System > Cert. Manager > CAs

Click add to create a new CA for the VPN provider.

Give a descriptive name and, for Method, choose "Import an existing Certificate Authority".

Enter the certificate data as supplied by the VPN provider.

Typically, that is all you ever need to do. Then save.

Create the OpenVPN Client

Go to VPN > OpenVPN > Clients

Click add to create a new client. Each client is a single VPN connection to a single server/country. You might want to create many of these for connecting to different server locations or as a failover if one VPN connection fails.

These are the key options I used for my scenario, but options will vary depending on the VPN provider.

Give a description. It's useful to state the location (country, city) and/or maybe the host of the VPN server here.

Server mode - Peer to Peer (SSL/TLS).

Device mode - tun - Layer 3 Tunnel Mode.

Protocol - UDP on IPv4 only.

Interface - WAN (or your external interface of choice).

Server host or address - IP or hostname of the OpenVPN server.

Server Port - the port used by the OpenVPN server.

Username/Password - enter as required and supplied by VPN provider.

TLS Configuration - ensure "Use a TLS Key" is checked.

TLS Key - enter as supplied by VPN provider.

Peer Certificate Authority - select the CA created earlier.

Data Encryption Algorithms - ensure correct ones are allowed.

Fallback Data Encryption Algorithm - might also be important.

Don't pull routes - this should be checked/enabled, so that routes pushed by the provider (typically a new default route) do not replace the pfSense routing table; traffic is sent into the tunnel by the firewall rule created later instead.

Don't add/remove routes - also should be checked/enabled, for the same reason.

Pull DNS - up to you, might be useful.

Custom options - supplied by VPN provider. Also available from an .ovpn file.

Then save and apply changes if necessary.
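The CA certificate, TLS key, server host/port, protocol, ciphers and custom options entered in the two steps above all come from the provider's .ovpn profile. The following script is an added example (not part of this article and not pfSense or PrivateVPN code) that parses such a profile and groups its contents by pfSense form field. The profile embedded in it is constructed, with placeholder certificate and key bodies; the dictionary keys are my own labels mirroring the form, not pfSense identifiers.

```python
"""Split an OpenVPN .ovpn client profile into the pieces the pfSense forms ask for.

Added example, not part of the original article. Field names below are labels
chosen to mirror the pfSense CA and OpenVPN client forms, not pfSense API names.
"""
import re

# Constructed sample profile; the certificate and key bodies are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote vpn2.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-version-min 1.2
verb 3
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Options that have their own field or checkbox in the pfSense client form, or
# that pfSense emits itself. Anything else belongs in "Custom options".
HANDLED_BY_FORM = {
    "client", "dev", "proto", "remote", "auth-user-pass", "cipher", "data-ciphers",
    "data-ciphers-fallback", "auth", "key-direction", "verb", "nobind",
    "persist-key", "persist-tun", "resolv-retry",
}


def parse_ovpn(text):
    """Return (inline blocks keyed by tag, list of tokenised option lines)."""
    inline, options = {}, []
    current, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        opened = re.fullmatch(r"<([a-z-]+)>", line)
        closed = re.fullmatch(r"</([a-z-]+)>", line)
        if current is None and opened:
            current, buf = opened.group(1), []
        elif current is not None and closed and closed.group(1) == current:
            inline[current] = "\n".join(buf) + "\n"   # PEM text, ready to paste
            current = None
        elif current is not None:
            buf.append(line)
        elif closed:
            raise ValueError(f"stray </{closed.group(1)}> with no opening tag")
        else:
            options.append(line.split())
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return inline, options


def extract_pfsense_fields(text=SAMPLE_OVPN):
    """Map profile contents onto the CA import and OpenVPN client form fields."""
    inline, options = parse_ovpn(text)
    if "ca" not in inline:
        raise ValueError("profile has no <ca> block; obtain the CA from the provider")
    fields = {
        "ca_certificate": inline["ca"],                          # System > Cert. Manager > CAs
        "tls_key": inline.get("tls-auth") or inline.get("tls-crypt"),
        "tls_key_mode": "crypt" if "tls-crypt" in inline else "auth",
        "remotes": [],                                           # one pfSense client per remote
        "custom_options": [],
    }
    for tokens in options:
        key, args = tokens[0], tokens[1:]
        if key == "remote":
            fields["remotes"].append((args[0], int(args[1]) if len(args) > 1 else 1194))
        elif key == "proto":
            fields["protocol"] = args[0]
        elif key == "dev":
            fields["device_mode"] = args[0]
        elif key == "data-ciphers":
            fields["data_encryption_algorithms"] = args[0].split(":")
        elif key == "cipher":                    # fallback unless overridden below
            fields.setdefault("fallback_algorithm", args[0])
        elif key == "data-ciphers-fallback":
            fields["fallback_algorithm"] = args[0]
        elif key == "auth":
            fields["auth_digest"] = args[0]
        elif key == "key-direction":
            fields["tls_key_direction"] = int(args[0])
        elif key not in HANDLED_BY_FORM:
            fields["custom_options"].append(" ".join(tokens))
    if fields["remotes"]:
        fields["server_host"], fields["server_port"] = fields["remotes"][0]
    # pfSense's "Custom options" box takes options separated by semicolons.
    fields["custom_options"] = ";".join(fields["custom_options"])
    return fields


if __name__ == "__main__":
    for name, value in extract_pfsense_fields().items():
        print(f"{name}: {value!r}")
```

Each `remote` line in the profile corresponds to one pfSense client entry, which is why the script keeps the full list rather than only the first host. Options the form already covers are dropped rather than duplicated in "Custom options", since a duplicate there would override the form's own setting.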

Create the Interface

Go to Interfaces > Assignments

Select and add new interface for the new VPN client just created.

Edit the interface, ensure it is enabled.

Give a useful description.

Then save and apply changes if necessary.

Setup Outbound NAT

Go to Firewall > NAT > Outbound

Select mode: Hybrid Outbound NAT rule generation

Then save.

Then add new mapping.

Interface - select the one created earlier.

Address Family - IPv4 only is usually adequate.

Protocol - any

Source - network, enter source network that will be using the VPN.

Then save and apply changes if necessary.

Create Firewall Rule

Go to Firewall > Rules and select the network to setup the rule for. This should be the same network that you used for "source network" in the previous NAT mapping step.

Either update the existing "allow all" rule or create a new rule of the usual "allow all through to the internet" type. The key setting is Gateway: here you must select the gateway that was automatically created for the VPN client.

The rule could also just be for certain hosts if you wanted.

Everything should then be working.

Kill Switch

At this point, if the VPN goes down, traffic will still be routed through your normal WAN. To prevent this you can do the following.

Back to the rule we created (the one with the gateway set to our VPN client).

In the Tagged field, enter a unique tag name. It can be whatever you want, but copy it to the clipboard or remember it.

Then save the rule and apply changes.

Then from Firewall > Rules > Floating

Click add to add a new floating rule.

Action - block

Interface - WAN (or the interface that you want to block traffic without VPN)

Direction - any

Address Family - IPv4 typically

Protocol - any

Source/Destination - any

Description - always good to do

Tagged - enter tag we entered in the rule earlier

Then save and apply changes.

So, now, the rule we created to allow traffic through the VPN is tagged. The floating rule prevents any of this tagged traffic from going out of our WAN interface outside the VPN. So if our VPN goes down, the internet is effectively cut off for that network.

Troubleshooting

To check the status of the VPN client connection:

Go to: Status > OpenVPN

Check if the client is connected. Here you can start, stop or restart the service.

Sometimes after making configuration changes things just don't seem to work. One thing to try is restarting the VPN client.

Also try Status > Filter Reload to reload the filter rules after configuration changes.
