In this article I will go through the configuration of OpenVPN on the pfSense platform. I have talked about the initial configuration of pfSense in this previous article and if you are not familiar with the platform then you can check that out to get you up and running. Let’s go ahead and start by talking about VPNs first and then we will move to the configuration.

A VPN (virtual private network) allows us to connect directly to our home private network over the internet. This means that if we are in a remote location and want access to services hosted within our private network, we can use a VPN to do so. VPNs are needed because private networks (,, and are not routed on the public internet, as these ranges are reserved for private use. A VPN extends the private network by creating a tunnel between the client in a remote location and the server in your private network, so once the session is up the remote client can access all the resources located within your private home network.

VPNs come in many flavors. pfSense supports L2TP, PPTP, IPsec, and OpenVPN. You might be wondering why use OpenVPN and not the others. OpenVPN is open source and well maintained by the community, which means you can be confident that if a vulnerability is found it will get patched quickly. When it comes to performance, OpenVPN works well on high-latency connections and supports compression should you be limited on bandwidth on the client or server side. For authentication OpenVPN supports LDAP, RADIUS, and a local user database, which makes it flexible to integrate with different types of environments. Authentication is solid because you can pair a regular username and password with certificates for higher security. Encryption in OpenVPN is provided by OpenSSL, an open source implementation of the SSL/TLS protocols, which lets us use very strong cryptographic algorithms that can be hardware accelerated for better performance. On the networking side it can run over TCP or UDP depending on whether you want reliability at the transport layer, but it will be slower should you decide on TCP. OpenVPN supports both IPv4 and IPv6 and can create a tunnel through a proxy, through networks using NAT, and through firewalls. Overall OpenVPN is very solid compared to the other solutions, which lack in many areas.

Let’s get started by configuring a certificate authority in pfSense. The certificate authority or CA will sign the certificates that we will be creating for the server and client side when we configure OpenVPN. You can access the certificate configuration by going over to System–>Cert Manager.


Under the CAs tab you might already have a CA created if you followed one of my previous articles, as we needed to create one in order to sign an internal certificate used to secure the pfSense web interface.


If you do not have one here then you should create a CA and secure your pfSense web interface ASAP to prevent snooping, especially if it is set to be accessible from the internet. Creating a CA is simple and is done by hitting the plus symbol on the right-hand side. The form that you fill out should be self-explanatory.


After you have finished setting up the CA, the next step is to create some certificates that the newly created CA will sign for us. Since these are self-signed certificates, most browsers will give you a warning if you try accessing a web site that uses them, e.g. the pfSense web GUI if you are creating a certificate to secure it. In a similar manner, hit the plus sign to create a certificate and go through the form. See below for the settings that I used for my OpenVPN server certificate.


Now that we have all the components in place we can configure OpenVPN. Head over to VPN–>OpenVPN.


Go ahead and select “Wizards” from the tab at the top which will guide us step by step to configure OpenVPN.


The wizard will first ask you for the type of authentication backend that you are using. In our case we will select the local user access database provided by pfSense. Of course, if you have an internal LDAP or RADIUS server that you want to use then you can select either of those options.


In the next step we will be selecting the CA that we created at the beginning of this article.


Next is the server certificate, which is the certificate that we just created.


On the next page we will start selecting several different configuration options. The first three options are the interface on which we will be listening for connections, the protocol, and the port number. Select the WAN interface for OpenVPN to bind to if you want to be able to access your network from the outside. The protocol should be UDP unless you have a specific reason for using TCP. The port can be changed, or you can keep the default OpenVPN port of 1194.

The next section deals with the cryptographic settings. Here we will specify TLS authentication and have it generate a shared TLS authentication key, which gives us another layer of security. See below for the explanation provided by the OpenVPN documentation.

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:

  • DoS attacks or port flooding on the OpenVPN UDP port.
  • Port scanning to determine which server UDP ports are in a listening state.
  • Buffer overflow vulnerabilities in the SSL/TLS implementation.
  • SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).

Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key.
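To make the quoted explanation concrete, here is an added example (not from the article and not OpenVPN's own code) that models what tls-auth does at the packet level: every handshake packet carries an HMAC computed with a shared secret, and the receiver drops any packet whose tag does not verify before any TLS code is reached. The example uses HMAC-SHA256 and a freshly generated 64-byte key for simplicity; real tls-auth uses the digest chosen by the auth directive and the 2048-bit static key file that the wizard generates. The packet payloads are constructed samples.

```python
"""Added example: an HMAC gate in front of the TLS handshake, the idea behind
tls-auth. Not from the article or OpenVPN; key and packets are constructed."""
import hashlib
import hmac
import secrets

# Constructed shared secret; OpenVPN reads this from the tls-auth key file instead.
KEY = secrets.token_bytes(64)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def sign_packet(key: bytes, payload: bytes) -> bytes:
    """Sender side: prepend an HMAC tag over the handshake payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def verify_packet(key: bytes, packet: bytes):
    """Receiver side: return the payload if the tag verifies, else None (dropped).

    The comparison is constant-time so a probing sender learns nothing from
    how quickly a bad tag is rejected.
    """
    if len(packet) < TAG_LEN:
        return None  # too short to even carry a tag: drop without processing
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def filter_packets(key: bytes, packets):
    """Simulate the listening socket: accepted payloads plus a count of drops."""
    accepted, dropped = [], 0
    for packet in packets:
        payload = verify_packet(key, packet)
        if payload is None:
            dropped += 1
        else:
            accepted.append(payload)
    return accepted, dropped


def demo():
    """Constructed scenario: two valid packets, one bit-flipped, one with no tag."""
    good1 = sign_packet(KEY, b"P_CONTROL_HARD_RESET_CLIENT_V2")
    good2 = sign_packet(KEY, b"P_CONTROL_V1 client hello")
    tampered = good1[:-1] + bytes([good1[-1] ^ 0x01])  # corrupt the last payload byte
    unsigned = b"P_CONTROL_HARD_RESET_CLIENT_V2"          # a sender without the key
    return filter_packets(KEY, [good1, tampered, unsigned, good2])


if __name__ == "__main__":
    accepted, dropped = demo()
    print(f"accepted={len(accepted)} dropped={dropped}")
```

Only the two packets signed with the shared key reach the (simulated) TLS layer; the tampered packet and the one sent without knowledge of the key are discarded by the cheap HMAC check first, which is exactly why the documentation lists DoS, port scanning and unauthenticated handshake attempts as things tls-auth mitigates.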

The DH parameter length used for public key cryptography should NOT be set to 1024 or lower. There is a lot of research showing that 1024-bit keys can be brute-forced relatively quickly, and RSA is recommending that all websites upgrade to 2048-bit keys by the end of this year.

At the bottom you have the option of selecting an encryption algorithm and whether your hardware can do crypto acceleration.


Moving on to the Tunnel settings, we have the option of specifying the tunnel network, which is the network from which clients connecting to the VPN will be assigned an address. You can specify whether all traffic should be redirected through the tunnel, and the local network that clients connecting from the outside can access. Near the middle we can specify the maximum number of concurrent sessions and whether we want to use compression for the data traversing the tunnel. At the bottom we have the TOS field used for QoS (quality of service), whether we want to allow communication between the clients tunneling in, and whether duplicate connections should be allowed.
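The tunnel network, local network and concurrent-session limit interact, and a bad combination (a tunnel range that overlaps the LAN, or more clients than the range can hold) is a common reason a connected client cannot reach anything. The following added example, which is not from the article or from pfSense, checks those choices with Python's standard ipaddress module and emits the OpenVPN directives that correspond to them (server, topology, max-clients and push "route ..."). The network values in it are constructed samples.

```python
"""Added example (not from the article or pfSense): sanity-check the wizard's
tunnel/local network choices and derive the matching OpenVPN directives."""
import ipaddress
import itertools


def _mask_form(net: ipaddress.IPv4Network) -> str:
    """OpenVPN directives write networks as 'address netmask', not CIDR."""
    return f"{net.network_address} {net.netmask}"


def client_capacity(tun: ipaddress.IPv4Network, topology: str) -> int:
    """Usable client addresses in the tunnel network for a given topology."""
    if topology == "subnet":
        # one address each for network, broadcast and the server itself
        return tun.num_addresses - 3
    if topology == "net30":
        # each client consumes a /30 and the first /30 belongs to the server
        return tun.num_addresses // 4 - 1
    raise ValueError(f"unknown topology {topology!r}")


def plan_tunnel(tunnel: str, local_networks, max_clients: int,
                topology: str = "subnet", redirect_gateway: bool = False) -> dict:
    """Validate the tunnel plan and return the directives it implies."""
    tun = ipaddress.ip_network(tunnel, strict=True)
    lans = [ipaddress.ip_network(n, strict=True) for n in local_networks]
    if tun.version != 4 or any(lan.version != 4 for lan in lans):
        raise ValueError("this example handles IPv4 networks only")
    # The tunnel range must not collide with anything it is supposed to reach,
    # otherwise clients route LAN traffic back into the tunnel interface.
    for lan in lans:
        if tun.overlaps(lan):
            raise ValueError(f"tunnel network {tun} overlaps local network {lan}")
    for a, b in itertools.combinations(lans, 2):
        if a.overlaps(b):
            raise ValueError(f"local networks {a} and {b} overlap")
    capacity = client_capacity(tun, topology)
    if max_clients > capacity:
        raise ValueError(f"{tun} with topology {topology} fits only {capacity} clients")
    directives = [
        f"server {_mask_form(tun)}",
        f"topology {topology}",
        f"max-clients {max_clients}",
    ]
    directives += [f'push "route {_mask_form(lan)}"' for lan in lans]
    if redirect_gateway:
        directives.append('push "redirect-gateway def1"')
    return {"capacity": capacity, "directives": directives}


if __name__ == "__main__":
    # Constructed sample: a /24 tunnel serving one /24 LAN for up to 10 clients.
    for line in plan_tunnel("10.8.0.0/24", ["192.168.1.0/24"], 10)["directives"]:
        print(line)
```

The topology parameter matters for capacity: with the default net30 topology a /24 tunnel serves only 63 clients, while topology subnet (which the first comment below recommends for Windows clients) gives 253.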


In the client settings we can specify if we want to allow clients to retain their connection should their IP address change. The second option will assign the clients an IP address from the tunnel network we configured at the top. You can configure the other options below if you want to assign certain other parameters to connecting clients.


After hitting next, we are presented with adding firewall rules. The rules are needed so that a connection can be established. Go ahead and check both boxes before finalizing.


Once you are done you should see an entry under the server tab of OpenVPN.


I actually edited the entry above and configured the DNS server to point to my default gateway, which is my pfSense box, since it is configured as a DNS forwarder.


The next step is to start creating user accounts that we will use during the authentication process. Creating user accounts is done over at System–>User Manager under the users tab.


Go ahead and hit the plus sign to create a new user and fill out the form. Everything here should be self-explanatory.


Once the account has been created, we need to create a user certificate for the account. We will be going back to System–>Cert Manager and under the certificates tab create a new certificate.


Hit the plus sign to start the creation process. Make sure to select “User Certificate” from the dropdown as you are creating the certificate.


Once the certificate is created, we will go back to the user account that we made and modify it.


We will assign the certificate that we just created to the user account.


From the drop down list select the user certificate that we recently created.


We are almost done with the configuration and there are only a couple of small things left to do. Before we move on to the client configuration we need to export the keys and certificates from pfSense so that our clients can use them. This is made easy by installing the OpenVPN Client Export Utility from System–>Packages.


We will be using this tool soon, but before doing so we must set up Dynamic DNS. If you are familiar with IP addressing then you know that your ISP assigns you a public IP address via DHCP on your WAN port. This IP address is dynamic, which means that it can change unless you paid your ISP extra for a static address. When our clients connect to the OpenVPN server they will try to reach us on the public WAN address on port 1194. If the address changes then they won't be able to reach us unless we somehow learn the new address and modify the configuration file. This becomes a huge pain to manage, and Dynamic DNS solves this problem for us.

The way that dynamic DNS works is that it maps a hostname that we specify to the current WAN IP address. The dynamic DNS client checks the WAN IP at a certain interval and keeps the hostname-to-IP mapping current, so that when we try to reach the hostname over the internet it points to the correct WAN IP address of our router. In order to get a hostname we must register with a third party and come up with a unique name that has not been taken yet. Here are a couple of different dynamic DNS providers where you can register a hostname. Note that some of these are free.

Once you have registered a hostname, head over to Services–>Dynamic DNS. Under the DynDNS tab go ahead and add a new entry. From the service type menu select the provider that you registered with and make sure that you are monitoring the WAN interface. Under hostname type in the fully qualified domain name that you registered (I blacked mine out for privacy reasons). The last thing you need to do is type in your account information so that pfSense can reach your dynamic DNS provider and update the hostname with your current WAN IP address.


Here is the list of service types offered by pfSense.


We will now go over to the VPN–>OpenVPN section and open the Client Export tab.


In the client export tab we will export the certificates, keys, and configuration files that we will need for our VPN client. Here you will have different options to select from. The remote access server should have the port number that you specified for OpenVPN as well as the protocol, whether it's TCP or UDP. For hostname resolution we will be using Dynamic DNS, which means that you will select the hostname that you configured above. Everything else can be left at its default settings unless you have a reason for selecting the other options.


At the bottom you will have options to export the configuration and files. The standard configuration is what you will need, and it is a good idea to get the archive as this will include the certificates and keys needed. Note that you can also download the Windows installer from here, depending on which platform you are using.


Alternatively you can also get the installer directly from the website:

The official website might have a more up to date version.


The installation process should be simple and you can leave the options at their default settings.


Make sure to install the network adapter when prompted to do so.


The next thing to do is transfer the archive downloaded from pfSense to the client securely (SFTP, FTPS, SCP, an encrypted archive, or any other secure transfer method). The files will have to be extracted and placed under the config directory of OpenVPN.


After placing the files in the config directory you can open the application.


Note: If you experience any issues then try right-clicking the OpenVPN GUI and running it as an administrator.

Then right-click the OpenVPN icon on the bottom right and hit Connect.


You will be prompted for your username and password.


In my case it failed with a cipher algorithm not found error.


I opened a command prompt and ran "openvpn --show-ciphers" to see what ciphers the client supported, and noted that the cipher I had chosen was not listed.


I went back into pfSense and changed the cipher to something supported by the client. This time it worked fine.
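The mismatch above is easy to catch before rolling a configuration out: compare the cipher set on the server with what each client build reports. The following added example (not from the article and not part of OpenVPN) parses the listing that "openvpn --show-ciphers" prints and checks a configured cipher against it; it also generalises slightly by choosing the first cipher from a server preference list that the client supports. The SAMPLE_SHOW_CIPHERS text is constructed in the shape of that listing, not a verbatim capture from any client.

```python
"""Added example (not from the article or OpenVPN): check a server's cipher
choice against the ciphers a client reports via 'openvpn --show-ciphers'."""
import re

# Constructed sample in the shape of the command's output (preamble, then one
# cipher per line); real output differs between OpenVPN versions.
SAMPLE_SHOW_CIPHERS = """\
The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be used as a
parameter to the --cipher option.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode)
BF-CBC  (128 bit key by default, 64 bit block)
"""

# A cipher line starts with the name, then "(<n> bit key"; preamble lines do not.
_CIPHER_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s+\((\d+) bit key", re.IGNORECASE)


def parse_show_ciphers(text: str) -> dict:
    """Map upper-cased cipher name -> key length in bits, ignoring the preamble."""
    ciphers = {}
    for line in text.splitlines():
        match = _CIPHER_LINE.match(line)
        if match:
            ciphers[match.group(1).upper()] = int(match.group(2))
    return ciphers


def client_supports(server_cipher: str, show_ciphers_output: str) -> bool:
    """OpenVPN matches cipher names case-insensitively, so normalise both sides."""
    return server_cipher.upper() in parse_show_ciphers(show_ciphers_output)


def pick_cipher(server_preference, show_ciphers_output: str, min_key_bits: int = 128):
    """Return the first server-preferred cipher the client supports with a key of
    at least min_key_bits, or None when the two sides have nothing usable in common."""
    supported = parse_show_ciphers(show_ciphers_output)
    for name in server_preference:
        bits = supported.get(name.upper())
        if bits is not None and bits >= min_key_bits:
            return name.upper()
    return None


if __name__ == "__main__":
    # Constructed scenario matching the article: the server was set to a cipher
    # the client build does not list, so the check fails and a fallback is picked.
    configured = "CAMELLIA-256-CBC"
    print(configured, "supported:", client_supports(configured, SAMPLE_SHOW_CIPHERS))
    print("fallback:", pick_cipher([configured, "AES-256-GCM", "AES-256-CBC"], SAMPLE_SHOW_CIPHERS))
```

In practice you would feed the function the real output captured on each client platform rather than the sample, and run the check whenever the server cipher or a client build changes.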


Going back into pfSense and selecting Status–>OpenVPN we can see that there is currently an active connection.


This concludes the OpenVPN server configuration on pfSense. I hope that this was useful for those out there trying to figure out how to configure OpenVPN. Thank you for taking your time to read this article. Happy new year and see you here next time.

101 Responses to “Configuring OpenVPN on pfSense”

  1. To use a /24 for Windows clients, add this directive to the pfSense OpenVPN Server:

    topology subnet


  2. Let’s say I did a fresh install with pfSense on my router and the first thing I did after basic configuration was to follow this guide. Would the clients connected to my OpenVPN server on pfSense be able to access internet without adding any rules to firewall/NAT?

    I think I have tried everything possible as far as my very limited knowledge goes and I still don’t have access to the internet when I connect with my phone. I can login to the web configuration but no internet whatsoever.
    From the pfSense book:

    “OpenVPN clients and Internet Access
    If you simply want to NAT your OpenVPN clients to your WAN IP so they can access the Internet
    using the OpenVPN connection, rules should automatically allow this.”

    • I mean not adding any more rules besides the ones that the wizard creates.

      • Chris,

        If you followed the instructions in this article then it should work without any issues. A couple of things, when you connect to your OpenVPN server from the outside and your client gets an IP address in the tunnel network are you able to ping other clients in the local network? From your client connected from the outside via OpenVPN can you ping an IP address such as public DNS)? I want to make sure that your DNS is configured properly.



        • Thanks for replying Glenn.

          I can not ping

          I can ping my printer.

          Using ES file explorer to check the LAN shows only __MSBROWSE__ located on my neighbour’s network.

          I am not running any services on my LAN except the printer.

          When connected through VPN the “My IP address” app shows the following:
          IP: ????????????
          Hostname: Please wait (nothing ever shows)
          Local IP:

          Note: I am also running pfSense as a client to a vpn provider.

          Connected to my wifi without VPN it shows the following:
          IP: (IP to my vpn provider)
          Hostname: xxxxx.xxxx.xx (Hostname of the provider)
          Local IP:

          I use for my LAN and for my OpenVPN server.

          Here is my server config:

          dev ovpns2
          dev-type tun
          dev-node /dev/tun2
          writepid /var/run/
          #user nobody
          #group nobody
          script-security 3
          keepalive 10 60
          proto udp
          cipher AES-256-CBC
          auth SHA256
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          client-connect /usr/local/sbin/
          client-disconnect /usr/local/sbin/
          local XXX.XX.XXX.XX <—- my real public IP
          engine rdrand
          client-config-dir /var/etc/openvpn-csc
          auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server2" via-env
          tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'www.abdfds.ciom' 1"
          lport 45000
          management /var/etc/openvpn/server2.sock unix
          max-clients 1
          push "route"
          push "dhcp-option DNS"
          push "redirect-gateway def1"
          ca /var/etc/openvpn/
          cert /var/etc/openvpn/server2.cert
          key /var/etc/openvpn/server2.key
          dh /etc/dh-parameters.4096
          tls-auth /var/etc/openvpn/server2.tls-auth 0
          comp-lzo adaptive

          • Solved it! I deleted all the NAT rules in advanced and changed to Automatic outbound NAT rule generation. Now it works perfect!

            Thanks again for your reply.

          • OK yeah that would do it. If you had it set to manual which I don’t think is the default setting(wasn’t for me) then you would have needed a rule there. Glad you got it working.

  3. Glenn,

    Thank you very much for this awesome walk through. Definitely the best one that I was able to find out on the Internet. I am having one issue though, and after seeing all of the help that you have given to others I’m almost embarrassed to ask because you’ve done so much!

    But I have walked through every solution that I could find and nothing seems to be working. So here goes.

    I’ve got my OpenVPN service up and running just fine. Everything installed perfectly following your guide. I can connect in from outside of my network just fine, but once I’m connected I am unable to see any other device on the network. My file server is what I’m really after.

    Here’s the thing. I can ping the server and all of the devices on the network, and I can ping the Internet (I used with no problems. But I cannot connect to the server ( When I connect from outside the network to OpenVPN, I am getting an IP address of

    I have my IPv4 Tunnel set at
    I have my IPv4 Local Network set at

    Here is what I have tried so far:

    – Rebooted the pfSense box after changes were made
    – Selected the Option to Allow Inter-Client Communication
    – Manually added the “Push” route in Advanced Settings
    – Made sure that I see an open session in STATUS > OPENVPN
    – In the OPENVPN session / Routing Table it shows my target network as
    – In Firewall Rules, I do have a rule under the OpenVPN tab (Source and Destination are both set to ANY)
    – Disabled Windows Firewall on my Server
    – Run the client OpenVPN program as Administrator

    I think I’ve pretty much tried everything that I’ve read online. Just wondering if you have any additional suggestions? The main difference that I see from my issue and what a lot of other people have experienced is that they were unable to ping their machines until they fixed the problem. In my case, I’m able to ping everything.

    Thanks in advance!

    • Mark,

      If you are able to ping the computer then I am thinking that it is not an issue with pfSense. What protocol are you using to connect to the file server (SMB/NFS/FTP)? Additionally, what operating system is the file server running, 2008R2/2012? Since you mentioned that it is a Windows server, can you try to map a network drive to “\\\C$” using a client in the local network and then try the same thing when you connect via OpenVPN (what are the results?).



      • Glenn,

        Thanks so much for the reply. I already had a share setup and before contacting you, the share would never work when I was off the LAN using OpenVPN. However, using your direction I think I may have found the problem.

        My existing share is setup using the machine name ‘SERVER’. So the share looks like \\server\users\mark\documents. I connected to the VPN and then tried using the share. When it gave me an error, I actually looked at the details of the error and it says that it cannot locate the name of the share. So I proceeded to setup the share like you advised, with the IP address instead of the machine name. That worked!

        So the issue with my contacting the server is that I will have to contact it using the IP address (through an Explorer window) rather than typing in \\server\.

        Thanks again for your help! Very much appreciated.


        • Nice! This sounded like a DNS problem to me. If you want to be able to reach your server via the computer name then you can modify the hosts file on the local computer that is accessing the file server. Alternatively, If you are using the DNS forwarder in pfSense then you can create a host override entry that maps the name of the server to the ip address.

          • Glenn,

            I did as you said and edited the hosts file on my PC. This solution worked perfectly.

            On behalf of all of us that have been reading your pfSense guides, I want to thank you so much. I’ve been wanting to build my own pfSense box for a while now, and your guide was exactly what I needed to make it happen. In my few months working with the software, I’ve concluded that it can be very quirky at times, and much of the support either doesn’t address some of the issues (especially with package config issues) or is outdated.

            Thanks again!


  4. Excellent guide, good work. I congratulate you and I want you to know that it was a big help for me.

  5. rob furness says:

    I’m not very terminal literate and have followed a number of guides to set up a VPN on a pfSense 2.1 installation. From iOS I can make a connection but can’t ping anything.
    My LAN is,
    my pfsense box is
    my tunnel range is
    my iOS device gets given
    OpenVPN port is 34447
    Any suggestions as to some basic tests I can do to diagnose the issue? Thanks in advance.

    • Rob,

      Other users have had the same issue as you. Some of the previous comments left here might be able to help you. Here are a few that should get you started:

      “When you connect with a client from the outside do you get an IP address from the OpenVPN tunnel network? If you check the status–>openvpn do you see an active session? I would look at the firewall–>rules and go to the openvpn tab and make sure that you have a rule in place that allows clients from the openvpn network to communicate with your other internal subnets”

      “When you connect via VPN are you able to ping the pfSense internal IP address? Are you sure that it isn’t a firewall setting on your internal servers that could be causing you to not be able to reach them? Lastly, I have seen some weird behavior with pfSense every now and again when I make changes and things not applying properly unless I reboot the box. You might want to give it a shot to see if it does anything.”

      “When you originally went through the setup there should have been an option for “local network” which is the network that you want to make accessible from the remote endpoint. This is normally set to be your LAN network so that you can access it when you connect via the OpenVPN server. You can add it by going to VPN–> OpenVPN–>Server–>edit and going to the bottom under advanced configuration and adding a rule like the following:

      push “route”

      where the route is your LAN subnet. Additionally, you might want to try to put a check on the “Inter-client communication” box which will “Allow communication between clients connected to this server”. See “” for more information.



  6. I got tls handshake failed with this setup, anyone can figure it out? thank you.

    • Do you have a firewall rule allowing port 1194 on the WAN interface? Also check for an allow all rule on the OpenVPN virtual interface.

  7. Hi Glenn
    First off – Great job with the guide !

    I’m having some problems with my tunnel integrating with my squid3 proxy

    I’m able to access internet through the tunnel, but my blacklist ACL only works on the LAN part of my net, not on the outside part – and i can’t figure out what to do..

    Feels like i’ve tried just about everything

    • Novuz,

      So your clients can setup a tunnel with your pfsense server from the outside and get internet access through the tunnel but the blacklist ACL is not applying? When your client are connected to the tunnel can you ping the IP address of the squid3 proxy server? If you can ping it then I don’t see why you can’t just configure your browser settings to point at the proxy server and have the rules apply to them.



      • Well we have squid3 configured as a transparent proxy with squidguard to block social nets, so don’t even know where to find the proxy ip anymore 😛

        This is for a college assignment where we are to establish a UTM with a OPENvpn tunnel to a outside client and then block facebook both on the inside net and for everyone connecting through the tunnel.
        We tried to change the browsers proxy config manually and that works as we want it to, but it wasn’t an approved solution according to our teacher…
        Been sitting here actively trying to fix this and some other small errors for 17h straight now > . <

      • Though when doing a tracert to with the tunnel active and forcing traffic through that, it continues straight to the internet after the tunnel and not through our WAN (don’t know why, I suck at this)

        *2 (our teachers gateway instead of our WAN or LAN
        *3 onward to infinity and beyooooond

        • Try this, head over to interfaces–>assign and at the bottom where you see “Available network ports:” click the drop down and select the options that looks similar to “ovpns1 (remote access)”. After selecting it, on the right hand side click the plus sign to add the selected interface. When the interface has been added click on the name and enable it. Head over to your squid proxy server options and for the proxy interfaces where the server will bind to select your LAN and also the newly added interface. Let me know if this works.

          • An update !
            We solved it by switching to a tap bridge instead, but the main problem was a faulty DNS 🙂
            Thank you so much for your help !

  8. Hi,
    Can I run OpenVPN on 443 with port sharing with web servers like Apache, which will be inside the pfSense network only, so that both websites with HTTPS and OpenVPN work?

  9. András Székely says:

    Dear Glenn,

    You blog is great!

    I’m just googling a solution – found your site – to assign multiple users (max 6) to one single WAN IP…… I could have around 10-12. Is this possible with pfSense?



    • András,

      I don’t see why not. There is an option for “concurrent connections” when you are setting up the OpenVPN server on pfSense that by default I believe is 10 and you should be able to bump that up to accommodate the number of users that you plan on concurrently being connected. If you go through my post you will figure out where the setting is located.



  10. Thanks for your post.
    I’m stuck in the Client Export section because it doesn’t show any package for export. In the same form, the ‘Remote Access Server’ (the first dropdown option) is empty –!6302&authkey=!AEsi0d4numcv_qk&v=3&ithint=photo%2cpng

    From before we had the VPN working (other office) and now we need set another client. Any idea?

  11. Aaron Rogers says:

    Hi Glenn, your openVPN guide is very helpful. Thank you for taking the time to do it. I am having trouble mapping drives. For example, I can get to other servers on my network through the VPN but I can’t map any drives. I have the “enable NetBIOS over TCP/IP” set but still doesn’t work. Any guidance would be appreciated.

  12. Hi, I can connect from local only, and cannot connect from the outside network.
    Can you tell me how to connect from outside?


