pfSense VPN Recipes - IPsec, OpenVPN, WireGuard

This section provides VPN configuration recipes for pfSense covering a range of deployment scenarios: site-to-site IPsec tunnels with equipment from different vendors, OpenVPN integration with corporate directories, WireGuard deployment for mobile users, and VPN channel failover.

Before configuring VPN connections, create a configuration backup at Diagnostics - Backup & Restore. General VPN information is available in the pfSense VPN section.

IPsec Site-to-Site Between pfSense and Cisco ASA

An IPsec tunnel between pfSense and Cisco ASA connects office networks through an encrypted channel. Matching Phase 1 and Phase 2 parameters on both sides is essential.

Step-by-Step

  1. Define parameters for both sides:

    • pfSense WAN IP: e.g., 203.0.113.1
    • Cisco ASA WAN IP: e.g., 198.51.100.1
    • pfSense LAN: 192.168.1.0/24
    • Cisco ASA LAN: 10.0.1.0/24
  2. On pfSense, navigate to VPN - IPsec - Tunnels and click Add P1

  3. Configure Phase 1:

    • Key Exchange Version - IKEv2
    • Remote Gateway - 198.51.100.1
    • Authentication Method - Mutual PSK
    • Pre-Shared Key - generate a strong key (minimum 32 characters)
    • Encryption Algorithm - AES 256-GCM, 128 bits
    • Hash Algorithm - SHA256
    • DH Group - 14 (2048 bit)
    • Lifetime - 28800
  4. Click Save, then click Show Phase 2 Entries and add Phase 2:

    • Mode - Tunnel IPv4
    • Local Network - LAN subnet (192.168.1.0/24)
    • Remote Network - 10.0.1.0/24
    • Encryption Algorithm - AES 256-GCM, 128 bits
    • Hash Algorithm - SHA256
    • PFS Key Group - 14 (2048 bit)
    • Lifetime - 3600
  5. On the Cisco ASA, configure matching parameters:

! AES-GCM carries its own integrity check, so the ASA requires integrity null
! with a GCM cipher; the pfSense Hash Algorithm (SHA256) becomes the IKEv2 PRF
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 prf sha256
 group 14
 lifetime seconds 28800

crypto ikev2 enable outside

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key <key>
 ikev2 remote-authentication pre-shared-key <key>

! local (ASA) subnet first, remote (pfSense) subnet second
access-list VPN_TRAFFIC extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto ipsec ikev2 ipsec-proposal AES256-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null

crypto map VPN_MAP 10 match address VPN_TRAFFIC
crypto map VPN_MAP 10 set peer 203.0.113.1
crypto map VPN_MAP 10 set ikev2 ipsec-proposal AES256-GCM
! match the pfSense Phase 2 PFS Key Group (14) and Lifetime (3600)
crypto map VPN_MAP 10 set pfs group14
crypto map VPN_MAP 10 set security-association lifetime seconds 3600
crypto map VPN_MAP interface outside
  6. On pfSense, navigate to Firewall - Rules - IPsec and create a rule:

Action: Pass
Interface: IPsec
Source: 10.0.1.0/24
Destination: LAN net
  7. Enable the tunnel: Status - IPsec - Overview, click Connect P1 and P2

  8. Verify status under Status - IPsec - SPD and test connectivity by pinging between subnets

Important: encryption, hashing, DH group, and lifetime parameters must match on both sides. A mismatch in any parameter causes tunnel establishment failure.
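
The following script is an added example, not part of the pfSense or Cisco documentation: it reads an ASA configuration and reports every Phase 1/Phase 2 parameter that differs from the pfSense values of this recipe, so a mismatch is caught before the tunnel is brought up. The ASA excerpt embedded in it is constructed, with the IKE lifetime left at the ASA default and PFS omitted, and the GUI-to-ASA name mapping is an assumption made here.

```python
"""Added example: compare the recipe's pfSense Phase 1/2 values with a Cisco
ASA config and list mismatches.  ASA text is constructed, with two errors."""
import re

# pfSense GUI values in ASA spelling: Hash Algorithm -> prf, PFS Key Group -> pfs groupN
PFSENSE = {"p1_encryption": "aes-gcm-256", "p1_prf": "sha256", "p1_group": "14",
           "p1_lifetime": "28800", "p2_encryption": "aes-gcm-256",
           "p2_pfs": "14", "p2_lifetime": "3600"}
GLOBAL = [(r"crypto map \S+ \d+ set pfs group(\d+)", "p2_pfs"),
          (r"crypto map \S+ \d+ set security-association lifetime seconds (\d+)", "p2_lifetime")]

def parse_asa(config: str) -> dict:
    """Extract the parameters that must match pfSense from an ASA config."""
    found, block = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto ikev2 policy"):
            block = "p1"
        elif line.startswith("crypto ipsec ikev2 ipsec-proposal"):
            block = "p2"
        elif not raw.startswith(" "):  # unindented line: back at global level
            block = None
            for pattern, key in GLOBAL:
                if m := re.match(pattern, line):
                    found[key] = m.group(1)
        elif block == "p1":
            if m := re.match(r"(encryption|prf|group|lifetime)\s+(?:seconds\s+)?(\S+)", line):
                found["p1_" + m.group(1)] = m.group(2)
        elif block == "p2":
            if m := re.match(r"protocol esp encryption (\S+)", line):
                found["p2_encryption"] = m.group(1)
    return found

def mismatches(pfsense: dict, asa: dict) -> list:
    """(parameter, pfSense value, ASA value) for each differing or missing setting."""
    return [(k, v, asa.get(k)) for k, v in pfsense.items() if asa.get(k) != v]

ASA_SAMPLE = """\
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 prf sha256
 group 14
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map VPN_MAP 10 set security-association lifetime seconds 3600
"""
```

Run `mismatches(PFSENSE, parse_asa(ASA_SAMPLE))` against the output of `show running-config crypto` pasted into a file; an empty list means every checked parameter agrees.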

IPsec Site-to-Site Between pfSense and AWS VPN Gateway

AWS VPN Gateway supports IPsec tunnels with external devices. AWS provides two tunnels for redundancy. Configuring both is recommended.

Step-by-Step

  1. In the AWS Console, create a Customer Gateway:

    • BGP ASN - 65000 (or your ASN)
    • IP Address - pfSense WAN public IP
    • Routing - Static
  2. Create a Virtual Private Gateway and attach it to the VPC

  3. Create a Site-to-Site VPN Connection:

    • Customer Gateway - select the one created above
    • Virtual Private Gateway - select the one created above
    • Routing Options - Static
    • Static IP Prefixes - pfSense LAN subnet (192.168.1.0/24)
  4. Download the VPN configuration: select Vendor: Generic to obtain parameters

  5. On pfSense, navigate to VPN - IPsec - Tunnels and create Phase 1 for the first tunnel:

    • Key Exchange Version - IKEv1 (AWS defaults to IKEv1)
    • Remote Gateway - first AWS tunnel IP (from the downloaded configuration)
    • Authentication Method - Mutual PSK
    • Pre-Shared Key - from the AWS configuration
    • Encryption Algorithm - AES 256
    • Hash Algorithm - SHA256
    • DH Group - 2 (AWS default)
    • Lifetime - 28800
  6. Add Phase 2:

    • Local Network - LAN subnet
    • Remote Network - VPC CIDR (e.g., 10.0.0.0/16)
    • Encryption Algorithm - AES 256
    • Hash Algorithm - SHA256
    • PFS Key Group - 2
    • Lifetime - 3600
  7. Repeat steps 5-6 for the second AWS tunnel (with a different Remote Gateway and PSK)

  8. Navigate to System - Routing - Gateways and add gateways for both tunnels

  9. Configure firewall rules on the IPsec interface to allow traffic from the VPC

  10. In the AWS Console, verify tunnel status under VPN Connections - Tunnel Details

Important: AWS uses DH Group 2 by default. Ensure Phase 1 and Phase 2 parameters exactly match the downloaded configuration. DPD (Dead Peer Detection) should be enabled on pfSense.

IPsec Site-to-Site Between pfSense and Azure VPN Gateway

Azure VPN Gateway supports IKEv2 with extended encryption options. Connecting pfSense to an Azure Virtual Network Gateway requires matching custom IPsec policies.

Step-by-Step

  1. In the Azure portal, create a Virtual Network Gateway:

    • Gateway type - VPN
    • VPN type - Route-based
    • SKU - VpnGw1 or higher
    • Virtual network - select the target VNet
  2. Create a Local Network Gateway:

    • IP address - pfSense WAN public IP
    • Address space - pfSense LAN subnet (192.168.1.0/24)
  3. Create a Connection:

    • Connection type - Site-to-site (IPsec)
    • Virtual network gateway - the gateway created above
    • Local network gateway - the LNG created above
    • Shared key - generate a strong key
  4. Configure an IPsec/IKE Policy on the Azure connection (Custom):

    • IKE Phase 1: AES256, SHA256, DHGroup14
    • IPsec Phase 2: GCMAES256, GCMAES256, PFS2048
    • SA Lifetime: 27000 seconds
  5. On pfSense, navigate to VPN - IPsec - Tunnels and create Phase 1:

    • Key Exchange Version - IKEv2
    • Remote Gateway - Azure VPN Gateway public IP
    • Pre-Shared Key - from the Azure connection
    • Encryption Algorithm - AES 256
    • Hash Algorithm - SHA256
    • DH Group - 14 (2048 bit)
    • Lifetime - 27000
  6. Add Phase 2:

    • Local Network - LAN subnet
    • Remote Network - Azure VNet CIDR (e.g., 10.1.0.0/16)
    • Encryption Algorithm - AES 256-GCM, 128 bits
    • PFS Key Group - 14
    • Lifetime - 3600
  7. Enable Dead Peer Detection: Threshold 10, Retry 3

  8. Create firewall rules on the IPsec interface to allow traffic from the Azure VNet

  9. Verify status under Status - IPsec on pfSense and in Azure Portal - Connection Status

For details on interface configuration, see the pfSense interfaces section.

OpenVPN with Active Directory Authentication

Integrating OpenVPN with Active Directory allows users to authenticate using corporate credentials. pfSense supports LDAP authentication against an AD domain controller.

Step-by-Step

  1. Navigate to System - User Manager - Authentication Servers and add an LDAP server:

    • Type - LDAP
    • Hostname or IP address - domain controller IP
    • Port - 636 (LDAPS) or 389 (LDAP)
    • Transport - SSL/TLS (recommended)
    • Peer Certificate Authority - domain CA certificate (import beforehand)
    • Protocol version - 3
    • Search scope - Entire Subtree
    • Base DN - DC=corp,DC=example,DC=com
    • Authentication Containers - OU=Users,DC=corp,DC=example,DC=com
    • Extended Query - enable and specify: memberOf=CN=VPN_Users,OU=Groups,DC=corp,DC=example,DC=com
    • Bind Credentials - DN and password of the AD service account
  2. Verify the connection by clicking Select a container - if containers appear, LDAP is working

  3. Navigate to System - User Manager - Settings and set the Authentication Server to the LDAP server

  4. Navigate to VPN - OpenVPN - Servers and create a server:

    • Server mode - Remote Access (SSL/TLS + User Auth)
    • Backend for authentication - select the AD LDAP server
    • Protocol - UDP on IPv4 only
    • Local port - 1194
    • TLS Configuration - enable TLS Key
    • Peer Certificate Authority - pfSense internal CA
    • Server certificate - OpenVPN server certificate
    • Encryption Algorithm - AES-256-GCM
    • Auth digest algorithm - SHA256
    • IPv4 Tunnel Network - 10.0.8.0/24
    • IPv4 Local Network - 192.168.1.0/24
  5. Navigate to Firewall - Rules - WAN and create a rule:

Action: Pass
Protocol: UDP
Destination port: 1194
  6. Navigate to Firewall - Rules - OpenVPN and allow VPN client traffic to LAN

  7. Install the OpenVPN Client Export package: System - Package Manager - openvpn-client-export

  8. Export client configurations: VPN - OpenVPN - Client Export

Important: the LDAP bind service account should have minimal privileges (read-only). Use LDAPS (port 636) to encrypt LDAP traffic.

WireGuard Road Warrior with QR Codes for Mobile

WireGuard provides high-performance VPN connectivity with minimal overhead. QR code generation simplifies configuration on mobile devices.

Step-by-Step

  1. Install the WireGuard package: System - Package Manager - Available Packages - WireGuard

  2. Navigate to VPN - WireGuard - Settings and enable WireGuard

  3. Navigate to VPN - WireGuard - Tunnels and create a tunnel:

    • Description - WAN WireGuard
    • Listen Port - 51820
    • Interface Keys - click Generate to create a key pair
    • Save the server public key
  4. Navigate to VPN - WireGuard - Peers and add a peer for each mobile device:

    • Tunnel - select the tunnel created above
    • Description - device name (e.g., iPhone-Admin)
    • Public Key - client public key (generate on the client or via pfSense)
    • Allowed IPs - unique client IP (e.g., 10.0.9.2/32)
    • Pre-shared Key - generate for additional security (optional)
  5. Assign an interface to the tunnel: Interfaces - Assign - select tun_wg0 and enable it

  6. Assign an IP address to the WireGuard interface: 10.0.9.1/24

  7. Create firewall rules:

    • On WAN: allow UDP 51820
    • On the WireGuard interface: allow traffic from 10.0.9.0/24
  8. Generate the client configuration:

[Interface]
PrivateKey = <client_private_key>
Address = 10.0.9.2/32
DNS = 10.0.9.1

[Peer]
PublicKey = <server_public_key>
Endpoint = 203.0.113.1:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
  9. Generate a QR code from the configuration. On a machine with qrencode installed:
qrencode -t ansiutf8 < client-wg.conf

Alternatively, use a local QR generator (do not transmit configuration data to external services).

  10. Open the WireGuard application on the mobile device, tap +, and scan the QR code
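
As an added example (not pfSense code), the following script handles steps 4 and 8 for a batch of devices: it allocates a unique /32 per peer out of the 10.0.9.0/24 tunnel network, checks that pasted keys are well-formed, renders the client configuration that the QR code will carry, lists the matching pfSense peer fields, and writes the file with mode 0600 because it holds the private key. The key strings in it are constructed placeholders, not real key material.

```python
"""Added example for the road-warrior recipe above: allocate one /32 per
device, validate pasted keys, render the client config the QR code carries
and list the pfSense peer fields.  Keys are constructed placeholders."""
import base64
import ipaddress
import os

SERVER_PUBLIC_KEY = "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE="  # placeholder, not a real key
ENDPOINT = "203.0.113.1:51820"                     # pfSense WAN IP and Listen Port
TUNNEL_NET = ipaddress.ip_network("10.0.9.0/24")   # tun_wg0 holds 10.0.9.1/24
DNS = "10.0.9.1"

def valid_key(key: str) -> bool:
    """WireGuard keys are 32 bytes in base64: 44 characters ending in '='."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError
        return False

def assign_addresses(devices: list) -> dict:
    """Distinct host address per device, starting at .2 (.1 is pfSense itself)."""
    hosts = list(TUNNEL_NET.hosts())[1:]
    if len(set(devices)) != len(devices) or len(devices) > len(hosts):
        raise ValueError("duplicate device name or tunnel subnet too small")
    return {name: str(ip) for name, ip in zip(devices, hosts)}

def client_config(private_key: str, address: str, psk: str = None) -> str:
    """Render the [Interface]/[Peer] text the mobile app imports from the QR code."""
    if not valid_key(private_key) or (psk and not valid_key(psk)):
        raise ValueError("malformed WireGuard key")
    lines = ["[Interface]", f"PrivateKey = {private_key}", f"Address = {address}/32",
             f"DNS = {DNS}", "", "[Peer]", f"PublicKey = {SERVER_PUBLIC_KEY}"]
    if psk:
        lines.append(f"PresharedKey = {psk}")
    lines += [f"Endpoint = {ENDPOINT}", "AllowedIPs = 0.0.0.0/0", "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"

def pfsense_peer(name: str, client_public_key: str, address: str) -> dict:
    """Fields for VPN - WireGuard - Peers; Allowed IPs must be exactly this /32."""
    if not valid_key(client_public_key):
        raise ValueError("malformed client public key")
    return {"Description": name, "Public Key": client_public_key,
            "Allowed IPs": f"{address}/32"}

def write_config(path: str, text: str) -> None:
    """Write with mode 0600: the file holds the client's private key (feed it to qrencode)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
```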

For further WireGuard details, see the pfSense VPN section.

Multi-WAN with OpenVPN Failover

With multiple WAN connections, OpenVPN can be configured to automatically switch to a backup channel when the primary link fails.

Step-by-Step

  1. Confirm that Multi-WAN is configured and both gateways are operational

  2. Navigate to System - Routing - Gateway Groups and create a group:

    • Group Name - VPN_Failover
    • Gateway Priority:
      • WAN_GW - Tier 1
      • WAN2_GW - Tier 2
    • Trigger Level - Packet Loss or High Latency
  3. Navigate to VPN - OpenVPN - Servers

  4. In the OpenVPN server settings:

    • Interface - select the VPN_Failover gateway group (or leave as any and handle through outbound NAT)
  5. Configure Firewall - NAT - Outbound:

    • Switch to Hybrid Outbound NAT
    • Create a rule for the OpenVPN subnet through each WAN interface
  6. Create firewall rules on both WAN interfaces to allow OpenVPN (UDP 1194)

  7. On the client side, add both server addresses to the OpenVPN configuration:

remote 203.0.113.1 1194 udp
remote 198.51.100.1 1194 udp
  8. Test failover: disconnect the primary WAN and verify that clients reconnect through the backup channel

Important: when WAN failover occurs, existing OpenVPN sessions are dropped. Clients must be configured for automatic reconnection. The resolv-retry infinite directive in the client configuration ensures repeated connection attempts.

VPN with Split DNS

Split DNS separates name resolution: corporate domains resolve through an internal server via VPN, while other queries use public DNS. The basic Split DNS recipe is available in the common configuration recipes section.

Extended Configuration with Multiple Domains

  1. Configure a basic OpenVPN server following the instructions in the common recipes

  2. Navigate to Services - DNS Resolver and add multiple Domain Overrides:

    • corp.example.com - 10.0.1.10 (primary AD)
    • dev.example.com - 10.0.2.10 (development environment)
    • staging.example.com - 10.0.3.10 (staging environment)
  3. In the OpenVPN server settings, add Advanced Configuration:

push "dhcp-option DOMAIN corp.example.com"
push "dhcp-option DOMAIN dev.example.com"
push "dhcp-option DOMAIN staging.example.com"
push "dhcp-option DNS 10.0.9.1"
  4. Add routes to all internal subnets:

    • IPv4 Local Network - 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24
  5. Confirm that the pfSense DNS Resolver listens on the OpenVPN tunnel interface

  6. Test corporate domain resolution through the VPN connection using nslookup or dig

For VPN connection troubleshooting, see the troubleshooting guide.
