pfSense VPN - IPsec, OpenVPN, and WireGuard Tunnels
pfSense supports three VPN protocols: IPsec, OpenVPN, and WireGuard. Each protocol has distinct characteristics in terms of performance, compatibility, and ease of configuration. The choice of protocol depends on the specific requirements of the deployment - connecting remote employees, linking branch offices, or integrating with third-party equipment.
VPN Protocol Comparison
| Characteristic | IPsec | OpenVPN | WireGuard |
|---|---|---|---|
| Performance | High (hardware acceleration) | Moderate (userspace) | High (kernel-level) |
| Compatibility | Industry standard, works with any vendor | Requires OpenVPN client on both sides | Limited third-party device support |
| Ease of Setup | Complex (numerous Phase 1/2 parameters) | Moderate (PKI infrastructure) | Simple (minimal parameters) |
| Use Cases | Site-to-site, IKEv2 mobile clients | Remote access, site-to-site through NAT | Site-to-site, remote access |
| Native OS Support | Windows, macOS, Linux, iOS, Android (built-in) | Requires client installation on all platforms | Windows, macOS, Linux, iOS, Android (built-in) |
| NAT Traversal | Requires NAT-T (UDP 4500) | Works on any port, including TCP 443 | Works through NAT (UDP) |
Choosing the Right Protocol
IPsec should be used when connecting sites with equipment from different vendors (Cisco, Juniper, Fortinet) or when providing remote access through the built-in IKEv2 client in operating systems without installing additional software.
OpenVPN is the optimal choice for employee remote access with centralized certificate management and Active Directory integration. The protocol operates reliably in networks with restrictive policies, as it can use TCP 443.
WireGuard is recommended for new deployments where third-party equipment compatibility is not required. The protocol provides minimal latency and straightforward configuration. Native support in pfSense is available starting with version 2.7.
In This Section
- IPsec VPN - site-to-site tunnels, IKEv2 for mobile clients, troubleshooting, and connecting to third-party equipment
- OpenVPN - remote access server, site-to-site tunnels, client configuration export, and Active Directory integration
- WireGuard VPN - tunnel creation, peer configuration, interface assignment, and client setup